DocDB Logging Is Disabled
- Query id: e6cd49ba-77ed-417f-9bca-4f5303554308
- Query name: DocDB Logging Is Disabled
- Platform: Crossplane
- Severity: Medium
- Category: Observability
- CWE: 778
- URL: Github
Description¶
DocDB logging should be enabled
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - yaml file
apiVersion: docdb.aws.crossplane.io/v1alpha1
kind: DBCluster
metadata:
name: example-cluster-autogen-password
spec:
forProvider:
autogeneratePassword: true
availabilityZones:
- us-east-1b
- us-east-1c
dbClusterParameterGroupName: example-parameter-group
dbSubnetGroupName: example-subnet-group
engine: docdb
masterUserPasswordSecretRef:
key: password
name: my-docdb-creds
namespace: crossplane-system
masterUsername: master
region: us-east-1
skipFinalSnapshot: true
tags:
- key: cluster
value: my-cluster
vpcSecurityGroupIDsRefs:
- name: sample-cluster-sg
providerConfigRef:
name: example
Positive test num. 2 - yaml file
apiVersion: docdb.aws.crossplane.io/v1alpha1
kind: DBCluster
metadata:
name: example-cluster-autogen-password
spec:
forProvider:
autogeneratePassword: true
availabilityZones:
- us-east-1b
- us-east-1c
dbClusterParameterGroupName: example-parameter-group
dbSubnetGroupName: example-subnet-group
engine: docdb
masterUserPasswordSecretRef:
key: password
name: my-docdb-creds
namespace: crossplane-system
masterUsername: master
region: us-east-1
skipFinalSnapshot: true
tags:
- key: cluster
value: my-cluster
vpcSecurityGroupIDsRefs:
- name: sample-cluster-sg
enableCloudwatchLogsExports: []
providerConfigRef:
name: example
Positive test num. 3 - yaml file
apiVersion: docdb.aws.crossplane.io/v1alpha1
kind: DBCluster
metadata:
name: example-cluster-autogen-password
spec:
forProvider:
autogeneratePassword: true
availabilityZones:
- us-east-1b
- us-east-1c
dbClusterParameterGroupName: example-parameter-group
dbSubnetGroupName: example-subnet-group
engine: docdb
masterUserPasswordSecretRef:
key: password
name: my-docdb-creds
namespace: crossplane-system
masterUsername: master
region: us-east-1
skipFinalSnapshot: true
tags:
- key: cluster
value: my-cluster
vpcSecurityGroupIDsRefs:
- name: sample-cluster-sg
enableCloudwatchLogsExports:
- audit
- error
providerConfigRef:
name: example
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml file
apiVersion: docdb.aws.crossplane.io/v1alpha1
kind: DBCluster
metadata:
name: example-cluster-autogen-password
spec:
forProvider:
autogeneratePassword: true
availabilityZones:
- us-east-1b
- us-east-1c
dbClusterParameterGroupName: example-parameter-group
dbSubnetGroupName: example-subnet-group
engine: docdb
masterUserPasswordSecretRef:
key: password
name: my-docdb-creds
namespace: crossplane-system
masterUsername: master
region: us-east-1
skipFinalSnapshot: true
tags:
- key: cluster
value: my-cluster
vpcSecurityGroupIDsRefs:
- name: sample-cluster-sg
enableCloudwatchLogsExports:
- audit
- profiler
providerConfigRef:
name: example