RDS Without Logging
- Query id: 8d7f7b8c-6c7c-40f8-baa6-62006c6c7b56
- Query name: RDS Without Logging
- Platform: Terraform
- Severity: Medium
- Category: Observability
- URL: Github
Description¶
RDS does not have any kind of logger
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - tf file
resource "aws_db_instance" "positive1" {
allocated_storage = 5
engine = "postgres"
instance_class = "db.t3.small"
password = "admin"
username = "admin"
}
Positive test num. 2 - tf file
resource "aws_db_instance" "positive2" {
allocated_storage = 5
engine = "postgres"
instance_class = "db.t3.small"
password = "admin"
username = "admin"
enabled_cloudwatch_logs_exports = []
}
Positive test num. 3 - tf file
module "db" {
source = "terraform-aws-modules/rds/aws"
version = "~> 3.0"
identifier = "demodb"
engine = "mysql"
engine_version = "5.7.19"
instance_class = "db.t2.large"
allocated_storage = 5
name = "demodb"
username = "user"
password = "YourPwdShouldBeLongAndSecure!"
port = "3306"
iam_database_authentication_enabled = true
vpc_security_group_ids = ["sg-12345678"]
maintenance_window = "Mon:00:00-Mon:03:00"
backup_window = "03:00-06:00"
# Enhanced Monitoring - see example for details on how to create the role
# by yourself, in case you don't want to create it automatically
monitoring_interval = "30"
monitoring_role_name = "MyRDSMonitoringRole"
create_monitoring_role = true
tags = {
Owner = "user"
Environment = "dev"
}
# DB subnet group
subnet_ids = ["subnet-12345678", "subnet-87654321"]
# DB parameter group
family = "mysql5.7"
# DB option group
major_engine_version = "5.7"
# Database Deletion Protection
deletion_protection = true
parameters = [
{
name = "character_set_client"
value = "utf8mb4"
},
{
name = "character_set_server"
value = "utf8mb4"
}
]
options = [
{
option_name = "MARIADB_AUDIT_PLUGIN"
option_settings = [
{
name = "SERVER_AUDIT_EVENTS"
value = "CONNECT"
},
{
name = "SERVER_AUDIT_FILE_ROTATIONS"
value = "37"
},
]
},
]
}
Positive test num. 4 - tf file
module "db" {
source = "terraform-aws-modules/rds/aws"
version = "~> 3.0"
identifier = "demodb"
engine = "mysql"
engine_version = "5.7.19"
instance_class = "db.t2.large"
allocated_storage = 5
enabled_cloudwatch_logs_exports = []
name = "demodb"
username = "user"
password = "YourPwdShouldBeLongAndSecure!"
port = "3306"
iam_database_authentication_enabled = true
vpc_security_group_ids = ["sg-12345678"]
maintenance_window = "Mon:00:00-Mon:03:00"
backup_window = "03:00-06:00"
# Enhanced Monitoring - see example for details on how to create the role
# by yourself, in case you don't want to create it automatically
monitoring_interval = "30"
monitoring_role_name = "MyRDSMonitoringRole"
create_monitoring_role = true
tags = {
Owner = "user"
Environment = "dev"
}
# DB subnet group
subnet_ids = ["subnet-12345678", "subnet-87654321"]
# DB parameter group
family = "mysql5.7"
# DB option group
major_engine_version = "5.7"
# Database Deletion Protection
deletion_protection = true
parameters = [
{
name = "character_set_client"
value = "utf8mb4"
},
{
name = "character_set_server"
value = "utf8mb4"
}
]
options = [
{
option_name = "MARIADB_AUDIT_PLUGIN"
option_settings = [
{
name = "SERVER_AUDIT_EVENTS"
value = "CONNECT"
},
{
name = "SERVER_AUDIT_FILE_ROTATIONS"
value = "37"
},
]
},
]
}
Code samples without security vulnerabilities¶
Negative test num. 1 - tf file
resource "aws_db_instance" "negative1" {
allocated_storage = 5
engine = "postgres"
instance_class = "db.t3.small"
password = "admin"
username = "admin"
enabled_cloudwatch_logs_exports = ["upgrade"]
}
resource "aws_db_instance" "negative2" {
allocated_storage = 5
engine = "mariadb"
instance_class = "db.t3.small"
password = "admin"
username = "admin"
enabled_cloudwatch_logs_exports = ["general", "error"]
}
Negative test num. 2 - tf file
module "db" {
source = "terraform-aws-modules/rds/aws"
version = "~> 3.0"
identifier = "demodb"
engine = "mysql"
engine_version = "5.7.19"
instance_class = "db.t2.large"
allocated_storage = 5
enabled_cloudwatch_logs_exports = ["general", "error"]
name = "demodb"
username = "user"
password = "YourPwdShouldBeLongAndSecure!"
port = "3306"
iam_database_authentication_enabled = true
vpc_security_group_ids = ["sg-12345678"]
maintenance_window = "Mon:00:00-Mon:03:00"
backup_window = "03:00-06:00"
# Enhanced Monitoring - see example for details on how to create the role
# by yourself, in case you don't want to create it automatically
monitoring_interval = "30"
monitoring_role_name = "MyRDSMonitoringRole"
create_monitoring_role = true
tags = {
Owner = "user"
Environment = "dev"
}
# DB subnet group
subnet_ids = ["subnet-12345678", "subnet-87654321"]
# DB parameter group
family = "mysql5.7"
# DB option group
major_engine_version = "5.7"
# Database Deletion Protection
deletion_protection = true
parameters = [
{
name = "character_set_client"
value = "utf8mb4"
},
{
name = "character_set_server"
value = "utf8mb4"
}
]
options = [
{
option_name = "MARIADB_AUDIT_PLUGIN"
option_settings = [
{
name = "SERVER_AUDIT_EVENTS"
value = "CONNECT"
},
{
name = "SERVER_AUDIT_FILE_ROTATIONS"
value = "37"
},
]
},
]
}
Negative test num. 3 - tf file
module "db" {
source = "terraform-aws-modules/rds/aws"
version = "~> 3.0"
identifier = "demodb"
engine = "mysql"
engine_version = "5.7.19"
instance_class = "db.t2.large"
allocated_storage = 5
enabled_cloudwatch_logs_exports = ["upgrade"]
name = "demodb"
username = "user"
password = "YourPwdShouldBeLongAndSecure!"
port = "3306"
iam_database_authentication_enabled = true
vpc_security_group_ids = ["sg-12345678"]
maintenance_window = "Mon:00:00-Mon:03:00"
backup_window = "03:00-06:00"
# Enhanced Monitoring - see example for details on how to create the role
# by yourself, in case you don't want to create it automatically
monitoring_interval = "30"
monitoring_role_name = "MyRDSMonitoringRole"
create_monitoring_role = true
tags = {
Owner = "user"
Environment = "dev"
}
# DB subnet group
subnet_ids = ["subnet-12345678", "subnet-87654321"]
# DB parameter group
family = "mysql5.7"
# DB option group
major_engine_version = "5.7"
# Database Deletion Protection
deletion_protection = true
parameters = [
{
name = "character_set_client"
value = "utf8mb4"
},
{
name = "character_set_server"
value = "utf8mb4"
}
]
options = [
{
option_name = "MARIADB_AUDIT_PLUGIN"
option_settings = [
{
name = "SERVER_AUDIT_EVENTS"
value = "CONNECT"
},
{
name = "SERVER_AUDIT_FILE_ROTATIONS"
value = "37"
},
]
},
]
}