DB Instance Storage Not Encrypted
- Query id: 7dfb316c-a6c2-454d-b8a2-97f147b0c0ff
- Query name: DB Instance Storage Not Encrypted
- Platform: Ansible
- Severity: High
- Category: Encryption
- CWE: 311
- URL: Github
Description
An AWS DB instance should have its storage encrypted by setting the `storage_encrypted` parameter to 'true'. The `storage_encrypted` default value is 'false', so omitting the parameter leaves the instance storage unencrypted.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - yaml file

```yaml
---
- name: foo
  community.aws.rds_instance:
    id: test-encrypted-db
    state: present
    engine: mariadb
    storage_encrypted: False
    db_instance_class: db.t2.medium
    username: "{{ username }}"
    password: "{{ password }}"
    allocated_storage: "{{ allocated_storage }}"
- name: foo2
  community.aws.rds_instance:
    id: test-encrypted-db
    state: present
    engine: mariadb
    storage_encrypted: no
    db_instance_class: db.t2.medium
    username: "{{ username }}"
    password: "{{ password }}"
    allocated_storage: "{{ allocated_storage }}"
- name: foo3
  community.aws.rds_instance:
    id: test-encrypted-db
    state: present
    engine: mariadb
    db_instance_class: db.t2.medium
    username: "{{ username }}"
    password: "{{ password }}"
    allocated_storage: "{{ allocated_storage }}"
```
Code samples without security vulnerabilities
Negative test num. 1 - yaml file

```yaml
- name: foo
  community.aws.rds_instance:
    id: test-encrypted-db
    state: present
    engine: mariadb
    storage_encrypted: true
    db_instance_class: db.t2.medium
    username: '{{ username }}'
    password: '{{ password }}'
    allocated_storage: '{{ allocated_storage }}'
- name: foo2
  community.aws.rds_instance:
    id: test-encrypted-db
    state: present
    engine: mariadb
    storage_encrypted: yes
    db_instance_class: db.t2.medium
    username: '{{ username }}'
    password: '{{ password }}'
    allocated_storage: '{{ allocated_storage }}'
- name: foo3
  community.aws.rds_instance:
    id: test-encrypted-db
    state: present
    engine: mariadb
    kms_key_id: sup3rstr0ngK3y
    db_instance_class: db.t2.medium
    username: '{{ username }}'
    password: '{{ password }}'
    allocated_storage: '{{ allocated_storage }}'
```
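The decision the query makes for these samples, written out as an added example (a hypothetical checker, not KICS's own code): a task is flagged when `storage_encrypted` is false/no, or when it is absent and no `kms_key_id` is set either. It assumes the play has already been parsed into Python structures; the sample tasks are constructed to mirror the positive and negative samples above.

```python
"""Hypothetical checker mirroring this query (not KICS's own code): flag an
rds_instance task when storage_encrypted is false/no, or when the key is
absent and no kms_key_id is given either."""
from typing import Any, Dict, List

# Names under which the rds_instance module can appear in a task.
RDS_MODULES = ("community.aws.rds_instance", "amazon.aws.rds_instance", "rds_instance")
# A YAML 1.1 loader (PyYAML's default) already turns yes/no/True/False into
# bool; the string set covers quoted values and YAML 1.2 loaders.
TRUTHY = {"true", "yes", "on", "y"}

def is_truthy(value: Any) -> bool:
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() in TRUTHY

def task_is_unencrypted(task: Dict[str, Any]) -> bool:
    """True when the task creates an RDS instance with unencrypted storage."""
    args = None
    for module in RDS_MODULES:
        if module in task:
            args = task[module] or {}
            break
    if args is None:
        return False  # not an rds_instance task, nothing to check
    if "storage_encrypted" in args:
        return not is_truthy(args["storage_encrypted"])
    # No explicit flag: a kms_key_id still yields an encrypted instance
    # (negative test 3 above); otherwise AWS defaults to plaintext storage.
    return "kms_key_id" not in args

def find_unencrypted(tasks: List[Dict[str, Any]]) -> List[str]:
    """Names of the tasks in a parsed play that this check would flag."""
    return [t.get("name", "<unnamed>") for t in tasks if task_is_unencrypted(t)]

# Constructed sample tasks, shaped as a YAML loader hands them over; the
# values follow the positive and negative samples above.
_COMMON = {"id": "test-encrypted-db", "state": "present", "engine": "mariadb"}
POSITIVE_TASKS = [
    {"name": "foo", "community.aws.rds_instance": {**_COMMON, "storage_encrypted": False}},
    {"name": "foo2", "community.aws.rds_instance": {**_COMMON, "storage_encrypted": "no"}},
    {"name": "foo3", "community.aws.rds_instance": dict(_COMMON)},
]
NEGATIVE_TASKS = [
    {"name": "foo", "community.aws.rds_instance": {**_COMMON, "storage_encrypted": True}},
    {"name": "foo2", "community.aws.rds_instance": {**_COMMON, "storage_encrypted": "yes"}},
    {"name": "foo3", "community.aws.rds_instance": {**_COMMON, "kms_key_id": "sup3rstr0ngK3y"}},
]
```

`find_unencrypted(POSITIVE_TASKS)` returns all three task names and `find_unencrypted(NEGATIVE_TASKS)` returns an empty list, matching the verdicts of the samples above.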