AWS GuardDuty & RDS, what are the features exactly?!


Hi, we're going through an audit (it is my first year at this company) and I'm trying to find evidence, if we have any, that we monitor for data exfiltration attempts specifically (or other intrusion detection at the SQL level). I am having a hard time getting a straight answer, as there's a GuardDuty blog post here that claims RDS protection, though I can't find any reference to this function in GuardDuty's user guide.

Perhaps if this is monitored through AWS CloudTrail, then GuardDuty doesn't list those separately? GuardDuty does claim to use CloudTrail as a source but then doesn't list anything regarding that under finding types... I'd assume it would report the findings similarly, but I'm not sure on what or where?

Anyway, I'm sure I'm missing something obvious here, but if I can get some general guidance on how to figure out what CloudTrail finding results look like, or more specifically what RDS findings look like, it would be greatly appreciated!

1 Answer


Hopefully I can provide some clarity on this for you! As per the blog post that you shared, Amazon GuardDuty does generate findings related to Amazon RDS. However, as you point out, RDS is not listed in the GuardDuty Finding types documentation.

This is because exfiltration-related RDS findings are created based on AWS CloudTrail management logs and fall under the Exfiltration:IAMUser/AnomalousBehavior finding type. Note that findings ending with /AnomalousBehavior are generated by GuardDuty's anomaly detection machine learning model, considering details like the requester, the location that the request originated from, and the specific API call that was made. I don't have an exhaustive list of all of the RDS API calls that could trigger this finding type, but from the documentation for this finding type:

"The API observed is commonly associated with exfiltration tactics where an adversary is trying to collect data from your network using packaging and encryption to avoid detection. APIs for this finding type are management (control-plane) operations only and are typically related to S3, snapshots, and databases, such as, PutBucketReplication, CreateSnapshot, or RestoreDBInstanceFromDBSnapshot."

When a finding like this is created, it will look very similar to the example in the blog post, except instead of the Discovery finding type, it will be Exfiltration. You'll have visibility into all of the request details, as well as the API calls that were determined to be anomalous.

To learn more about this, I'd recommend exploring the IAM finding types documentation - especially the findings ending in IAMUser/AnomalousBehavior. Also, if you need an example to share for your audit, you can generate sample findings by following these steps.

answered 2 years ago
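For gathering audit evidence of the kind the answer describes, here is an added Python example (not code from the post or from AWS): it filters a list of GuardDuty findings down to Exfiltration:IAMUser/AnomalousBehavior findings whose flagged API call was made against RDS, and emits the matching EventBridge event pattern for alerting. The sample findings are constructed and follow the field layout of the GuardDuty finding JSON (PascalCase as returned by the GetFindings API, camelCase as delivered through EventBridge); the sample values are assumptions.

```python
import json

# Added example (not from the post). Sample findings are constructed to follow the
# GuardDuty finding layout; only the fields this filter reads are included.
EXFIL_TYPE = "Exfiltration:IAMUser/AnomalousBehavior"
RDS_SERVICE = "rds.amazonaws.com"

def _finding(fid, ftype, api, service, user, ip):
    """Build a constructed finding in the PascalCase shape boto3 get_findings returns."""
    return {"Id": fid, "Type": ftype, "Severity": 8.0, "UpdatedAt": "2023-05-01T10:00:00Z",
            "Resource": {"AccessKeyDetails": {"UserName": user, "UserType": "IAMUser"}},
            "Service": {"Action": {"ActionType": "AWS_API_CALL", "AwsApiCallAction": {
                "Api": api, "ServiceName": service,
                "RemoteIpDetails": {"IpAddressV4": ip}}}}}

SAMPLE_FINDINGS = [  # constructed, not real data
    _finding("f-1", EXFIL_TYPE, "RestoreDBInstanceFromDBSnapshot", RDS_SERVICE, "db-admin", "203.0.113.10"),
    _finding("f-2", EXFIL_TYPE, "PutBucketReplication", "s3.amazonaws.com", "backup-svc", "198.51.100.7"),
    _finding("f-3", "Discovery:IAMUser/AnomalousBehavior", "DescribeDBInstances", RDS_SERVICE, "db-admin", "203.0.113.10"),
]

def _get(obj, *path):
    """Walk nested keys, accepting PascalCase (boto3) or camelCase (EventBridge/console)."""
    for key in path:
        if not isinstance(obj, dict):
            return None
        obj = obj.get(key, obj.get(key[0].lower() + key[1:]))
    return obj

def rds_exfil_findings(findings):
    """Keep only Exfiltration:IAMUser/AnomalousBehavior findings whose API call hit RDS."""
    rows = []
    for f in findings:
        call = _get(f, "Service", "Action", "AwsApiCallAction")
        if _get(f, "Type") != EXFIL_TYPE or _get(call, "ServiceName") != RDS_SERVICE:
            continue
        rows.append({"id": _get(f, "Id"), "api": _get(call, "Api"),
                     "principal": _get(f, "Resource", "AccessKeyDetails", "UserName"),
                     "source_ip": _get(call, "RemoteIpDetails", "IpAddressV4"),
                     "severity": _get(f, "Severity"), "updated_at": _get(f, "UpdatedAt")})
    return rows

def eventbridge_pattern():
    """EventBridge event pattern that routes only RDS exfiltration findings to an alert target."""
    return {"source": ["aws.guardduty"], "detail-type": ["GuardDuty Finding"],
            "detail": {"type": [EXFIL_TYPE],
                       "service": {"action": {"awsApiCallAction": {"serviceName": [RDS_SERVICE]}}}}}

if __name__ == "__main__":
    print(json.dumps(rds_exfil_findings(SAMPLE_FINDINGS), indent=2))
    print(json.dumps(eventbridge_pattern(), indent=2))
```

In a live account the same filter can be fed the Findings list returned by the GuardDuty GetFindings API, and the pattern can be attached to an EventBridge rule so each matching finding is recorded as it occurs.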
