RDS DB Instance Publicly Accessible
- Query id: d9dc6429-5140-498a-8f55-a10daac5f000
- Query name: RDS DB Instance Publicly Accessible
- Platform: Crossplane
- Severity: Medium
- Category: Insecure Configurations
- CWE: 284
- URL: Github
Description¶
RDS must not be defined with public interface, which means the attribute 'PubliclyAccessible' must be set to false and neither dbSubnetGroupName' subnets being part of a VPC that has an Internet gateway attached to it
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - yaml file
apiVersion: database.aws.crossplane.io/v1beta1
kind: RDSInstance
metadata:
name: sample-cluster3
spec:
forProvider:
publiclyAccessible: true
---
apiVersion: database.aws.crossplane.io/v1alpha3
kind: DBSubnetGroup
metadata:
name: my-db-subnet-group
spec:
forProvider:
description: "My DB Subnet Group"
subnetIds:
- subnet-12345678
- subnet-87654321
Positive test num. 2 - yaml file
apiVersion: database.aws.crossplane.io/v1beta1
kind: RDSInstance
metadata:
name: my-rds-instance
spec:
forProvider:
engine: mysql
engineVersion: "8.0"
instanceClass: db.t2.micro
allocatedStorage: 20
dbSubnetGroupName: my-db-subnet-group
writeConnectionSecretToRef:
name: my-rds-instance-connection
---
apiVersion: database.aws.crossplane.io/v1alpha3
kind: DBSubnetGroup
metadata:
name: my-db-subnet-group
spec:
forProvider:
description: "My DB Subnet Group"
subnetIds:
- subnet-12345678
- subnet-87654321
---
apiVersion: ec2.aws.crossplane.io/v1beta1
kind: Subnet
metadata:
name: subnet-12345678
spec:
forProvider:
cidrBlock: "10.0.0.0/24"
vpcId: vpc-abcdef12
availabilityZone: us-west-2a
---
apiVersion: ec2.aws.crossplane.io/v1beta1
kind: Subnet
metadata:
name: subnet-87654321
spec:
forProvider:
cidrBlock: "10.0.0.1/24"
vpcId: vpc-abcdef12
availabilityZone: us-west-2a
---
apiVersion: network.aws.crossplane.io/v1alpha3
kind: InternetGateway
metadata:
name: my-internet-gateway
spec:
forProvider:
vpcId: vpc-abcdef12
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml file
apiVersion: database.aws.crossplane.io/v1beta1
kind: RDSInstance
metadata:
name: sample-cluster3
spec:
forProvider:
publiclyAccessible: false
---
apiVersion: database.aws.crossplane.io/v1alpha3
kind: DBSubnetGroup
metadata:
name: my-db-subnet-group
spec:
forProvider:
description: "My DB Subnet Group"
subnetIds:
- subnet-12345678
- subnet-87654321
Negative test num. 2 - yaml file
apiVersion: database.aws.crossplane.io/v1beta1
kind: RDSInstance
metadata:
name: my-rds-instance
spec:
forProvider:
engine: mysql
engineVersion: "8.0"
instanceClass: db.t2.micro
allocatedStorage: 20
dbSubnetGroupName: my-db-subnet-group
writeConnectionSecretToRef:
name: my-rds-instance-connection
---
apiVersion: database.aws.crossplane.io/v1alpha3
kind: DBSubnetGroup
metadata:
name: my-db-subnet-group
spec:
forProvider:
description: "My DB Subnet Group"
subnetIds:
- subnet-12345678
- subnet-87654321
---
apiVersion: ec2.aws.crossplane.io/v1beta1
kind: Subnet
metadata:
name: subnet-12345678
spec:
forProvider:
cidrBlock: "10.0.0.0/24"
vpcId: vpc-abcdef12
availabilityZone: us-west-2a
---
apiVersion: ec2.aws.crossplane.io/v1beta1
kind: Subnet
metadata:
name: subnet-87654321
spec:
forProvider:
cidrBlock: "10.0.0.1/24"
vpcId: vpc-abcdef12
availabilityZone: us-west-2a
---
apiVersion: network.aws.crossplane.io/v1alpha3
kind: InternetGateway
metadata:
name: my-internet-gateway
spec:
forProvider:
vpcId: vpc-abcdef12345