DocDB Logging Is Disabled

  • Query id: e6cd49ba-77ed-417f-9bca-4f5303554308
  • Query name: DocDB Logging Is Disabled
  • Platform: Crossplane
  • Severity: Medium
  • Category: Observability
  • CWE: 778
  • URL: Github

Description

DocDB logging should be enabled: the DBCluster should set spec.forProvider.enableCloudwatchLogsExports so that the cluster's logs are exported to CloudWatch.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
apiVersion: docdb.aws.crossplane.io/v1alpha1
kind: DBCluster
metadata:
  name: example-cluster-autogen-password
spec:
  forProvider:
    autogeneratePassword: true
    availabilityZones:
      - us-east-1b
      - us-east-1c
    dbClusterParameterGroupName: example-parameter-group
    dbSubnetGroupName: example-subnet-group
    engine: docdb
    masterUserPasswordSecretRef:
      key: password
      name: my-docdb-creds
      namespace: crossplane-system
    masterUsername: master
    region: us-east-1
    skipFinalSnapshot: true
    tags:
      - key: cluster
        value: my-cluster
    vpcSecurityGroupIDsRefs:
      - name: sample-cluster-sg
  providerConfigRef:
    name: example

Positive test num. 2 - yaml file
apiVersion: docdb.aws.crossplane.io/v1alpha1
kind: DBCluster
metadata:
  name: example-cluster-autogen-password
spec:
  forProvider:
    autogeneratePassword: true
    availabilityZones:
      - us-east-1b
      - us-east-1c
    dbClusterParameterGroupName: example-parameter-group
    dbSubnetGroupName: example-subnet-group
    engine: docdb
    masterUserPasswordSecretRef:
      key: password
      name: my-docdb-creds
      namespace: crossplane-system
    masterUsername: master
    region: us-east-1
    skipFinalSnapshot: true
    tags:
      - key: cluster
        value: my-cluster
    vpcSecurityGroupIDsRefs:
      - name: sample-cluster-sg
    enableCloudwatchLogsExports: []
  providerConfigRef:
    name: example

Positive test num. 3 - yaml file
apiVersion: docdb.aws.crossplane.io/v1alpha1
kind: DBCluster
metadata:
  name: example-cluster-autogen-password
spec:
  forProvider:
    autogeneratePassword: true
    availabilityZones:
      - us-east-1b
      - us-east-1c
    dbClusterParameterGroupName: example-parameter-group
    dbSubnetGroupName: example-subnet-group
    engine: docdb
    masterUserPasswordSecretRef:
      key: password
      name: my-docdb-creds
      namespace: crossplane-system
    masterUsername: master
    region: us-east-1
    skipFinalSnapshot: true
    tags:
      - key: cluster
        value: my-cluster
    vpcSecurityGroupIDsRefs:
      - name: sample-cluster-sg
    enableCloudwatchLogsExports:
      - audit
      - error
  providerConfigRef:
    name: example

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
apiVersion: docdb.aws.crossplane.io/v1alpha1
kind: DBCluster
metadata:
  name: example-cluster-autogen-password
spec:
  forProvider:
    autogeneratePassword: true
    availabilityZones:
      - us-east-1b
      - us-east-1c
    dbClusterParameterGroupName: example-parameter-group
    dbSubnetGroupName: example-subnet-group
    engine: docdb
    masterUserPasswordSecretRef:
      key: password
      name: my-docdb-creds
      namespace: crossplane-system
    masterUsername: master
    region: us-east-1
    skipFinalSnapshot: true
    tags:
      - key: cluster
        value: my-cluster
    vpcSecurityGroupIDsRefs:
      - name: sample-cluster-sg
    enableCloudwatchLogsExports:
      - audit
      - profiler
  providerConfigRef:
    name: example
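
An added checker that applies this query's logic to DBCluster manifests, covering all four samples above (example code written here, not KICS's or Crossplane's own implementation). It assumes the manifests are already loaded into Python dicts (as a YAML loader or kubectl -o json would produce) and, reading the samples, treats both audit and profiler as the required log types: audit plus error is flagged, audit plus profiler passes.

```python
"""Flag Crossplane DocDB DBCluster manifests whose CloudWatch log export
is missing, empty, or lacks a required log type. Added example, not KICS code."""
from typing import Any, Dict, List, Optional

# Assumption drawn from the samples: "audit"+"error" fails, "audit"+"profiler" passes.
REQUIRED_LOG_EXPORTS = {"audit", "profiler"}
KEY = "spec.forProvider.enableCloudwatchLogsExports"


def docdb_logging_findings(manifest: Dict[str, Any]) -> List[str]:
    """Return findings for one manifest; an empty list means it passes.
    Objects that are not DocDB DBClusters are skipped, so mixed manifests are fine."""
    api_version = str(manifest.get("apiVersion", ""))
    if manifest.get("kind") != "DBCluster" or not api_version.startswith(
        "docdb.aws.crossplane.io/"
    ):
        return []
    name = manifest.get("metadata", {}).get("name", "<unnamed>")
    for_provider = manifest.get("spec", {}).get("forProvider", {})
    if "enableCloudwatchLogsExports" not in for_provider:  # positive test 1
        return [f"{name}: {KEY} is undefined"]
    exports = for_provider["enableCloudwatchLogsExports"]
    if not isinstance(exports, list) or not exports:  # positive test 2
        return [f"{name}: {KEY} is empty"]
    missing = sorted(REQUIRED_LOG_EXPORTS - set(exports))  # positive test 3
    if missing:
        return [f"{name}: {KEY} lacks {', '.join(missing)}"]
    return []


def _cluster(exports: Optional[List[str]] = None, omit_key: bool = False) -> Dict[str, Any]:
    """Constructed DBCluster mirroring the page's samples, with unrelated fields trimmed."""
    for_provider: Dict[str, Any] = {"engine": "docdb", "region": "us-east-1"}
    if not omit_key:
        for_provider["enableCloudwatchLogsExports"] = exports
    return {
        "apiVersion": "docdb.aws.crossplane.io/v1alpha1",
        "kind": "DBCluster",
        "metadata": {"name": "example-cluster-autogen-password"},
        "spec": {"forProvider": for_provider, "providerConfigRef": {"name": "example"}},
    }


# Constructed inputs: the three positive samples and the negative one from this page.
SAMPLES = {
    "positive 1": _cluster(omit_key=True),
    "positive 2": _cluster([]),
    "positive 3": _cluster(["audit", "error"]),
    "negative 1": _cluster(["audit", "profiler"]),
}

if __name__ == "__main__":
    for label, manifest in SAMPLES.items():
        findings = docdb_logging_findings(manifest)
        print(f"{label}: {'FAIL ' + findings[0] if findings else 'pass'}")
```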