RDS Associated with Public Subnet
- Query id: 4e88adee-a8eb-4605-a78d-9fb1096e3091
- Query name: RDS Associated with Public Subnet
- Platform: CloudFormation
- Severity: Critical
- Category: Networking and Firewall
- CWE: 200
- URL: Github
Description
RDS instances should not run in a public subnet.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - yaml file
# Positive fixture for this query: the DB instance's subnet group includes
# mySubnet2, whose CidrBlock is 0.0.0.0/0. That subnet is the only thing
# that differs from the negative fixture, so it is what triggers the finding.
Resources:
  Positive1:
    Type: AWS::RDS::DBInstance
    DeletionPolicy: Snapshot
    Properties:
      Engine: oracle-ee
      LicenseModel: bring-your-own-license
      DBInstanceClass: db.t2.small
      AllocatedStorage: '5'
      BackupRetentionPeriod: 7
      MasterUsername: master
      # Literal credential kept only because this is a scanner fixture;
      # a real template should resolve the password from a secret store.
      MasterUserPassword: SecretPassword01
      DBSubnetGroupName:
        Ref: myDBSubnetGroup
  myDBSubnetGroup:
    Type: AWS::RDS::DBSubnetGroup
    Properties:
      DBSubnetGroupDescription: description
      SubnetIds:
        - Ref: mySubnet1
        - Ref: mySubnet2
      Tags:
        - Key: String
          Value: String
  mySubnet1:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId:
        Ref: myVPC
      CidrBlock: 10.0.0.0/24
      AvailabilityZone: us-east-1a
      Tags:
        - Key: stack
          Value: production
  mySubnet2:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId:
        Ref: myVPC
      # 0.0.0.0/0 as the subnet CIDR is what marks this subnet as public here
      CidrBlock: 0.0.0.0/0
      AvailabilityZone: us-east-1a
      Tags:
        - Key: stack
          Value: production
Positive test num. 2 - json file
{
"Resources": {
"Positive1": {
"DeletionPolicy": "Snapshot",
"Properties": {
"AllocatedStorage": "5",
"BackupRetentionPeriod": 7,
"DBInstanceClass": "db.t2.small",
"DBSubnetGroupName": {
"Ref": "myDBSubnetGroup"
},
"Engine": "oracle-ee",
"LicenseModel": "bring-your-own-license",
"MasterUserPassword": "SecretPassword01",
"MasterUsername": "master"
},
"Type": "AWS::RDS::DBInstance"
},
"myDBSubnetGroup": {
"Properties": {
"DBSubnetGroupDescription": "description",
"SubnetIds": [
{
"Ref": "mySubnet1"
},
{
"Ref": "mySubnet2"
}
],
"Tags": [
{
"Key": "String",
"Value": "String"
}
]
},
"Type": "AWS::RDS::DBSubnetGroup"
},
"mySubnet1": {
"Properties": {
"AvailabilityZone": "us-east-1a",
"CidrBlock": "10.0.0.0/24",
"Tags": [
{
"Key": "stack",
"Value": "production"
}
],
"VpcId": {
"Ref": "myVPC"
}
},
"Type": "AWS::EC2::Subnet"
},
"mySubnet2": {
"Properties": {
"AvailabilityZone": "us-east-1a",
"CidrBlock": "0.0.0.0/0",
"Tags": [
{
"Key": "stack",
"Value": "production"
}
],
"VpcId": {
"Ref": "myVPC"
}
},
"Type": "AWS::EC2::Subnet"
}
}
}
Code samples without security vulnerabilities
Negative test num. 1 - yaml file
# Negative fixture for this query: the subnet group references only
# mySubnet10 (10.0.0.0/24), so the DB instance is not placed in a subnet
# with a 0.0.0.0/0 CIDR and the query does not fire.
Resources:
  Negative1:
    Type: AWS::RDS::DBInstance
    DeletionPolicy: Snapshot
    Properties:
      Engine: oracle-ee
      LicenseModel: bring-your-own-license
      DBInstanceClass: db.t2.small
      AllocatedStorage: '5'
      BackupRetentionPeriod: 7
      MasterUsername: master
      # Literal credential kept only because this is a scanner fixture;
      # a real template should resolve the password from a secret store.
      MasterUserPassword: SecretPassword01
      DBSubnetGroupName:
        Ref: myDBSubnetGroup0
  myDBSubnetGroup0:
    Type: AWS::RDS::DBSubnetGroup
    Properties:
      DBSubnetGroupDescription: description
      SubnetIds:
        - Ref: mySubnet10
      Tags:
        - Key: String
          Value: String
  mySubnet10:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId:
        Ref: myVPC
      CidrBlock: 10.0.0.0/24
      AvailabilityZone: us-east-1a
      Tags:
        - Key: stack
          Value: production
Negative test num. 2 - json file
{
"Resources": {
"Negative1": {
"DeletionPolicy": "Snapshot",
"Properties": {
"AllocatedStorage": "5",
"BackupRetentionPeriod": 7,
"DBInstanceClass": "db.t2.small",
"DBSubnetGroupName": {
"Ref": "myDBSubnetGroup0"
},
"Engine": "oracle-ee",
"LicenseModel": "bring-your-own-license",
"MasterUserPassword": "SecretPassword01",
"MasterUsername": "master"
},
"Type": "AWS::RDS::DBInstance"
},
"myDBSubnetGroup0": {
"Properties": {
"DBSubnetGroupDescription": "description",
"SubnetIds": [
{
"Ref": "mySubnet10"
}
],
"Tags": [
{
"Key": "String",
"Value": "String"
}
]
},
"Type": "AWS::RDS::DBSubnetGroup"
},
"mySubnet10": {
"Properties": {
"AvailabilityZone": "us-east-1a",
"CidrBlock": "10.0.0.0/24",
"Tags": [
{
"Key": "stack",
"Value": "production"
}
],
"VpcId": {
"Ref": "myVPC"
}
},
"Type": "AWS::EC2::Subnet"
}
}
}