CMK Unencrypted Storage
- Query id: ffee2785-c347-451e-89f3-11aeb08e5c84
- Query name: CMK Unencrypted Storage
- Platform: CloudFormation
- Severity: High
- Category: Encryption
- URL: Github
Description¶
Ensure that storage is encrypted.
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - yaml file
AWSTemplateFormatVersion: 2010-09-09
Description: >-
AWS CloudFormation Sample
Parameters:
DBInstanceID:
Default: mydbinstance
Description: My database instance
Type: String
MinLength: '1'
MaxLength: '63'
AllowedPattern: '[a-zA-Z][a-zA-Z0-9]*'
ConstraintDescription: >-
Must begin with a letter and must not end with a hyphen or contain two
consecutive hyphens.
DBName:
Default: mydb
Description: My database
Type: String
MinLength: '1'
MaxLength: '64'
AllowedPattern: '[a-zA-Z][a-zA-Z0-9]*'
ConstraintDescription: Must begin with a letter and contain only alphanumeric characters.
DBInstanceClass:
Default: db.m5.large
Description: DB instance class
Type: String
ConstraintDescription: Must select a valid DB instance type.
DBAllocatedStorage:
Default: '50'
Description: The size of the database (GiB)
Type: Number
MinValue: '5'
MaxValue: '1024'
ConstraintDescription: must be between 20 and 65536 GiB.
DBUsername:
NoEcho: 'true'
Description: Username for MySQL database access
Type: String
MinLength: '1'
MaxLength: '16'
AllowedPattern: '[a-zA-Z][a-zA-Z0-9]*'
ConstraintDescription: must begin with a letter and contain only alphanumeric characters.
DBPassword:
NoEcho: 'true'
Description: Password MySQL database access
Type: String
MinLength: '8'
MaxLength: '41'
AllowedPattern: '[a-zA-Z0-9]*'
ConstraintDescription: must contain only alphanumeric characters.
Resources:
MyDB:
Type: 'AWS::RDS::DBInstance'
Properties:
DBInstanceIdentifier: !Ref DBInstanceID
DBName: !Ref DBName
DBInstanceClass: !Ref DBInstanceClass
AllocatedStorage: !Ref DBAllocatedStorage
Engine: MySQL
EngineVersion: 8.0.16
MasterUsername: !Ref DBUsername
MasterUserPassword: !Ref DBPassword
MonitoringInterval: '60'
MonitoringRoleArn: 'arn:aws:iam::123456789012:role/rds-monitoring-role'
Positive test num. 2 - yaml file
AWSTemplateFormatVersion: 2010-09-09
Description: >-
AWS CloudFormation Sample Template
Parameters:
DBUsername:
NoEcho: "true"
Description: Username for MySQL database access
Type: String
MinLength: "1"
MaxLength: "16"
AllowedPattern: "[a-zA-Z][a-zA-Z0-9]*"
ConstraintDescription: must begin with a letter and contain only alphanumeric characters.
DBPassword:
NoEcho: "true"
Description: Password MySQL database access
Type: String
MinLength: "8"
MaxLength: "41"
AllowedPattern: "[a-zA-Z0-9]*"
ConstraintDescription: must contain only alphanumeric characters.
Resources:
RDSCluster1:
Type: "AWS::RDS::DBCluster"
Properties:
MasterUsername: !Ref DBUsername
MasterUserPassword: !Ref DBPassword
DBClusterIdentifier: my-serverless-cluster
Engine: aurora
EngineVersion: 5.6.10a
EngineMode: serverless
ScalingConfiguration:
AutoPause: true
MinCapacity: 4
MaxCapacity: 32
SecondsUntilAutoPause: 1000
Positive test num. 3 - yaml file
AWSTemplateFormatVersion: 2010-09-09
Description: >-
AWS CloudFormation Sample Template AuroraServerlessDBCluster
Parameters:
DBUsername:
NoEcho: 'true'
Description: Username for MySQL database access
Type: String
MinLength: '1'
MaxLength: '16'
AllowedPattern: '[a-zA-Z][a-zA-Z0-9]*'
ConstraintDescription: must begin with a letter and contain only alphanumeric characters.
