DB Instance Storage Not Encrypted

  • Query id: e50eb68a-a4af-4048-8bbe-8ec324421469
  • Query name: DB Instance Storage Not Encrypted
  • Platform: Crossplane
  • Severity: High
  • Category: Encryption
  • URL: Github

Description

RDS Instance should have its storage encrypted by setting the parameter to 'true'. The storageEncrypted default value is 'false'.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
apiVersion: database.aws.crossplane.io/v1beta1
kind: RDSInstance
metadata:
  name: rds3
spec:
  forProvider:
    allocatedStorage: 50
    applyModificationsImmediately: false
    backupRetentionPeriod: 0
    caCertificateIdentifier: rds-ca-2019
    copyTagsToSnapshot: false
    dbInstanceClass: db.t3.medium
    deletionProtection: false
    enableIAMDatabaseAuthentication: false
    enablePerformanceInsights: false
    engine: mysql
    region: us-west-2
    engineVersion: 5.7.33
    licenseModel: general-public-license
    publiclyAccessible: false
    storageEncrypted: false
    storageType: gp2
---
apiVersion: apiextensions.crossplane.io/v1
kind: Composition
metadata:
  name: cluster-aws
  labels:
    provider: aws
    cluster: eks
spec:
  compositeTypeRef:
    apiVersion: mydev.org/v1alpha1
    kind: CompositeCluster
  writeConnectionSecretsToNamespace: crossplane-system
  patchSets:
    - name: metadata
      patches:
        - fromFieldPath: metadata.labels
  resources:
    - name: sample-ec2
      base:
        apiVersion: database.aws.crossplane.io/v1beta1
        kind: RDSInstance
        metadata:
          name: rds4
        spec:
          forProvider:
            allocatedStorage: 50
            applyModificationsImmediately: false
            backupRetentionPeriod: 0
            caCertificateIdentifier: rds-ca-2019
            copyTagsToSnapshot: false
            dbInstanceClass: db.t3.medium
            deletionProtection: false
            enableIAMDatabaseAuthentication: false
            enablePerformanceInsights: false
            engine: mysql
            region: us-west-2
            engineVersion: 5.7.33
            licenseModel: general-public-license
            publiclyAccessible: false
            storageEncrypted: false
            storageType: gp2

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
apiVersion: database.aws.crossplane.io/v1beta1
kind: RDSInstance
metadata:
  name: rds1
spec:
  forProvider:
    allocatedStorage: 50
    applyModificationsImmediately: false
    backupRetentionPeriod: 0
    caCertificateIdentifier: rds-ca-2019
    copyTagsToSnapshot: false
    dbInstanceClass: db.t3.medium
    deletionProtection: false
    enableIAMDatabaseAuthentication: false
    enablePerformanceInsights: false
    engine: mysql
    region: us-west-2
    engineVersion: 5.7.33
    licenseModel: general-public-license
    publiclyAccessible: false
    storageEncrypted: true
    storageType: gp2
---
apiVersion: apiextensions.crossplane.io/v1
kind: Composition
metadata:
  name: cluster-aws
  labels:
    provider: aws
    cluster: eks
spec:
  compositeTypeRef:
    apiVersion: mydev.org/v1alpha1
    kind: CompositeCluster
  writeConnectionSecretsToNamespace: crossplane-system
  patchSets:
    - name: metadata
      patches:
        - fromFieldPath: metadata.labels
  resources:
    - name: sample-ec2
      base:
        apiVersion: database.aws.crossplane.io/v1beta1
        kind: RDSInstance
        metadata:
          name: rds2
        spec:
          forProvider:
            allocatedStorage: 50
            applyModificationsImmediately: false
            backupRetentionPeriod: 0
            caCertificateIdentifier: rds-ca-2019
            copyTagsToSnapshot: false
            dbInstanceClass: db.t3.medium
            deletionProtection: false
            enableIAMDatabaseAuthentication: false
            enablePerformanceInsights: false
            engine: mysql
            region: us-west-2
            engineVersion: 5.7.33
            licenseModel: general-public-license
            publiclyAccessible: false
            storageEncrypted: true
            storageType: gp2