RDS DB Instance Publicly Accessible
- Query id: c09e3ca5-f08a-4717-9c87-3919c5e6d209
- Query name: RDS DB Instance Publicly Accessible
- Platform: Ansible
- Severity: Critical
- Category: Insecure Configurations
- CWE: Ongoing
- URL: Github
Description
An RDS DB instance must not be defined with a public interface, so the field 'publicly_accessible' must not be set to 'true' (the default is 'false'). Note that Ansible also treats unquoted YAML booleans such as 'Yes' and quoted strings such as "true" as true, so both forms are flagged.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - yaml file

```yaml
---
- name: community - Create a DB instance using the default AWS KMS encryption key
  community.aws.rds_instance:
    id: test-encrypted-db
    state: present
    engine: mariadb
    storage_encrypted: True
    db_instance_class: db.t2.medium
    username: "{{ username }}"
    password: "{{ password }}"
    allocated_storage: "{{ allocated_storage }}"
    publicly_accessible: Yes
- name: community - Basic mysql provisioning example
  community.aws.rds:
    command: create
    instance_name: new-database
    db_engine: MySQL
    size: 10
    instance_type: db.m1.small
    username: mysql_admin
    password: 1nsecure
    publicly_accessible: "true"
    tags:
      Environment: testing
      Application: cms
```
Code samples without security vulnerabilities
Negative test num. 1 - yaml file

```yaml
- name: create RDS instance in default VPC and default subnet group02
  community.aws.rds_instance:
    engine: aurora
    db_instance_identifier: ansible-test-aurora-db-instance
    instance_type: db.t2.small
    password: '{{ password }}'
    username: '{{ username }}'
    cluster_id: ansible-test-cluster
    publicly_accessible: false
- name: create RDS instance in default VPC and default subnet group03
  rds_instance:
    engine: aurora
    db_instance_identifier: ansible-test-aurora-db-instance
    instance_type: db.t2.small
    password: '{{ password }}'
    username: '{{ username }}'
    cluster_id: ansible-test-cluster
```
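The following is an added example, not KICS's own query implementation, showing how the rule described above (and exercised by the positive and negative samples) can be checked over parsed Ansible tasks. It assumes the tasks have already been loaded from the playbook with a YAML 1.1 parser such as PyYAML (unquoted `Yes` arrives as a Python `True`, quoted `"true"` arrives as a string); the sample tasks below are constructed inline so the script runs stand-alone. The set of module names and the list of strings Ansible converts to true are assumptions that mirror the page's samples and Ansible's documented boolean handling.

```python
"""Flag Ansible RDS tasks whose publicly_accessible resolves to true.

Added example; not part of the KICS project. Tasks are normally loaded
with yaml.safe_load(); here they are constructed inline.
"""

# Modules the rule applies to (assumption based on the page's samples).
# A collection prefix such as community.aws. is stripped before matching.
RDS_MODULES = {"rds_instance", "rds"}

# Strings Ansible's boolean conversion accepts as true (assumed list,
# modelled on ansible.module_utils.parsing.convert_bool).
TRUTHY_STRINGS = {"y", "yes", "on", "1", "true", "t"}


def is_truthy(value):
    """Return True if Ansible would treat `value` as boolean true.

    Handles both the YAML-parsed bool (unquoted Yes/True) and the quoted
    string form ("true") that the page's positive samples use.
    """
    if isinstance(value, bool):
        return value
    if isinstance(value, (int, float)):
        return value == 1
    if isinstance(value, str):
        return value.strip().lower() in TRUTHY_STRINGS
    return False


def find_rds_task(task):
    """Return (short_module_name, params) if `task` calls an RDS module."""
    for key, params in task.items():
        if not isinstance(params, dict):
            continue  # 'name', 'when', etc. are not module calls
        short = key.rsplit(".", 1)[-1]
        if short in RDS_MODULES:
            return short, params
    return None


def check_tasks(tasks):
    """Return findings for RDS tasks that expose the instance publicly.

    A missing publicly_accessible is compliant: the module default is false.
    """
    findings = []
    for index, task in enumerate(tasks):
        found = find_rds_task(task)
        if found is None:
            continue
        module, params = found
        value = params.get("publicly_accessible")
        if value is not None and is_truthy(value):
            findings.append({
                "task": task.get("name", f"task #{index}"),
                "module": module,
                "value": value,
            })
    return findings


# Constructed sample tasks, shaped like the page's positive and negative
# cases as they look after YAML 1.1 parsing.
SAMPLE_TASKS = [
    {"name": "encrypted db",
     "community.aws.rds_instance": {"id": "test-encrypted-db", "publicly_accessible": True}},
    {"name": "basic mysql",
     "community.aws.rds": {"command": "create", "publicly_accessible": "true"}},
    {"name": "aurora 02",
     "community.aws.rds_instance": {"engine": "aurora", "publicly_accessible": False}},
    {"name": "aurora 03",
     "rds_instance": {"engine": "aurora"}},
    {"name": "unrelated task",
     "ansible.builtin.debug": {"msg": "not an RDS module"}},
]

if __name__ == "__main__":
    for f in check_tasks(SAMPLE_TASKS):
        print(f"CRITICAL: task '{f['task']}' ({f['module']}) "
              f"sets publicly_accessible={f['value']!r}")
```

Run against the constructed tasks, only the two positive-style tasks are reported; the task that sets `false` and the task that omits the field (default `false`) pass, as does the non-RDS task.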