RDS DB Instance Publicly Accessible

• Query id: c09e3ca5-f08a-4717-9c87-3919c5e6d209
• Query name: RDS DB Instance Publicly Accessible
• Platform: Ansible
• Severity: Critical
• Category: Insecure Configurations
• CWE: 668
• URL: Github

Description

RDS must not be defined with public interface, which means the field 'publicly_accessible' should not be set to 'true' (default is 'false').
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file

---
- name: community - Create a DB instance using the default AWS KMS encryption key
  community.aws.rds_instance:
    id: test-encrypted-db
    state: present
    engine: mariadb
    storage_encrypted: True
    db_instance_class: db.t2.medium
    username: "{{ username }}"
    password: "{{ password }}"
    allocated_storage: "{{ allocated_storage }}"
    publicly_accessible: Yes
- name: community - Basic mysql provisioning example
  community.aws.rds:
    command: create
    instance_name: new-database
    db_engine: MySQL
    size: 10
    instance_type: db.m1.small
    username: mysql_admin
    password: 1nsecure
    publicly_accessible: "true"
    tags:
      Environment: testing
      Application: cms

Code samples without security vulnerabilities

Negative test num. 1 - yaml file

- name: create RDS instance in default VPC and default subnet group02
  community.aws.rds_instance:
    engine: aurora
    db_instance_identifier: ansible-test-aurora-db-instance
    instance_type: db.t2.small
    password: '{{ password }}'
    username: '{{ username }}'
    cluster_id: ansible-test-cluster
    publicly_accessible: false
- name: create RDS instance in default VPC and default subnet group03
  rds_instance:
    engine: aurora
    db_instance_identifier: ansible-test-aurora-db-instance
    instance_type: db.t2.small
    password: '{{ password }}'
    username: '{{ username }}'
    cluster_id: ansible-test-cluster