Thousands of databases hosted on AWS RDS have been found to be leaking PII data providing a potential treasure trove for threat actors.
The exposure comes through the snapshot feature of Amazon RDS, which is used to back up hosted databases. The feature lets users share public data or a template database with an application, including by creating a public RDS snapshot that can be shared without having to set up roles and policies.
The snapshots can sit exposed for anywhere from minutes to days or even weeks, full of PII that is attractive to threat actors.
Researchers developed an AWS-native technique using AWS Lambda, AWS Step Functions and boto3 (the AWS SDK for the Python programming language) to scan, clone and extract sensitive information from RDS snapshots at large scale.
The researchers over the month observed 2,783 RDS snapshots, of which 810 were exposed publicly throughout the entire month. Additionally, 1,859 snapshots of the 2,783 were exposed for one to two days, enough time for an attacker to obtain them easily.
Information in the exposed snapshots included addresses, passwords, credit card details, tokens, phone numbers and passport numbers.
The researchers noted that AWS not only makes RDS users aware of publicly exposed snapshots but also provides tools such as AWS Trusted Advisor that detects security issues and recommends steps to remediate them.
The researchers note that AWS enables users to encrypt a snapshot with a shared KMS key to mitigate the issue.
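The check and the mitigation above can be automated from a defender's side with the same boto3 SDK the researchers used. The following is an added example written for this page, not code from the article or from AWS: it lists an account's manual RDS snapshots (only manual snapshots can be shared), reads each snapshot's `restore` attribute, which carries the value `all` when the snapshot is public, flags public and unencrypted ones, and can optionally remove the public grant. The snapshot names, account id and region in the sample data are constructed for illustration; the decision logic is kept separate from the API calls so it can be exercised on those constructed responses without AWS credentials.

```python
"""Audit an AWS account's RDS snapshots for public exposure.

Added example (not the article's or AWS's own code). Assumes credentials
with rds:DescribeDBSnapshots, rds:DescribeDBSnapshotAttributes and, for
remediation, rds:ModifyDBSnapshotAttribute.
"""

# AWS marks a snapshot as publicly restorable by putting the literal value
# "all" into its "restore" attribute; specific sharing lists account ids instead.
PUBLIC_MARKER = "all"


def is_public_snapshot(attributes_result):
    """True if a DBSnapshotAttributesResult dict marks the snapshot public.

    Shape of the input (the 'DBSnapshotAttributesResult' part of the
    describe_db_snapshot_attributes response):
      {"DBSnapshotIdentifier": "...",
       "DBSnapshotAttributes": [{"AttributeName": "restore",
                                 "AttributeValues": ["all" | "<account id>", ...]}]}
    """
    for attr in attributes_result.get("DBSnapshotAttributes", []):
        if attr.get("AttributeName") == "restore" and PUBLIC_MARKER in attr.get("AttributeValues", []):
            return True
    return False


def classify_snapshots(snapshots, attribute_results):
    """Join describe_db_snapshots records with their sharing attributes.

    Returns one finding per snapshot: whether it is public, whether its
    storage is KMS-encrypted (the mitigation the article mentions; encrypted
    snapshots cannot be made public, only shared with named accounts that
    can use the key), and the explicit account ids it is shared with.
    """
    attrs_by_id = {r["DBSnapshotIdentifier"]: r for r in attribute_results}
    findings = []
    for snap in snapshots:
        sid = snap["DBSnapshotIdentifier"]
        attrs = attrs_by_id.get(sid, {})
        shared_with = [
            v
            for a in attrs.get("DBSnapshotAttributes", [])
            if a.get("AttributeName") == "restore"
            for v in a.get("AttributeValues", [])
            if v != PUBLIC_MARKER
        ]
        findings.append(
            {
                "snapshot": sid,
                "public": is_public_snapshot(attrs),
                "encrypted": bool(snap.get("Encrypted", False)),
                "shared_with": shared_with,
            }
        )
    return findings


def public_unencrypted(findings):
    """Snapshot ids that are both public and unencrypted: the exposure the article describes."""
    return [f["snapshot"] for f in findings if f["public"] and not f["encrypted"]]


def audit_account(region, remediate=False):
    """Run the audit against a real account; boto3 is imported here so the
    pure functions above work without it installed."""
    import boto3  # AWS SDK for Python, as used by the researchers

    rds = boto3.client("rds", region_name=region)
    snapshots = []
    for page in rds.get_paginator("describe_db_snapshots").paginate(SnapshotType="manual"):
        snapshots.extend(page["DBSnapshots"])
    attribute_results = [
        rds.describe_db_snapshot_attributes(DBSnapshotIdentifier=s["DBSnapshotIdentifier"])[
            "DBSnapshotAttributesResult"
        ]
        for s in snapshots
    ]
    findings = classify_snapshots(snapshots, attribute_results)
    if remediate:
        # Removing "all" from the restore attribute withdraws public access
        # while leaving any account-specific shares in place.
        for f in findings:
            if f["public"]:
                rds.modify_db_snapshot_attribute(
                    DBSnapshotIdentifier=f["snapshot"],
                    AttributeName="restore",
                    ValuesToRemove=[PUBLIC_MARKER],
                )
    return findings


# Constructed sample API responses (snapshot names and account id are made up).
SAMPLE_SNAPSHOTS = [
    {"DBSnapshotIdentifier": "prod-customers-2023", "Encrypted": False},
    {"DBSnapshotIdentifier": "analytics-copy", "Encrypted": True},
    {"DBSnapshotIdentifier": "dev-seed", "Encrypted": False},
]
SAMPLE_ATTRIBUTES = [
    {"DBSnapshotIdentifier": "prod-customers-2023",
     "DBSnapshotAttributes": [{"AttributeName": "restore", "AttributeValues": ["all"]}]},
    {"DBSnapshotIdentifier": "analytics-copy",
     "DBSnapshotAttributes": [{"AttributeName": "restore", "AttributeValues": ["123456789012"]}]},
    {"DBSnapshotIdentifier": "dev-seed",
     "DBSnapshotAttributes": [{"AttributeName": "restore", "AttributeValues": []}]},
]

if __name__ == "__main__":
    for finding in classify_snapshots(SAMPLE_SNAPSHOTS, SAMPLE_ATTRIBUTES):
        print(finding)
    print("public and unencrypted:", public_unencrypted(classify_snapshots(SAMPLE_SNAPSHOTS, SAMPLE_ATTRIBUTES)))
```

Run `audit_account("us-east-1")` with credentials to audit a real account, or with `remediate=True` to withdraw public access from anything it flags; the sample data at the bottom exercises the classification offline. Encrypting snapshots with a KMS key, as the article notes, closes the public path entirely, since AWS only permits encrypted snapshots to be shared with explicitly named accounts.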