← Back to Explore
elasticmediumTTP
AWS RDS DB Instance or Cluster Deletion Protection Disabled
Identifies the modification of an AWS RDS DB instance or cluster to disable the deletionProtection feature. Deletion protection prevents accidental or unauthorized deletion of RDS resources. Adversaries with sufficient permissions may disable this protection as a precursor to destructive actions, including the deletion of databases containing sensitive or business-critical data. This rule alerts when deletionProtection is explicitly set to false on an RDS DB instance or cluster.
Detection Query
any where data_stream.dataset == "aws.cloudtrail"
and event.provider == "rds.amazonaws.com"
and event.action in ("ModifyDBInstance", "ModifyDBCluster")
and event.outcome == "success"
and stringContains(aws.cloudtrail.request_parameters, "deletionProtection=false")
Author
Elastic
Created
2024/06/28
Data Sources
AWSAmazon Web ServicesAWS RDSfilebeat-*logs-aws.cloudtrail-*
References
Tags
Domain: CloudData Source: AWSData Source: Amazon Web ServicesData Source: AWS RDSResources: Investigation GuideUse Case: Threat DetectionTactic: Impact
Raw Content
[metadata]
creation_date = "2024/06/28"
integration = ["aws"]
maturity = "production"
updated_date = "2026/04/10"
[rule]
author = ["Elastic"]
description = """
Identifies the modification of an AWS RDS DB instance or cluster to disable the deletionProtection feature. Deletion
protection prevents accidental or unauthorized deletion of RDS resources. Adversaries with sufficient permissions may
disable this protection as a precursor to destructive actions, including the deletion of databases containing sensitive
or business-critical data. This rule alerts when deletionProtection is explicitly set to false on an RDS DB instance or
cluster.
"""
false_positives = [
"""
The deletionProtection feature must be disabled as a prerequisite for deletion of a DB instance or cluster. Ensure
that the instance should not be modified in this way before taking action.
""",
]
from = "now-6m"
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
language = "eql"
license = "Elastic License v2"
name = "AWS RDS DB Instance or Cluster Deletion Protection Disabled"
note = """## Triage and analysis
### Investigating AWS RDS DB Instance or Cluster Deletion Protection Disabled
Deletion protection is designed to safeguard RDS DB instances and clusters from accidental or unauthorized deletion. An adversary with privileged access in a compromised environment, can disable this safeguard before issuing a `DeleteDBInstance` or `DeleteDBCluster` action. This rule detects successful attempts to modify deletionProtection and set it to false on any RDS instance or cluster.
#### Possible investigation steps
- **Identify the Actor**
- Review `aws.cloudtrail.user_identity.arn`, `aws.cloudtrail.user_identity.type`, and `access_key_id` to determine which IAM principal made the change.
- Validate whether this principal normally performs RDS lifecycle operations.
- **Review Event Details**
- Inspect `aws.cloudtrail.request_parameters` to confirm the targeted DB instance or cluster identifier.
- Confirm that the request explicitly contains `deletionProtection=false`.
- **Contextualize the Change**
- Determine if recent activities justify the removal of deletion protection (migration, decommissioning, or maintenance).
- Compare the timestamp to normal operational hours or deployment windows.
- **Correlate with Additional Activity**
- Look for subsequent or preceding RDS actions such as:
- `DeleteDBInstance`
- `DeleteDBCluster`
- Security group modifications
- Changes to parameter groups or backup retention policies.
- Sudden removal of backups or snapshots may indicate imminent destructive activity.
- **Verify Environmental Risk**
- Assess the sensitivity of data stored in the affected DB instance or cluster.
- Determine if the instance is production, customer-facing, or mission-critical.
- **Interview Relevant Personnel**
- Confirm with service owners or DB administrators whether the modification was intended and approved.
### False positive analysis
- **Expected Decommissioning**
- Instances undergoing teardown or migration legitimately require deletion protection to be disabled first.
- **Inconsistent Historical Behavior**
- Compare the action to historical modification patterns for the user or role. If the action aligns with past legitimate changes, it may not be suspicious.
### Response and remediation
- **Immediate Remediation**
- If unauthorized, re-enable deletion protection (`deletionProtection=true`) on the affected DB instance or cluster.
- Review security groups, backup retention, and snapshot policies for additional unauthorized changes.
- **Access Review**
- Investigate credential exposure for the IAM principal that performed the action.
- Rotate access keys or temporarily revoke permissions if compromise is suspected.
- **Containment**
- If destructive intent is suspected, apply guardrails (e.g., IAM condition keys, SCPs) to prevent DB deletion.
- **Audit and Harden**
- Ensure RDS instances adhere to least-privilege principles.
- Restrict who can modify `ModifyDBInstance` or `ModifyDBCluster` destructive settings, such as deletion protection, backup retention, and public accessibility.
- **Incident Response Activation**
- Treat unauthorized removal of deletion protection as a high-risk precursor to data destruction.
- Trigger IR processes for containment, root cause analysis, and post-incident hardening.
### Additional information
- **[AWS IR Playbooks](https://github.com/aws-samples/aws-incident-response-playbooks/blob/c151b0dc091755fffd4d662a8f29e2f6794da52c/playbooks/)**
- **[AWS Customer Playbook Framework](https://github.com/aws-samples/aws-customer-playbook-framework/tree/a8c7b313636b406a375952ac00b2d68e89a991f2/docs)**
- **Security Best Practices:** [AWS Knowledge Center – Security Best Practices](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/).
"""
references = [
"https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_ModifyDBInstance.html",
"https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_DeleteInstance.html",
]
risk_score = 47
rule_id = "f6652fb5-cd8e-499c-8311-2ce2bb6cac62"
severity = "medium"
tags = [
"Domain: Cloud",
"Data Source: AWS",
"Data Source: Amazon Web Services",
"Data Source: AWS RDS",
"Resources: Investigation Guide",
"Use Case: Threat Detection",
"Tactic: Impact",
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
any where data_stream.dataset == "aws.cloudtrail"
and event.provider == "rds.amazonaws.com"
and event.action in ("ModifyDBInstance", "ModifyDBCluster")
and event.outcome == "success"
and stringContains(aws.cloudtrail.request_parameters, "deletionProtection=false")
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1485"
name = "Data Destruction"
reference = "https://attack.mitre.org/techniques/T1485/"
[rule.threat.tactic]
id = "TA0040"
name = "Impact"
reference = "https://attack.mitre.org/tactics/TA0040/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1578"
name = "Modify Cloud Compute Infrastructure"
reference = "https://attack.mitre.org/techniques/T1578/"
[[rule.threat.technique.subtechnique]]
id = "T1578.005"
name = "Modify Cloud Compute Configurations"
reference = "https://attack.mitre.org/techniques/T1578/005/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
[rule.investigation_fields]
field_names = [
"@timestamp",
"user.name",
"user_agent.original",
"source.ip",
"aws.cloudtrail.user_identity.arn",
"aws.cloudtrail.user_identity.type",
"aws.cloudtrail.user_identity.access_key_id",
"event.action",
"event.outcome",
"cloud.account.id",
"cloud.region",
"aws.cloudtrail.request_parameters",
"aws.cloudtrail.response_elements",
]