DB Instance Storage Not Encrypted
- Query id: e50eb68a-a4af-4048-8bbe-8ec324421469
- Query name: DB Instance Storage Not Encrypted
- Platform: Crossplane
- Severity: High
- Category: Encryption
- CWE: 311
- URL: Github
Description
An RDS Instance should have its storage encrypted by setting the storageEncrypted parameter to 'true'. The storageEncrypted default value is 'false', so an RDSInstance that omits the parameter is unencrypted as well.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - yaml file
```yaml
apiVersion: database.aws.crossplane.io/v1beta1
kind: RDSInstance
metadata:
  name: rds3
spec:
  forProvider:
    allocatedStorage: 50
    applyModificationsImmediately: false
    backupRetentionPeriod: 0
    caCertificateIdentifier: rds-ca-2019
    copyTagsToSnapshot: false
    dbInstanceClass: db.t3.medium
    deletionProtection: false
    enableIAMDatabaseAuthentication: false
    enablePerformanceInsights: false
    engine: mysql
    region: us-west-2
    engineVersion: 5.7.33
    licenseModel: general-public-license
    publiclyAccessible: false
    storageEncrypted: false
    storageType: gp2
---
apiVersion: apiextensions.crossplane.io/v1
kind: Composition
metadata:
  name: cluster-aws
  labels:
    provider: aws
    cluster: eks
spec:
  compositeTypeRef:
    apiVersion: mydev.org/v1alpha1
    kind: CompositeCluster
  writeConnectionSecretsToNamespace: crossplane-system
  patchSets:
    - name: metadata
      patches:
        - fromFieldPath: metadata.labels
  resources:
    - name: sample-ec2
      base:
        apiVersion: database.aws.crossplane.io/v1beta1
        kind: RDSInstance
        metadata:
          name: rds4
        spec:
          forProvider:
            allocatedStorage: 50
            applyModificationsImmediately: false
            backupRetentionPeriod: 0
            caCertificateIdentifier: rds-ca-2019
            copyTagsToSnapshot: false
            dbInstanceClass: db.t3.medium
            deletionProtection: false
            enableIAMDatabaseAuthentication: false
            enablePerformanceInsights: false
            engine: mysql
            region: us-west-2
            engineVersion: 5.7.33
            licenseModel: general-public-license
            publiclyAccessible: false
            storageEncrypted: false
            storageType: gp2
```
Positive test num. 2 - yaml file
```yaml
apiVersion: database.aws.crossplane.io/v1beta1
kind: RDSInstance
metadata:
  name: rds5
spec:
  forProvider:
    allocatedStorage: 50
    applyModificationsImmediately: false
    backupRetentionPeriod: 0
    caCertificateIdentifier: rds-ca-2019
    copyTagsToSnapshot: false
    dbInstanceClass: db.t3.medium
    deletionProtection: false
    enableIAMDatabaseAuthentication: false
    enablePerformanceInsights: false
    engine: mysql
    region: us-west-2
    engineVersion: 5.7.33
    licenseModel: general-public-license
    publiclyAccessible: false
    storageType: gp2
---
apiVersion: apiextensions.crossplane.io/v1
kind: Composition
metadata:
  name: cluster-aws
  labels:
    provider: aws
    cluster: eks
spec:
  compositeTypeRef:
    apiVersion: mydev.org/v1alpha1
    kind: CompositeCluster
  writeConnectionSecretsToNamespace: crossplane-system
  patchSets:
    - name: metadata
      patches:
        - fromFieldPath: metadata.labels
  resources:
    - name: sample-ec2
      base:
        apiVersion: database.aws.crossplane.io/v1beta1
        kind: RDSInstance
        metadata:
          name: rds6
        spec:
          forProvider:
            allocatedStorage: 50
            applyModificationsImmediately: false
            backupRetentionPeriod: 0
            caCertificateIdentifier: rds-ca-2019
            copyTagsToSnapshot: false
            dbInstanceClass: db.t3.medium
            deletionProtection: false
            enableIAMDatabaseAuthentication: false
            enablePerformanceInsights: false
            engine: mysql
            region: us-west-2
            engineVersion: 5.7.33
            licenseModel: general-public-license
            publiclyAccessible: false
            storageType: gp2
```
Code samples without security vulnerabilities
Negative test num. 1 - yaml file
```yaml
apiVersion: database.aws.crossplane.io/v1beta1
kind: RDSInstance
metadata:
  name: rds1
spec:
  forProvider:
    allocatedStorage: 50
    applyModificationsImmediately: false
    backupRetentionPeriod: 0
    caCertificateIdentifier: rds-ca-2019
    copyTagsToSnapshot: false
    dbInstanceClass: db.t3.medium
    deletionProtection: false
    enableIAMDatabaseAuthentication: false
    enablePerformanceInsights: false
    engine: mysql
    region: us-west-2
    engineVersion: 5.7.33
    licenseModel: general-public-license
    publiclyAccessible: false
    storageEncrypted: true
    storageType: gp2
---
apiVersion: apiextensions.crossplane.io/v1
kind: Composition
metadata:
  name: cluster-aws
  labels:
    provider: aws
    cluster: eks
spec:
  compositeTypeRef:
    apiVersion: mydev.org/v1alpha1
    kind: CompositeCluster
  writeConnectionSecretsToNamespace: crossplane-system
  patchSets:
    - name: metadata
      patches:
        - fromFieldPath: metadata.labels
  resources:
    - name: sample-ec2
      base:
        apiVersion: database.aws.crossplane.io/v1beta1
        kind: RDSInstance
        metadata:
          name: rds2
        spec:
          forProvider:
            allocatedStorage: 50
            applyModificationsImmediately: false
            backupRetentionPeriod: 0
            caCertificateIdentifier: rds-ca-2019
            copyTagsToSnapshot: false
            dbInstanceClass: db.t3.medium
            deletionProtection: false
            enableIAMDatabaseAuthentication: false
            enablePerformanceInsights: false
            engine: mysql
            region: us-west-2
            engineVersion: 5.7.33
            licenseModel: general-public-license
            publiclyAccessible: false
            storageEncrypted: true
            storageType: gp2
```
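The check the description and the samples above describe, written out as an added Python example (not KICS's own Rego query): it flags an RDSInstance whose storageEncrypted is false or absent, whether the object is top-level or nested as a Composition resource base, and treats only the YAML boolean true as compliant. It works on already-parsed documents (dicts) so it needs no YAML library; the embedded sample documents are constructed, trimmed copies of the page's test cases.

```python
# Added example checker for this rule (not KICS's own Rego query). It takes
# already-parsed manifests as dicts; in practice feed it yaml.safe_load_all().
RDS_KIND, COMPOSITION_KIND = "RDSInstance", "Composition"

def _check_rds(spec, path):
    """One RDSInstance spec -> finding dict, or None when storage is encrypted.
    The provider defaults storageEncrypted to false, so a missing key is
    flagged as well as an explicit false (positive test 2 vs. test 1)."""
    value = ((spec or {}).get("forProvider") or {}).get("storageEncrypted")
    if value is True:  # only the YAML boolean true passes, not the string "true"
        return None
    issue = "MissingAttribute" if value is None else "IncorrectValue"
    return {"path": f"{path}.spec.forProvider.storageEncrypted", "issue": issue}

def find_unencrypted_rds(documents):
    """Scan top-level RDSInstance objects and the RDSInstance bases nested
    under a Composition's spec.resources, as both positive tests require."""
    findings = []
    for idx, doc in enumerate(documents):
        if not isinstance(doc, dict):
            continue
        kind = doc.get("kind")
        name = (doc.get("metadata") or {}).get("name", f"doc{idx}")
        if kind == RDS_KIND:
            finding = _check_rds(doc.get("spec"), f"{kind}/{name}")
            if finding:
                findings.append(finding)
        elif kind == COMPOSITION_KIND:
            resources = (doc.get("spec") or {}).get("resources") or []
            for r_idx, res in enumerate(resources):
                base = res.get("base") or {}
                if base.get("kind") != RDS_KIND:
                    continue
                finding = _check_rds(
                    base.get("spec"), f"{kind}/{name}.spec.resources[{r_idx}].base")
                if finding:
                    findings.append(finding)
    return findings

# Constructed sample documents mirroring the page's test cases (trimmed).
SAMPLE_DOCS = [
    {"kind": "RDSInstance", "metadata": {"name": "rds3"},
     "spec": {"forProvider": {"engine": "mysql", "storageEncrypted": False}}},
    {"kind": "RDSInstance", "metadata": {"name": "rds5"},
     "spec": {"forProvider": {"engine": "mysql"}}},  # key omitted: default false
    {"kind": "Composition", "metadata": {"name": "cluster-aws"},
     "spec": {"resources": [{"name": "sample-ec2", "base": {
         "kind": "RDSInstance", "metadata": {"name": "rds2"},
         "spec": {"forProvider": {"storageEncrypted": True}}}}]}},
]
```

Running `find_unencrypted_rds(SAMPLE_DOCS)` reports rds3 (explicit false) and rds5 (key omitted) and passes the encrypted rds2 base.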