RDS Associated with Public Subnet

  • Query id: 4e88adee-a8eb-4605-a78d-9fb1096e3091
  • Query name: RDS Associated with Public Subnet
  • Platform: CloudFormation
  • Severity: Critical
  • Category: Networking and Firewall
  • CWE: 200
  • URL: Github

Description

RDS should not run in public subnet
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
Resources:
 Positive1:
  Type: AWS::RDS::DBInstance
  Properties:
    AllocatedStorage: '5'
    DBInstanceClass: db.t2.small
    Engine: oracle-ee
    LicenseModel: bring-your-own-license
    MasterUsername: master
    MasterUserPassword: SecretPassword01
    BackupRetentionPeriod: 7
    DBSubnetGroupName:
       Ref: myDBSubnetGroup
  DeletionPolicy: Snapshot
 myDBSubnetGroup: 
    Properties: 
      DBSubnetGroupDescription: description
      SubnetIds: 
        - Ref: mySubnet1
        - Ref: mySubnet2
      Tags: 
        - 
          Key: String
          Value: String
    Type: "AWS::RDS::DBSubnetGroup"
 mySubnet1:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId:
        Ref: myVPC
      CidrBlock: 10.0.0.0/24
      AvailabilityZone: "us-east-1a"
      Tags:
      - Key: stack
        Value: production
 mySubnet2:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId:
        Ref: myVPC
      CidrBlock: 0.0.0.0/0
      AvailabilityZone: "us-east-1a"
      Tags:
      - Key: stack
        Value: production
Positive test num. 2 - json file
{
  "Resources": {
    "Positive1": {
      "DeletionPolicy": "Snapshot",
      "Properties": {
        "AllocatedStorage": "5",
        "BackupRetentionPeriod": 7,
        "DBInstanceClass": "db.t2.small",
        "DBSubnetGroupName": {
          "Ref": "myDBSubnetGroup"
        },
        "Engine": "oracle-ee",
        "LicenseModel": "bring-your-own-license",
        "MasterUserPassword": "SecretPassword01",
        "MasterUsername": "master"
      },
      "Type": "AWS::RDS::DBInstance"
    },
    "myDBSubnetGroup": {
      "Properties": {
        "DBSubnetGroupDescription": "description",
        "SubnetIds": [
          {
            "Ref": "mySubnet1"
          },
          {
            "Ref": "mySubnet2"
          }
        ],
        "Tags": [
          {
            "Key": "String",
            "Value": "String"
          }
        ]
      },
      "Type": "AWS::RDS::DBSubnetGroup"
    },
    "mySubnet1": {
      "Properties": {
        "AvailabilityZone": "us-east-1a",
        "CidrBlock": "10.0.0.0/24",
        "Tags": [
          {
            "Key": "stack",
            "Value": "production"
          }
        ],
        "VpcId": {
          "Ref": "myVPC"
        }
      },
      "Type": "AWS::EC2::Subnet"
    },
    "mySubnet2": {
      "Properties": {
        "AvailabilityZone": "us-east-1a",
        "CidrBlock": "0.0.0.0/0",
        "Tags": [
          {
            "Key": "stack",
            "Value": "production"
          }
        ],
        "VpcId": {
          "Ref": "myVPC"
        }
      },
      "Type": "AWS::EC2::Subnet"
    }
  }
}

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
Resources:
 Negative1:
  Type: AWS::RDS::DBInstance
  Properties:
    AllocatedStorage: '5'
    DBInstanceClass: db.t2.small
    Engine: oracle-ee
    LicenseModel: bring-your-own-license
    MasterUsername: master
    MasterUserPassword: SecretPassword01
    BackupRetentionPeriod: 7
    DBSubnetGroupName:
       Ref: myDBSubnetGroup0
  DeletionPolicy: Snapshot
 myDBSubnetGroup0: 
    Properties: 
      DBSubnetGroupDescription: description
      SubnetIds: 
        - Ref: mySubnet10
      Tags: 
        - 
          Key: String
          Value: String
    Type: "AWS::RDS::DBSubnetGroup"
 mySubnet10:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId:
        Ref: myVPC
      CidrBlock: 10.0.0.0/24
      AvailabilityZone: "us-east-1a"
      Tags:
      - Key: stack
        Value: production
Negative test num. 2 - json file
{
  "Resources": {
    "Negative1": {
      "DeletionPolicy": "Snapshot",
      "Properties": {
        "AllocatedStorage": "5",
        "BackupRetentionPeriod": 7,
        "DBInstanceClass": "db.t2.small",
        "DBSubnetGroupName": {
          "Ref": "myDBSubnetGroup0"
        },
        "Engine": "oracle-ee",
        "LicenseModel": "bring-your-own-license",
        "MasterUserPassword": "SecretPassword01",
        "MasterUsername": "master"
      },
      "Type": "AWS::RDS::DBInstance"
    },
    "myDBSubnetGroup0": {
      "Properties": {
        "DBSubnetGroupDescription": "description",
        "SubnetIds": [
          {
            "Ref": "mySubnet10"
          }
        ],
        "Tags": [
          {
            "Key": "String",
            "Value": "String"
          }
        ]
      },
      "Type": "AWS::RDS::DBSubnetGroup"
    },
    "mySubnet10": {
      "Properties": {
        "AvailabilityZone": "us-east-1a",
        "CidrBlock": "10.0.0.0/24",
        "Tags": [
          {
            "Key": "stack",
            "Value": "production"
          }
        ],
        "VpcId": {
          "Ref": "myVPC"
        }
      },
      "Type": "AWS::EC2::Subnet"
    }
  }
}