Attacking AWS RDS

What is AWS RDS?

AWS RDS stands for Amazon Web Services Relational Database Service. It is a managed database service offered by Amazon that makes it easier to set up, operate, and scale a relational database in the cloud. With AWS RDS, you can choose from several popular relational database engines, such as MySQL, PostgreSQL, SQL Server, MariaDB, and Oracle, and Amazon takes care of the underlying infrastructure, including database patching, backups, and maintenance tasks.

AWS RDS provides features like automated backups, high availability, and the ability to easily scale your database resources up or down as your application’s needs change. This service is designed to simplify database management tasks, reduce administrative overhead, and improve the overall reliability and performance of your relational databases in an AWS environment.

What is an RDS Snapshot?

An RDS snapshot in Amazon Relational Database Service captures a point-in-time copy of a database instance, including data, schema, and settings. Used for backup and recovery, it ensures data consistency and flexibility. Snapshots support cloning, migration, and instance creation, aiding in development, testing, and disaster recovery. With a specified retention period, users can manage storage costs effectively. Encryption adds an extra layer of security, and automated backups simplify regular snapshot creation. Sharing options facilitate collaboration, making RDS snapshots a versatile tool for maintaining data integrity and managing relational databases on AWS.

Understanding Scenario

In this scenario, we look at how data can be exploited and exfiltrated from a public snapshot. This is an AWS RDS misconfiguration that arises when people want to share a database with other accounts but, rather than sharing the snapshot with a particular AWS account, make the snapshot public without even enabling encryption for the respective RDS database. This lets attackers reach the data inside the database without hurdles such as encryption layers or access-control layers, because when you create a database from a public snapshot you can easily change the master password for that RDS database.
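A defender-side check for the misconfiguration described above, as an added example that is not part of the original page: it flags manual snapshots in your own account whose restore attribute is shared with all AWS accounts, and reports whether each one is encrypted. The helper names, snapshot names and account ID are constructed for illustration.

```python
def classify_snapshot(snapshot, attributes):
    """Classify one snapshot from dicts shaped like the RDS API responses."""
    restore = []
    for attr in attributes:
        if attr.get("AttributeName") == "restore":
            restore = list(attr.get("AttributeValues", []))
    public = "all" in restore  # "all" = any AWS account may restore it
    return {
        "id": snapshot["DBSnapshotIdentifier"],
        "public": public,
        "encrypted": bool(snapshot.get("Encrypted", False)),
        "shared_accounts": [v for v in restore if v != "all"],
        "severity": "CRITICAL" if public else ("REVIEW" if restore else "OK"),
    }

def audit_account(region):
    """Query the live account; needs boto3 and read-only rds:Describe* access."""
    import boto3  # lazy import so the classifier above runs offline
    rds = boto3.client("rds", region_name=region)
    findings = []
    paginator = rds.get_paginator("describe_db_snapshots")
    for page in paginator.paginate(SnapshotType="manual"):
        for snap in page["DBSnapshots"]:
            result = rds.describe_db_snapshot_attributes(
                DBSnapshotIdentifier=snap["DBSnapshotIdentifier"])
            attrs = result["DBSnapshotAttributesResult"]["DBSnapshotAttributes"]
            findings.append(classify_snapshot(snap, attrs))
    return findings

# Constructed sample data shaped like the API responses (not real snapshots).
SAMPLE = [
    ({"DBSnapshotIdentifier": "orders-share", "Encrypted": False},
     [{"AttributeName": "restore", "AttributeValues": ["all"]}]),
    ({"DBSnapshotIdentifier": "orders-partner", "Encrypted": True},
     [{"AttributeName": "restore", "AttributeValues": ["111122223333"]}]),
    ({"DBSnapshotIdentifier": "orders-nightly", "Encrypted": True},
     [{"AttributeName": "restore", "AttributeValues": []}]),
]

def audit_sample():
    """Run the classifier over the constructed sample above."""
    return [classify_snapshot(s, a) for s, a in SAMPLE]

if __name__ == "__main__":
    for finding in audit_sample():
        print(finding)
```

Calling audit_account with a region name and read-only credentials runs the same classification against a live account; any CRITICAL finding is a snapshot that should be re-shared with specific account IDs instead of publicly.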

Lab

Navigate to the Public Snapshot section in the AWS RDS service and search for a specific string, such as the company name or anything else, to check for public RDS snapshots matching that string.

Now open the snapshot in a new tab and, from the Actions tab, select “Restore Snapshot” to create a new database in your account from the public snapshot.

While configuring the database from the snapshot, make sure to select “Yes” to enable public access on the database.

Once the database status is “available”, click the “Modify” tab to set the master password of the database.

Now configure the security group for the database and open port 3306 for your own IP address so that you can access the database.

Now copy the endpoint from the database section of the respective database.

Now connect to the database using the mysql client on Linux with the command below.

mysql -u <username> -p -h <databaseendpoint>