DBPassword:
NoEcho: 'true'
Description: Password MySQL database access
Type: String
MinLength: '8'
MaxLength: '41'
AllowedPattern: '[a-zA-Z0-9]*'
ConstraintDescription: must contain only alphanumeric characters.
Resources:
RDSCluster-2:
Type: 'AWS::RDS::DBCluster'
Properties:
MasterUsername: !Ref DBUsername
MasterUserPassword: !Ref DBPassword
DBClusterIdentifier: my-serverless-cluster
Engine: aurora
EngineVersion: 5.6.10a
EngineMode: serverless
ScalingConfiguration:
AutoPause: true
MinCapacity: 4
MaxCapacity: 32
SecondsUntilAutoPause: 1000
StorageEncrypted: false
Positive test num. 4 - json file
{
"AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
"Description": "AWS CloudFormation Sample",
"Parameters": {
"DBAllocatedStorage": {
"Description": "The size of the database (GiB)",
"Type": "Number",
"MinValue": "5",
"MaxValue": "1024",
"ConstraintDescription": "must be between 20 and 65536 GiB.",
"Default": "50"
},
"DBUsername": {
"NoEcho": "true",
"Description": "Username for MySQL database access",
"Type": "String",
"MinLength": "1",
"MaxLength": "16",
"AllowedPattern": "[a-zA-Z][a-zA-Z0-9]*",
"ConstraintDescription": "must begin with a letter and contain only alphanumeric characters."
},
"DBPassword": {
"NoEcho": "true",
"Description": "Password MySQL database access",
"Type": "String",
"MinLength": "8",
"MaxLength": "41",
"AllowedPattern": "[a-zA-Z0-9]*",
"ConstraintDescription": "must contain only alphanumeric characters."
},
"DBInstanceID": {
"AllowedPattern": "[a-zA-Z][a-zA-Z0-9]*",
"ConstraintDescription": "Must begin with a letter and must not end with a hyphen or contain two consecutive hyphens.",
"Default": "mydbinstance",
"Description": "My database instance",
"Type": "String",
"MinLength": "1",
"MaxLength": "63"
},
"DBName": {
"Description": "My database",
"Type": "String",
"MinLength": "1",
"MaxLength": "64",
"AllowedPattern": "[a-zA-Z][a-zA-Z0-9]*",
"ConstraintDescription": "Must begin with a letter and contain only alphanumeric characters.",
"Default": "mydb"
},
"DBInstanceClass": {
"Default": "db.m5.large",
"Description": "DB instance class",
"Type": "String",
"ConstraintDescription": "Must select a valid DB instance type."
}
},
"Resources": {
"MyDB": {
"Properties": {
"AllocatedStorage": "DBAllocatedStorage",
"MasterUserPassword": "DBPassword",
"MonitoringInterval": "60",
"DBInstanceIdentifier": "DBInstanceID",
"DBName": "DBName",
"DBInstanceClass": "DBInstanceClass",
"Engine": "MySQL",
"EngineVersion": "8.0.16",
"MasterUsername": "DBUsername",
"MonitoringRoleArn": "arn:aws:iam::123456789012:role/rds-monitoring-role"
},
"Type": "AWS::RDS::DBInstance"
}
}
}
Positive test num. 5 - json file
{
"Parameters": {
"DBUsername": {
"NoEcho": "true",
"Description": "Username for MySQL database access",
"Type": "String",
"MinLength": "1",
"MaxLength": "16",
"AllowedPattern": "[a-zA-Z][a-zA-Z0-9]*",
"ConstraintDescription": "must begin with a letter and contain only alphanumeric characters."
