RDS DB Instance With Deletion Protection Disabled
- Query id: 2c161e58-cb52-454f-abea-6470c37b5e6e
- Query name: RDS DB Instance With Deletion Protection Disabled
- Platform: CloudFormation
- Severity: Low
- Category: Backup
- CWE: 459
- URL: Github
Description¶
RDS DBInstance should have `DeletionProtection` set to `true`. The property defaults to `false`, so a template that omits it (positive tests 2 and 4 below) is flagged the same as one that sets it to `false` explicitly. While enabled, deletion protection causes `DeleteDBInstance` calls — including the one CloudFormation issues on stack deletion or resource replacement — to fail. It can be switched off by anyone allowed to call `rds:ModifyDBInstance`, so treat it as a guardrail against accidental deletion, not a replacement for IAM restrictions, a resource-level `DeletionPolicy`, and backups.
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - yaml file
# KICS fixture (positive): flagged because MyDBSmall sets DeletionProtection to false.
# NOTE(review): the Description is copied from another fixture. The DBInstance
# properties (SourceDBInstanceIdentifier + SourceRegion + KmsKeyId) look like a
# cross-region encrypted read replica, which is unrelated to this check.
# The unquoted date-like scalars below (AWSTemplateFormatVersion, KeyPolicy
# Version) are parsed as timestamps by YAML 1.1 loaders -- the JSON renderings
# of these fixtures show "2010-09-09T00:00:00Z". CloudFormation accepts the
# plain form, but quote them if the template passes through generic YAML tooling.
AWSTemplateFormatVersion: 2010-09-09
Description: RDS Storage Encrypted
Parameters:
  SourceDBInstanceIdentifier:
    Type: String
  DBInstanceType:
    Type: String
  SourceRegion:
    Type: String
Resources:
  MyKey:
    Type: "AWS::KMS::Key"
    Properties:
      KeyPolicy:
        Version: 2012-10-17
        Id: key-default-1
        Statement:
          # Standard default key-policy statement: grants the account root
          # kms:* so that IAM policies in the account can govern key access.
          # It is deliberately broad; scope it down if the key needs to be
          # limited to specific principals.
          - Sid: Enable IAM User Permissions
            Effect: Allow
            Principal:
              AWS: !Join
                - ""
                - - "arn:aws:iam::"
                  - !Ref "AWS::AccountId"
                  - ":root"
            Action: "kms:*"
            Resource: "*"
  MyDBSmall:
    Type: "AWS::RDS::DBInstance"
    Properties:
      DBInstanceClass: !Ref DBInstanceType
      SourceDBInstanceIdentifier: !Ref SourceDBInstanceIdentifier
      SourceRegion: !Ref SourceRegion
      # FINDING: deletion protection explicitly disabled. Nothing stops a
      # DeleteDBInstance call (including the one issued on stack deletion)
      # from removing this instance. No DeletionPolicy is set on the resource
      # either, so there is no second line of defence at the stack level.
      DeletionProtection: false
      KmsKeyId: !Ref MyKey
Outputs:
  InstanceId:
    Description: InstanceId of the newly created RDS Instance
    Value: !Ref MyDBSmall
Positive test num. 2 - yaml file
# KICS fixture (positive): flagged because MyDBSmall1 does not set
# DeletionProtection at all. The property defaults to false, so omitting it
# is equivalent to an explicit "false" for this check.
# NOTE(review): `!Ref MyKey` on the DBInstance does not resolve -- the key
# resource in this template is named MyKey1. CloudFormation would reject the
# template with an unresolved-reference error; it only works as a
# static-analysis fixture, so do not copy it as a deployable example.
# Unquoted date-like scalars (AWSTemplateFormatVersion, KeyPolicy Version) are
# timestamps to YAML 1.1 loaders; quote them outside CloudFormation's own parser.
AWSTemplateFormatVersion: 2010-09-09
Description: RDS Storage Encrypted
Parameters:
  SourceDBInstanceIdentifier:
    Type: String
  DBInstanceType:
    Type: String
  SourceRegion:
    Type: String
Resources:
  MyKey1:
    Type: "AWS::KMS::Key"
    Properties:
      KeyPolicy:
        Version: 2012-10-17
        Id: key-default-1
        Statement:
          # Standard default key-policy statement: account root gets kms:*
          # so IAM policies can govern access to the key.
          - Sid: Enable IAM User Permissions
            Effect: Allow
            Principal:
              AWS: !Join
                - ""
                - - "arn:aws:iam::"
                  - !Ref "AWS::AccountId"
                  - ":root"
            Action: "kms:*"
            Resource: "*"
  MyDBSmall1:
    Type: "AWS::RDS::DBInstance"
    Properties:
