DOCDB Cluster Without KMS
- Query id: 4766d3ea-241c-4ee6-93ff-c380c996bd1a
- Query name: DOCDB Cluster Without KMS
- Platform: Terraform
- Severity: High
- Category: Encryption
- CWE: 326
- URL: Github
Description
AWS DocumentDB clusters should have storage encryption enabled and use a KMS encryption key (storage_encrypted together with kms_key_id).
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - tf file
resource "aws_docdb_cluster" "docdb" {
  cluster_identifier      = "my-docdb-cluster"
  engine                  = "docdb"
  master_username         = "foo"
  master_password         = "mustbeeightchars"
  backup_retention_period = 5
  preferred_backup_window = "07:00-09:00"
  skip_final_snapshot     = true
}
Code samples without security vulnerabilities
Negative test num. 1 - tf file
resource "aws_docdb_cluster" "docdb" {
  cluster_identifier      = "my-docdb-cluster"
  engine                  = "docdb"
  master_username         = "foo"
  master_password         = "mustbeeightchars"
  backup_retention_period = 5
  preferred_backup_window = "07:00-09:00"
  skip_final_snapshot     = true
  storage_encrypted       = true
  kms_key_id              = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
}
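The check described above, written out as a small standalone scanner. This is an added example, not the KICS query itself (KICS queries are written in Rego) and not project code: it uses a minimal, assumed regex-based HCL reader that only understands flat attributes in top-level resource blocks, which is enough for the two samples on this page. It flags an aws_docdb_cluster when storage_encrypted is absent or not true, and separately when kms_key_id is undefined; the Terraform provider only honours kms_key_id when storage_encrypted is true, so a cluster with encryption enabled but no key ARN is reported as well (it would fall back to the AWS-managed key rather than a customer-managed KMS key). The sample Terraform strings are constructed from the page's positive and negative tests plus one extra partial case.

```python
import re

# Constructed sample: the page's positive (insecure) test.
INSECURE_TF = """
resource "aws_docdb_cluster" "docdb" {
  cluster_identifier      = "my-docdb-cluster"
  engine                  = "docdb"
  master_username         = "foo"
  master_password         = "mustbeeightchars"
  backup_retention_period = 5
  preferred_backup_window = "07:00-09:00"
  skip_final_snapshot     = true
}
"""

# Constructed sample: the page's negative (fixed) test.
SECURE_TF = """
resource "aws_docdb_cluster" "docdb" {
  cluster_identifier      = "my-docdb-cluster"
  engine                  = "docdb"
  skip_final_snapshot     = true
  storage_encrypted       = true
  kms_key_id              = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
}
"""

# Constructed extra case: encryption on, but no customer-managed key named.
AWS_MANAGED_KEY_TF = """
resource "aws_docdb_cluster" "docdb" {
  cluster_identifier = "my-docdb-cluster"
  engine             = "docdb"
  storage_encrypted  = true
}
"""

# Assumed minimal HCL reader: a top-level resource block whose closing brace
# sits at column 0, with flat `key = value` attributes only (no nested blocks).
BLOCK_RE = re.compile(
    r'resource\s+"(?P<type>[^"]+)"\s+"(?P<name>[^"]+)"\s*\{(?P<body>.*?)^\}',
    re.S | re.M,
)
ATTR_RE = re.compile(r'^\s*(?P<key>\w+)\s*=\s*(?P<val>.+?)\s*$', re.M)


def parse_resources(tf_text):
    """Return a list of (type, name, {attr: value}) for each resource block."""
    resources = []
    for block in BLOCK_RE.finditer(tf_text):
        attrs = {}
        for attr in ATTR_RE.finditer(block.group("body")):
            # Strip surrounding quotes so "true" and true compare the same way.
            attrs[attr.group("key")] = attr.group("val").strip().strip('"')
        resources.append((block.group("type"), block.group("name"), attrs))
    return resources


def check_docdb_kms(tf_text):
    """Findings for every aws_docdb_cluster not encrypted with a KMS key."""
    findings = []
    for rtype, name, attrs in parse_resources(tf_text):
        if rtype != "aws_docdb_cluster":
            continue
        resource_id = f"{rtype}.{name}"
        encrypted = attrs.get("storage_encrypted", "false").lower() == "true"
        if not encrypted:
            findings.append({"resource": resource_id,
                             "issue": "storage_encrypted is not true"})
        if not attrs.get("kms_key_id"):
            findings.append({"resource": resource_id,
                             "issue": "kms_key_id is undefined"})
    return findings


if __name__ == "__main__":
    for label, tf in (("insecure", INSECURE_TF),
                      ("secure", SECURE_TF),
                      ("aws-managed-key", AWS_MANAGED_KEY_TF)):
        print(label, check_docdb_kms(tf))
```

Running the module prints two findings for the insecure sample, none for the fixed sample, and a single "kms_key_id is undefined" finding for the partial case. To scan real files, read each .tf file and pass its contents to check_docdb_kms; for production use, replace the regex reader with a proper HCL parser, since nested blocks and multi-line expressions are outside what this one handles.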