},
"DBPassword": {
"Type": "String",
"MinLength": "8",
"MaxLength": "41",
"AllowedPattern": "[a-zA-Z0-9]*",
"ConstraintDescription": "must contain only alphanumeric characters.",
"NoEcho": "true",
"Description": "Password MySQL database access"
}
},
"Resources": {
"RDSCluster1": {
"Type": "AWS::RDS::DBCluster",
"Properties": {
"DBClusterIdentifier": "my-serverless-cluster",
"Engine": "aurora",
"EngineVersion": "5.6.10a",
"EngineMode": "serverless",
"ScalingConfiguration": {
"AutoPause": true,
"MinCapacity": 4,
"MaxCapacity": 32,
"SecondsUntilAutoPause": 1000
},
"MasterUsername": "DBUsername",
"MasterUserPassword": "DBPassword"
}
}
},
"AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
"Description": "AWS CloudFormation Sample Template"
}
Positive test num. 6 - json file
{
"AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
"Description": "AWS CloudFormation Sample Template AuroraServerlessDBCluster",
"Parameters": {
"DBUsername": {
"MaxLength": "16",
"AllowedPattern": "[a-zA-Z][a-zA-Z0-9]*",
"ConstraintDescription": "must begin with a letter and contain only alphanumeric characters.",
"NoEcho": "true",
"Description": "Username for MySQL database access",
"Type": "String",
"MinLength": "1"
},
"DBPassword": {
"AllowedPattern": "[a-zA-Z0-9]*",
"ConstraintDescription": "must contain only alphanumeric characters.",
"NoEcho": "true",
"Description": "Password MySQL database access",
"Type": "String",
"MinLength": "8",
"MaxLength": "41"
}
},
"Resources": {
"RDSCluster-2": {
"Type": "AWS::RDS::DBCluster",
"Properties": {
"Engine": "aurora",
"EngineVersion": "5.6.10a",
"EngineMode": "serverless",
"ScalingConfiguration": {
"AutoPause": true,
"MinCapacity": 4,
"MaxCapacity": 32,
"SecondsUntilAutoPause": 1000
},
"StorageEncrypted": false,
"MasterUsername": "DBUsername",
"MasterUserPassword": "DBPassword",
"DBClusterIdentifier": "my-serverless-cluster"
}
}
}
}
Positive test num. 7 - yaml file
Positive test num. 8 - json file
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml file
AWSTemplateFormatVersion: 2010-09-09
Description: RDS Storage Encrypted
Parameters:
SourceDBInstanceIdentifier:
Type: String
DBInstanceType:
Type: String
SourceRegion:
Type: String
Resources:
MyKey:
Type: "AWS::KMS::Key"
Properties:
KeyPolicy:
Version: 2012-10-17
Id: key-default-1
Statement:
- Sid: Enable IAM User Permissions
Effect: Allow
Principal:
AWS: !Join
- ""
- - "arn:aws:iam::"
- !Ref "AWS::AccountId"
- ":root"
Action: "kms:*"
Resource: "*"
MyDBSmall:
Type: "AWS::RDS::DBInstance"
Properties:
DBInstanceClass: !Ref DBInstanceType
SourceDBInstanceIdentifier: !Ref SourceDBInstanceIdentifier
SourceRegion: !Ref SourceRegion
KmsKeyId: !Ref MyKey
StorageEncrypted: true
Negative test num. 2 - yaml file
AWSTemplateFormatVersion: 2010-09-09
Description: >-
AWS CloudFormation Sample Template
Parameters:
DBUsername:
NoEcho: 'true'
Description: Username for MySQL database access
Type: String
MinLength: '1'
MaxLength: '16'
AllowedPattern: '[a-zA-Z][a-zA-Z0-9]*'
ConstraintDescription: must begin with a letter and contain only alphanumeric characters.
DBPassword:
NoEcho: 'true'
Description: Password MySQL database access
Type: String
MinLength: '8'
MaxLength: '41'
AllowedPattern: '[a-zA-Z0-9]*'
ConstraintDescription: must contain only alphanumeric characters.
