RDS Database Cluster not Encrypted
- Query id: 656880aa-1388-488f-a6d4-8f73c23149b2
- Query name: RDS Database Cluster not Encrypted
- Platform: Terraform
- Severity: High
- Category: Encryption
- URL: Github
Description¶
RDS Database Cluster Encryption should be enabled
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - tf file
resource "aws_db_cluster_snapshot" "positive1" {
db_cluster_identifier = aws_rds_cluster.example2.id
db_cluster_snapshot_identifier = "resourcetestsnapshot1234"
}
resource "aws_rds_cluster" "example2" {
cluster_identifier = "example"
db_subnet_group_name = aws_db_subnet_group.example.name
engine_mode = "multimaster"
master_password = "barbarbarbar"
master_username = "foo"
skip_final_snapshot = true
}
Positive test num. 2 - tf file
resource "aws_db_cluster_snapshot" "positive2" {
db_cluster_identifier = aws_rds_cluster.example3.id
db_cluster_snapshot_identifier = "resourcetestsnapshot1234"
}
resource "aws_rds_cluster" "example3" {
cluster_identifier = "example"
db_subnet_group_name = aws_db_subnet_group.example.name
engine_mode = "multimaster"
master_password = "barbarbarbar"
master_username = "foo"
skip_final_snapshot = true
storage_encrypted = false
}
Code samples without security vulnerabilities¶
Negative test num. 1 - tf file
resource "aws_db_cluster_snapshot" "negative" {
db_cluster_identifier = aws_rds_cluster.example.id
db_cluster_snapshot_identifier = "resourcetestsnapshot1234"
}
resource "aws_rds_cluster" "example" {
cluster_identifier = "example"
db_subnet_group_name = aws_db_subnet_group.example.name
engine_mode = "multimaster"
master_password = "barbarbarbar"
master_username = "foo"
skip_final_snapshot = true
storage_encrypted = true
}