Hello!
Hopefully I can provide some clarity on this for you! As per the blog post that you shared, Amazon GuardDuty does generate findings related to Amazon RDS. However, as you point out, RDS is not listed in the GuardDuty Finding types documentation.
This is because exfiltration-related RDS findings are created based on AWS CloudTrail management logs and fall under the Exfiltration:IAMUser/AnomalousBehavior finding type. Note that findings ending with /AnomalousBehavior are generated by GuardDuty's anomaly detection machine learning model, considering details like the requester, the location that the request originated from, and the specific API call that was made. I don't have an exhaustive list of all of the RDS API calls that could trigger this finding type, but from the documentation for this finding type:
"The API observed is commonly associated with exfiltration tactics where an adversary is trying to collect data from your network using packaging and encryption to avoid detection. APIs for this finding type are management (control-plane) operations only and are typically related to S3, snapshots, and databases, such as, PutBucketReplication, CreateSnapshot, or RestoreDBInstanceFromDBSnapshot."
When a finding like this is created, it will look very similar to the example in the blog post, except instead of the Discovery finding type, it will be Exfiltration. You'll have visibility into all of the request details, as well as the API calls that were determined to be anomalous.
To learn more about this, I'd recommend exploring the IAM finding types documentation - especially the findings ending in IAMUser/AnomalousBehavior. Also, if you need an example to share for your audit, you can generate sample findings by following these steps.
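The answer above says RDS-related exfiltration activity surfaces as Exfiltration:IAMUser/AnomalousBehavior findings whose request details name the API call that was judged anomalous. The following triage routine, an added example that is not part of the re:Post answer or any AWS code, shows how a responder can pull those findings out of a GetFindings response and flag the ones that target RDS. It relies on the documented finding fields Type, Severity, Service.Action.AwsApiCallAction (Api, ServiceName, RemoteIpDetails) and Resource.AccessKeyDetails; the sample findings, their ids and IP addresses are constructed, and the set of snapshot/export APIs treated as high risk is an assumption drawn from the two RDS examples quoted above plus related RDS operations, not a list GuardDuty publishes.

```python
"""Triage GuardDuty findings for RDS-related anomalous exfiltration activity.

Added example, not code from the re:Post answer or from AWS. Input is a list of
finding dicts in the shape returned by the GuardDuty GetFindings API.
"""
from typing import Dict, List

FINDING_TYPE = "Exfiltration:IAMUser/AnomalousBehavior"
RDS_SERVICE = "rds.amazonaws.com"

# Control-plane RDS calls that copy, share or export database contents.
# ASSUMPTION: illustrative list built from the answer's examples
# (CreateSnapshot / RestoreDBInstanceFromDBSnapshot) and related RDS APIs;
# it is not an exhaustive list of what triggers this finding type.
RDS_DATA_MOVEMENT_APIS = {
    "CreateDBSnapshot",
    "CopyDBSnapshot",
    "ModifyDBSnapshotAttribute",   # e.g. making a snapshot shareable/public
    "RestoreDBInstanceFromDBSnapshot",
    "StartExportTask",             # snapshot export to S3
}

# Constructed sample findings (placeholder ids, users and RFC 5737 test IPs).
SAMPLE_FINDINGS: List[Dict] = [
    {   # RDS snapshot attribute change flagged as anomalous -> high risk
        "Id": "finding-0001", "Type": FINDING_TYPE, "Severity": 5.0, "Region": "us-east-1",
        "Resource": {"AccessKeyDetails": {"UserName": "analyst-a", "UserType": "IAMUser"}},
        "Service": {"Action": {"ActionType": "AWS_API_CALL", "AwsApiCallAction": {
            "Api": "ModifyDBSnapshotAttribute", "ServiceName": RDS_SERVICE,
            "RemoteIpDetails": {"IpAddressV4": "203.0.113.10"}}}},
    },
    {   # Discovery finding, same suffix but not exfiltration -> ignored
        "Id": "finding-0002", "Type": "Discovery:IAMUser/AnomalousBehavior", "Severity": 2.0,
        "Region": "us-east-1",
        "Resource": {"AccessKeyDetails": {"UserName": "analyst-a", "UserType": "IAMUser"}},
        "Service": {"Action": {"ActionType": "AWS_API_CALL", "AwsApiCallAction": {
            "Api": "DescribeDBInstances", "ServiceName": RDS_SERVICE,
            "RemoteIpDetails": {"IpAddressV4": "203.0.113.10"}}}},
    },
    {   # Exfiltration finding against S3, not RDS -> ignored here
        "Id": "finding-0003", "Type": FINDING_TYPE, "Severity": 5.0, "Region": "us-east-1",
        "Resource": {"AccessKeyDetails": {"UserName": "ci-role", "UserType": "AssumedRole"}},
        "Service": {"Action": {"ActionType": "AWS_API_CALL", "AwsApiCallAction": {
            "Api": "PutBucketReplication", "ServiceName": "s3.amazonaws.com",
            "RemoteIpDetails": {"IpAddressV4": "198.51.100.7"}}}},
    },
    {   # Lower-severity RDS exfiltration finding -> reported, sorted after 0001
        "Id": "finding-0004", "Type": FINDING_TYPE, "Severity": 2.0, "Region": "eu-west-1",
        "Resource": {"AccessKeyDetails": {"UserName": "dba-b", "UserType": "IAMUser"}},
        "Service": {"Action": {"ActionType": "AWS_API_CALL", "AwsApiCallAction": {
            "Api": "CreateDBSnapshot", "ServiceName": RDS_SERVICE,
            "RemoteIpDetails": {"IpAddressV4": "192.0.2.44"}}}},
    },
]


def triage_rds_exfiltration(findings: List[Dict]) -> List[Dict]:
    """Return RDS-targeted Exfiltration:IAMUser/AnomalousBehavior findings,
    highest severity first, with the fields an analyst needs for review."""
    hits = []
    for f in findings:
        if f.get("Type") != FINDING_TYPE:
            continue
        call = f.get("Service", {}).get("Action", {}).get("AwsApiCallAction", {})
        if call.get("ServiceName") != RDS_SERVICE:
            continue
        api = call.get("Api", "")
        key = f.get("Resource", {}).get("AccessKeyDetails", {})
        hits.append({
            "id": f.get("Id"),
            "region": f.get("Region"),
            "severity": float(f.get("Severity", 0)),
            "principal": f"{key.get('UserType', '?')}/{key.get('UserName', '?')}",
            "api": api,
            "source_ip": call.get("RemoteIpDetails", {}).get("IpAddressV4"),
            "data_movement": api in RDS_DATA_MOVEMENT_APIS,
        })
    return sorted(hits, key=lambda h: (-h["severity"], h["id"]))


if __name__ == "__main__":
    # Offline run over the constructed sample; with boto3 you would pass
    # guardduty.get_findings(DetectorId=..., FindingIds=...)["Findings"] instead.
    for hit in triage_rds_exfiltration(SAMPLE_FINDINGS):
        print(hit)
```

In practice the finding ids would come from a ListFindings call filtered on the type, and the data_movement flag is what decides whether the snapshot or export target (and any sharing attribute set on it) should be inspected before the principal's access is reviewed.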