Query Details

AWS Cloud Trail Aws Credential Access Rds Password Reset

Query

AWSCloudTrail
| where EventName == "ModifyDBInstance" and RequestParameters has_any ("manageMasterUserPassword", "masterUserPassword", "masterUserSecretKmsKeyId", "rotateMasterUserPassword", "tdeCredentialPassword")
| invoke AWSIdentityRole()
| project
    TimeGenerated,
    UserIdentityType,
    Identity,
    ActorRole,
    UserIdentityAccountId,
    UserIdentityAccountName,
    RecipientAccountId,
    RecipientAccountName,
    AWSRegion,
    SessionCreationDate,
    UserIdentityPrincipalid,
    UserIdentityArn,
    SourceIpAddress,
    EventSource,
    EventTypeName,
    EventName,
    ManagementEvent,
    ReadOnly,
    ErrorCode,
    ErrorMessage,
    RequestParameters,
    ResponseElements,
    Resources,
    SessionMfaAuthenticated,
    UserAgent,
    AwsEventId

Explanation

This KQL (Kusto Query Language) query is designed to analyze AWS CloudTrail logs to identify specific events related to the modification of database instances. Here's a simple breakdown of what the query does:

  1. Data Source: It starts by looking at the AWSCloudTrail data, which contains logs of AWS API calls.

  2. Filter Criteria: The query filters the logs to find events where the EventName is "ModifyDBInstance". This means it is specifically interested in actions that modify database instances.

  3. Password-Related Changes: It further narrows down the results to only include events where the request parameters involve changes to the database's master user password or related security settings. This is done using the has_any function to check for specific keywords like "manageMasterUserPassword", "masterUserPassword", "masterUserSecretKmsKeyId", "rotateMasterUserPassword", and "tdeCredentialPassword".

  4. Role Information: The query uses invoke AWSIdentityRole() to enrich the data with information about the AWS identity role associated with the event.

  5. Data Projection: Finally, it selects a wide range of fields to display in the results, including details about the event's timing, the user identity, account information, AWS region, source IP address, event type, request parameters, and more.

In summary, this query is used to track and analyze specific modifications to AWS database instances, particularly focusing on changes related to the master user password, and provides detailed information about these events for further investigation or auditing purposes.

Details

Jose Sebastián Canós profile picture

Jose Sebastián Canós

Released: March 11, 2024

Tables

AWSCloudTrail

Keywords

AWSCloudTrail

Operators

where==andhas_anyinvokeproject

Actions

GitHub