// CheckBackupRetentionSpecified reports RDS clusters and DB instances whose
// BackupRetentionPeriodDays is below 2, i.e. still at (or under) the one-day
// default described in the rule's Explanation. Clusters with a non-empty
// ReplicationSourceARN and any cluster or instance that is not managed in the
// scanned configuration are skipped; every other resource is recorded as
// passed. Note that the instance loop has no replica (ReplicationSourceARN)
// exemption, unlike the cluster loop.
var CheckBackupRetentionSpecified = rules.Register(
	rules.Rule{
		AVDID:       "AVD-AWS-0077",
		Provider:    provider.AWSProvider,
		Service:     "rds",
		ShortCode:   "specify-backup-retention",
		Summary:     "RDS Cluster and RDS instance should have backup retention longer than default 1 day",
		Impact:      "Potential loss of data and short opportunity for recovery",
		Resolution:  "Explicitly set the retention period to greater than the default",
		Explanation: `RDS backup retention for clusters defaults to 1 day, this may not be enough to identify and respond to an issue. Backup retention periods should be set to a period that is a balance on cost and limiting risk.`,
		Links: []string{
			"https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_WorkingWithAutomatedBackups.html#USER_WorkingWithAutomatedBackups.BackupRetention",
		},
		Severity: severity.Medium,
	},
	func(s *state.State) (out rules.Results) {
		// Replica clusters are skipped entirely (neither failed nor passed);
		// presumably their retention is governed by the source — confirm.
		for _, c := range s.AWS.RDS.Clusters {
			if !c.ReplicationSourceARN.IsEmpty() || !c.IsManaged() {
				continue
			}
			if !c.BackupRetentionPeriodDays.LessThan(2) {
				out.AddPassed(&c)
				continue
			}
			out.Add(
				"Cluster has very low backup retention period.",
				&c,
				c.BackupRetentionPeriodDays,
			)
		}

		for _, inst := range s.AWS.RDS.Instances {
			if !inst.IsManaged() {
				continue
			}
			if !inst.BackupRetentionPeriodDays.LessThan(2) {
				out.AddPassed(&inst)
				continue
			}
			out.Add(
				"Instance has very low backup retention period.",
				&inst,
				inst.BackupRetentionPeriodDays,
			)
		}
		return out
	},
)
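// CheckEnablePerformanceInsights reports managed RDS clusters and DB instances
// whose Performance Insights are either disabled outright or enabled without a
// KMS key ID. Both conditions fail the rule, even though the Summary only
// mentions encryption; a resource passes only when Performance Insights is
// enabled and a (non-empty) KMSKeyID is set. Resources that are not managed in
// the scanned configuration are skipped.
//
// Fixes relative to the previous revision: the documentation link now ends in
// ".html" (matching the sibling encryption rules) and the Explanation reads
// "an encryption key" rather than "and encryption key".
var CheckEnablePerformanceInsights = rules.Register(
	rules.Rule{
		AVDID:       "AVD-AWS-0078",
		Provider:    provider.AWSProvider,
		Service:     "rds",
		ShortCode:   "enable-performance-insights",
		Summary:     "Encryption for RDS Performance Insights should be enabled.",
		Impact:      "Data can be read from the RDS Performance Insights if it is compromised",
		Resolution:  "Enable encryption for RDS clusters and instances",
		Explanation: `When enabling Performance Insights on an RDS cluster or RDS DB Instance, an encryption key should be provided. The encryption key specified in ` + "`" + `performance_insights_kms_key_id` + "`" + ` references a KMS ARN`,
		Links: []string{
			"https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html",
		},
		Severity: severity.High,
	},
	func(s *state.State) (results rules.Results) {
		for _, cluster := range s.AWS.RDS.Clusters {
			if !cluster.IsManaged() {
				continue
			}
			// Disabled and enabled-but-unencrypted are reported as separate
			// findings so the attribute that needs changing is pointed at.
			if cluster.PerformanceInsights.Enabled.IsFalse() {
				results.Add(
					"Cluster does not have performance insights enabled.",
					&cluster,
					cluster.PerformanceInsights.Enabled,
				)
			} else if cluster.PerformanceInsights.KMSKeyID.IsEmpty() {
				// NOTE(review): only emptiness is checked; any non-empty key
				// reference passes, whatever key it points to.
				results.Add(
					"Cluster has performance insights enabled without encryption.",
					&cluster,
					cluster.PerformanceInsights.KMSKeyID,
				)
			} else {
				results.AddPassed(&cluster)
			}
		}

		for _, instance := range s.AWS.RDS.Instances {
			if !instance.IsManaged() {
				continue
			}
			if instance.PerformanceInsights.Enabled.IsFalse() {
				results.Add(
					"Instance does not have performance insights enabled.",
					&instance,
					instance.PerformanceInsights.Enabled,
				)
			} else if instance.PerformanceInsights.KMSKeyID.IsEmpty() {
				results.Add(
					"Instance has performance insights enabled without encryption.",
					&instance,
					instance.PerformanceInsights.KMSKeyID,
				)
			} else {
				results.AddPassed(&instance)
			}
		}
		return
	},
)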
// CheckEncryptClusterStorageData reports managed RDS clusters whose storage
// encryption is disabled, and separately those that have encryption on but no
// KMS key ID set. A cluster passes only when Encryption.EncryptStorage is not
// false and Encryption.KMSKeyID is non-empty. Unmanaged clusters are skipped.
var CheckEncryptClusterStorageData = rules.Register(
	rules.Rule{
		AVDID:       "AVD-AWS-0079",
		Provider:    provider.AWSProvider,
		Service:     "rds",
		ShortCode:   "encrypt-cluster-storage-data",
		Summary:     "There is no encryption specified or encryption is disabled on the RDS Cluster.",
		Impact:      "Data can be read from the RDS cluster if it is compromised",
		Resolution:  "Enable encryption for RDS clusters",
		Explanation: `Encryption should be enabled for an RDS Aurora cluster. When enabling encryption by setting the kms_key_id, the storage_encrypted must also be set to true.`,
		Links: []string{
			"https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html",
		},
		Severity: severity.High,
	},
	func(s *state.State) (out rules.Results) {
		for _, c := range s.AWS.RDS.Clusters {
			if !c.IsManaged() {
				continue
			}
			switch {
			case c.Encryption.EncryptStorage.IsFalse():
				out.Add(
					"Cluster does not have storage encryption enabled.",
					&c,
					c.Encryption.EncryptStorage,
				)
			case c.Encryption.KMSKeyID.IsEmpty():
				// NOTE(review): the message says "customer managed key", but
				// the code only tests for a non-empty KMSKeyID — any key
				// reference satisfies it. Confirm that is the intent.
				out.Add(
					"Cluster does not specify a customer managed key for storage encryption.",
					&c,
					c.Encryption.KMSKeyID,
				)
			default:
				out.AddPassed(&c)
			}
		}
		return out
	},
)
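// CheckEncryptInstanceStorageData reports RDS DB instances whose storage
// encryption (Encryption.EncryptStorage) is false. Instances with a non-empty
// ReplicationSourceARN are skipped, as are instances that are not managed in
// the scanned configuration; the latter guard is new here and brings this rule
// in line with the other rds checks, which all skip unmanaged resources so that
// default attribute values on placeholder resources are not reported as
// findings. All other instances are recorded as passed.
var CheckEncryptInstanceStorageData = rules.Register(
	rules.Rule{
		AVDID:       "AVD-AWS-0080",
		Provider:    provider.AWSProvider,
		Service:     "rds",
		ShortCode:   "encrypt-instance-storage-data",
		Summary:     "RDS encryption has not been enabled at a DB Instance level.",
		Impact:      "Data can be read from RDS instances if compromised",
		Resolution:  "Enable encryption for RDS instances",
		Explanation: `Encryption should be enabled for an RDS Database instances. When enabling encryption by setting the kms_key_id.`,
		Links: []string{
			"https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html",
		},
		Severity: severity.High,
	},
	func(s *state.State) (results rules.Results) {
		for _, instance := range s.AWS.RDS.Instances {
			// Unmanaged instances carry only default values, so evaluating
			// them would produce spurious findings (same guard as AVD-AWS-0077
			// and AVD-AWS-0078).
			if !instance.IsManaged() {
				continue
			}
			// Replicas are skipped — presumably because their encryption
			// follows the source instance; confirm against the adapter.
			if !instance.ReplicationSourceARN.IsEmpty() {
				continue
			}
			if instance.Encryption.EncryptStorage.IsFalse() {
				results.Add(
					"Instance does not have storage encryption enabled.",
					&instance,
					instance.Encryption.EncryptStorage,
				)
			} else {
				results.AddPassed(&instance)
			}
		}
		return
	},
)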
// CheckNoClassicResources reports every entry in AWS.RDS.Classic.DBSecurityGroups
// as a finding: the presence of a classic DB security group is itself the
// violation. Unlike the other rds rules there is no IsManaged guard and nothing
// is ever recorded as passed.
var CheckNoClassicResources = rules.Register(
	rules.Rule{
		AVDID:       "AVD-AWS-0081",
		Provider:    provider.AWSProvider,
		Service:     "rds",
		ShortCode:   "no-classic-resources",
		Summary:     "AWS Classic resource usage.",
		Impact:      "Classic resources are running in a shared environment with other customers",
		Resolution:  "Switch to VPC resources",
		Explanation: `AWS Classic resources run in a shared environment with infrastructure owned by other AWS customers. You should run resources in a VPC instead.`,
		Links: []string{
			"https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-classic-platform.html",
		},
		Severity: severity.Critical,
	},
	func(s *state.State) (out rules.Results) {
		// NOTE(review): no IsManaged check here, unlike the sibling rules —
		// confirm that is intended for classic security groups.
		for _, sg := range s.AWS.RDS.Classic.DBSecurityGroups {
			out.Add("Classic resources should not be used.", &sg)
		}
		return out
	},
)
// CheckNoPublicDbAccess reports RDS instances whose PublicAccess is true. It
// walks the instances of every cluster (cluster.Instances) and then the
// standalone AWS.RDS.Instances; each instance is either failed or recorded as
// passed. No IsManaged guard is applied in either loop.
var CheckNoPublicDbAccess = rules.Register(
	rules.Rule{
		AVDID:       "AVD-AWS-0082",
		Provider:    provider.AWSProvider,
		Service:     "rds",
		ShortCode:   "no-public-db-access",
		Summary:     "A database resource is marked as publicly accessible.",
		Impact:      "The database instance is publicly accessible",
		Resolution:  "Set the database to not be publicly accessible",
		Explanation: `Database resources should not publicly available. You should limit all access to the minimum that is required for your application to function.`,
		Links: []string{
			"https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_VPC.WorkingWithRDSInstanceinaVPC.html#USER_VPC.Hiding",
		},
		Severity: severity.Critical,
	},
	func(s *state.State) (out rules.Results) {
		for _, c := range s.AWS.RDS.Clusters {
			for _, member := range c.Instances {
				if !member.PublicAccess.IsTrue() {
					out.AddPassed(&member)
					continue
				}
				out.Add(
					"Cluster instance is exposed publicly.",
					&member,
					member.PublicAccess,
				)
			}
		}

		for _, inst := range s.AWS.RDS.Instances {
			if !inst.PublicAccess.IsTrue() {
				out.AddPassed(&inst)
				continue
			}
			out.Add(
				"Instance is exposed publicly.",
				&inst,
				inst.PublicAccess,
			)
		}
		return out
	},
)