RDS Associated with Public Subnet

  • Query id: 2f737336-b18a-4602-8ea0-b200312e1ac1
  • Query name: RDS Associated with Public Subnet
  • Platform: Terraform
  • Severity: High
  • Category: Networking and Firewall
  • URL: Github

Description

RDS should not run in public subnet
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - tf file
resource "aws_db_instance" "positive1" {
  allocated_storage    = 10
  engine               = "mysql"
  engine_version       = "5.7"
  instance_class       = "db.t3.micro"
  name                 = "mydb"
  username             = "foo"
  password             = "foobarbaz"
  parameter_group_name = "positive1.mysql5.7"
  skip_final_snapshot  = true
  db_subnet_group_name = aws_db_subnet_group.subnetGroup.name
}

resource "aws_db_subnet_group" "subnetGroup" {
  name       = "main"
  subnet_ids = [aws_subnet.frontend.id, aws_subnet.backend.id]

  tags = {
    Name = "My DB subnet group"
  }
}

resource "aws_subnet" "frontend" {
  vpc_id     = aws_vpc_ipv4_cidr_block_association.secondary_cidr.vpc_id
  cidr_block = "172.2.0.0/24"
}


resource "aws_subnet" "backend" {
  vpc_id     = aws_vpc_ipv4_cidr_block_association.secondary_cidr.vpc_id
  cidr_block = "0.0.0.0/0"
}
Positive test num. 2 - tf file
resource "aws_db_instance" "positive2" {
  allocated_storage    = 10
  engine               = "mysql"
  engine_version       = "5.7"
  instance_class       = "db.t3.micro"
  name                 = "mydb"
  username             = "foo"
  password             = "foobarbaz"
  parameter_group_name = "positive2.mysql5.7"
  skip_final_snapshot  = true
  db_subnet_group_name = "subnetGroup2"
}

resource "aws_db_subnet_group" "subnetGroup2" {
  name       = "main"
  subnet_ids = [aws_subnet.frontend2.id, aws_subnet.backend2.id]

  tags = {
    Name = "My DB subnet group"
  }
}

resource "aws_subnet" "frontend2" {
  vpc_id     = aws_vpc_ipv4_cidr_block_association.secondary_cidr.vpc_id
  cidr_block = "172.2.0.0/24"
}


resource "aws_subnet" "backend2" {
  vpc_id     = aws_vpc_ipv4_cidr_block_association.secondary_cidr.vpc_id
  cidr_block = "0.0.0.0/0"
}

Code samples without security vulnerabilities

Negative test num. 1 - tf file
resource "aws_db_instance" "negative1" {
  allocated_storage    = 10
  engine               = "mysql"
  engine_version       = "5.7"
  instance_class       = "db.t3.micro"
  name                 = "mydb"
  username             = "foo"
  password             = "foobarbaz"
  parameter_group_name = "negative1.mysql5.7"
  skip_final_snapshot  = true
  db_subnet_group_name = aws_db_subnet_group.subnetGroup3.name
}

resource "aws_db_subnet_group" "subnetGroup3" {
  name       = "main"
  subnet_ids = [aws_subnet.frontend3.id, aws_subnet.backend3.id]

  tags = {
    Name = "My DB subnet group"
  }
}

resource "aws_subnet" "frontend3" {
  vpc_id     = aws_vpc_ipv4_cidr_block_association.secondary_cidr.vpc_id
  cidr_block = "172.2.0.0/24"
}


resource "aws_subnet" "backend3" {
  vpc_id     = aws_vpc_ipv4_cidr_block_association.secondary_cidr2.vpc_id
  cidr_block = "176.2.0.0/24"
}