Resources:
MyKey-0:
Type: "AWS::KMS::Key"
Properties:
KeyPolicy:
Version: 2012-10-17
Id: key-default-1
Statement:
- Sid: Enable IAM User Permissions
Effect: Allow
Principal:
AWS: !Join
- ""
- - "arn:aws:iam::"
- !Ref "AWS::AccountId"
- ":root"
Action: "kms:*"
Resource: "*"
RDSCluster:
Type: 'AWS::RDS::DBCluster'
Properties:
MasterUsername: !Ref DBUsername
MasterUserPassword: !Ref DBPassword
DBClusterIdentifier: my-serverless-cluster
Engine: aurora
EngineVersion: 5.6.10a
EngineMode: serverless
ScalingConfiguration:
AutoPause: true
MinCapacity: 4
MaxCapacity: 32
SecondsUntilAutoPause: 1000
KmsKeyId: !Ref MyKey-0
StorageEncrypted: true
Negative test num. 3 - json file
{
"AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
"Description": "RDS Storage Encrypted",
"Parameters": {
"SourceDBInstanceIdentifier": {
"Type": "String"
},
"DBInstanceType": {
"Type": "String"
},
"SourceRegion": {
"Type": "String"
}
},
"Resources": {
"MyKey": {
"Type": "AWS::KMS::Key",
"Properties": {
"KeyPolicy": {
"Version": "2012-10-17T00:00:00Z",
"Id": "key-default-1",
"Statement": [
{
"Principal": {
"AWS": [
"",
[
"arn:aws:iam::",
"AWS::AccountId",
":root"
]
]
},
"Action": "kms:*",
"Resource": "*",
"Sid": "Enable IAM User Permissions",
"Effect": "Allow"
}
]
}
}
},
"MyDBSmall": {
"Type": "AWS::RDS::DBInstance",
"Properties": {
"SourceRegion": "SourceRegion",
"KmsKeyId": "MyKey",
"StorageEncrypted": true,
"DBInstanceClass": "DBInstanceType",
"SourceDBInstanceIdentifier": "SourceDBInstanceIdentifier"
}
}
}
}
Negative test num. 4 - json file
{
"AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
"Description": "AWS CloudFormation Sample Template",
"Parameters": {
"DBUsername": {
"MaxLength": "16",
"AllowedPattern": "[a-zA-Z][a-zA-Z0-9]*",
"ConstraintDescription": "must begin with a letter and contain only alphanumeric characters.",
"NoEcho": "true",
"Description": "Username for MySQL database access",
"Type": "String",
"MinLength": "1"
},
"DBPassword": {
"Type": "String",
"MinLength": "8",
"MaxLength": "41",
"AllowedPattern": "[a-zA-Z0-9]*",
"ConstraintDescription": "must contain only alphanumeric characters.",
"NoEcho": "true",
"Description": "Password MySQL database access"
}
},
"Resources": {
"MyKey-0": {
"Type": "AWS::KMS::Key",
"Properties": {
"KeyPolicy": {
"Version": "2012-10-17T00:00:00Z",
"Id": "key-default-1",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": ["", ["arn:aws:iam::", "AWS::AccountId", ":root"]]
},
"Action": "kms:*",
"Resource": "*"
}
]
}
}
},
"RDSCluster": {
"Type": "AWS::RDS::DBCluster",
"Properties": {
"StorageEncrypted": true,
"MasterUsername": "DBUsername",
"DBClusterIdentifier": "my-serverless-cluster",
"ScalingConfiguration": {
"MinCapacity": 4,
"MaxCapacity": 32,
"SecondsUntilAutoPause": 1000,
"AutoPause": true
},
"EngineMode": "serverless",
"KmsKeyId": "MyKey-0",
"MasterUserPassword": "DBPassword",
"Engine": "aurora",
"EngineVersion": "5.6.10a"
}
}
}
}