Neptune Database Cluster Encryption Disabled
- Query id: bf4473f1-c8a2-4b1b-8134-bd32efabab93
- Query name: Neptune Database Cluster Encryption Disabled
- Platform: CloudFormation
- Severity: High
- Category: Encryption
- CWE: 312
- URL: Github
Description
Neptune database cluster storage should have encryption at rest enabled by setting `StorageEncrypted: true` on the `AWS::Neptune::DBCluster` resource. A cluster created with `StorageEncrypted: false`, or with the property omitted (a newly created cluster is unencrypted unless it inherits the encryption state of a snapshot or source cluster), stores its data unencrypted. Two caveats worth knowing when fixing a finding: Neptune encryption can only be chosen at cluster creation, so changing this property on an existing cluster means replacing it (restoring into a new, encrypted cluster), and `KmsKeyId` is only valid together with `StorageEncrypted: true`, so a template that sets a key while leaving encryption off fails at deploy time.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - yaml file
```yaml
AWSTemplateFormatVersion: 2010-09-09
Description: A sample template
Resources:
  NeptuneDBCluster:
    Type: AWS::Neptune::DBCluster
    Properties:
      AssociatedRoles:
        - DBClusterRole
      AvailabilityZones:
        - String
      DBClusterIdentifier: String
      DBClusterParameterGroupName: String
      DBSubnetGroupName: String
      DeletionProtection: true
      EnableCloudwatchLogsExports:
        - String
      EngineVersion: String
      IamAuthEnabled: true
      KmsKeyId: String
      Port: 8182
      PreferredBackupWindow: String
      PreferredMaintenanceWindow: String
      RestoreToTime: String
      RestoreType: String
      SnapshotIdentifier: String
      SourceDBClusterIdentifier: String
      StorageEncrypted: false
      Tags:
        - Tag
      UseLatestRestorableTime: true
      VpcSecurityGroupIds:
        - String
```
Positive test num. 2 - json file
```json
{
  "Resources": {
    "NeptuneDBCluster": {
      "Type": "AWS::Neptune::DBCluster",
      "Properties": {
        "DBClusterIdentifier": "String",
        "EnableCloudwatchLogsExports": [
          "String"
        ],
        "EngineVersion": "String",
        "Port": 8182,
        "SourceDBClusterIdentifier": "String",
        "Tags": [
          "Tag"
        ],
        "AssociatedRoles": [
          "DBClusterRole"
        ],
        "DBSubnetGroupName": "String",
        "RestoreToTime": "String",
        "StorageEncrypted": false,
        "UseLatestRestorableTime": true,
        "DBClusterParameterGroupName": "String",
        "PreferredBackupWindow": "String",
        "SnapshotIdentifier": "String",
        "IamAuthEnabled": true,
        "DeletionProtection": true,
        "KmsKeyId": "String",
        "PreferredMaintenanceWindow": "String",
        "RestoreType": "String",
        "VpcSecurityGroupIds": [
          "String"
        ],
        "AvailabilityZones": [
          "String"
        ]
      }
    }
  },
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "A sample template"
}
```
Code samples without security vulnerabilities
Negative test num. 1 - yaml file
```yaml
AWSTemplateFormatVersion: 2010-09-09
Description: A sample template
Resources:
  NeptuneDBCluster:
    Type: AWS::Neptune::DBCluster
    Properties:
      AssociatedRoles:
        - DBClusterRole
      AvailabilityZones:
        - String
      DBClusterIdentifier: String
      DBClusterParameterGroupName: String
      DBSubnetGroupName: String
      DeletionProtection: true
      EnableCloudwatchLogsExports:
        - String
      EngineVersion: String
      IamAuthEnabled: true
      KmsKeyId: String
      Port: 8182
      PreferredBackupWindow: String
      PreferredMaintenanceWindow: String
      RestoreToTime: String
      RestoreType: String
      SnapshotIdentifier: String
      SourceDBClusterIdentifier: String
      StorageEncrypted: true
      Tags:
        - Tag
      UseLatestRestorableTime: true
      VpcSecurityGroupIds:
        - String
```
Negative test num. 2 - json file
```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "A sample template",
  "Resources": {
    "NeptuneDBCluster": {
      "Type": "AWS::Neptune::DBCluster",
      "Properties": {
        "AvailabilityZones": [
          "String"
        ],
        "VpcSecurityGroupIds": [
          "String"
        ],
        "Tags": [
          "Tag"
        ],
        "EnableCloudwatchLogsExports": [
          "String"
        ],
        "EngineVersion": "String",
        "IamAuthEnabled": true,
        "KmsKeyId": "String",
        "PreferredMaintenanceWindow": "String",
        "RestoreToTime": "String",
        "SnapshotIdentifier": "String",
        "AssociatedRoles": [
          "DBClusterRole"
        ],
        "DBClusterIdentifier": "String",
        "DBClusterParameterGroupName": "String",
        "DeletionProtection": true,
        "Port": 8182,
        "PreferredBackupWindow": "String",
        "StorageEncrypted": true,
        "DBSubnetGroupName": "String",
        "RestoreType": "String",
        "SourceDBClusterIdentifier": "String",
        "UseLatestRestorableTime": true
      }
    }
  }
}
```
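As an added example (not part of this page and not the KICS query itself, which is written in Rego), the following Python implements the same check over a CloudFormation template that has already been parsed into a dict. It goes slightly beyond the two samples above: besides an explicit `false` it also reports a cluster that omits `StorageEncrypted`, distinguishes the snapshot/source-cluster restore case where the value is inherited, and surfaces a value that is an intrinsic function rather than a literal boolean. The `*_TEMPLATE` constants are constructed inputs: the first two are the page's positive and negative samples trimmed to the relevant properties, the others are made up to exercise the extra cases; the `_cluster` helper and the `EncryptStorage` parameter name are likewise assumptions for the example.

```python
"""Flag AWS::Neptune::DBCluster resources whose storage is not encrypted at rest.

Added example, not the KICS query itself. Input is a CloudFormation template already
parsed into a dict (json.load for JSON templates; YAML templates need a loader that
understands the !Ref/!Sub short-form tags, e.g. cfn-flip, not plain yaml.safe_load).
"""
from typing import Any

NEPTUNE_CLUSTER = "AWS::Neptune::DBCluster"
# With one of these set, the encryption state is inherited from the snapshot or
# source cluster, so an omitted StorageEncrypted is "verify", not a hard fail.
INHERITS_ENCRYPTION = ("SnapshotIdentifier", "SourceDBClusterIdentifier")


def check_neptune_encryption(template: dict[str, Any]) -> list[dict[str, str]]:
    """Return one finding per Neptune cluster whose StorageEncrypted is not literally true."""
    findings: list[dict[str, str]] = []
    for name, resource in (template.get("Resources") or {}).items():
        if not isinstance(resource, dict) or resource.get("Type") != NEPTUNE_CLUSTER:
            continue
        props = resource.get("Properties") or {}
        value = props.get("StorageEncrypted")
        if value is True:
            continue  # compliant
        if value is False:
            code, detail = "false", "StorageEncrypted is explicitly false"
        elif value is None and any(p in props for p in INHERITS_ENCRYPTION):
            code, detail = "omitted-inherited", "StorageEncrypted omitted; confirm the snapshot or source cluster is encrypted"
        elif value is None:
            code, detail = "omitted", "StorageEncrypted omitted; a new cluster is created unencrypted"
        else:
            # Intrinsic function ({"Ref": ...}, {"Fn::If": ...}) or a non-boolean such as the
            # string "true": the value cannot be proven statically, so surface it for review.
            code, detail = "unresolved", f"StorageEncrypted is not a literal boolean: {value!r}"
        findings.append({"resource": name, "code": code, "detail": detail})
    return findings


def _cluster(**props: Any) -> dict[str, Any]:
    """Build a minimal template around one Neptune cluster (constructed test scaffolding)."""
    return {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Resources": {
            "NeptuneDBCluster": {"Type": NEPTUNE_CLUSTER, "Properties": props},
            # A same-service but different-type resource, to show that only clusters are examined.
            "NeptuneDBInstance": {"Type": "AWS::Neptune::DBInstance",
                                  "Properties": {"DBInstanceClass": "db.r5.large"}},
        },
    }


# Constructed inputs: the first two are the page's positive/negative samples trimmed to the
# properties that matter, the rest cover cases the page's samples do not show.
UNENCRYPTED_TEMPLATE = _cluster(DBClusterIdentifier="String", Port=8182,
                                KmsKeyId="String", StorageEncrypted=False)
ENCRYPTED_TEMPLATE = _cluster(DBClusterIdentifier="String", Port=8182,
                              KmsKeyId="String", StorageEncrypted=True)
OMITTED_TEMPLATE = _cluster(DBClusterIdentifier="String", Port=8182)
RESTORED_TEMPLATE = _cluster(DBClusterIdentifier="String", SnapshotIdentifier="nightly-snapshot")
UNRESOLVED_TEMPLATE = _cluster(DBClusterIdentifier="String",
                               StorageEncrypted={"Ref": "EncryptStorage"})  # hypothetical parameter

if __name__ == "__main__":
    for label, tmpl in [("unencrypted", UNENCRYPTED_TEMPLATE), ("encrypted", ENCRYPTED_TEMPLATE),
                        ("omitted", OMITTED_TEMPLATE), ("restored", RESTORED_TEMPLATE),
                        ("unresolved", UNRESOLVED_TEMPLATE)]:
        print(label, check_neptune_encryption(tmpl) or "OK")
```

The `unresolved` and `omitted-inherited` codes are deliberately separate from `false`: a value fed in through a parameter or `Fn::If` can still end up `true` at deploy time, and a restored cluster may be encrypted already, so those findings are for review rather than an automatic fail, whereas an explicit `false` (as in the positive samples) is always a finding.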