
Amazon RDS Snapshots Leaking Troves of Personal Identifiable Information (PII)

Mitiga security researchers discovered that Amazon relational database service (Amazon RDS) snapshots were inadvertently leaking clients’ extensive personal identifiable information (PII).

Amazon RDS is a platform-as-a-service (PaaS) offering that allows users to set up, manage, and scale a choice of database engines such as MySQL/MariaDB, SQL Server, Oracle, and PostgreSQL in the cloud.

Database snapshots allow a user to back up the entire DB instance rather than individual databases, and to share the data publicly. They let owners share the database with other users and applications by briefly making it public, without having to manage roles and policies.

However, publicly sharing snapshots even briefly could allow threat actors to extract sensitive data for millions of users as the researchers discovered.

Threat actors could exploit briefly exposed Amazon RDS snapshots

The brief exposure of Amazon snapshots could allow threat actors to access the database and extract PII without the owners’ knowledge. Some Amazon RDS snapshots were publicly visible for extended periods, ranging from hours to days and even weeks, either deliberately or by mistake.

Between September 21 and October 20, Mitiga researchers detected 2,783 snapshots, with 810 snapshots (29%) exposed during the whole period. However, two-thirds (1,859) were exposed for just a day or two. Nevertheless, the researchers suggested that briefly exposed Amazon RDS snapshots are more likely than others to “contain data that should not be available, even for a short time, to the public.”

According to the researchers, exposed Amazon RDS snapshots are invaluable to threat actors, whether during the reconnaissance phase of the cyber kill chain or in extortionware/ransomware campaigns. Unfortunately, neither Mitiga nor database owners could determine whether attackers had accessed public RDS snapshots and extracted PII.

“We were surprised to find out there is no log event on copying public snapshots to another account or restoring a DB instance from another account, in the snapshot’s owner account,” the researchers lamented.

Amazon Web Services notifies users via email after sharing a snapshot to ensure that it was intended to be shared publicly. Unfortunately, account owners either overlooked the email notifications or discovered them too late when threat actors had already accessed the snapshot.

Amazon also has a feature that helps account owners optimize costs, performance, and security. The ‘AWS Trusted Advisor’ feature displays an “actions recommended” widget warning the user about publicly accessible Amazon RDS snapshots. However, account operators usually fail to notice such alerts promptly or ignore them altogether.

“While cloud storage is convenient, it can also be a bit tricky for people who are not familiar with it to secure,” said Erich Kron, security awareness advocate at KnowBe4. “The ability to do snapshots and share them, while very convenient, it’s something that can easily lead to issues that leave information exposed.”

According to Kron, an on-premises misconfiguration, while serious, is unlikely to expose millions of records, unlike a misconfiguration in cloud services.

“For organizations that store or process data within the cloud, processes should be in place to ensure that data remains protected even after making changes.”

He also recommended having a second person confirm permissions on data. Although inconvenient, the practice could “potentially save a lot of labor and the potential for fines, especially in heavily regulated industries.”

Extracting PII from exposed Amazon RDS snapshots

Mitiga researchers replicated the steps that threat actors would take to exploit exposed Amazon RDS snapshots and extract PII.

They developed an AWS-native technique, using AWS Lambda and Step Functions with boto3, to scan, clone, and extract potentially sensitive information from RDS snapshots at scale.

The leaked PII included email addresses, phone numbers, birth dates, and personal image links. Other exposed information included password hashes, private messages, and transactional data for applications ranging from a car rental system to a dating app.

While Amazon does not include the company’s name in the snapshot’s ID, creators often included obvious hints, such as abbreviations, that would allow threat actors to match exposed databases to their organizations.

Detection and mitigation of exposed Amazon RDS snapshots

To avoid leaking PII, users are advised to encrypt snapshots with KMS keys, which makes them impossible to share publicly. Additionally, they should manage permissions by following the “least privilege” principle.

Other recommendations include enabling AWS Config and adding the rds-snapshots-public-prohibited managed rule, which flags the account as non-compliant whenever a snapshot is shared publicly.


Account owners should also regularly check their snapshots by listing them with the aws rds describe-db-snapshots command and displaying their sharing attributes with the aws rds describe-db-snapshot-attributes command. Any snapshot whose restore attribute lists ‘all’ among its AttributeValues is publicly visible.
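The following script is an added example, not code from the article or from Mitiga. It automates the two checks described above (the describe-db-snapshots and describe-db-snapshot-attributes calls) with boto3, also notes which snapshots lack KMS encryption, and can optionally make a public snapshot private again by removing ‘all’ from its restore attribute via ModifyDBSnapshotAttribute. The region, account ID and snapshot names in the sample responses are constructed placeholders, and it assumes boto3 is installed with credentials configured only when the live audit function is called.

```python
"""Audit Amazon RDS manual snapshots for public exposure and missing encryption.

Added example (not the article's or Mitiga's code). The evaluation logic is
kept separate from the AWS calls so it can be exercised on constructed
responses without credentials.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Finding:
    snapshot_id: str
    public: bool            # restore attribute contains the literal 'all'
    encrypted: bool         # Encrypted flag from DescribeDBSnapshots
    shared_with: list[str] = field(default_factory=list)  # account IDs

    @property
    def issues(self) -> list[str]:
        out = []
        if self.public:
            out.append("publicly restorable: restore attribute contains 'all'")
        if not self.encrypted:
            out.append("unencrypted: can be shared publicly; encrypt with a KMS key")
        return out


def evaluate_snapshot(snapshot: dict, attributes_result: dict) -> Finding:
    """Evaluate one DescribeDBSnapshots entry plus its DescribeDBSnapshotAttributes
    result (the DBSnapshotAttributesResult object). Public visibility is signalled
    by the 'restore' attribute holding the value 'all'; any other values are the
    AWS account IDs the snapshot is shared with."""
    values: list[str] = []
    for attr in attributes_result.get("DBSnapshotAttributes", []):
        if attr.get("AttributeName") == "restore":
            values.extend(attr.get("AttributeValues", []))
    return Finding(
        snapshot_id=snapshot["DBSnapshotIdentifier"],
        public="all" in values,
        encrypted=bool(snapshot.get("Encrypted", False)),
        shared_with=[v for v in values if v != "all"],
    )


def public_ids(findings: list[Finding]) -> list[str]:
    """Identifiers of snapshots that are restorable by anyone."""
    return [f.snapshot_id for f in findings if f.public]


def audit_account(region: str, remediate: bool = False) -> list[Finding]:
    """Walk every manual snapshot in the region (only manual snapshots can be
    shared). boto3 is imported here so the pure functions above stay importable
    without AWS access. With remediate=True, public snapshots are made private
    again by removing 'all' from the restore attribute."""
    import boto3  # assumption: boto3 installed and credentials configured

    rds = boto3.client("rds", region_name=region)
    findings: list[Finding] = []
    for page in rds.get_paginator("describe_db_snapshots").paginate(SnapshotType="manual"):
        for snap in page["DBSnapshots"]:
            attrs = rds.describe_db_snapshot_attributes(
                DBSnapshotIdentifier=snap["DBSnapshotIdentifier"]
            )["DBSnapshotAttributesResult"]
            finding = evaluate_snapshot(snap, attrs)
            if finding.public and remediate:
                rds.modify_db_snapshot_attribute(
                    DBSnapshotIdentifier=finding.snapshot_id,
                    AttributeName="restore",
                    ValuesToRemove=["all"],
                )
            findings.append(finding)
    return findings


# Constructed sample responses shaped like the real API output, for a dry run.
SAMPLE_SNAPSHOTS = [
    {"DBSnapshotIdentifier": "crm-prod-snap-1", "Encrypted": False, "SnapshotType": "manual"},
    {"DBSnapshotIdentifier": "crm-prod-snap-2", "Encrypted": True, "SnapshotType": "manual"},
    {"DBSnapshotIdentifier": "dev-snap-3", "Encrypted": False, "SnapshotType": "manual"},
]
SAMPLE_ATTRIBUTES = {
    "crm-prod-snap-1": {"DBSnapshotAttributes": [{"AttributeName": "restore", "AttributeValues": ["all"]}]},
    "crm-prod-snap-2": {"DBSnapshotAttributes": [{"AttributeName": "restore", "AttributeValues": ["123456789012"]}]},
    "dev-snap-3": {"DBSnapshotAttributes": [{"AttributeName": "restore", "AttributeValues": []}]},
}


def dry_run() -> list[Finding]:
    """Evaluate the constructed samples exactly as audit_account would evaluate live data."""
    return [evaluate_snapshot(s, SAMPLE_ATTRIBUTES[s["DBSnapshotIdentifier"]]) for s in SAMPLE_SNAPSHOTS]


if __name__ == "__main__":
    for f in dry_run():
        print(f"{f.snapshot_id}: {'; '.join(f.issues) or 'ok'}")
```

Run it as-is for the dry run, or call audit_account("us-east-1") against a real account; pass remediate=True only once the listed snapshots have been reviewed, since removing ‘all’ immediately revokes public restore access. The same boto3 client model extends to the AWS Config recommendation: the managed rule named in the article has the source identifier RDS_SNAPSHOTS_PUBLIC_PROHIBITED and can be enabled with the Config service’s put_config_rule call.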