Beginner Lab
AWS
Pillage Exposed RDS Instances
Learn about the danger of publicly accessible Amazon Relational Database Service (RDS) instances, and how this can be leveraged by an attacker!
Overview
We created this beginner-friendly lab to teach about the danger of publicly accessible Amazon Relational Database Service (RDS) instances, and how this can be leveraged by an attacker. Advice on remediation and detection is also included.
Scenario
"In the backdrop of rising cybersecurity threats, with chatter on Telegram channels hinting at data dumps and Pastebin snippets exposing snippets of configurations, Huge Logistics is taking no chances. They've enlisted your team's expertise to rigorously assess their cloud infrastructure. Armed with a list of IP addresses and endpoints, a lead emerged - an RDS endpoint: exposed.cw9ow1llpfvz.eu-north-1.rds.amazonaws.com. Your mission? Dive deep into this endpoint's security, and identify any security issues before threat actors do."
Lab prerequisites
- Basic Linux command line knowledge
Learning outcomes
- Familiarity with Nmap and the mysql-brute script
- Familiarity with the MySQL CLI
- An awareness of how this could be remediated and detected
Real-world context
Amazon Relational Database Service (RDS) is a web service that makes it easy to set up, operate, and scale relational databases in the cloud. Administration tasks such as hardware provisioning, database setup, patching, and backups are handled by AWS, allowing us to spend more time at the application level.
Amazon RDS supports several database engines, including:
- Amazon Aurora (port 3306)
- PostgreSQL (port 5432)
- MySQL (port 3306)
- MariaDB (port 3306)
- Oracle Database (port 1521)
- SQL Server (port 1433)
Brute force attacks on exposed infrastructure are very common, and exposed Amazon RDS instances are no exception. Databases often contain highly sensitive data, so they are an attractive target. Although database default account lockout policies should prevent many noisy password brute force attacks, they may be much less effective against a more careful attacker who uses multiple IP addresses and tries a smaller number of common usernames and passwords over a longer duration. Aside from brute force attacks, exposed infrastructure is also open to denial of service (DoS) attacks. Ultimately it's best not to rely on a single layer of defense (application layer security) to protect sensitive data.
It's worth noting that although an RDS endpoint was provided in this scenario, that endpoint resolves to a dynamic IP address from the EC2 public address pool. We could just as well connect to that IP address in this lab.
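On the remediation side, the root cause in this scenario is an instance that is both flagged publicly accessible and reachable through a security group that opens the database port to the internet. The following is an added example (not part of the lab and not Pwned Labs' code) that audits for exactly that: it consumes the JSON shape returned by `aws rds describe-db-instances` and `aws ec2 describe-security-groups`, separates instances that are internet-reachable from those that only carry the public flag, and prints the AWS CLI commands that close the exposure. The instance and security-group records are constructed for the example; the endpoint hostnames and group ids are placeholders.

```python
"""Audit RDS instances for public exposure. Added example, not part of the lab;
the sample records are constructed and only carry the fields the audit reads."""
import ipaddress

# Constructed sample of the "DBInstances" array from `aws rds describe-db-instances`.
SAMPLE_DB_INSTANCES = [
    {"DBInstanceIdentifier": "exposed-db", "Engine": "mysql", "PubliclyAccessible": True,
     "Endpoint": {"Address": "exposed-db.example.eu-north-1.rds.amazonaws.com", "Port": 3306},
     "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0aaa111", "Status": "active"}]},
    {"DBInstanceIdentifier": "locked-db", "Engine": "postgres", "PubliclyAccessible": True,
     "Endpoint": {"Address": "locked-db.example.eu-north-1.rds.amazonaws.com", "Port": 5432},
     "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0bbb222", "Status": "active"}]},
    {"DBInstanceIdentifier": "internal-db", "Engine": "mariadb", "PubliclyAccessible": False,
     "Endpoint": {"Address": "internal-db.example.eu-north-1.rds.amazonaws.com", "Port": 3306},
     "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0aaa111", "Status": "active"}]},
]

# Constructed sample of the "SecurityGroups" array from `aws ec2 describe-security-groups`.
SAMPLE_SECURITY_GROUPS = [
    {"GroupId": "sg-0aaa111", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0bbb222", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
]


def rule_opens_port_to_world(perm, port):
    """True if one ingress rule admits `port` from any IPv4 (0.0.0.0/0) or IPv6 (::/0) address."""
    proto = perm.get("IpProtocol")
    if proto == "-1":  # "all traffic": AWS omits FromPort/ToPort on these rules
        in_range = True
    elif proto == "tcp":
        in_range = perm.get("FromPort", -1) <= port <= perm.get("ToPort", -1)
    else:
        return False
    if not in_range:
        return False
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    # A prefix length of 0 is the whole address space, regardless of family.
    return any(ipaddress.ip_network(c, strict=False).prefixlen == 0 for c in cidrs)


def find_exposed_instances(db_instances, security_groups):
    """One finding per instance with PubliclyAccessible set. Severity is
    'internet-reachable' when a security group also opens the engine port to the
    world, else 'public-flag-only' (still worth fixing: one layer of defense)."""
    sg_by_id = {sg["GroupId"]: sg for sg in security_groups}
    findings = []
    for db in db_instances:
        if not db.get("PubliclyAccessible"):
            continue
        port = db["Endpoint"]["Port"]
        open_sgs = []
        for member in db.get("VpcSecurityGroups", []):
            sg = sg_by_id.get(member["VpcSecurityGroupId"])
            if sg and any(rule_opens_port_to_world(p, port) for p in sg.get("IpPermissions", [])):
                open_sgs.append(sg["GroupId"])
        findings.append({
            "id": db["DBInstanceIdentifier"], "engine": db["Engine"],
            "endpoint": db["Endpoint"]["Address"], "port": port,
            "open_security_groups": open_sgs,
            "severity": "internet-reachable" if open_sgs else "public-flag-only",
        })
    return findings


def remediation_commands(finding):
    """AWS CLI commands that remove the exposure for one finding."""
    cmds = [f"aws rds modify-db-instance --db-instance-identifier {finding['id']} "
            "--no-publicly-accessible --apply-immediately"]
    for sg in finding["open_security_groups"]:
        cmds.append(f"aws ec2 revoke-security-group-ingress --group-id {sg} "
                    f"--protocol tcp --port {finding['port']} --cidr 0.0.0.0/0")
    return cmds


if __name__ == "__main__":
    for f in find_exposed_instances(SAMPLE_DB_INSTANCES, SAMPLE_SECURITY_GROUPS):
        print(f"{f['severity']:>18}  {f['id']}  {f['endpoint']}:{f['port']}  {f['open_security_groups']}")
        for cmd in remediation_commands(f):
            print("    ", cmd)
```

The revoke command it emits matches a rule that was written as that exact port and 0.0.0.0/0; a rule written as all traffic (`IpProtocol` -1), a wider port range, or an IPv6 ::/0 range must be revoked with matching arguments instead. Clearing the public flag moves the instance off its public IP, so check that nothing legitimate connects to it from outside the VPC first, and have a VPN or bastion path ready for the administrators who do.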