# RDS Storage Not Encrypted
- Query id: 3199c26c-7871-4cb3-99c2-10a59244ce7f
- Query name: RDS Storage Not Encrypted
- Platform: Terraform
- Severity: High
- Category: Encryption
- CWE: 311
- URL: Github
## Description

RDS storage should be encrypted, which means the attribute `storage_encrypted` should be set to `true`.

Documentation
## Code samples

### Code samples with security vulnerabilities

Positive test num. 1 - tf file

```tf
resource "aws_rds_cluster" "positive1" {
  cluster_identifier      = "aurora-cluster-demo"
  engine                  = "aurora-mysql"
  engine_version          = "5.7.mysql_aurora.2.03.2"
  availability_zones      = ["us-west-2a", "us-west-2b", "us-west-2c"]
  database_name           = "mydb"
  master_username         = "foo"
  master_password         = "bar"
  backup_retention_period = 5
  preferred_backup_window = "07:00-09:00"
}
```
Positive test num. 2 - tf file

```tf
resource "aws_rds_cluster" "positive3" {
  cluster_identifier  = "cloudrail-test-non-encrypted"
  engine              = "aurora-mysql"
  engine_version      = "5.7.mysql_aurora.2.03.2"
  availability_zones  = ["eu-west-1a", "eu-west-1b", "eu-west-1c"]
  database_name       = "cloudrail"
  master_username     = "administrator"
  master_password     = "cloudrail-TEST-password"
  skip_final_snapshot = true
  storage_encrypted   = false
}
```
### Code samples without security vulnerabilities

Negative test num. 1 - tf file

```tf
resource "aws_rds_cluster" "negative1" {
  cluster_identifier  = "cloudrail-test-non-encrypted"
  engine              = "aurora-mysql"
  engine_version      = "5.7.mysql_aurora.2.03.2"
  availability_zones  = ["eu-west-1a", "eu-west-1b", "eu-west-1c"]
  database_name       = "cloudrail"
  master_username     = "administrator"
  master_password     = "cloudrail-TEST-password"
  skip_final_snapshot = true
  storage_encrypted   = true
}
```
Negative test num. 2 - tf file

```tf
resource "aws_rds_cluster" "negative2" {
  cluster_identifier  = "cloudrail-test-non-encrypted"
  engine              = "aurora-mysql"
  engine_version      = "5.7.mysql_aurora.2.03.2"
  engine_mode         = "serverless"
  availability_zones  = ["eu-west-1a", "eu-west-1b", "eu-west-1c"]
  database_name       = "cloudrail"
  master_username     = "administrator"
  master_password     = "cloudrail-TEST-password"
  skip_final_snapshot = true
}
```
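The check described above, re-implemented as an added Python example (this is not the KICS query itself, which is written in Rego): a minimal reader for the flat `resource` blocks used in the samples, plus the rule that an `aws_rds_cluster` is unencrypted when `storage_encrypted` is `false` or absent, except when `engine_mode = "serverless"` (the AWS provider defaults `storage_encrypted` to `true` for serverless clusters, which is why negative test 2 passes). The sample `.tf` text is constructed here from the four blocks on this page, trimmed to the attributes that matter.

```python
import re

# Constructed sample: the page's four aws_rds_cluster blocks, reduced to relevant attributes.
SAMPLE_TF = '''
resource "aws_rds_cluster" "positive1" {
  cluster_identifier = "aurora-cluster-demo"
  engine             = "aurora-mysql"
}
resource "aws_rds_cluster" "positive3" {
  cluster_identifier = "cloudrail-test-non-encrypted"
  storage_encrypted  = false
}
resource "aws_rds_cluster" "negative1" {
  cluster_identifier = "cloudrail-test-non-encrypted"
  storage_encrypted  = true
}
resource "aws_rds_cluster" "negative2" {
  engine_mode = "serverless"
}
'''

BLOCK_RE = re.compile(r'resource\s+"(?P<type>[^"]+)"\s+"(?P<name>[^"]+)"\s*\{(?P<body>.*?)\n\}', re.S)
ATTR_RE = re.compile(r'^\s*(?P<key>\w+)\s*=\s*(?P<val>.+?)\s*$', re.M)

def parse_resources(tf_text):
    """Minimal HCL reader for flat resource blocks: {(type, name): {attr: value}}.
    Handles only scalar 'key = value' lines, which is all these samples use."""
    out = {}
    for m in BLOCK_RE.finditer(tf_text):
        attrs = {}
        for a in ATTR_RE.finditer(m.group("body")):
            raw = a.group("val")
            attrs[a.group("key")] = raw.strip('"') if raw.startswith('"') else raw
        out[(m.group("type"), m.group("name"))] = attrs
    return out

def find_unencrypted_rds(tf_text):
    """Names of aws_rds_cluster resources whose storage is not encrypted.
    Provider behaviour assumed: storage_encrypted defaults to false for
    provisioned clusters and to true when engine_mode = "serverless"."""
    findings = []
    for (rtype, name), attrs in parse_resources(tf_text).items():
        if rtype != "aws_rds_cluster":
            continue
        explicit = attrs.get("storage_encrypted")
        if explicit is None:
            encrypted = attrs.get("engine_mode") == "serverless"
        else:
            encrypted = explicit == "true"
        if not encrypted:
            findings.append(name)
    return findings

if __name__ == "__main__":
    print(find_unencrypted_rds(SAMPLE_TF))  # ['positive1', 'positive3']
```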