RDS Storage Not Encrypted

  • Query id: 3199c26c-7871-4cb3-99c2-10a59244ce7f
  • Query name: RDS Storage Not Encrypted
  • Platform: Terraform
  • Severity: High
  • Category: Encryption
  • URL: Github

Description

Aurora cluster storage should be encrypted at rest, which means the 'storage_encrypted' attribute of 'aws_rds_cluster' should be set to 'true'. The attribute defaults to 'false' for the provisioned engine mode, so leaving it unset is reported just like an explicit 'false'; for 'engine_mode = "serverless"' the provider defaults it to 'true', which is why a serverless cluster without the attribute is not reported. Encryption can only be chosen when the cluster is created: changing 'storage_encrypted' on an existing cluster forces replacement, so an unencrypted cluster has to be migrated by snapshot and restore into an encrypted one.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - tf file
resource "aws_rds_cluster" "positive1" {
  cluster_identifier      = "aurora-cluster-demo"
  engine                  = "aurora-mysql"
  engine_version          = "5.7.mysql_aurora.2.03.2"
  availability_zones      = ["us-west-2a", "us-west-2b", "us-west-2c"]
  database_name           = "mydb"
  master_username         = "foo"
  master_password         = "bar"
  backup_retention_period = 5
  preferred_backup_window = "07:00-09:00"
}
Positive test num. 2 - tf file
resource "aws_rds_cluster" "positive3" {
  cluster_identifier  = "cloudrail-test-non-encrypted"
  engine              = "aurora-mysql"
  engine_version      = "5.7.mysql_aurora.2.03.2"
  availability_zones  = ["eu-west-1a", "eu-west-1b", "eu-west-1c"]
  database_name       = "cloudrail"
  master_username     = "administrator"
  master_password     = "cloudrail-TEST-password"
  skip_final_snapshot = true
  storage_encrypted   = false
}

Code samples without security vulnerabilities

Negative test num. 1 - tf file
resource "aws_rds_cluster" "negative1" {
  cluster_identifier  = "cloudrail-test-non-encrypted"
  engine              = "aurora-mysql"
  engine_version      = "5.7.mysql_aurora.2.03.2"
  availability_zones  = ["eu-west-1a", "eu-west-1b", "eu-west-1c"]
  database_name       = "cloudrail"
  master_username     = "administrator"
  master_password     = "cloudrail-TEST-password"
  skip_final_snapshot = true
  storage_encrypted   = true
}
Negative test num. 2 - tf file
resource "aws_rds_cluster" "negative2" {
  cluster_identifier  = "cloudrail-test-non-encrypted"
  engine              = "aurora-mysql"
  engine_version      = "5.7.mysql_aurora.2.03.2"
  engine_mode         = "serverless"
  availability_zones  = ["eu-west-1a", "eu-west-1b", "eu-west-1c"]
  database_name       = "cloudrail"
  master_username     = "administrator"
  master_password     = "cloudrail-TEST-password"
  skip_final_snapshot = true
}
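The rule behind the test cases above can also be enforced after 'terraform plan', on the JSON the CLI emits, which catches values that are only resolved once modules and variables are expanded. The script below is an added example, not KICS code or part of the AWS provider; SAMPLE_PLAN is a constructed plan document that mirrors the four cases on this page (it is not captured Terraform output), and the 'storage_encrypted' attribute is assumed to be absent from the planned values when it is left unset in the configuration.

```python
"""Added example (not KICS code): post-plan check for this query's rule.

Produce the input with
    terraform plan -out=plan.tfplan && terraform show -json plan.tfplan > plan.json
then run `python check_rds_encryption.py plan.json`. Without an argument the
script checks SAMPLE_PLAN, a constructed plan JSON that mirrors the four test
cases on this page (it is not real Terraform output).
"""
import json
import sys

SAMPLE_PLAN = json.dumps({
    "format_version": "1.2",
    "planned_values": {"root_module": {
        "resources": [
            # positive1: attribute omitted -> provider default false in provisioned mode
            {"address": "aws_rds_cluster.positive1", "mode": "managed",
             "type": "aws_rds_cluster", "name": "positive1",
             "values": {"cluster_identifier": "aurora-cluster-demo",
                        "engine": "aurora-mysql"}},
            # positive3: encryption explicitly disabled
            {"address": "aws_rds_cluster.positive3", "mode": "managed",
             "type": "aws_rds_cluster", "name": "positive3",
             "values": {"cluster_identifier": "cloudrail-test-non-encrypted",
                        "engine": "aurora-mysql", "storage_encrypted": False}},
            # negative1: compliant
            {"address": "aws_rds_cluster.negative1", "mode": "managed",
             "type": "aws_rds_cluster", "name": "negative1",
             "values": {"cluster_identifier": "cloudrail-test-non-encrypted",
                        "engine": "aurora-mysql", "storage_encrypted": True}},
        ],
        "child_modules": [{
            "address": "module.db",
            "resources": [
                # negative2 placed in a child module: serverless mode defaults to encrypted
                {"address": "module.db.aws_rds_cluster.negative2", "mode": "managed",
                 "type": "aws_rds_cluster", "name": "negative2",
                 "values": {"cluster_identifier": "cloudrail-test-non-encrypted",
                            "engine": "aurora-mysql", "engine_mode": "serverless"}},
            ],
        }],
    }},
})


def iter_modules(module):
    """Yield the root module and every nested child module, depth first."""
    yield module
    for child in module.get("child_modules", []):
        yield from iter_modules(child)


def cluster_findings(plan):
    """Return one finding per aws_rds_cluster that will not be encrypted at rest.

    A cluster passes only when storage_encrypted is literally true, or when the
    attribute is absent and engine_mode is "serverless" (provider default true).
    Absent in any other mode means the provisioned default, false, and is
    reported just like an explicit false.
    """
    findings = []
    for module in iter_modules(plan["planned_values"]["root_module"]):
        for res in module.get("resources", []):
            # skip data sources; only managed resources get created
            if res.get("mode") != "managed" or res.get("type") != "aws_rds_cluster":
                continue
            values = res.get("values") or {}
            encrypted = values.get("storage_encrypted")
            engine_mode = values.get("engine_mode") or "provisioned"
            if encrypted is True:
                continue
            if encrypted is None and engine_mode == "serverless":
                continue
            findings.append({
                "address": res["address"],
                "engine_mode": engine_mode,
                "storage_encrypted": "unset (defaults to false)" if encrypted is None else encrypted,
            })
    return findings


def findings_from_json(text):
    """Parse plan JSON text and return the findings."""
    return cluster_findings(json.loads(text))


def main(argv):
    text = open(argv[1], encoding="utf-8").read() if len(argv) > 1 else SAMPLE_PLAN
    findings = findings_from_json(text)
    for f in findings:
        print(f"[High] {f['address']}: storage_encrypted = {f['storage_encrypted']} "
              f"(engine_mode = {f['engine_mode']})")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run against the sample, the script reports 'aws_rds_cluster.positive1' and 'aws_rds_cluster.positive3' and exits non-zero, while 'negative1' and the serverless 'negative2' pass; wiring it into CI after 'terraform plan' blocks the apply before an unencrypted cluster exists, which matters because encryption cannot be switched on afterwards without replacing the cluster.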