DOCDB Cluster Encrypted With AWS Managed Key

  • Query id: 2134641d-30a4-4b16-8ffc-2cd4c4ffd15d
  • Query name: DOCDB Cluster Encrypted With AWS Managed Key
  • Platform: Terraform
  • Severity: Medium
  • Category: Encryption
  • URL: Github

Description

Amazon DocumentDB clusters with storage_encrypted = true should reference a customer-managed KMS key (CMK) in kms_key_id rather than the AWS managed key alias/aws/rds, which is also the key DocumentDB falls back to when kms_key_id is omitted. The AWS managed key's policy cannot be edited, it cannot be disabled, deleted or rotated on a schedule you choose, and it cannot be shared with another account, so it gives the cluster owner no control over who can decrypt the storage volume or its snapshots.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - tf file
provider "aws" {
  region = "us-east-1"
}

# alias/aws/rds is the AWS managed key that RDS and DocumentDB use by default.
# Its key policy and lifecycle are controlled by AWS, not by this account.
data "aws_kms_key" "test" {
  key_id = "alias/aws/rds"
}

resource "aws_docdb_cluster" "test2" {
  cluster_identifier  = "my-docdb-cluster-test2"
  engine              = "docdb"
  master_username     = "foo"
  master_password     = "mustbeeightchars"
  skip_final_snapshot = true
  storage_encrypted   = true
  # Flagged: the key ARN resolves to the AWS managed key.
  kms_key_id          = data.aws_kms_key.test.arn
}

Code samples without security vulnerabilities

Negative test num. 1 - tf file
provider "aws" {
  region = "us-east-1"
}

# alias/myAlias points at a customer-managed key whose policy, rotation and
# deletion are under the account's control.
data "aws_kms_key" "test2" {
  key_id = "alias/myAlias"
}

resource "aws_docdb_cluster" "test22" {
  cluster_identifier  = "my-docdb-cluster-test2"
  engine              = "docdb"
  master_username     = "foo"
  master_password     = "mustbeeightchars"
  skip_final_snapshot = true
  storage_encrypted   = true
  # Passes: the key ARN resolves to a customer-managed key.
  kms_key_id          = data.aws_kms_key.test2.arn
}
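The check behind this query has to follow the kms_key_id reference back to the data "aws_kms_key" block and look at its key_id, which is what distinguishes the two samples above. The following Python is an added example of that resolution logic, not KICS's own Rego: it parses only the flat HCL subset shown on this page with regular expressions, and it goes one step further than the samples by also reporting clusters that set storage_encrypted = true without any kms_key_id (DocumentDB then uses the AWS managed key) and clusters that pass an alias/aws/ string literally. SAMPLE_TF and the resource names in it are constructed for the example.

```python
"""Find aws_docdb_cluster resources that end up on the AWS managed KMS key.

Added example, not KICS's own query implementation. Parses only top-level,
non-nested HCL blocks of the form `kind "type" "name" { attr = value }`.
"""
import re

# One top-level resource/data block; provider blocks have one label and are skipped.
BLOCK_RE = re.compile(
    r'^(resource|data)\s+"([^"]+)"\s+"([^"]+)"\s*\{(.*?)^\}', re.M | re.S)
# One `attr = value` line inside a block body.
ATTR_RE = re.compile(r'^\s*(\w+)\s*=\s*(.+?)\s*$', re.M)
# `data.aws_kms_key.<name>.arn` (or .id / .key_id) as used in kms_key_id.
DATA_KEY_REF_RE = re.compile(r'^data\.aws_kms_key\.(\w+)\.(arn|id|key_id)$')


def parse_blocks(hcl):
    """Return {(kind, type, name): {attr: raw_value}} for every top-level block."""
    return {
        (kind, typ, name): dict(ATTR_RE.findall(body))
        for kind, typ, name, body in BLOCK_RE.findall(hcl)
    }


def unquote(value):
    """Strip one pair of surrounding double quotes from an HCL string literal."""
    if len(value) >= 2 and value[0] == value[-1] == '"':
        return value[1:-1]
    return value


def resolve_key_id(value, blocks):
    """Return the key identifier a kms_key_id value refers to, or None if unknown.

    A reference to a data "aws_kms_key" block is replaced by that block's key_id;
    any other value (literal ARN, alias, reference to a managed aws_kms_key
    resource) is returned as-is.
    """
    ref = unquote(value)
    m = DATA_KEY_REF_RE.match(ref)
    if not m:
        return ref
    data_block = blocks.get(("data", "aws_kms_key", m.group(1)))
    if data_block is None:
        return None  # dangling reference; nothing to decide on
    return unquote(data_block.get("key_id", ""))


def find_aws_managed_key_clusters(hcl):
    """Return [(cluster_name, reason)] for encrypted clusters on the AWS managed key."""
    findings = []
    blocks = parse_blocks(hcl)
    for (kind, typ, name), attrs in blocks.items():
        if kind != "resource" or typ != "aws_docdb_cluster":
            continue
        if unquote(attrs.get("storage_encrypted", "false")) != "true":
            continue  # unencrypted storage is a separate query's concern
        if "kms_key_id" not in attrs:
            findings.append((name, "no kms_key_id: DocumentDB defaults to aws/rds"))
            continue
        key = resolve_key_id(attrs["kms_key_id"], blocks)
        if key is not None and "alias/aws/" in key:
            findings.append((name, f"kms_key_id resolves to AWS managed key {key}"))
    return findings


# Constructed sample: the two cases from the page plus two further ones.
SAMPLE_TF = '''
data "aws_kms_key" "aws_managed" {
  key_id = "alias/aws/rds"
}

data "aws_kms_key" "cmk" {
  key_id = "alias/myAlias"
}

resource "aws_docdb_cluster" "flagged" {
  cluster_identifier  = "docdb-aws-managed"
  engine              = "docdb"
  storage_encrypted   = true
  kms_key_id          = data.aws_kms_key.aws_managed.arn
}

resource "aws_docdb_cluster" "ok" {
  cluster_identifier  = "docdb-cmk"
  engine              = "docdb"
  storage_encrypted   = true
  kms_key_id          = data.aws_kms_key.cmk.arn
}

resource "aws_docdb_cluster" "implicit_default" {
  cluster_identifier  = "docdb-no-key"
  engine              = "docdb"
  storage_encrypted   = true
}

resource "aws_docdb_cluster" "literal_alias" {
  cluster_identifier  = "docdb-literal"
  engine              = "docdb"
  storage_encrypted   = true
  kms_key_id          = "alias/aws/rds"
}
'''

if __name__ == "__main__":
    for cluster, reason in find_aws_managed_key_clusters(SAMPLE_TF):
        print(f"aws_docdb_cluster.{cluster}: {reason}")
```

Resolution is the part that matters: a rule that only inspects the cluster block sees an opaque data.aws_kms_key.test.arn reference and cannot tell the two samples apart, so the check has to join on the data block's key_id. A reference to a managed aws_kms_key resource is left unflagged on purpose, since a key created by Terraform is by definition customer-managed.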