DOCDB Cluster Encrypted With AWS Managed Key
- Query id: 2134641d-30a4-4b16-8ffc-2cd4c4ffd15d
- Query name: DOCDB Cluster Encrypted With AWS Managed Key
- Platform: Terraform
- Severity: Medium
- Category: Encryption
- URL: Github
Description
DOCDB clusters should be encrypted with a customer-managed KMS key rather than an AWS managed key (such as the `alias/aws/rds` default), so that the key policy, rotation and deletion stay under the account owner's control.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - tf file
provider "aws" {
  region = "us-east-1"
}

# alias/aws/rds is the AWS managed key that RDS and DocumentDB use by default;
# the account owner cannot edit its policy or control its lifecycle
data "aws_kms_key" "test" {
  key_id = "alias/aws/rds"
}

resource "aws_docdb_cluster" "test2" {
  cluster_identifier  = "my-docdb-cluster-test2"
  engine              = "docdb"
  master_username     = "foo"
  master_password     = "mustbeeightchars"
  skip_final_snapshot = true
  storage_encrypted   = true
  kms_key_id          = data.aws_kms_key.test.arn # resolves to the AWS managed key: flagged
}
Code samples without security vulnerabilities
Negative test num. 1 - tf file
provider "aws" {
  region = "us-east-1"
}

# alias/myAlias points at a customer-managed key created in this account
data "aws_kms_key" "test2" {
  key_id = "alias/myAlias"
}

resource "aws_docdb_cluster" "test22" {
  cluster_identifier  = "my-docdb-cluster-test2"
  engine              = "docdb"
  master_username     = "foo"
  master_password     = "mustbeeightchars"
  skip_final_snapshot = true
  storage_encrypted   = true
  kms_key_id          = data.aws_kms_key.test2.arn # customer-managed key: passes
}
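The following is an added example, not part of the KICS query or its test files: a small Python scanner that reproduces the check above on plain `.tf` text. It collects `aws_kms_key` data sources, then flags any `aws_docdb_cluster` whose `kms_key_id` resolves to an `alias/aws/` key (the positive sample) and leaves the customer-managed alias alone (the negative sample). It goes one step beyond the page's query by also flagging an encrypted cluster with no `kms_key_id` at all, since AWS then falls back to the default AWS managed key. The regex-based parser is an assumption for flat, top-level blocks only; the sample configurations are constructed here and mirror the page's tests.

```python
"""Flag aws_docdb_cluster resources that end up on an AWS managed KMS key.

Added example; a deliberately minimal HCL reader (top-level blocks with
simple `key = value` attributes only, no nested blocks), not a real parser.
"""
import re
from typing import Dict, List

# Matches `data "type" "name" { ... }` / `resource "type" "name" { ... }`
# where the closing brace sits at the start of a line (flat blocks only).
BLOCK_RE = re.compile(
    r'^(data|resource)\s+"([^"]+)"\s+"([^"]+)"\s*\{(.*?)^\}', re.S | re.M
)
ATTR_RE = re.compile(r"^\s*(\w+)\s*=\s*(.+?)\s*$", re.M)
DATA_REF_RE = re.compile(r"data\.aws_kms_key\.(\w+)\.(arn|key_id|id)")
AWS_MANAGED_PREFIX = "alias/aws/"  # every AWS managed key alias starts with this


def parse_blocks(hcl: str) -> List[Dict]:
    """Return top-level data/resource blocks with their scalar attributes."""
    blocks = []
    for kind, typ, name, body in BLOCK_RE.findall(hcl):
        attrs = {k: v.strip('"') for k, v in ATTR_RE.findall(body)}
        blocks.append({"kind": kind, "type": typ, "name": name, "attrs": attrs})
    return blocks


def find_aws_managed_docdb(hcl: str) -> List[str]:
    """Return one finding per DocumentDB cluster keyed by an AWS managed key."""
    blocks = parse_blocks(hcl)
    # name -> key_id for every `data "aws_kms_key"` so references can be resolved
    kms_aliases = {
        b["name"]: b["attrs"].get("key_id", "")
        for b in blocks
        if b["kind"] == "data" and b["type"] == "aws_kms_key"
    }
    findings = []
    for b in blocks:
        if b["kind"] != "resource" or b["type"] != "aws_docdb_cluster":
            continue
        label = f"aws_docdb_cluster.{b['name']}"
        key_ref = b["attrs"].get("kms_key_id", "")
        if not key_ref:
            # Stricter than the page's query: encrypted with no key given means
            # the AWS managed default key is used.
            if b["attrs"].get("storage_encrypted") == "true":
                findings.append(f"{label}: storage_encrypted with no kms_key_id (default AWS managed key)")
            continue
        m = DATA_REF_RE.fullmatch(key_ref)
        # Either follow the data-source reference or treat the value as a literal alias
        resolved = kms_aliases.get(m.group(1), "") if m else key_ref
        if resolved.startswith(AWS_MANAGED_PREFIX):
            findings.append(f"{label}: kms_key_id resolves to AWS managed key {resolved}")
    return findings


# Constructed samples mirroring the page's positive and negative tests.
POSITIVE_TF = '''
provider "aws" {
  region = "us-east-1"
}
data "aws_kms_key" "test" {
  key_id = "alias/aws/rds"
}
resource "aws_docdb_cluster" "test2" {
  cluster_identifier = "my-docdb-cluster-test2"
  engine             = "docdb"
  storage_encrypted  = true
  kms_key_id         = data.aws_kms_key.test.arn
}
'''

NEGATIVE_TF = POSITIVE_TF.replace("alias/aws/rds", "alias/myAlias")

# Constructed: encrypted, but no key chosen, so the default AWS managed key applies.
UNSET_KEY_TF = '''
resource "aws_docdb_cluster" "test3" {
  cluster_identifier = "my-docdb-cluster-test3"
  engine             = "docdb"
  storage_encrypted  = true
}
'''

if __name__ == "__main__":
    for name, tf in (("positive", POSITIVE_TF), ("negative", NEGATIVE_TF), ("unset", UNSET_KEY_TF)):
        print(name, find_aws_managed_docdb(tf) or "no findings")
```

Run it over a directory of `.tf` files by feeding each file's contents to `find_aws_managed_docdb`; a non-empty list is a finding. The alias prefix is the reliable signal here because an AWS managed key's ARN looks exactly like a customer key's ARN, so the check has to be made where the alias is still visible in the configuration.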