RDS DB Instance Publicly Accessible

Query id: 1b4565c0-4877-49ac-ab03-adebbccd42ae
Query name: RDS DB Instance Publicly Accessible
Platform: Terraform
Severity: Medium
Category: Insecure Configurations
CWE: 668
URL: Github

Description¶

'0.0.0.0' or '0.0.0.0/0' should not be in 'security_ips' list
Documentation

Code samples¶

Code samples with security vulnerabilities¶

Positive test num. 1 - tf file

Positive test num. 2 - tf file

id="__codelineno-0-1" name="__codelineno-0-1" href="#__codelineno-0-1">resource "alicloud_db_instance" "default" { engine = "MySQL" engine_version = "5.6" db_instance_class = "rds.mysql.t1.small" db_instance_storage = "10" security_ips = [ class="w"> "0.0.0.0", "10.23.12.24/24" ] parameters = [{ name = "innodb_large_prefix" value = "ON" },{ name = "connect_timeout" value = "50" }] } id="__codelineno-1-1" name="__codelineno-1-1" href="#__codelineno-1-1">resource "alicloud_db_instance" "default" { engine = "MySQL" engine_version = "5.6" db_instance_class = "rds.mysql.t1.small" db_instance_storage = "10" security_ips = [ class="w"> "0.0.0.0/0", "10.23.12.24/24" ] parameters = [{ name = "innodb_large_prefix" value = "ON" },{ name = "connect_timeout" value = "50" }] }

Code samples without security vulnerabilities¶

Negative test num. 1 - tf file

resource "alicloud_db_instance" "default" {
    engine = "MySQL"
    engine_version = "5.6"
    db_instance_class = "rds.mysql.t1.small"
    db_instance_storage = "10"
    security_ips = [
        "10.23.12.24"
        ]
    parameters = [{
        name = "innodb_large_prefix"
        value = "ON"
    },{
        name = "connect_timeout"
        value = "50"
    }]
}

Negative test num. 2 - tf file

resource "alicloud_db_instance" "default" {
    engine = "MySQL"
    engine_version = "5.6"
    db_instance_class = "rds.mysql.t1.small"
    db_instance_storage = "10"
    parameters = [{
        name = "innodb_large_prefix"
        value = "ON"
    },{
        name = "connect_timeout"
        value = "50"
    }]
}