mirror of
https://github.com/HackTricks-wiki/hacktricks-cloud.git
synced 2026-07-10 06:02:47 -07:00
Migrate to using mdbook
This commit is contained in:
@@ -0,0 +1,142 @@
|
||||
# AWS - Relational Database (RDS) Enum
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
## Basic Information
|
||||
|
||||
The **Relational Database Service (RDS)** offered by AWS is designed to streamline the deployment, operation, and scaling of a **relational database in the cloud**. This service offers the advantages of cost efficiency and scalability while automating labor-intensive tasks like hardware provisioning, database configuration, patching, and backups.
|
||||
|
||||
AWS RDS supports various widely-used relational database engines including MySQL, PostgreSQL, MariaDB, Oracle Database, Microsoft SQL Server, and Amazon Aurora, with compatibility for both MySQL and PostgreSQL.
|
||||
|
||||
Key features of RDS include:
|
||||
|
||||
- **Management of database instances** is simplified.
|
||||
- Creation of **read replicas** to enhance read performance.
|
||||
- Configuration of **multi-Availability Zone (AZ) deployments** to ensure high availability and failover mechanisms.
|
||||
- **Integration** with other AWS services, such as:
|
||||
- AWS Identity and Access Management (**IAM**) for robust access control.
|
||||
- AWS **CloudWatch** for comprehensive monitoring and metrics.
|
||||
- AWS Key Management Service (**KMS**) for ensuring encryption at rest.
|
||||
|
||||
## Credentials
|
||||
|
||||
When creating the DB cluster the master **username** can be configured (**`admin`** by default). To generate the password of this user you can:
|
||||
|
||||
- **Indicate** a **password** yourself
|
||||
- Tell RDS to **auto generate** it
|
||||
- Tell RDS to manage it in **AWS Secret Manager** encrypted with a KMS key
|
||||
|
||||
<figure><img src="../../../images/image (144).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
### Authentication
|
||||
|
||||
There are 3 types of authentication options, but using the **master password is always allowed**:
|
||||
|
||||
<figure><img src="../../../images/image (227).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
### Public Access & VPC
|
||||
|
||||
By default **no public access is granted** to the databases, however it **could be granted**. Therefore, by default only machines from the same VPC will be able to access it if the selected **security group** (are stored in EC2 SG)allows it.
|
||||
|
||||
Instead of exposing a DB instance, it’s possible to create a **RDS Proxy** which **improves** the **scalability** & **availability** of the DB cluster.
|
||||
|
||||
Moreover, the **database port can be modified** also.
|
||||
|
||||
### Encryption
|
||||
|
||||
**Encryption is enabled by default** using a AWS managed key (a CMK could be chosen instead).
|
||||
|
||||
By enabling your encryption, you are enabling **encryption at rest for your storage, snapshots, read replicas and your back-ups**. Keys to manage this encryption can be issued by using **KMS**.\
|
||||
It's not possible to add this level of encryption after your database has been created. **It has to be done during its creation**.
|
||||
|
||||
However, there is a **workaround allowing you to encrypt an unencrypted database as follows**. You can create a snapshot of your unencrypted database, create an encrypted copy of that snapshot, use that encrypted snapshot to create a new database, and then, finally, your database would then be encrypted.
|
||||
|
||||
#### Transparent Data Encryption (TDE)
|
||||
|
||||
Alongside the encryption capabilities inherent to RDS at the application level, RDS also supports **additional platform-level encryption mechanisms** to safeguard data at rest. This includes **Transparent Data Encryption (TDE)** for Oracle and SQL Server. However, it's crucial to note that while TDE enhances security by encrypting data at rest, it may also **affect database performance**. This performance impact is especially noticeable when used in conjunction with MySQL cryptographic functions or Microsoft Transact-SQL cryptographic functions.
|
||||
|
||||
To utilize TDE, certain preliminary steps are required:
|
||||
|
||||
1. **Option Group Association**:
|
||||
- The database must be associated with an option group. Option groups serve as containers for settings and features, facilitating database management, including security enhancements.
