A MySQL RDS instance was deleted from our account a couple of days ago. We can tell when the instance was deleted from the logs of a web app that uses the database, as well as from the timestamp on a snapshot of the instance that was created before it was deleted.
The only events in the CloudTrail log at the time were KMS RetireGrant events. There was no user name associated with the events. The RetireGrants appear to have revoked grants that were created in 2012.
I've included the JSON of one of the grants that was retired, below. There were 4, altogether.
We didn't lose any data, because the system created a snapshot before it deleted the instance. But I want to understand what happened, and what I can do to make sure it doesn't happen again.
Is it possible the instance was deleted because it was running an old version of MySQL, and we missed update notices?
{
"Version": "2012-10-17",
"Id": "auto-rds-2",
"Statement": [
{
"Sid": "Allow access through RDS for all principals in the account that are authorized to use RDS",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:CreateGrant",
"kms:ListGrants",
"kms:DescribeKey"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"kms:ViaService": "rds.us-east-1.amazonaws.com",
"kms:CallerAccount": "xxxxx"
}
}
},
{
"Sid": "Allow direct access to key metadata to the account",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::xxxx:root"
},
"Action": [
"kms:Describe*",
"kms:Get*",
"kms:List*",
"kms:RevokeGrant"
],
"Resource": "*"
}
]
}