DOCDB Cluster Without KMS

  • Query id: 4766d3ea-241c-4ee6-93ff-c380c996bd1a
  • Query name: DOCDB Cluster Without KMS
  • Platform: Terraform
  • Severity: High
  • Category: Encryption
  • URL: Github

Description

AWS DocumentDB clusters should be encrypted at rest with `storage_encrypted = true` and a KMS key supplied in `kms_key_id`; without `kms_key_id` the cluster falls back to the AWS-managed default key, and without `storage_encrypted` it is not encrypted at all. Both attributes are fixed at cluster creation: changing either on an existing `aws_docdb_cluster` forces the resource to be replaced, so the check is most useful before the first apply.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - tf file
# storage_encrypted is omitted (provider default: false) and no kms_key_id is set
resource "aws_docdb_cluster" "docdb" {
  cluster_identifier      = "my-docdb-cluster"
  engine                  = "docdb"
  master_username         = "foo"
  master_password         = "mustbeeightchars"
  backup_retention_period = 5
  preferred_backup_window = "07:00-09:00"
  skip_final_snapshot     = true
}

Code samples without security vulnerabilities

Negative test num. 1 - tf file
# storage_encrypted is required for kms_key_id to take effect; the ARN below is a placeholder
resource "aws_docdb_cluster" "docdb" {
  cluster_identifier      = "my-docdb-cluster"
  engine                  = "docdb"
  master_username         = "foo"
  master_password         = "mustbeeightchars"
  backup_retention_period = 5
  preferred_backup_window = "07:00-09:00"
  skip_final_snapshot     = true
  storage_encrypted       = true
  kms_key_id              = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
}
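The two samples above show the condition in raw HCL. The script below is an added example, not part of KICS, that applies the same condition to the JSON produced by `terraform show -json tfplan`, where variables and module inputs are already resolved. It walks `planned_values` including child modules, and it consults `resource_changes[].change.after_unknown` so that a `kms_key_id` that references an `aws_kms_key` resource (and is therefore "known after apply" and omitted from planned values) is not reported as missing. The embedded plan is constructed for the example and is not real terraform output.

```python
"""Added example (not KICS code): gate a Terraform plan on DocumentDB encryption.

Reports every aws_docdb_cluster whose storage_encrypted is not true or whose
kms_key_id is unset, the condition of the query above, applied post-plan.
The plan below is constructed for the example; it is not terraform output.
"""
import json
import sys
from typing import Iterator

RESOURCE_TYPE = "aws_docdb_cluster"
CMK_ARN = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"

# Constructed sample plan, trimmed to the fields this check reads.
SAMPLE_PLAN = {
    "format_version": "1.2",
    "planned_values": {
        "root_module": {
            "resources": [
                # like positive test 1: storage_encrypted left at its default
                {"address": "aws_docdb_cluster.plain", "type": RESOURCE_TYPE,
                 "values": {"cluster_identifier": "my-docdb-cluster", "storage_encrypted": False}},
                # encrypted, but no kms_key_id: AWS-managed default key
                {"address": "aws_docdb_cluster.default_key", "type": RESOURCE_TYPE,
                 "values": {"cluster_identifier": "default-key", "storage_encrypted": True}},
                # like negative test 1: literal customer-managed key ARN
                {"address": "aws_docdb_cluster.cmk", "type": RESOURCE_TYPE,
                 "values": {"cluster_identifier": "cmk", "storage_encrypted": True,
                            "kms_key_id": CMK_ARN}},
                # kms_key_id = aws_kms_key.docdb.arn: unknown until apply, so
                # terraform omits it from planned values (see resource_changes)
                {"address": "aws_docdb_cluster.cmk_ref", "type": RESOURCE_TYPE,
                 "values": {"cluster_identifier": "cmk-ref", "storage_encrypted": True}},
            ],
            "child_modules": [{
                "address": "module.analytics",
                "resources": [
                    {"address": "module.analytics.aws_docdb_cluster.reports", "type": RESOURCE_TYPE,
                     "values": {"cluster_identifier": "reports", "storage_encrypted": False}},
                ],
            }],
        }
    },
    "resource_changes": [{
        "address": "aws_docdb_cluster.cmk_ref", "type": RESOURCE_TYPE,
        "change": {"actions": ["create"], "after_unknown": {"kms_key_id": True}},
    }],
}


def iter_resources(module: dict) -> Iterator[dict]:
    """Yield resources of a planned_values module and all nested child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def unknown_kms_addresses(plan: dict) -> set:
    """Addresses whose kms_key_id is 'known after apply', e.g. a reference to aws_kms_key."""
    return {
        rc["address"]
        for rc in plan.get("resource_changes", [])
        if rc.get("type") == RESOURCE_TYPE
        and rc.get("change", {}).get("after_unknown", {}).get("kms_key_id") is True
    }


def docdb_findings(plan: dict) -> list:
    """One finding per aws_docdb_cluster that fails the KMS encryption check."""
    deferred = unknown_kms_addresses(plan)
    root = plan.get("planned_values", {}).get("root_module", {})
    findings = []
    for res in iter_resources(root):
        if res.get("type") != RESOURCE_TYPE:
            continue
        values = res.get("values") or {}
        address = res.get("address", "?")
        if values.get("storage_encrypted") is not True:
            findings.append({"address": address, "reason": "storage_encrypted is not true"})
        elif not values.get("kms_key_id") and address not in deferred:
            findings.append({"address": address, "reason": "no kms_key_id (AWS-managed default key)"})
    return findings


def main(argv: list) -> int:
    """Usage: python docdb_kms_gate.py [plan.json]; exit 1 on any finding."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            plan = json.load(fh)
    else:
        plan = SAMPLE_PLAN
    findings = docdb_findings(plan)
    for f in findings:
        print(f"{f['address']}: {f['reason']}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run without arguments it reports the sample's `plain`, `default_key` and `module.analytics...reports` clusters and exits non-zero; `cmk` passes on its literal ARN and `cmk_ref` is accepted because its key is resolved at apply time. In CI, generate the input with `terraform plan -out=tfplan && terraform show -json tfplan > plan.json` and pass `plan.json` as the argument.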