DB Instance Storage Not Encrypted

  • Query id: 7dfb316c-a6c2-454d-b8a2-97f147b0c0ff
  • Query name: DB Instance Storage Not Encrypted
  • Platform: Ansible
  • Severity: High
  • Category: Encryption
  • CWE: 311
  • URL: Github

Description

AWS DB instances should have their storage encrypted by setting the 'storage_encrypted' parameter to 'true'. The storage_encrypted default value is 'false', so omitting the parameter leaves the instance storage unencrypted.

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
---
- name: foo
  community.aws.rds_instance:
    id: test-encrypted-db
    state: present
    engine: mariadb
    storage_encrypted: False
    db_instance_class: db.t2.medium
    username: "{{ username }}"
    password: "{{ password }}"
    allocated_storage: "{{ allocated_storage }}"
- name: foo2
  community.aws.rds_instance:
    id: test-encrypted-db
    state: present
    engine: mariadb
    storage_encrypted: no
    db_instance_class: db.t2.medium
    username: "{{ username }}"
    password: "{{ password }}"
    allocated_storage: "{{ allocated_storage }}"
- name: foo3
  community.aws.rds_instance:
    id: test-encrypted-db
    state: present
    engine: mariadb
    db_instance_class: db.t2.medium
    username: "{{ username }}"
    password: "{{ password }}"
    allocated_storage: "{{ allocated_storage }}"

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
- name: foo
  community.aws.rds_instance:
    id: test-encrypted-db
    state: present
    engine: mariadb
    storage_encrypted: true
    db_instance_class: db.t2.medium
    username: '{{ username }}'
    password: '{{ password }}'
    allocated_storage: '{{ allocated_storage }}'
- name: foo2
  community.aws.rds_instance:
    id: test-encrypted-db
    state: present
    engine: mariadb
    storage_encrypted: yes
    db_instance_class: db.t2.medium
    username: '{{ username }}'
    password: '{{ password }}'
    allocated_storage: '{{ allocated_storage }}'
- name: foo3
  community.aws.rds_instance:
    id: test-encrypted-db
    state: present
    engine: mariadb
    kms_key_id: sup3rstr0ngK3y
    db_instance_class: db.t2.medium
    username: '{{ username }}'
    password: '{{ password }}'
    allocated_storage: '{{ allocated_storage }}'
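As an added example (not the KICS query's own Rego, nor Ansible project code), the following check reproduces the rule's logic over tasks that a YAML loader has already turned into Python dicts: a task is flagged when storage_encrypted is missing or false and no kms_key_id is set, matching the positive and negative samples above. It assumes the module may appear under its community.aws, amazon.aws or bare name, and the sample tasks are constructed here to mirror the page's cases.

```python
# Added example: a minimal checker mirroring the "DB Instance Storage Not Encrypted" rule.
# Assumption: tasks were loaded from the playbook YAML into a list of dicts. The module
# name set below is an assumption (rds_instance also ships in amazon.aws in newer releases).
RDS_MODULES = ("community.aws.rds_instance", "amazon.aws.rds_instance", "rds_instance")
TRUE_WORDS = {"true", "yes", "on", "1"}


def is_truthy(value):
    """Interpret an Ansible-style boolean: a real bool, or yes/no/true/false text."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() in TRUE_WORDS


def rds_params(task):
    """Return the rds_instance parameter dict of a task, or None for other modules."""
    for module in RDS_MODULES:
        params = task.get(module)
        if isinstance(params, dict):
            return params
    return None


def find_unencrypted_rds(tasks):
    """Return the names of rds_instance tasks whose storage would not be encrypted.

    Flagged: storage_encrypted absent or false AND no kms_key_id (as in the page's
    positive samples). Not flagged: storage_encrypted true/yes, or a kms_key_id set
    (as in the page's negative samples).
    """
    findings = []
    for task in tasks:
        params = rds_params(task)
        if params is None:
            continue
        if params.get("kms_key_id"):
            continue
        if not is_truthy(params.get("storage_encrypted", False)):
            findings.append(task.get("name", "<unnamed>"))
    return findings


# Constructed sample tasks reproducing the page's positive and negative cases.
SAMPLE_TASKS = [
    {"name": "foo", "community.aws.rds_instance": {"id": "db", "storage_encrypted": False}},
    {"name": "foo2", "community.aws.rds_instance": {"id": "db", "storage_encrypted": "no"}},
    {"name": "foo3", "community.aws.rds_instance": {"id": "db"}},
    {"name": "ok1", "community.aws.rds_instance": {"id": "db", "storage_encrypted": True}},
    {"name": "ok2", "community.aws.rds_instance": {"id": "db", "storage_encrypted": "yes"}},
    {"name": "ok3", "community.aws.rds_instance": {"id": "db", "kms_key_id": "sup3rstr0ngK3y"}},
    {"name": "not-rds", "amazon.aws.s3_bucket": {"name": "bucket"}},
]

if __name__ == "__main__":
    print(find_unencrypted_rds(SAMPLE_TASKS))  # ['foo', 'foo2', 'foo3']
```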