Skip to content

Latest commit

 

History

History
80 lines (53 loc) · 5.39 KB

aws-relational-database-rds-enum.md

File metadata and controls

80 lines (53 loc) · 5.39 KB

AWS - Relational Database (RDS) Enum

Support HackTricks and get benefits!

RDS

RDS allows you to set up a relational database using a number of different engines such as MySQL, Oracle, SQL Server, PostgreSQL, etc. During the creation of your RDS database instance, you have the opportunity to Enable Encryption at the Configure Advanced Settings screen under Database Options and Enable Encryption.

By enabling your encryption here, you are enabling encryption at rest for your storage, snapshots, read replicas and your back-ups. Keys to manage this encryption can be issued by using KMS. It's not possible to add this level of encryption after your database has been created. It has to be done during its creation.

However, there is a workaround allowing you to encrypt an unencrypted database as follows. You can create a snapshot of your unencrypted database, create an encrypted copy of that snapshot, use that encrypted snapshot to create a new database, and then, finally, your database would then be encrypted.

Amazon RDS sends data to CloudWatch every minute by default.

In addition to encryption offered by RDS itself at the application level, there are additional platform level encryption mechanisms that could be used for protecting data at rest including Oracle and SQL Server Transparent Data Encryption, known as TDE, and this could be used in conjunction with the method order discussed but it would impact the performance of the database MySQL cryptographic functions and Microsoft Transact-SQL cryptographic functions.

If you want to use the TDE method, then you must first ensure that the database is associated to an option group. Option groups provide default settings for your database and help with management which includes some security features. However, option groups only exist for the following database engines and versions.

Once the database is associated with an option group, you must ensure that the Oracle Transparent Data Encryption option is added to that group. Once this TDE option has been added to the option group, it cannot be removed. TDE can use two different encryption modes, firstly, TDE tablespace encryption which encrypts entire tables and, secondly, TDE column encryption which just encrypts individual elements of the database.

Enumeration

# Get DBs
aws rds describe-db-clusters
aws rds describe-db-cluster-endpoints
aws rds describe-db-instances
aws rds describe-db-security-groups

# Find automated backups
aws rds describe-db-instance-automated-backups

# Find snapshots
aws rds describe-db-snapshots 
aws rds describe-db-snapshots --include-public --snapshot-type public
## Restore snapshot as new instance
aws rds restore-db-instance-from-db-snapshot --db-instance-identifier <ID> --db-snapshot-identifier <ID> --availability-zone us-west-2a

# Proxies
aws rds describe-db-proxy-endpoints
aws rds describe-db-proxy-target-groups
aws rds describe-db-proxy-targets

## reset credentials of MasterUsername
aws rds modify-db-instance --db-instance-identifier <ID> --master-user-password <NewPassword> --apply-immediately

Privesc

{% content-ref url="../../aws-privilege-escalation/aws-rds-privesc.md" %} aws-rds-privesc.md {% endcontent-ref %}

SQL Injection

There are ways to access DynamoDB data with SQL syntax, therefore, typical SQL injections are also possible.

{% embed url="https://book.hacktricks.xyz/pentesting-web/sql-injection" %}

Support HackTricks and get benefits!