# Neptune Database Cluster Encryption Disabled
- Query id: 83bf5aca-138a-498e-b9cd-ad5bc5e117b4
- Query name: Neptune Database Cluster Encryption Disabled
- Platform: Crossplane
- Severity: High
- Category: Encryption
- CWE: 311
- URL: Github
## Description

Neptune database cluster storage should have encryption enabled: set `spec.forProvider.storageEncrypted` to `true` on every `DBCluster`, including a cluster defined as the `base` of a Composition resource. Omitting the field is flagged as well, because the cluster is then created with unencrypted storage.

Documentation

## Code samples

### Code samples with security vulnerabilities
Positive test num. 1 - yaml file

```yaml
apiVersion: neptune.aws.crossplane.io/v1alpha1
kind: DBCluster
metadata:
  name: sample-cluster3
spec:
  forProvider:
    region: eu-central-1
    applyImmediately: true
    backupRetentionPeriod: 5
    engine: neptune
    enableIAMDatabaseAuthentication: true
    deletionProtection: false
    preferredBackupWindow: 07:00-09:00
    skipFinalSnapshot: true
---
apiVersion: apiextensions.crossplane.io/v1
kind: Composition
metadata:
  name: cluster-aws
  labels:
    provider: aws
    cluster: eks
spec:
  compositeTypeRef:
    apiVersion: mydev.org/v1alpha1
    kind: CompositeCluster
  writeConnectionSecretsToNamespace: crossplane-system
  patchSets:
    - name: metadata
      patches:
        - fromFieldPath: metadata.labels
  resources:
    - name: sample-ec2
      base:
        apiVersion: neptune.aws.crossplane.io/v1alpha1
        kind: DBCluster
        metadata:
          name: sample-cluster4
        spec:
          forProvider:
            region: eu-central-1
            applyImmediately: true
            backupRetentionPeriod: 5
            engine: neptune
            enableIAMDatabaseAuthentication: true
            deletionProtection: false
            preferredBackupWindow: 07:00-09:00
            skipFinalSnapshot: true
```
Positive test num. 2 - yaml file

```yaml
apiVersion: neptune.aws.crossplane.io/v1alpha1
kind: DBCluster
metadata:
  name: sample-cluster3
spec:
  forProvider:
    region: eu-central-1
    applyImmediately: true
    backupRetentionPeriod: 5
    engine: neptune
    enableIAMDatabaseAuthentication: true
    deletionProtection: false
    preferredBackupWindow: 07:00-09:00
    skipFinalSnapshot: true
    storageEncrypted: false
---
apiVersion: apiextensions.crossplane.io/v1
kind: Composition
metadata:
  name: cluster-aws
  labels:
    provider: aws
    cluster: eks
spec:
  compositeTypeRef:
    apiVersion: mydev.org/v1alpha1
    kind: CompositeCluster
  writeConnectionSecretsToNamespace: crossplane-system
  patchSets:
    - name: metadata
      patches:
        - fromFieldPath: metadata.labels
  resources:
    - name: sample-ec2
      base:
        apiVersion: neptune.aws.crossplane.io/v1alpha1
        kind: DBCluster
        metadata:
          name: sample-cluster4
        spec:
          forProvider:
            region: eu-central-1
            applyImmediately: true
            backupRetentionPeriod: 5
            engine: neptune
            enableIAMDatabaseAuthentication: true
            deletionProtection: false
            preferredBackupWindow: 07:00-09:00
            skipFinalSnapshot: true
            storageEncrypted: false
```
### Code samples without security vulnerabilities

Negative test num. 1 - yaml file

```yaml
apiVersion: neptune.aws.crossplane.io/v1alpha1
kind: DBCluster
metadata:
  name: sample-cluster
spec:
  forProvider:
    region: eu-central-1
    applyImmediately: true
    backupRetentionPeriod: 5
    engine: neptune
    enableIAMDatabaseAuthentication: true
    deletionProtection: false
    preferredBackupWindow: 07:00-09:00
    skipFinalSnapshot: true
    storageEncrypted: true
---
apiVersion: apiextensions.crossplane.io/v1
kind: Composition
metadata:
  name: cluster-aws
  labels:
    provider: aws
    cluster: eks
spec:
  compositeTypeRef:
    apiVersion: mydev.org/v1alpha1
    kind: CompositeCluster
  writeConnectionSecretsToNamespace: crossplane-system
  patchSets:
    - name: metadata
      patches:
        - fromFieldPath: metadata.labels
  resources:
    - name: sample-ec2
      base:
        apiVersion: neptune.aws.crossplane.io/v1alpha1
        kind: DBCluster
        metadata:
          name: sample-cluster2
        spec:
          forProvider:
            region: eu-central-1
            applyImmediately: true
            backupRetentionPeriod: 5
            engine: neptune
            enableIAMDatabaseAuthentication: true
            deletionProtection: false
            preferredBackupWindow: 07:00-09:00
            skipFinalSnapshot: true
            storageEncrypted: true
```
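As an added example (not the KICS query itself, which is written in Rego), the check below walks already-parsed Crossplane manifests, such as the output of PyYAML's `yaml.safe_load_all`, and reports every Neptune `DBCluster` whose `storageEncrypted` is missing or not the boolean `true`, descending into a Composition's `resources[].base` exactly as the samples above require. The function names and the sample documents are my own constructions.

```python
# Added example, not the KICS query itself (which is written in Rego).
NEPTUNE_API_PREFIX = "neptune.aws.crossplane.io/"

def _neptune_clusters(doc, path):
    """Yield (path, manifest) for each DBCluster in a document, descending
    into the `base` of every resource of a Composition."""
    if not isinstance(doc, dict):
        return
    api, kind = str(doc.get("apiVersion", "")), doc.get("kind")
    if api.startswith(NEPTUNE_API_PREFIX) and kind == "DBCluster":
        yield path, doc
    elif kind == "Composition":
        for i, res in enumerate((doc.get("spec") or {}).get("resources") or []):
            base = res.get("base") if isinstance(res, dict) else None
            yield from _neptune_clusters(base, f"{path}.spec.resources[{i}].base")

def find_unencrypted(docs):
    """One finding per cluster whose spec.forProvider.storageEncrypted is not
    the boolean true. A missing key is flagged (AWS defaults it to false), and
    so is a quoted string such as "true", which YAML does not load as a bool."""
    findings = []
    for n, doc in enumerate(docs):
        for path, cluster in _neptune_clusters(doc, f"doc[{n}]"):
            name = (cluster.get("metadata") or {}).get("name", "<unnamed>")
            for_provider = (cluster.get("spec") or {}).get("forProvider") or {}
            value = for_provider.get("storageEncrypted")
            if value is True:
                continue
            reason = "undefined" if value is None else f"set to {value!r}"
            findings.append({"name": name, "path": path,
                             "reason": f"storageEncrypted is {reason}"})
    return findings

def _cluster(name, **for_provider):
    """Constructed sample: a minimal DBCluster carrying only the relevant fields."""
    return {"apiVersion": "neptune.aws.crossplane.io/v1alpha1", "kind": "DBCluster",
            "metadata": {"name": name},
            "spec": {"forProvider": {"region": "eu-central-1", **for_provider}}}

# Constructed to mirror the page's samples: key missing, explicit false inside a
# Composition base, and the compliant explicit true.
SAMPLE_DOCS = [
    _cluster("sample-cluster3"),
    {"apiVersion": "apiextensions.crossplane.io/v1", "kind": "Composition",
     "metadata": {"name": "cluster-aws"},
     "spec": {"resources": [{"name": "sample-ec2",
                             "base": _cluster("sample-cluster4", storageEncrypted=False)}]}},
    _cluster("sample-cluster", storageEncrypted=True),
]
```

Running `find_unencrypted(SAMPLE_DOCS)` reports `sample-cluster3` (key undefined) and `sample-cluster4` (set to False) with the path into the Composition, and nothing for `sample-cluster`.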