      DBInstanceClass: !Ref DBInstanceType
      SourceDBInstanceIdentifier: !Ref SourceDBInstanceIdentifier
      SourceRegion: !Ref SourceRegion
      # FINDING: DeletionProtection is missing here, so the instance is
      # created with the default (disabled). Add `DeletionProtection: true`.
      # NOTE(review): dangling reference -- the key above is MyKey1, not MyKey.
      KmsKeyId: !Ref MyKey
Outputs:
  InstanceId:
    Description: InstanceId of the newly created RDS Instance
    Value: !Ref MyDBSmall1
Positive test num. 3 - json file
{
"AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
"Description": "RDS Storage Encrypted",
"Parameters": {
"SourceDBInstanceIdentifier": {
"Type": "String"
},
"DBInstanceType": {
"Type": "String"
},
"SourceRegion": {
"Type": "String"
}
},
"Resources": {
"MyKey": {
"Type": "AWS::KMS::Key",
"Properties": {
"KeyPolicy": {
"Version": "2012-10-17T00:00:00Z",
"Id": "key-default-1",
"Statement": [
{
"Principal": {
"AWS": [
"",
[
"arn:aws:iam::",
"AWS::AccountId",
":root"
]
]
},
"Action": "kms:*",
"Resource": "*",
"Sid": "Enable IAM User Permissions",
"Effect": "Allow"
}
]
}
}
},
"MyDBSmall": {
"Type": "AWS::RDS::DBInstance",
"Properties": {
"DBInstanceClass": "DBInstanceType",
"SourceDBInstanceIdentifier": "SourceDBInstanceIdentifier",
"SourceRegion": "SourceRegion",
"DeletionProtection": false,
"KmsKeyId": "MyKey"
}
}
},
"Outputs": {
"InstanceId": {
"Description": "InstanceId of the newly created RDS Instance",
"Value": "MyDBSmall"
}
}
}
Positive test num. 4 - json file
{
"AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
"Description": "RDS Storage Encrypted",
"Parameters": {
"SourceDBInstanceIdentifier": {
"Type": "String"
},
"DBInstanceType": {
"Type": "String"
},
"SourceRegion": {
"Type": "String"
}
},
"Resources": {
"MyKey1": {
"Type": "AWS::KMS::Key",
"Properties": {
"KeyPolicy": {
"Id": "key-default-1",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": [
"",
[
"arn:aws:iam::",
"AWS::AccountId",
":root"
]
]
},
"Action": "kms:*",
"Resource": "*",
"Sid": "Enable IAM User Permissions"
}
],
"Version": "2012-10-17T00:00:00Z"
}
}
},
"MyDBSmall1": {
"Type": "AWS::RDS::DBInstance",
"Properties": {
"SourceRegion": "SourceRegion",
"KmsKeyId": "MyKey",
"DBInstanceClass": "DBInstanceType",
"SourceDBInstanceIdentifier": "SourceDBInstanceIdentifier"
}
}
},
"Outputs": {
"InstanceId": {
"Description": "InstanceId of the newly created RDS Instance",
"Value": "MyDBSmall1"
}
}
}
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml file
# KICS fixture (negative): passes because MyDBSmall sets DeletionProtection to true.
# NOTE(review): the Description is copied from another fixture; the DBInstance
# properties look like a cross-region encrypted read replica, which is
# unrelated to the deletion-protection check.
# Unquoted date-like scalars (AWSTemplateFormatVersion, KeyPolicy Version) are
# timestamps to YAML 1.1 loaders -- the JSON rendering of this fixture shows
# "2010-09-09T00:00:00Z". Quote them if the template leaves CloudFormation.
AWSTemplateFormatVersion: 2010-09-09
Description: RDS Storage Encrypted
Parameters:
  SourceDBInstanceIdentifier:
    Type: String
  DBInstanceType:
    Type: String
  SourceRegion:
    Type: String
Resources:
  MyKey:
    Type: "AWS::KMS::Key"
    Properties:
      KeyPolicy:
        Version: 2012-10-17
        Id: key-default-1
        Statement:
          # Standard default key-policy statement: account root gets kms:*
          # so IAM policies can govern access to the key.
          - Sid: Enable IAM User Permissions
            Effect: Allow
            Principal:
              AWS: !Join
                - ""
                - - "arn:aws:iam::"
                  - !Ref "AWS::AccountId"
                  - ":root"
            Action: "kms:*"
            Resource: "*"
  MyDBSmall:
    Type: "AWS::RDS::DBInstance"
    Properties:
      DBInstanceClass: !Ref DBInstanceType
      SourceDBInstanceIdentifier: !Ref SourceDBInstanceIdentifier
      SourceRegion: !Ref SourceRegion
      # Compliant: DeleteDBInstance (and stack deletion) fails while this is
      # true. It is only a guardrail -- a principal with rds:ModifyDBInstance
      # can clear it first -- so restrict that permission and consider a
      # resource-level DeletionPolicy as well.
      DeletionProtection: true
      KmsKeyId: !Ref MyKey
Outputs:
  InstanceId:
    Description: InstanceId of the newly created RDS Instance
    Value: !Ref MyDBSmall
Negative test num. 2 - json file
{
"AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
"Description": "RDS Storage Encrypted",
"Parameters": {
"DBInstanceType": {
"Type": "String"
},
"SourceRegion": {
"Type": "String"
},
"SourceDBInstanceIdentifier": {
"Type": "String"
}
},
"Resources": {
"MyKey": {
"Type": "AWS::KMS::Key",
"Properties": {
"KeyPolicy": {
"Id": "key-default-1",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": [
"",
[
"arn:aws:iam::",
"AWS::AccountId",
":root"
]
]
},
"Action": "kms:*",
"Resource": "*"
}
],
"Version": "2012-10-17T00:00:00Z"
}
}
},
"MyDBSmall": {
"Type": "AWS::RDS::DBInstance",
"Properties": {
"SourceDBInstanceIdentifier": "SourceDBInstanceIdentifier",
"SourceRegion": "SourceRegion",
"DeletionProtection": true,
"KmsKeyId": "MyKey",
"DBInstanceClass": "DBInstanceType"
}
}
},
"Outputs": {
"InstanceId": {
"Description": "InstanceId of the newly created RDS Instance",
"Value": "MyDBSmall"
}
}
}