Postgres RDS logging disabled

  • Query id: 820882c4-0c07-4686-b1ca-c69241c57470
  • Query name: Postgres RDS logging disabled
  • Platform: Terraform
  • Severity: Low
  • Category: Observability
  • CWE: 778
  • Risk score: 1.0
  • URL: Github

Description

Logging of executed database queries should be enabled to help assess performance impact and detect potential malicious activity. Note that these logs might contain password information and other credentials if provided in cleartext. More Information: https://repost.aws/knowledge-center/rds-postgresql-cleartext-logging
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - tf file
resource "aws_db_parameter_group" "postgres_logging" {
  name   = "postgres-logging"
  family = "postgres14"
  parameter {
    name  = "log_statement"
    value = "not_all"
  }
  parameter {
    name  = "log_min_duration_statement"
    value = "not_1"
  }
}
Positive test num. 2 - tf file
resource "aws_db_parameter_group" "postgres_logging" {
  name   = "postgres-logging"
  family = "postgres14"
  parameter {
    name  = "log_statement"
    value = "not_all"
  }

  parameter {
    name  = "log_min_duration_statement"
    value = "1"
  }
}
Positive test num. 3 - tf file
resource "aws_db_parameter_group" "postgres_logging" {
  name   = "postgres-logging"
  family = "postgres14"
  parameter {
    name  = "log_statement"
    value = "all"
  }
  parameter {
    name  = "log_min_duration_statement"
    value = "not_1"
  }
}

Positive test num. 4 - tf file
resource "aws_db_parameter_group" "postgres_logging" {
  name   = "postgres-logging"
  family = "postgres14"
}
Positive test num. 5 - tf file
resource "aws_db_parameter_group" "example" {
  name   = "postgres-logging"
  family = "postgres14"

  parameter {
    name  = "log_statement"
    value = "all"
  }
}
Positive test num. 6 - tf file
resource "aws_db_parameter_group" "example" {
  name   = "postgres-logging"
  family = "postgres14"

  parameter {
    name  = "log_min_duration_statement"
    value = "1"
  }
}

Code samples without security vulnerabilities

Negative test num. 1 - tf file
resource "aws_db_parameter_group" "postgres_logging" {
  name   = "postgres-logging"
  family = "postgres14"
  parameter {
    name  = "log_statement"
    value = "all"
  }
  parameter {
    name  = "log_min_duration_statement"
    value = "1"
  }
}
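The test cases above define the rule by example: a Postgres parameter group passes only when `log_statement` is `"all"` and `log_min_duration_statement` is `"1"`, and it fails when either parameter is missing or carries another value. The following Python script is an added example, not KICS code or the query's own Rego, that applies exactly that logic to terraform-fmt style HCL with a minimal regex parser (a full HCL parser such as python-hcl2 would be the robust choice; the regex here is an assumption that the blocks are laid out like the samples on this page). The embedded Terraform snippets are constructed from the negative test and positive tests 1 and 5 above; restricting the check to families starting with `postgres` is an assumption drawn from the query name.

```python
import re

# Constructed sample: the compliant group from "Negative test num. 1".
COMPLIANT_TF = '''
resource "aws_db_parameter_group" "postgres_logging" {
  name   = "postgres-logging"
  family = "postgres14"
  parameter {
    name  = "log_statement"
    value = "all"
  }
  parameter {
    name  = "log_min_duration_statement"
    value = "1"
  }
}
'''

# Constructed sample: both parameters present but with wrong values
# (mirrors "Positive test num. 1").
WRONG_VALUES_TF = '''
resource "aws_db_parameter_group" "postgres_logging" {
  name   = "postgres-logging"
  family = "postgres14"
  parameter {
    name  = "log_statement"
    value = "not_all"
  }
  parameter {
    name  = "log_min_duration_statement"
    value = "not_1"
  }
}
'''

# Constructed sample: only log_statement set (mirrors "Positive test num. 5").
PARTIAL_TF = '''
resource "aws_db_parameter_group" "example" {
  name   = "postgres-logging"
  family = "postgres14"

  parameter {
    name  = "log_statement"
    value = "all"
  }
}
'''

# Required settings exactly as the page's test cases define them.
REQUIRED = {"log_statement": "all", "log_min_duration_statement": "1"}

# Assumption: resource body ends at the first "}" in column 0 (terraform fmt style).
RESOURCE_RE = re.compile(
    r'resource\s+"aws_db_parameter_group"\s+"([^"]+)"\s*\{(.*?)\n\}', re.S)
PARAM_RE = re.compile(
    r'parameter\s*\{\s*name\s*=\s*"([^"]+)"\s*value\s*=\s*"([^"]*)"\s*\}', re.S)
FAMILY_RE = re.compile(r'family\s*=\s*"([^"]+)"')


def parse_parameter_groups(tf_source):
    """Return {label: {"family": str, "params": {name: value}}} for every
    aws_db_parameter_group resource found in the HCL text."""
    groups = {}
    for label, body in RESOURCE_RE.findall(tf_source):
        family = FAMILY_RE.search(body)
        params = {name: value for name, value in PARAM_RE.findall(body)}
        groups[label] = {"family": family.group(1) if family else "",
                         "params": params}
    return groups


def find_logging_gaps(tf_source):
    """Return {label: [issue, ...]} for Postgres parameter groups that do not
    enable query logging. An empty dict means every group is compliant."""
    findings = {}
    for label, group in parse_parameter_groups(tf_source).items():
        if not group["family"].startswith("postgres"):
            continue  # assumption: the query is scoped to Postgres families
        issues = []
        for name, expected in REQUIRED.items():
            actual = group["params"].get(name)
            if actual is None:
                issues.append(f'{name} is not set (expected "{expected}")')
            elif actual != expected:
                issues.append(f'{name} is "{actual}" (expected "{expected}")')
        if issues:
            findings[label] = issues
    return findings


if __name__ == "__main__":
    for title, src in [("compliant", COMPLIANT_TF),
                       ("wrong values", WRONG_VALUES_TF),
                       ("partial", PARTIAL_TF)]:
        print(f"{title}: {find_logging_gaps(src) or 'OK'}")
```

Treating a missing parameter as a finding is the important design choice: RDS falls back to the family default (statement logging off) when a parameter group does not set `log_statement`, so silence in the Terraform is the same as logging being disabled. Once the check passes, remember the description's caveat and keep credentials out of the SQL text that now lands in the log.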