RDS DB Instance Publicly Accessible
- Query id: 35113e6f-2c6b-414d-beec-7a9482d3b2d1
- Query name: RDS DB Instance Publicly Accessible
- Platform: Terraform
- Severity: Critical
- Category: Insecure Configurations
- CWE: 668
- URL: Github
Description¶
RDS must not be defined with public interface, which means the field 'publicly_accessible' should not be set to 'true' (default is 'false').
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - tf file
resource "aws_db_instance" "positive1" {
allocated_storage = 20
storage_type = "gp2"
engine = "mysql"
engine_version = "5.7"
instance_class = "db.t2.micro"
name = "mydb"
username = "foo"
password = "foobarbaz"
publicly_accessible = true
}
Positive test num. 2 - tf file
module "db" {
source = "terraform-aws-modules/rds/aws"
version = "~> 3.0"
identifier = "demodb"
engine = "mysql"
engine_version = "5.7.19"
instance_class = "db.t2.large"
allocated_storage = 5
publicly_accessible = true
name = "demodb"
username = "user"
password = "YourPwdShouldBeLongAndSecure!"
port = "3306"
iam_database_authentication_enabled = true
vpc_security_group_ids = ["sg-12345678"]
maintenance_window = "Mon:00:00-Mon:03:00"
backup_window = "03:00-06:00"
# Enhanced Monitoring - see example for details on how to create the role
# by yourself, in case you don't want to create it automatically
monitoring_interval = "30"
monitoring_role_name = "MyRDSMonitoringRole"
create_monitoring_role = true
tags = {
Owner = "user"
Environment = "dev"
}
# DB subnet group
subnet_ids = ["subnet-12345678", "subnet-87654321"]
# DB parameter group
family = "mysql5.7"
# DB option group
major_engine_version = "5.7"
# Database Deletion Protection
deletion_protection = true
parameters = [
{
name = "character_set_client"
value = "utf8mb4"
},
{
name = "character_set_server"
value = "utf8mb4"
}
]
options = [
{
option_name = "MARIADB_AUDIT_PLUGIN"
option_settings = [
{
name = "SERVER_AUDIT_EVENTS"
value = "CONNECT"
},
{
name = "SERVER_AUDIT_FILE_ROTATIONS"
value = "37"
},
]
},
]
}
Code samples without security vulnerabilities¶
Negative test num. 1 - tf file
resource "aws_db_instance" "negative1" {
allocated_storage = 20
storage_type = "gp2"
engine = "mysql"
engine_version = "5.7"
instance_class = "db.t2.micro"
name = "mydb"
username = "foo"
password = "foobarbaz"
publicly_accessible = false
}
Negative test num. 2 - tf file
module "db" {
source = "terraform-aws-modules/rds/aws"
version = "~> 3.0"
identifier = "demodb"
engine = "mysql"
engine_version = "5.7.19"
instance_class = "db.t2.large"
allocated_storage = 5
publicly_accessible = false
name = "demodb"
username = "user"
password = "YourPwdShouldBeLongAndSecure!"
port = "3306"
iam_database_authentication_enabled = true
vpc_security_group_ids = ["sg-12345678"]
maintenance_window = "Mon:00:00-Mon:03:00"
backup_window = "03:00-06:00"
# Enhanced Monitoring - see example for details on how to create the role
# by yourself, in case you don't want to create it automatically
monitoring_interval = "30"
monitoring_role_name = "MyRDSMonitoringRole"
create_monitoring_role = true
tags = {
Owner = "user"
Environment = "dev"
}
# DB subnet group
subnet_ids = ["subnet-12345678", "subnet-87654321"]
# DB parameter group
family = "mysql5.7"
# DB option group
major_engine_version = "5.7"
# Database Deletion Protection
deletion_protection = true
parameters = [
{
name = "character_set_client"
value = "utf8mb4"
},
{
name = "character_set_server"
value = "utf8mb4"
}
]
options = [
{
option_name = "MARIADB_AUDIT_PLUGIN"
option_settings = [
{
name = "SERVER_AUDIT_EVENTS"
value = "CONNECT"
},
{
name = "SERVER_AUDIT_FILE_ROTATIONS"
value = "37"
},
]
},
]
}