RDS DB Instance Publicly Accessible

  • Query id: d9dc6429-5140-498a-8f55-a10daac5f000
  • Query name: RDS DB Instance Publicly Accessible
  • Platform: Crossplane
  • Severity: High
  • Category: Insecure Configurations
  • URL: Github

Description

RDS must not be defined with public interface, which means the attribute 'PubliclyAccessible' must be set to false and neither dbSubnetGroupName' subnets being part of a VPC that has an Internet gateway attached to it
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
apiVersion: database.aws.crossplane.io/v1beta1
kind: RDSInstance
metadata:
  name: sample-cluster3
spec: 
  forProvider:
    publiclyAccessible: true

---

apiVersion: database.aws.crossplane.io/v1alpha3
kind: DBSubnetGroup
metadata:
  name: my-db-subnet-group
spec:
  forProvider:
    description: "My DB Subnet Group"
    subnetIds:
      - subnet-12345678
      - subnet-87654321
Positive test num. 2 - yaml file
apiVersion: database.aws.crossplane.io/v1beta1
kind: RDSInstance
metadata:
  name: my-rds-instance
spec:
  forProvider:
    engine: mysql
    engineVersion: "8.0"
    instanceClass: db.t2.micro
    allocatedStorage: 20
    dbSubnetGroupName: my-db-subnet-group
  writeConnectionSecretToRef:
    name: my-rds-instance-connection

---

apiVersion: database.aws.crossplane.io/v1alpha3
kind: DBSubnetGroup
metadata:
  name: my-db-subnet-group
spec:
  forProvider:
    description: "My DB Subnet Group"
    subnetIds:
      - subnet-12345678
      - subnet-87654321

---

apiVersion: ec2.aws.crossplane.io/v1beta1
kind: Subnet
metadata:
  name: subnet-12345678
spec:
  forProvider:
    cidrBlock: "10.0.0.0/24"
    vpcId: vpc-abcdef12
    availabilityZone: us-west-2a

---

apiVersion: ec2.aws.crossplane.io/v1beta1
kind: Subnet
metadata:
  name: subnet-87654321
spec:
  forProvider:
    cidrBlock: "10.0.0.1/24"
    vpcId: vpc-abcdef12
    availabilityZone: us-west-2a

---

apiVersion: network.aws.crossplane.io/v1alpha3
kind: InternetGateway
metadata:
  name: my-internet-gateway
spec:
  forProvider:
    vpcId: vpc-abcdef12

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
apiVersion: database.aws.crossplane.io/v1beta1
kind: RDSInstance
metadata:
  name: sample-cluster3
spec: 
  forProvider:
    publiclyAccessible: false

---

apiVersion: database.aws.crossplane.io/v1alpha3
kind: DBSubnetGroup
metadata:
  name: my-db-subnet-group
spec:
  forProvider:
    description: "My DB Subnet Group"
    subnetIds:
      - subnet-12345678
      - subnet-87654321
Negative test num. 2 - yaml file
apiVersion: database.aws.crossplane.io/v1beta1
kind: RDSInstance
metadata:
  name: my-rds-instance
spec:
  forProvider:
    engine: mysql
    engineVersion: "8.0"
    instanceClass: db.t2.micro
    allocatedStorage: 20
    dbSubnetGroupName: my-db-subnet-group
  writeConnectionSecretToRef:
    name: my-rds-instance-connection

---

apiVersion: database.aws.crossplane.io/v1alpha3
kind: DBSubnetGroup
metadata:
  name: my-db-subnet-group
spec:
  forProvider:
    description: "My DB Subnet Group"
    subnetIds:
      - subnet-12345678
      - subnet-87654321

---

apiVersion: ec2.aws.crossplane.io/v1beta1
kind: Subnet
metadata:
  name: subnet-12345678
spec:
  forProvider:
    cidrBlock: "10.0.0.0/24"
    vpcId: vpc-abcdef12
    availabilityZone: us-west-2a

---

apiVersion: ec2.aws.crossplane.io/v1beta1
kind: Subnet
metadata:
  name: subnet-87654321
spec:
  forProvider:
    cidrBlock: "10.0.0.1/24"
    vpcId: vpc-abcdef12
    availabilityZone: us-west-2a

---

apiVersion: network.aws.crossplane.io/v1alpha3
kind: InternetGateway
metadata:
  name: my-internet-gateway
spec:
  forProvider:
    vpcId: vpc-abcdef12345