IAM Database Auth Not Enabled
- Query id: 88fd05e0-ac0e-43d2-ba6d-fc0ba60ae1a6
- Query name: IAM Database Auth Not Enabled
- Platform: Terraform
- Severity: Medium
- Category: Encryption
- CWE: 285
- URL: Github
Description¶
IAM Database Auth Enabled should be configured to true when using compatible engine and version
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - tf file
resource "aws_db_instance" "positive1" {
allocated_storage = 20
storage_type = "gp2"
engine = "mysql"
engine_version = "8.0"
instance_class = "db.t2.micro"
name = "mydb"
username = "foo"
password = "foobarbaz"
iam_database_authentication_enabled = false
}
Positive test num. 2 - tf file
resource "aws_db_instance" "positive1" {
allocated_storage = 20
storage_type = "gp2"
engine = "mysql"
engine_version = "8.0"
instance_class = "db.t2.micro"
name = "mydb"
username = "foo"
password = "foobarbaz"
}
Positive test num. 3 - tf file
module "db" {
source = "terraform-aws-modules/rds/aws"
version = "~> 3.0"
identifier = "demodb"
engine = "mysql"
engine_version = "8.0"
instance_class = "db.t2.large"
allocated_storage = 5
name = "demodb"
username = "user"
password = "YourPwdShouldBeLongAndSecure!"
port = "3306"
vpc_security_group_ids = ["sg-12345678"]
maintenance_window = "Mon:00:00-Mon:03:00"
backup_window = "03:00-06:00"
# Enhanced Monitoring - see example for details on how to create the role
# by yourself, in case you don't want to create it automatically
monitoring_interval = "30"
monitoring_role_name = "MyRDSMonitoringRole"
create_monitoring_role = true
tags = {
Owner = "user"
Environment = "dev"
}
# DB subnet group
subnet_ids = ["subnet-12345678", "subnet-87654321"]
# DB parameter group
family = "mysql5.7"
# DB option group
major_engine_version = "5.7"
# Database Deletion Protection
deletion_protection = true
parameters = [
{
name = "character_set_client"
value = "utf8mb4"
},
{
name = "character_set_server"
value = "utf8mb4"
}
]
options = [
{
option_name = "MARIADB_AUDIT_PLUGIN"
option_settings = [
{
name = "SERVER_AUDIT_EVENTS"
value = "CONNECT"
},
{
name = "SERVER_AUDIT_FILE_ROTATIONS"
value = "37"
},
]
},
]
}
Positive test num. 4 - tf file
module "db" {
source = "terraform-aws-modules/rds/aws"
version = "~> 3.0"
identifier = "demodb"
engine = "mysql"
engine_version = "8.0.28"
instance_class = "db.t2.large"
allocated_storage = 5
name = "demodb"
username = "user"
password = "YourPwdShouldBeLongAndSecure!"
port = "3306"
iam_database_authentication_enabled = false
vpc_security_group_ids = ["sg-12345678"]
maintenance_window = "Mon:00:00-Mon:03:00"
backup_window = "03:00-06:00"
# Enhanced Monitoring - see example for details on how to create the role
# by yourself, in case you don't want to create it automatically
monitoring_interval = "30"
monitoring_role_name = "MyRDSMonitoringRole"
create_monitoring_role = true
tags = {
Owner = "user"
Environment = "dev"
}
# DB subnet group
subnet_ids = ["subnet-12345678", "subnet-87654321"]
# DB parameter group
family = "mysql5.7"
# DB option group
major_engine_version = "5.7"
# Database Deletion Protection
deletion_protection = true
parameters = [
{
name = "character_set_client"
value = "utf8mb4"
},
{
name = "character_set_server"
value = "utf8mb4"
}
]
options = [
{
option_name = "MARIADB_AUDIT_PLUGIN"
option_settings = [
{
name = "SERVER_AUDIT_EVENTS"
value = "CONNECT"
},
{
name = "SERVER_AUDIT_FILE_ROTATIONS"
value = "37"
},
]
},
]
}
Code samples without security vulnerabilities¶
Negative test num. 1 - tf file
resource "aws_db_instance" "negative1" {
allocated_storage = 20
storage_type = "gp2"
engine = "mysql"
engine_version = "5.7"
instance_class = "db.t2.micro"
name = "mydb"
username = "foo"
password = "foobarbaz"
iam_database_authentication_enabled = true
}
Negative test num. 2 - tf file
module "db" {
source = "terraform-aws-modules/rds/aws"
version = "~> 3.0"
identifier = "demodb"
engine = "mysql"
engine_version = "5.7.19"
instance_class = "db.t2.large"
allocated_storage = 5
name = "demodb"
username = "user"
password = "YourPwdShouldBeLongAndSecure!"
port = "3306"
iam_database_authentication_enabled = true
vpc_security_group_ids = ["sg-12345678"]
maintenance_window = "Mon:00:00-Mon:03:00"
backup_window = "03:00-06:00"
# Enhanced Monitoring - see example for details on how to create the role
# by yourself, in case you don't want to create it automatically
monitoring_interval = "30"
monitoring_role_name = "MyRDSMonitoringRole"
create_monitoring_role = true
tags = {
Owner = "user"
Environment = "dev"
}
# DB subnet group
subnet_ids = ["subnet-12345678", "subnet-87654321"]
# DB parameter group
family = "mysql5.7"
# DB option group
major_engine_version = "5.7"
# Database Deletion Protection
deletion_protection = true
parameters = [
{
name = "character_set_client"
value = "utf8mb4"
},
{
name = "character_set_server"
value = "utf8mb4"
}
]
options = [
{
option_name = "MARIADB_AUDIT_PLUGIN"
option_settings = [
{
name = "SERVER_AUDIT_EVENTS"
value = "CONNECT"
},
{
name = "SERVER_AUDIT_FILE_ROTATIONS"
value = "37"
},
]
},
]
}
Negative test num. 3 - tf file
module "db" {
source = "terraform-aws-modules/rds/aws"
version = "~> 3.0"
identifier = "demodb"
engine = "aurora"
engine_version = "11.10"
instance_class = "db.t2.small"
allocated_storage = 5
name = "demodb"
username = "user"
port = "3306"
vpc_security_group_ids = ["sg-12345678"]
maintenance_window = "Mon:00:00-Mon:03:00"
backup_window = "03:00-06:00"
# Enhanced Monitoring - see example for details on how to create the role
# by yourself, in case you don't want to create it automatically
monitoring_interval = "30"
monitoring_role_name = "MyRDSMonitoringRole"
create_monitoring_role = true
tags = {
Owner = "user"
Environment = "dev"
}
}