|
||||
- However, it's important to note that option groups are only available for specific database engines and versions.
|
||||
2. **Inclusion of TDE in Option Group**:
|
||||
- Once associated with an option group, the Oracle Transparent Data Encryption option needs to be included in that group.
|
||||
- It's essential to recognize that once the TDE option is added to an option group, it becomes a permanent fixture and cannot be removed.
|
||||
3. **TDE Encryption Modes**:
|
||||
- TDE offers two distinct encryption modes:
|
||||
- **TDE Tablespace Encryption**: This mode encrypts entire tables, providing a broader scope of data protection.
|
||||
- **TDE Column Encryption**: This mode focuses on encrypting specific, individual elements within the database, allowing for more granular control over what data is encrypted.
|
||||
|
||||
Understanding these prerequisites and the operational intricacies of TDE is crucial for effectively implementing and managing encryption within RDS, ensuring both data security and compliance with necessary standards.
|
||||
|
||||
### Enumeration
|
||||
|
||||
```bash
|
||||
# Clusters info
|
||||
## Get Endpoints, username, port, iam auth enabled, attached roles, SG
|
||||
aws rds describe-db-clusters
|
||||
aws rds describe-db-cluster-endpoints #Cluster URLs
|
||||
aws rds describe-db-cluster-backtracks --db-cluster-identifier <cluster-name>
|
||||
|
||||
## Cluster snapshots
|
||||
aws rds describe-db-cluster-snapshots
|
||||
|
||||
# Get DB instances info
|
||||
aws rds describe-db-instances #username, url, port, vpc, SG, is public?
|
||||
aws rds describe-db-security-groups
|
||||
|
||||
## Find automated backups
|
||||
aws rds describe-db-instance-automated-backups
|
||||
|
||||
## Find snapshots
|
||||
aws rds describe-db-snapshots
|
||||
aws rds describe-db-snapshots --include-public --snapshot-type public
|
||||
## Restore snapshot as new instance
|
||||
aws rds restore-db-instance-from-db-snapshot --db-instance-identifier <ID> --db-snapshot-identifier <ID> --availability-zone us-west-2a
|
||||
|
||||
# Any public snapshot in the account
|
||||
aws rds describe-db-snapshots --snapshot-type public
|
||||
|
||||
# Proxies
|
||||
aws rds describe-db-proxy-endpoints
|
||||
aws rds describe-db-proxy-target-groups
|
||||
aws rds describe-db-proxy-targets
|
||||
|
||||
## reset credentials of MasterUsername
|
||||
aws rds modify-db-instance --db-instance-identifier <ID> --master-user-password <NewPassword> --apply-immediately
|
||||
```
|
||||
|
||||
### Unauthenticated Access
|
||||
|
||||
{{#ref}}
|
||||
../aws-unauthenticated-enum-access/aws-rds-unauthenticated-enum.md
|
||||
{{#endref}}
|
||||
|
||||
### Privesc
|
||||
|
||||
{{#ref}}
|
||||
../aws-privilege-escalation/aws-rds-privesc.md
|
||||
{{#endref}}
|
||||
|
||||
### Post Exploitation
|
||||
|
||||
{{#ref}}
|
||||
../aws-post-exploitation/aws-rds-post-exploitation.md
|
||||
{{#endref}}
|
||||
|
||||
### Persistence
|
||||
|
||||
{{#ref}}
|
||||
../aws-persistence/aws-rds-persistence.md
|
||||
{{#endref}}
|
||||
|
||||
### SQL Injection
|
||||
|
||||
There are ways to access DynamoDB data with **SQL syntax**, therefore, typical **SQL injections are also possible**.
|
||||
|
||||
{{#ref}}
|
||||
https://book.hacktricks.xyz/pentesting-web/sql-injection
|
||||
{{#endref}}
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
Reference in New Issue
Block a user