BOM - AWS DynamoDB

  • Query id: 4e67c0ae-38a0-47f4-a50c-f0c9b75826df
  • Query name: BOM - AWS DynamoDB
  • Platform: CloudFormation
  • Severity: Trace
  • Category: Bill Of Materials
  • CWE: Ongoing
  • URL: Github

Description

A list of DynamoDB resources found. Amazon DynamoDB is a fully managed, serverless, key-value NoSQL database designed to run high-performance applications at any scale.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  DynamoDBEndpoint:
    Type: "AWS::EC2::VPCEndpoint"
    Properties:
      RouteTableIds:
        - !Ref PublicRouteTable
        - !Ref Private0RouteTable
        - !Ref Private1RouteTable
        - !Ref Private2RouteTable
      ServiceName:
        !Sub "com.amazonaws.${AWS::Region}.dynamodb"
      VpcId: !Ref VPC
      PolicyDocument: {
        "Id": "Policy",
        "Version": "2012-10-17",
        "Statement": [
          {
            "Sid": "Statement",
            "Action": "dynamodb:*",
            "Effect": "Allow",
            "Resource": "arn:aws:dynamodb:ap-southeast-2:123412341234:table/test",
            "Principal": "*"
          }
        ]
      }
  DynamoDBOnDemandTable2:
    Type: "AWS::DynamoDB::Table"
    Properties:
      TableName: test
      AttributeDefinitions:
        - AttributeName: pk
          AttributeType: S
      KeySchema:
        - AttributeName: pk
          KeyType: HASH
      BillingMode: PAY_PER_REQUEST
      SSESpecification:
        SSEEnabled: false
        SSEType: "KMS"
Positive test num. 2 - yaml file
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  DynamoDBEndpoint:
    Type: "AWS::EC2::VPCEndpoint"
    Properties:
      RouteTableIds:
        - !Ref PublicRouteTable
        - !Ref Private0RouteTable
        - !Ref Private1RouteTable
        - !Ref Private2RouteTable
      ServiceName:
        !Sub "com.amazonaws.${AWS::Region}.dynamodb"
      VpcId: !Ref VPC
      PolicyDocument: {
        "Id": "Policy",
        "Version": "2012-10-17",
        "Statement": [
          {
            "Sid": "Statement",
            "Action": "dynamodb:*",
            "Effect": "Allow",
            "Resource": "*",
            "Principal": "*"
          }
        ]
      }
  DynamoDBOnDemandTable2:
    Type: "AWS::DynamoDB::Table"
    Properties:
      TableName: test2
      AttributeDefinitions:
        - AttributeName: pk
          AttributeType: S
      KeySchema:
        - AttributeName: pk
          KeyType: HASH
      BillingMode: PAY_PER_REQUEST
      SSESpecification:
        SSEEnabled: false
        SSEType: "KMS"
Positive test num. 3 - yaml file
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  DynamoDBEndpoint:
    Type: "AWS::EC2::VPCEndpoint"
    Properties:
      RouteTableIds:
        - !Ref PublicRouteTable
        - !Ref Private0RouteTable
        - !Ref Private1RouteTable
        - !Ref Private2RouteTable
      ServiceName:
        !Sub "com.amazonaws.${AWS::Region}.dynamodb"
      VpcId: !Ref VPC
      PolicyDocument: {
        "Id": "Policy",
        "Version": "2012-10-17",
        "Statement": [
          {
            "Sid": "Statement",
            "Action": "dynamodb:*",
            "Effect": "Allow",
            "Resource": "arn:aws:dynamodb:ap-southeast-2:123412341234:table/other",
            "Principal": "*"
          }
        ]
      }
  DynamoDBOnDemandTable2:
    Type: "AWS::DynamoDB::Table"
    Properties:
      TableName: test3
      AttributeDefinitions:
        - AttributeName: pk
          AttributeType: S
      KeySchema:
        - AttributeName: pk
          KeyType: HASH
      BillingMode: PAY_PER_REQUEST
      SSESpecification:
        SSEEnabled: false
        SSEType: "KMS"

Positive test num. 4 - yaml file
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  DynamoDBOnDemandTable2:
    Type: "AWS::DynamoDB::Table"
    Properties:
      TableName: test4
      AttributeDefinitions:
        - AttributeName: pk
          AttributeType: S
      KeySchema:
        - AttributeName: pk
          KeyType: HASH
      BillingMode: PAY_PER_REQUEST
      SSESpecification:
        SSEEnabled: false
        SSEType: "KMS"

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  myDistribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Enabled: true