Research conducted by Mitiga was released today, analyzing the potential risk of exposure of Personally Identifiable Information in the Amazon Relational Database Service.
Amazon RDS may expose PII.
Mitiga released research today discussing the exposure of Personally Identifiable Information (PII) in Amazon Relational Database Service (Amazon RDS) snapshots. Amazon RDS is described as a Platform-as-a-Service (PaaS) that provides a database platform based on optional engines such as MySQL and PostgreSQL, and RDS snapshots are used to help back up databases.
Attacker tactics against Amazon RDS.
Researchers discovered RDS snapshots that were shared publicly for hours, days, and weeks, both intentionally and by mistake, and created a way to exploit the issue to mimic attackers. The team created an AWS-native technique to extract information from RDS snapshots. The steps are described as follows:
- “Scan — Hourly scan for DB snapshots that have been marked as public from all regions (except the regions not enabled by default: af-south-1, ap-east-1, ap-southeast-3, eu-south-1, eu-central-2, me-south-1 and me-central-1.)
- “Clone — Clone the snapshot to our own AWS account and maintain a state file to make sure we are not cloning duplicates.
- “List — Create a list of cloned RDS snapshots to extract, making sure we are not creating a DB instance from a snapshot that was examined in the past.
- “Prepare — Get a list of snapshot ARNs and create a DB instance out of it. To do so we reset the master password so we can create and access the restored DB instance.
- “Extract — Automatically extract DB schema (particularly the table names and column names) as well as the table's content (limit 10,000 lines per table) to S3 for further analysis.
- “Cleanup — Delete the DB instances to cut charges.”
Key insights in the vulnerability.
Researchers found that the total number of snapshots seen in the month analyzed was 2,783, and of those, 810 were exposed during the timeframe being analyzed. 1,859 of the snapshots were exposed for only a day or two. This was also discovered to be occurring worldwide.
Mitigating the risk to RDS.
The Mitiga team says that an email should be sent from Amazon notifying you of a public snapshot in your account after sharing a snapshot publicly. There is also a tool called ‘AWS Trusted Advisor’ that recommends steps to improve your environment in different ways; costs, performance, and security. Public snapshots will cause the ‘Trusted Advisor’ widget to warn of an ‘Action recommended.’ Provided in the research as well are ways to check for public screenshots.