gitea-mirror/hacktricks-cloud
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks-cloud.git synced 2025-12-28 13:43:24 -08:00
Code Issues Packages Projects Releases Wiki Activity
Files
5ef56bb6b38468e009a1ce34747dd626ea22acb7
hacktricks-cloud/pentesting-cloud/aws-security/aws-services/aws-relational-database-rds-enum.md
Carlos Polop 5ef56bb6b3 Recreating repository history for branch master
2024-12-12 19:35:48 +01:00

169 lines
9.3 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# AWS - Relational Database (RDS) Enum
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
## Basic Information
The **Relational Database Service (RDS)** offered by AWS is designed to streamline the deployment, operation, and scaling of a **relational database in the cloud**. This service offers the advantages of cost efficiency and scalability while automating labor-intensive tasks like hardware provisioning, database configuration, patching, and backups.
AWS RDS supports various widely-used relational database engines including MySQL, PostgreSQL, MariaDB, Oracle Database, Microsoft SQL Server, and Amazon Aurora, with compatibility for both MySQL and PostgreSQL.
Key features of RDS include:
* **Management of database instances** is simplified.
* Creation of **read replicas** to enhance read performance.
* Configuration of **multi-Availability Zone (AZ) deployments** to ensure high availability and failover mechanisms.
* **Integration** with other AWS services, such as:
* AWS Identity and Access Management (**IAM**) for robust access control.
* AWS **CloudWatch** for comprehensive monitoring and metrics.
* AWS Key Management Service (**KMS**) for ensuring encryption at rest.
## Credentials
When creating the DB cluster the master **username** can be configured (**`admin`** by default). To generate the password of this user you can:
* **Indicate** a **password** yourself
* Tell RDS to **auto generate** it
* Tell RDS to manage it in **AWS Secret Manager** encrypted with a KMS key
<figure><img src="../../../.gitbook/assets/image (144).png" alt=""><figcaption></figcaption></figure>
### Authentication
There are 3 types of authentication options, but using the **master password is always allowed**:
<figure><img src="../../../.gitbook/assets/image (227).png" alt=""><figcaption></figcaption></figure>
### Public Access & VPC
By default **no public access is granted** to the databases, however it **could be granted**. Therefore, by default only machines from the same VPC will be able to access it if the selected **security group** (are stored in EC2 SG)allows it.
Instead of exposing a DB instance, its possible to create a **RDS Proxy** which **improves** the **scalability** & **availability** of the DB cluster.
Moreover, the **database port can be modified** also.
### Encryption
**Encryption is enabled by default** using a AWS managed key (a CMK could be chosen instead).
By enabling your encryption, you are enabling **encryption at rest for your storage, snapshots, read replicas and your back-ups**. Keys to manage this encryption can be issued by using **KMS**.\
It's not possible to add this level of encryption after your database has been created. **It has to be done during its creation**.
However, there is a **workaround allowing you to encrypt an unencrypted database as follows**. You can create a snapshot of your unencrypted database, create an encrypted copy of that snapshot, use that encrypted snapshot to create a new database, and then, finally, your database would then be encrypted.
#### Transparent Data Encryption (TDE)
Alongside the encryption capabilities inherent to RDS at the application level, RDS also supports **additional platform-level encryption mechanisms** to safeguard data at rest. This includes **Transparent Data Encryption (TDE)** for Oracle and SQL Server. However, it's crucial to note that while TDE enhances security by encrypting data at rest, it may also **affect database performance**. This performance impact is especially noticeable when used in conjunction with MySQL cryptographic functions or Microsoft Transact-SQL cryptographic functions.
To utilize TDE, certain preliminary steps are required:
1. **Option Group Association**:
* The database must be associated with an option group. Option groups serve as containers for settings and features, facilitating database management, including security enhancements.
* However, it's important to note that option groups are only available for specific database engines and versions.
2. **Inclusion of TDE in Option Group**:
* Once associated with an option group, the Oracle Transparent Data Encryption option needs to be included in that group.
* It's essential to recognize that once the TDE option is added to an option group, it becomes a permanent fixture and cannot be removed.
3. **TDE Encryption Modes**:
* TDE offers two distinct encryption modes:
* **TDE Tablespace Encryption**: This mode encrypts entire tables, providing a broader scope of data protection.
* **TDE Column Encryption**: This mode focuses on encrypting specific, individual elements within the database, allowing for more granular control over what data is encrypted.
Understanding these prerequisites and the operational intricacies of TDE is crucial for effectively implementing and managing encryption within RDS, ensuring both data security and compliance with necessary standards.
### Enumeration
{% code overflow="wrap" %}
```bash
# Clusters info
## Get Endpoints, username, port, iam auth enabled, attached roles, SG
aws rds describe-db-clusters
aws rds describe-db-cluster-endpoints #Cluster URLs
aws rds describe-db-cluster-backtracks --db-cluster-identifier <cluster-name>
## Cluster snapshots
aws rds describe-db-cluster-snapshots
# Get DB instances info
aws rds describe-db-instances #username, url, port, vpc, SG, is public?
aws rds describe-db-security-groups
## Find automated backups
aws rds describe-db-instance-automated-backups
## Find snapshots
aws rds describe-db-snapshots
aws rds describe-db-snapshots --include-public --snapshot-type public
## Restore snapshot as new instance
aws rds restore-db-instance-from-db-snapshot --db-instance-identifier <ID> --db-snapshot-identifier <ID> --availability-zone us-west-2a
# Any public snapshot in the account
aws rds describe-db-snapshots --snapshot-type public
# Proxies
aws rds describe-db-proxy-endpoints
aws rds describe-db-proxy-target-groups
aws rds describe-db-proxy-targets
## reset credentials of MasterUsername
aws rds modify-db-instance --db-instance-identifier <ID> --master-user-password <NewPassword> --apply-immediately
```
{% endcode %}
### Unauthenticated Access
{% content-ref url="../aws-unauthenticated-enum-access/aws-rds-unauthenticated-enum.md" %}
[aws-rds-unauthenticated-enum.md](../aws-unauthenticated-enum-access/aws-rds-unauthenticated-enum.md)
{% endcontent-ref %}
### Privesc
{% content-ref url="../aws-privilege-escalation/aws-rds-privesc.md" %}
[aws-rds-privesc.md](../aws-privilege-escalation/aws-rds-privesc.md)
{% endcontent-ref %}
### Post Exploitation
{% content-ref url="../aws-post-exploitation/aws-rds-post-exploitation.md" %}
[aws-rds-post-exploitation.md](../aws-post-exploitation/aws-rds-post-exploitation.md)
{% endcontent-ref %}
### Persistence
{% content-ref url="../aws-persistence/aws-rds-persistence.md" %}
[aws-rds-persistence.md](../aws-persistence/aws-rds-persistence.md)
{% endcontent-ref %}
### SQL Injection
There are ways to access DynamoDB data with **SQL syntax**, therefore, typical **SQL injections are also possible**.
{% embed url="https://book.hacktricks.xyz/pentesting-web/sql-injection" %}
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
Reference in New Issue View Git Blame Copy Permalink