RDS Associated with Public Subnet
- Query id: 2f737336-b18a-4602-8ea0-b200312e1ac1
- Query name: RDS Associated with Public Subnet
- Platform: Terraform
- Severity: Critical
- Category: Networking and Firewall
- CWE: 200
- URL: Github
Description¶
RDS should not run in public subnet
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - tf file
resource "aws_db_instance" "positive1" {
allocated_storage = 10
engine = "mysql"
engine_version = "5.7"
instance_class = "db.t3.micro"
name = "mydb"
username = "foo"
password = "foobarbaz"
parameter_group_name = "positive1.mysql5.7"
skip_final_snapshot = true
db_subnet_group_name = aws_db_subnet_group.subnetGroup.name
}
resource "aws_db_subnet_group" "subnetGroup" {
name = "main"
subnet_ids = [aws_subnet.frontend.id, aws_subnet.backend.id]
tags = {
Name = "My DB subnet group"
}
}
resource "aws_subnet" "frontend" {
vpc_id = aws_vpc_ipv4_cidr_block_association.secondary_cidr.vpc_id
cidr_block = "172.2.0.0/24"
}
resource "aws_subnet" "backend" {
vpc_id = aws_vpc_ipv4_cidr_block_association.secondary_cidr.vpc_id
cidr_block = "0.0.0.0/0"
}
Positive test num. 2 - tf file
resource "aws_db_instance" "positive2" {
allocated_storage = 10
engine = "mysql"
engine_version = "5.7"
instance_class = "db.t3.micro"
name = "mydb"
username = "foo"
password = "foobarbaz"
parameter_group_name = "positive2.mysql5.7"
skip_final_snapshot = true
db_subnet_group_name = "subnetGroup2"
}
resource "aws_db_subnet_group" "subnetGroup2" {
name = "main"
subnet_ids = [aws_subnet.frontend2.id, aws_subnet.backend2.id]
tags = {
Name = "My DB subnet group"
}
}
resource "aws_subnet" "frontend2" {
vpc_id = aws_vpc_ipv4_cidr_block_association.secondary_cidr.vpc_id
cidr_block = "172.2.0.0/24"
}
resource "aws_subnet" "backend2" {
vpc_id = aws_vpc_ipv4_cidr_block_association.secondary_cidr.vpc_id
cidr_block = "0.0.0.0/0"
}
Code samples without security vulnerabilities¶
Negative test num. 1 - tf file
resource "aws_db_instance" "negative1" {
allocated_storage = 10
engine = "mysql"
engine_version = "5.7"
instance_class = "db.t3.micro"
name = "mydb"
username = "foo"
password = "foobarbaz"
parameter_group_name = "negative1.mysql5.7"
skip_final_snapshot = true
db_subnet_group_name = aws_db_subnet_group.subnetGroup3.name
}
resource "aws_db_subnet_group" "subnetGroup3" {
name = "main"
subnet_ids = [aws_subnet.frontend3.id, aws_subnet.backend3.id]
tags = {
Name = "My DB subnet group"
}
}
resource "aws_subnet" "frontend3" {
vpc_id = aws_vpc_ipv4_cidr_block_association.secondary_cidr.vpc_id
cidr_block = "172.2.0.0/24"
}
resource "aws_subnet" "backend3" {
vpc_id = aws_vpc_ipv4_cidr_block_association.secondary_cidr2.vpc_id
cidr_block = "176.2.0.0/24"
}