New findings from Mitiga researchers allege that hundreds of databases on Amazon Relational Database Service (Amazon RDS) are exposing personally identifiable information (PII). Leaked information purportedly includes names, email addresses, dates of birth, marital status and even company logins. Mitiga claims the leaks offer a “treasure trove” for threat actors, either during the reconnaissance phase of the cyber kill chain or for ransomware campaigns.

Impact

Amazon RDS is a web service that makes it possible to set up relational databases in the Amazon Web Services (AWS) cloud. It supports MySQL, Oracle, PostgreSQL and other database engines. The root cause of the leaks is a feature called public RDS snapshots: a snapshot is a backup of the entire database environment running in the cloud, and marking it public makes it accessible to every AWS account. When a snapshot is shared publicly, even for a few minutes, it gives all AWS accounts permission both to copy the snapshot and to create DB instances from it; a copy taken during that window stays in the copying account even after the original is made private again.

DXC perspective

Assume the worst and don’t make a snapshot public unless you are 100% certain that the metadata and content contain no sensitive data. Proper identity management and governance, including least-privilege permissions policies, limit the risk. Snapshots encrypted with a KMS key cannot be shared publicly at all, so encrypting them also closes this exposure path.
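As an added example (not code from Mitiga or DXC), the following Python audits an account for snapshots whose `restore` attribute contains the value `all`, which is how AWS represents public sharing, and revokes it. The `FakeRds` client and its snapshot names and account id are constructed sample data; a real `boto3.client("rds")` can be passed in its place, since the functions only call the `describe_db_snapshots`, `describe_db_snapshot_attributes` and `modify_db_snapshot_attribute` methods that client exposes.

```python
PUBLIC_MARKER = "all"  # AWS records public sharing as the literal value "all" in a snapshot's 'restore' attribute

def is_public(attributes_response):
    """True when the snapshot's 'restore' attribute grants every AWS account copy/restore access."""
    result = attributes_response["DBSnapshotAttributesResult"]
    for attr in result.get("DBSnapshotAttributes", []):
        if attr["AttributeName"] == "restore" and PUBLIC_MARKER in attr.get("AttributeValues", []):
            return True
    return False

def find_public_snapshots(rds):
    """Return identifiers of manual snapshots in the account that are shared publicly (follows pagination)."""
    public, kwargs = [], {"SnapshotType": "manual"}
    while True:
        page = rds.describe_db_snapshots(**kwargs)
        for snap in page.get("DBSnapshots", []):
            ident = snap["DBSnapshotIdentifier"]
            if is_public(rds.describe_db_snapshot_attributes(DBSnapshotIdentifier=ident)):
                public.append(ident)
        if "Marker" not in page:
            return public
        kwargs["Marker"] = page["Marker"]

def revoke_public_access(rds, snapshot_id):
    """Drop the 'all' value so only explicitly named accounts (if any) keep access."""
    return rds.modify_db_snapshot_attribute(
        DBSnapshotIdentifier=snapshot_id, AttributeName="restore", ValuesToRemove=[PUBLIC_MARKER])

class FakeRds:
    """Constructed stand-in for boto3.client('rds'); snapshot names and the account id are sample data."""
    def __init__(self):
        self.restore = {"prod-customers": ["all"],            # public: the exposure described above
                        "staging-copy": ["123456789012"],     # shared with one named account only
                        "nightly-backup": []}                 # private
    def describe_db_snapshots(self, SnapshotType="manual", Marker=None):
        return {"DBSnapshots": [{"DBSnapshotIdentifier": i} for i in sorted(self.restore)]}
    def describe_db_snapshot_attributes(self, DBSnapshotIdentifier):
        return {"DBSnapshotAttributesResult": {"DBSnapshotIdentifier": DBSnapshotIdentifier, "DBSnapshotAttributes": [
            {"AttributeName": "restore", "AttributeValues": list(self.restore[DBSnapshotIdentifier])}]}}
    def modify_db_snapshot_attribute(self, DBSnapshotIdentifier, AttributeName, ValuesToAdd=(), ValuesToRemove=()):
        kept = [v for v in self.restore[DBSnapshotIdentifier] if v not in ValuesToRemove]
        self.restore[DBSnapshotIdentifier] = kept + list(ValuesToAdd)
        return self.describe_db_snapshot_attributes(DBSnapshotIdentifier)

if __name__ == "__main__":
    rds = FakeRds()  # swap in boto3.client("rds") to audit a real account
    for ident in find_public_snapshots(rds):
        print("public snapshot, revoking:", ident)
        revoke_public_access(rds, ident)
```

Automated snapshots cannot be shared, so the audit only needs to cover `SnapshotType="manual"`; run it on a schedule or from a config-change event so a snapshot that is public "for a few minutes" is caught inside that window.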