RDS DB Instance Publicly Accessible

  • Query id: 647de8aa-5a42-41b5-9faf-22136f117380
  • Query name: RDS DB Instance Publicly Accessible
  • Platform: Pulumi
  • Severity: High
  • Category: Insecure Configurations
  • URL: Github

Description

An RDS instance must not expose a public network interface: the `publiclyAccessible` property of an `aws:rds:Instance` must be `false` or left unset (the provider default is `false`). When it is `true`, the instance is assigned a public IP and its endpoint resolves to that address from outside the VPC, so the only controls left between the database and the internet are the instance's security group rules and the database credentials.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
name: aws-rds
runtime: yaml
description: An RDS Instance
resources:
  default:
    type: aws:rds:Instance
    properties:
      allocatedStorage: 10
      dbName: mydb
      engine: mysql
      engineVersion: '5.7'
      instanceClass: db.t3.micro
      parameterGroupName: default.mysql5.7
      password: foobarbaz
      skipFinalSnapshot: true
      username: foo
      publiclyAccessible: true

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
name: aws-rds
runtime: yaml
description: An RDS Instance
resources:
  default:
    type: aws:rds:Instance
    properties:
      allocatedStorage: 10
      dbName: mydb
      engine: mysql
      engineVersion: '5.7'
      instanceClass: db.t3.micro
      parameterGroupName: default.mysql5.7
      password: foobarbaz
      skipFinalSnapshot: true
      username: foo
Negative test num. 2 - yaml file
name: aws-rds
runtime: yaml
description: An RDS Instance
resources:
  default:
    type: aws:rds:Instance
    properties:
      allocatedStorage: 10
      dbName: mydb
      engine: mysql
      engineVersion: '5.7'
      instanceClass: db.t3.micro
      parameterGroupName: default.mysql5.7
      password: foobarbaz
      skipFinalSnapshot: true
      username: foo
      publiclyAccessible: false
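The check this query performs can be reproduced offline. The following Python script is an added example and is not the KICS implementation: it parses the flat `key: value` mapping subset of Pulumi YAML used by the samples above (no third-party YAML library needed), then reports every `aws:rds:Instance` whose `publiclyAccessible` property is `true`. A missing property is treated as compliant, matching negative test 1 and the provider default. The two embedded programs are constructed inputs: the first is the positive sample from this page, the second is a compliant instance next to an unrelated `aws:s3:Bucket` resource to show the check is scoped to the RDS instance type.

```python
"""Offline reproduction of the 'RDS DB Instance Publicly Accessible' check
for Pulumi YAML programs. Added example, not KICS's own query code.
Only nested 'key: value' mappings are parsed (the shape of the page samples)."""

from typing import Any, Dict, List

# Constructed input: the page's positive test, verbatim.
VULNERABLE_PROGRAM = """\
name: aws-rds
runtime: yaml
description: An RDS Instance
resources:
  default:
    type: aws:rds:Instance
    properties:
      allocatedStorage: 10
      dbName: mydb
      engine: mysql
      engineVersion: '5.7'
      instanceClass: db.t3.micro
      parameterGroupName: default.mysql5.7
      password: foobarbaz
      skipFinalSnapshot: true
      username: foo
      publiclyAccessible: true
"""

# Constructed input: publiclyAccessible omitted (provider default is false),
# plus a non-RDS resource that the check must ignore.
COMPLIANT_PROGRAM = """\
name: aws-rds
runtime: yaml
resources:
  db:
    type: aws:rds:Instance
    properties:
      engine: mysql
      instanceClass: db.t3.micro
  bucket:
    type: aws:s3:Bucket
    properties:
      forceDestroy: true
"""


def _scalar(raw: str) -> Any:
    """Turn a YAML scalar token into bool, int or str (subset only)."""
    if raw in ("true", "false"):
        return raw == "true"
    if len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in ("'", '"'):
        return raw[1:-1]
    if raw.isdigit():
        return int(raw)
    return raw


def parse_simple_yaml(text: str) -> Dict[str, Any]:
    """Parse space-indented 'key: value' mappings into nested dicts.
    Lists, anchors, flow syntax and multi-line scalars are not supported."""
    root: Dict[str, Any] = {}
    stack = [(-1, root)]  # (indent level, mapping currently being filled)
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, sep, value = line.strip().partition(":")
        if not sep:
            raise ValueError(f"unsupported line: {line!r}")
        while stack[-1][0] >= indent:  # climb back to the enclosing mapping
            stack.pop()
        parent = stack[-1][1]
        value = value.strip()
        if value == "":
            child: Dict[str, Any] = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = _scalar(value)
    return root


def public_rds_instances(program: Dict[str, Any]) -> List[str]:
    """Names of aws:rds:Instance resources with publiclyAccessible: true.
    An absent property is compliant because the provider defaults it to false."""
    findings: List[str] = []
    for name, res in (program.get("resources") or {}).items():
        if not isinstance(res, dict) or res.get("type") != "aws:rds:Instance":
            continue
        props = res.get("properties") or {}
        if props.get("publiclyAccessible") is True:
            findings.append(name)
    return findings


def scan(text: str) -> List[str]:
    """Parse a Pulumi YAML program and return the offending resource names."""
    return public_rds_instances(parse_simple_yaml(text))


if __name__ == "__main__":
    for label, prog in (("vulnerable", VULNERABLE_PROGRAM), ("compliant", COMPLIANT_PROGRAM)):
        print(f"{label}: public RDS instances = {scan(prog)}")
```

The fix for a flagged resource is the one shown in negative test 2: set `publiclyAccessible: false` (or drop the property). Note that the check keys on the exact resource type string, so a program that assigns the value through a Pulumi config variable or expression rather than a literal `true` would not be caught by this simple scanner.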