RDS DB Instance Publicly Accessible

  • Query id: 1b4565c0-4877-49ac-ab03-adebbccd42ae
  • Query name: RDS DB Instance Publicly Accessible
  • Platform: Terraform
  • Severity: Medium
  • Category: Insecure Configurations
  • CWE: 668
  • URL: Github

Description

'0.0.0.0' or '0.0.0.0/0' should not be in 'security_ips' list
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - tf file
resource "alicloud_db_instance" "default" {
    engine = "MySQL"
    engine_version = "5.6"
    db_instance_class = "rds.mysql.t1.small"
    db_instance_storage = "10"
    security_ips = [
        "0.0.0.0",
        "10.23.12.24/24"
        ]
    parameters = [{
        name = "innodb_large_prefix"
        value = "ON"
    },{
        name = "connect_timeout"
        value = "50"
    }]
}
Positive test num. 2 - tf file
resource "alicloud_db_instance" "default" {
    engine = "MySQL"
    engine_version = "5.6"
    db_instance_class = "rds.mysql.t1.small"
    db_instance_storage = "10"
    security_ips = [
        "0.0.0.0/0",
        "10.23.12.24/24"
        ]
    parameters = [{
        name = "innodb_large_prefix"
        value = "ON"
    },{
        name = "connect_timeout"
        value = "50"
    }]
}

Code samples without security vulnerabilities

Negative test num. 1 - tf file
resource "alicloud_db_instance" "default" {
    engine = "MySQL"
    engine_version = "5.6"
    db_instance_class = "rds.mysql.t1.small"
    db_instance_storage = "10"
    security_ips = [
        "10.23.12.24"
        ]
    parameters = [{
        name = "innodb_large_prefix"
        value = "ON"
    },{
        name = "connect_timeout"
        value = "50"
    }]
}
Negative test num. 2 - tf file
resource "alicloud_db_instance" "default" {
    engine = "MySQL"
    engine_version = "5.6"
    db_instance_class = "rds.mysql.t1.small"
    db_instance_storage = "10"
    parameters = [{
        name = "innodb_large_prefix"
        value = "ON"
    },{
        name = "connect_timeout"
        value = "50"
    }]
}