Links

AWS - Relational Database (RDS) Enum

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
Other ways to support HackTricks:

Basic Information

The Relational Database Service (RDS) offered by AWS is designed to streamline the deployment, operation, and scaling of a relational database in the cloud. This service offers the advantages of cost efficiency and scalability while automating labor-intensive tasks like hardware provisioning, database configuration, patching, and backups.
AWS RDS supports various widely-used relational database engines including MySQL, PostgreSQL, MariaDB, Oracle Database, Microsoft SQL Server, and Amazon Aurora, with compatibility for both MySQL and PostgreSQL.
Key features of RDS include:
  • Management of database instances is simplified.
  • Creation of read replicas to enhance read performance.
  • Configuration of multi-Availability Zone (AZ) deployments to ensure high availability and failover mechanisms.
  • Integration with other AWS services, such as:
    • AWS Identity and Access Management (IAM) for robust access control.
    • AWS CloudWatch for comprehensive monitoring and metrics.
    • AWS Key Management Service (KMS) for ensuring encryption at rest.

Credentials

When creating the DB cluster the master username can be configured (admin by default). To generate the password of this user you can:
  • Indicate a password yourself
  • Tell RDS to auto generate it
  • Tell RDS to manage it in AWS Secret Manager encrypted with a KMS key

Authentication

There are 3 types of authentication options, but using the master password is always allowed:

Public Access & VPC

By default no public access is granted to the databases, however it could be granted. Therefore, by default only machines from the same VPC will be able to access it if the selected security group (are stored in EC2 SG)allows it.
Instead of exposing a DB instance, it’s possible to create a RDS Proxy which improves the scalability & availability of the DB cluster.
Moreover, the database port can be modified also.

Encryption

Encryption is enabled by default using a AWS managed key (a CMK could be chosen instead).
By enabling your encryption, you are enabling encryption at rest for your storage, snapshots, read replicas and your back-ups. Keys to manage this encryption can be issued by using KMS. It's not possible to add this level of encryption after your database has been created. It has to be done during its creation.
However, there is a workaround allowing you to encrypt an unencrypted database as follows. You can create a snapshot of your unencrypted database, create an encrypted copy of that snapshot, use that encrypted snapshot to create a new database, and then, finally, your database would then be encrypted.

Transparent Data Encryption (TDE)

Alongside the encryption capabilities inherent to RDS at the application level, RDS also supports additional platform-level encryption mechanisms to safeguard data at rest. This includes Transparent Data Encryption (TDE) for Oracle and SQL Server. However, it's crucial to note that while TDE enhances security by encrypting data at rest, it may also affect database performance. This performance impact is especially noticeable when used in conjunction with MySQL cryptographic functions or Microsoft Transact-SQL cryptographic functions.
To utilize TDE, certain preliminary steps are required:
  1. 1.
    Option Group Association:
    • The database must be associated with an option group. Option groups serve as containers for settings and features, facilitating database management, including security enhancements.
    • However, it's important to note that option groups are only available for specific database engines and versions.
  2. 2.
    Inclusion of TDE in Option Group:
    • Once associated with an option group, the Oracle Transparent Data Encryption option needs to be included in that group.
    • It's essential to recognize that once the TDE option is added to an option group, it becomes a permanent fixture and cannot be removed.
  3. 3.
    TDE Encryption Modes:
    • TDE offers two distinct encryption modes:
      • TDE Tablespace Encryption: This mode encrypts entire tables, providing a broader scope of data protection.
      • TDE Column Encryption: This mode focuses on encrypting specific, individual elements within the database, allowing for more granular control over what data is encrypted.
Understanding these prerequisites and the operational intricacies of TDE is crucial for effectively implementing and managing encryption within RDS, ensuring both data security and compliance with necessary standards.

Enumeration

# Clusters info
## Get Endpoints, username, port, iam auth enabled, attached roles, SG
aws rds describe-db-clusters
aws rds describe-db-cluster-endpoints #Cluster URLs
aws rds describe-db-cluster-backtracks --db-cluster-identifier <cluster-name>
## Cluster snapshots
aws rds describe-db-cluster-snapshots
# Get DB instances info
aws rds describe-db-instances #username, url, port, vpc, SG, is public?
aws rds describe-db-security-groups
## Find automated backups
aws rds describe-db-instance-automated-backups
## Find snapshots
aws rds describe-db-snapshots
aws rds describe-db-snapshots --include-public --snapshot-type public
## Restore snapshot as new instance
aws rds restore-db-instance-from-db-snapshot --db-instance-identifier <ID> --db-snapshot-identifier <ID> --availability-zone us-west-2a
# Any public snapshot in the account
aws rds describe-db-snapshots --snapshot-type public
# Proxies
aws rds describe-db-proxy-endpoints
aws rds describe-db-proxy-target-groups
aws rds describe-db-proxy-targets
## reset credentials of MasterUsername
aws rds modify-db-instance --db-instance-identifier <ID> --master-user-password <NewPassword> --apply-immediately

Unauthenticated Access

Privesc

Post Exploitation

Persistence

SQL Injection

There are ways to access DynamoDB data with SQL syntax, therefore, typical SQL injections are also possible.
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
Other ways to support HackTricks: