RDS Storage Encryption Disabled
- Query id: 65844ba3-03a1-40a8-b3dd-919f122e8c95
- Query name: RDS Storage Encryption Disabled
- Platform: CloudFormation
- Severity: High
- Category: Encryption
- CWE: Ongoing
- URL: Github
Description¶
An `AWS::RDS::DBCluster` must set `StorageEncrypted: true`. The property defaults to false, so the query flags a cluster that omits it (positive tests 2 and 4) as well as one that sets it to `false` explicitly. Encryption at rest can only be chosen when the cluster is created, and `true` on its own uses the AWS-managed RDS key; set `KmsKeyId` as well when a customer-managed key is required.
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - yaml file
AWSTemplateFormatVersion: '2010-09-09'
Description: Creates RDS Cluster
Resources:
  # Flagged resource: encryption at rest is explicitly switched off.
  # StorageEncrypted is fixed when the cluster is created; it cannot be
  # turned on afterwards without a snapshot/restore cycle.
  RDSCluster:
    Type: 'AWS::RDS::DBCluster'
    Properties:
      Engine: aurora
      DBClusterParameterGroupName:
        Ref: RDSDBClusterParameterGroup
      DBSubnetGroupName: DBSubnetGroup
      # Placeholder credentials for the scanner fixture only. A real template
      # must not inline MasterUserPassword; resolve it from Secrets Manager or
      # a NoEcho parameter instead.
      MasterUsername: username
      MasterUserPassword: password
      StorageEncrypted: false  # <- what this query reports
  RDSDBClusterParameterGroup:
    Type: 'AWS::RDS::DBClusterParameterGroup'
    Properties:
      Description: 'CloudFormation Sample Aurora Cluster Parameter Group'
      # NOTE(review): the aurora5.6 family appears to be past end of support;
      # kept unchanged because the fixture only exercises StorageEncrypted.
      Family: aurora5.6
      Parameters:
        time_zone: US/Eastern
  # Aurora instances take their encryption setting from the cluster, so the
  # query does not inspect them. PubliclyAccessible: "true" is a separate
  # exposure (not this query's subject) and is kept as the quoted string the
  # fixture uses; CloudFormation coerces it to a boolean.
  RDSDBInstance1:
    Type: 'AWS::RDS::DBInstance'
    Properties:
      Engine: aurora
      DBClusterIdentifier:
        Ref: RDSCluster
      DBInstanceClass: db.r3.xlarge
      AvailabilityZone: eu-west-1b
      DBParameterGroupName:
        Ref: RDSDBParameterGroup
      DBSubnetGroupName: DBSubnetGroup
      PubliclyAccessible: "true"
  RDSDBInstance2:
    Type: 'AWS::RDS::DBInstance'
    Properties:
      Engine: aurora
      DBClusterIdentifier:
        Ref: RDSCluster
      DBInstanceClass: db.r3.xlarge
      AvailabilityZone: eu-west-1b
      DBParameterGroupName:
        Ref: RDSDBParameterGroup
      DBSubnetGroupName: DBSubnetGroup
      PubliclyAccessible: "true"
  RDSDBParameterGroup:
    Type: 'AWS::RDS::DBParameterGroup'
    Properties:
      Description: CloudFormation Sample Aurora Parameter Group
      Family: aurora5.6
      Parameters:
        sql_mode: IGNORE_SPACE
        max_allowed_packet: 1024
        # Must stay quoted: a bare '{' would be parsed as a YAML flow mapping.
        innodb_buffer_pool_size: '{DBInstanceClassMemory*3/4}'
Positive test num. 2 - yaml file
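AWSTemplateFormatVersion: '2010-09-09'
Description: Creates RDS Cluster
Resources:
  # Flagged resource: StorageEncrypted is omitted. CloudFormation treats the
  # absent property as false, so the cluster is created unencrypted and the
  # query reports it exactly like an explicit `StorageEncrypted: false`.
  RDSCluster1:
    Type: 'AWS::RDS::DBCluster'
    Properties:
      Engine: aurora
      DBClusterParameterGroupName:
        Ref: RDSDBClusterParameterGroup
      DBSubnetGroupName: DBSubnetGroup
      # Placeholder credentials for the scanner fixture only. A real template
      # must not inline MasterUserPassword; resolve it from Secrets Manager or
      # a NoEcho parameter instead.
      MasterUsername: username
      MasterUserPassword: password
  RDSDBClusterParameterGroup:
    Type: 'AWS::RDS::DBClusterParameterGroup'
    Properties:
      Description: 'CloudFormation Sample Aurora Cluster Parameter Group'
      # NOTE(review): the aurora5.6 family appears to be past end of support;
      # kept unchanged because the fixture only exercises StorageEncrypted.
      Family: aurora5.6
      Parameters:
        time_zone: US/Eastern
  # The instances now reference the cluster this template actually declares
  # (RDSCluster1); the original sample pointed at a non-existent RDSCluster,
  # which CloudFormation rejects as an unresolved dependency. Aurora instances
  # take their encryption setting from the cluster, so the query does not
  # inspect them. PubliclyAccessible: "true" is a separate exposure and is
  # kept as the quoted string the fixture uses.
  RDSDBInstance1:
    Type: 'AWS::RDS::DBInstance'
    Properties:
      Engine: aurora
      DBClusterIdentifier:
        Ref: RDSCluster1
      DBInstanceClass: db.r3.xlarge
      AvailabilityZone: eu-west-1b
      DBParameterGroupName:
        Ref: RDSDBParameterGroup
      DBSubnetGroupName: DBSubnetGroup
      PubliclyAccessible: "true"
  RDSDBInstance2:
    Type: 'AWS::RDS::DBInstance'
    Properties:
      Engine: aurora
      DBClusterIdentifier:
        Ref: RDSCluster1
      DBInstanceClass: db.r3.xlarge
      AvailabilityZone: eu-west-1b
      DBParameterGroupName:
        Ref: RDSDBParameterGroup
      DBSubnetGroupName: DBSubnetGroup
      PubliclyAccessible: "true"
  RDSDBParameterGroup:
    Type: 'AWS::RDS::DBParameterGroup'
    Properties:
      Description: CloudFormation Sample Aurora Parameter Group
      Family: aurora5.6
      Parameters:
        sql_mode: IGNORE_SPACE
        max_allowed_packet: 1024
        # Must stay quoted: a bare '{' would be parsed as a YAML flow mapping.
        innodb_buffer_pool_size: '{DBInstanceClassMemory*3/4}'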
Positive test num. 3 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "Creates RDS Cluster",
"Resources": {
"RDSCluster": {
"Properties": {
"MasterUserPassword": "password",
"MasterUsername": "username",
"StorageEncrypted": false,
"DBClusterParameterGroupName": {
"Ref": "RDSDBClusterParameterGroup"
},
"DBSubnetGroupName": "DBSubnetGroup",
"Engine": "aurora"
},
"Type": "AWS::RDS::DBCluster"
},
"RDSDBClusterParameterGroup": {
"Properties": {
"Description": "CloudFormation Sample Aurora Cluster Parameter Group",
"Family": "aurora5.6",
"Parameters": {
"time_zone": "US/Eastern"
}
},
"Type": "AWS::RDS::DBClusterParameterGroup"
},
"RDSDBInstance1": {
"Properties": {
"DBInstanceClass": "db.r3.xlarge",
"DBParameterGroupName": {
"Ref": "RDSDBParameterGroup"
},
"DBSubnetGroupName": "DBSubnetGroup",
"Engine": "aurora",
"PubliclyAccessible": "true",
"AvailabilityZone": "eu-west-1b",
"DBClusterIdentifier": {
"Ref": "RDSCluster"
}
},
"Type": "AWS::RDS::DBInstance"
},
"RDSDBInstance2": {
"Properties": {
"DBClusterIdentifier": {
"Ref": "RDSCluster"
},
"DBInstanceClass": "db.r3.xlarge",
"DBParameterGroupName": {
"Ref": "RDSDBParameterGroup"
},
"DBSubnetGroupName": "DBSubnetGroup",
"Engine": "aurora",
"PubliclyAccessible": "true",
"AvailabilityZone": "eu-west-1b"
},
"Type": "AWS::RDS::DBInstance"
},
"RDSDBParameterGroup": {
"Type": "AWS::RDS::DBParameterGroup",
"Properties": {
"Description": "CloudFormation Sample Aurora Parameter Group",
"Family": "aurora5.6",
"Parameters": {
"max_allowed_packet": 1024,
"innodb_buffer_pool_size": "{DBInstanceClassMemory*3/4}",
"sql_mode": "IGNORE_SPACE"
}
}
}
}
}
Positive test num. 4 - json file
{
"Description": "Creates RDS Cluster",
"Resources": {
"RDSDBClusterParameterGroup": {
"Properties": {
"Description": "CloudFormation Sample Aurora Cluster Parameter Group",
"Family": "aurora5.6",
"Parameters": {
"time_zone": "US/Eastern"
}
},
"Type": "AWS::RDS::DBClusterParameterGroup"
},
"RDSDBInstance1": {
"Type": "AWS::RDS::DBInstance",
"Properties": {
"PubliclyAccessible": "true",
"AvailabilityZone": "eu-west-1b",
"DBClusterIdentifier": {
"Ref": "RDSCluster"
},
"DBInstanceClass": "db.r3.xlarge",
"DBParameterGroupName": {
"Ref": "RDSDBParameterGroup"
},
"DBSubnetGroupName": "DBSubnetGroup",
"Engine": "aurora"
}
},
"RDSDBInstance2": {
"Properties": {
"DBInstanceClass": "db.r3.xlarge",
"DBParameterGroupName": {
"Ref": "RDSDBParameterGroup"
},
"DBSubnetGroupName": "DBSubnetGroup",
"Engine": "aurora",
"PubliclyAccessible": "true",
"AvailabilityZone": "eu-west-1b",
"DBClusterIdentifier": {
"Ref": "RDSCluster"
}
},
"Type": "AWS::RDS::DBInstance"
},
"RDSDBParameterGroup": {
"Properties": {
"Parameters": {
"sql_mode": "IGNORE_SPACE",
"max_allowed_packet": 1024,
"innodb_buffer_pool_size": "{DBInstanceClassMemory*3/4}"
},
"Description": "CloudFormation Sample Aurora Parameter Group",
"Family": "aurora5.6"
},
"Type": "AWS::RDS::DBParameterGroup"
},
"RDSCluster1": {
"Properties": {
"Engine": "aurora",
"MasterUserPassword": "password",
"MasterUsername": "username",
"DBClusterParameterGroupName": {
"Ref": "RDSDBClusterParameterGroup"
},
"DBSubnetGroupName": "DBSubnetGroup"
},
"Type": "AWS::RDS::DBCluster"
}
},
"AWSTemplateFormatVersion": "2010-09-09"
}
Positive test num. 5 - yaml file
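AWSTemplateFormatVersion: '2010-09-09'
# The original sample referenced DBUsername/DBPassword with !Ref without
# declaring them, which CloudFormation rejects. They are declared here as
# parameters; NoEcho keeps the password out of stack describe/console output.
Parameters:
  DBUsername:
    Type: String
  DBPassword:
    Type: String
    NoEcho: true
Resources:
  # Flagged resource: StorageEncrypted is omitted, so this cluster is created
  # unencrypted (the absent property defaults to false).
  NoEncryption:
    Type: 'AWS::RDS::DBCluster'
    Properties:
      DBClusterIdentifier: aurora-postgresql-cluster
      Engine: aurora-postgresql
      # NOTE(review): Aurora PostgreSQL 10.7 appears to be past end of support;
      # kept unchanged because the fixture only exercises StorageEncrypted.
      EngineVersion: '10.7'
      DBClusterParameterGroupName: default.aurora-postgresql10
      MasterUsername: !Ref DBUsername
      MasterUserPassword: !Ref DBPassword
      BackupRetentionPeriod: 7
      EnableCloudwatchLogsExports:
        - postgresql
  # Not flagged: encryption at rest is enabled. With no KmsKeyId the
  # AWS-managed RDS key is used; add KmsKeyId for a customer-managed key.
  # The identifier is made distinct from the first cluster's: two clusters
  # with the same DBClusterIdentifier cannot coexist in one account/region.
  BackupRetention:
    Type: 'AWS::RDS::DBCluster'
    Properties:
      DBClusterIdentifier: aurora-postgresql-cluster-encrypted
      Engine: aurora-postgresql
      EngineVersion: '10.7'
      DBClusterParameterGroupName: default.aurora-postgresql10
      MasterUsername: !Ref DBUsername
      MasterUserPassword: !Ref DBPassword
      StorageEncrypted: true
      EnableCloudwatchLogsExports:
        - postgresql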
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml file
AWSTemplateFormatVersion: '2010-09-09'
Description: Creates RDS Cluster
Resources:
  # Not flagged: encryption at rest is enabled. With no KmsKeyId the
  # AWS-managed RDS key is used; add KmsKeyId when a customer-managed key
  # is required. Passing this query says nothing about the inline password
  # or the publicly accessible instances below.
  RDSCluster:
    Type: 'AWS::RDS::DBCluster'
    Properties:
      Engine: aurora
      DBClusterParameterGroupName:
        Ref: RDSDBClusterParameterGroup
      DBSubnetGroupName: DBSubnetGroup
      # Placeholder credentials for the scanner fixture only; a real template
      # must not inline MasterUserPassword.
      MasterUsername: username
      MasterUserPassword: password
      StorageEncrypted: true
  RDSDBClusterParameterGroup:
    Type: 'AWS::RDS::DBClusterParameterGroup'
    Properties:
      Description: 'CloudFormation Sample Aurora Cluster Parameter Group'
      # NOTE(review): the aurora5.6 family appears to be past end of support;
      # kept unchanged because the fixture only exercises StorageEncrypted.
      Family: aurora5.6
      Parameters:
        time_zone: US/Eastern
  # Aurora instances take their encryption setting from the cluster, so the
  # query does not inspect them. PubliclyAccessible: "true" is kept as the
  # quoted string the fixture uses; CloudFormation coerces it to a boolean.
  RDSDBInstance1:
    Type: 'AWS::RDS::DBInstance'
    Properties:
      Engine: aurora
      DBClusterIdentifier:
        Ref: RDSCluster
      DBInstanceClass: db.r3.xlarge
      AvailabilityZone: eu-west-1b
      DBParameterGroupName:
        Ref: RDSDBParameterGroup
      DBSubnetGroupName: DBSubnetGroup
      PubliclyAccessible: "true"
  RDSDBInstance2:
    Type: 'AWS::RDS::DBInstance'
    Properties:
      Engine: aurora
      DBClusterIdentifier:
        Ref: RDSCluster
      DBInstanceClass: db.r3.xlarge
      AvailabilityZone: eu-west-1b
      DBParameterGroupName:
        Ref: RDSDBParameterGroup
      DBSubnetGroupName: DBSubnetGroup
      PubliclyAccessible: "true"
  RDSDBParameterGroup:
    Type: 'AWS::RDS::DBParameterGroup'
    Properties:
      Description: CloudFormation Sample Aurora Parameter Group
      Family: aurora5.6
      Parameters:
        sql_mode: IGNORE_SPACE
        max_allowed_packet: 1024
        # Must stay quoted: a bare '{' would be parsed as a YAML flow mapping.
        innodb_buffer_pool_size: '{DBInstanceClassMemory*3/4}'
Negative test num. 2 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "Creates RDS Cluster",
"Resources": {
"RDSDBClusterParameterGroup": {
"Properties": {
"Description": "CloudFormation Sample Aurora Cluster Parameter Group",
"Family": "aurora5.6",
"Parameters": {
"time_zone": "US/Eastern"
}
},
"Type": "AWS::RDS::DBClusterParameterGroup"
},
"RDSDBInstance1": {
"Properties": {
"PubliclyAccessible": "true",
"AvailabilityZone": "eu-west-1b",
"DBClusterIdentifier": {
"Ref": "RDSCluster"
},
"DBInstanceClass": "db.r3.xlarge",
"DBParameterGroupName": {
"Ref": "RDSDBParameterGroup"
},
"DBSubnetGroupName": "DBSubnetGroup",
"Engine": "aurora"
},
"Type": "AWS::RDS::DBInstance"
},
"RDSDBInstance2": {
"Properties": {
"PubliclyAccessible": "true",
"AvailabilityZone": "eu-west-1b",
"DBClusterIdentifier": {
"Ref": "RDSCluster"
},
"DBInstanceClass": "db.r3.xlarge",
"DBParameterGroupName": {
"Ref": "RDSDBParameterGroup"
},
"DBSubnetGroupName": "DBSubnetGroup",
"Engine": "aurora"
},
"Type": "AWS::RDS::DBInstance"
},
"RDSDBParameterGroup": {
"Type": "AWS::RDS::DBParameterGroup",
"Properties": {
"Description": "CloudFormation Sample Aurora Parameter Group",
"Family": "aurora5.6",
"Parameters": {
"sql_mode": "IGNORE_SPACE",
"max_allowed_packet": 1024,
"innodb_buffer_pool_size": "{DBInstanceClassMemory*3/4}"
}
}
},
"RDSCluster": {
"Properties": {
"DBSubnetGroupName": "DBSubnetGroup",
"Engine": "aurora",
"MasterUserPassword": "password",
"MasterUsername": "username",
"StorageEncrypted": true,
"DBClusterParameterGroupName": {
"Ref": "RDSDBClusterParameterGroup"
}
},
"Type": "AWS::RDS::DBCluster"
}
}
}