rds

package
v0.49.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: May 3, 2022 License: MIT Imports: 5 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

View Source
var CheckBackupRetentionSpecified = rules.Register(
	scan.Rule{
		AVDID:       "AVD-AWS-0077",
		Provider:    providers.AWSProvider,
		Service:     "rds",
		ShortCode:   "specify-backup-retention",
		Summary:     "RDS Cluster and RDS instance should have backup retention longer than default 1 day",
		Impact:      "Potential loss of data and short opportunity for recovery",
		Resolution:  "Explicitly set the retention period to greater than the default",
		Explanation: `RDS backup retention for clusters defaults to 1 day, this may not be enough to identify and respond to an issue. Backup retention periods should be set to a period that is a balance on cost and limiting risk.`,
		Links: []string{
			"https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_WorkingWithAutomatedBackups.html#USER_WorkingWithAutomatedBackups.BackupRetention",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformSpecifyBackupRetentionGoodExamples,
			BadExamples:         terraformSpecifyBackupRetentionBadExamples,
			Links:               terraformSpecifyBackupRetentionLinks,
			RemediationMarkdown: terraformSpecifyBackupRetentionRemediationMarkdown,
		},
		CloudFormation: &scan.EngineMetadata{
			GoodExamples:        cloudFormationSpecifyBackupRetentionGoodExamples,
			BadExamples:         cloudFormationSpecifyBackupRetentionBadExamples,
			Links:               cloudFormationSpecifyBackupRetentionLinks,
			RemediationMarkdown: cloudFormationSpecifyBackupRetentionRemediationMarkdown,
		},
		Severity: severity.Medium,
	},
	func(s *state.State) (results scan.Results) {
		for _, cluster := range s.AWS.RDS.Clusters {

			if cluster.IsUnmanaged() {
				continue
			}
			if !cluster.ReplicationSourceARN.IsEmpty() {
				continue
			}
			if cluster.BackupRetentionPeriodDays.LessThan(2) {
				results.Add(
					"Cluster has very low backup retention period.",
					cluster.BackupRetentionPeriodDays,
				)
			} else {
				results.AddPassed(&cluster)
			}
		}
		for _, instance := range s.AWS.RDS.Instances {
			if instance.IsUnmanaged() {
				continue
			}
			if !instance.ReplicationSourceARN.IsEmpty() {
				continue
			}
			if instance.BackupRetentionPeriodDays.LessThan(2) {
				results.Add(
					"Instance has very low backup retention period.",
					instance.BackupRetentionPeriodDays,
				)
			} else {
				results.AddPassed(&instance)
			}
		}

		return
	},
)
View Source
var CheckEnablePerformanceInsights = rules.Register(
	scan.Rule{
		AVDID:      "AVD-AWS-0133",
		Provider:   providers.AWSProvider,
		Service:    "rds",
		ShortCode:  "enable-performance-insights",
		Summary:    "Enable Performance Insights to detect potential problems",
		Impact:     "Without adequate monitoring, performance related issues may go unreported and potentially lead to compromise.",
		Resolution: "Enable performance insights",
		Explanation: `Enabling Performance insights allows for greater depth in monitoring data.
		
For example, information about active sessions could help diagose a compromise or assist in the investigation`,
		Links: []string{
			"https://aws.amazon.com/rds/performance-insights/",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformEnablePerformanceInsightsGoodExamples,
			BadExamples:         terraformEnablePerformanceInsightsBadExamples,
			Links:               terraformEnablePerformanceInsightsLinks,
			RemediationMarkdown: terraformEnablePerformanceInsightsRemediationMarkdown,
		},
		CloudFormation: &scan.EngineMetadata{
			GoodExamples:        cloudFormationEnablePerformanceInsightsGoodExamples,
			BadExamples:         cloudFormationEnablePerformanceInsightsBadExamples,
			Links:               cloudFormationEnablePerformanceInsightsLinks,
			RemediationMarkdown: cloudFormationEnablePerformanceInsightsRemediationMarkdown,
		},
		Severity: severity.Low,
	},
	func(s *state.State) (results scan.Results) {
		for _, cluster := range s.AWS.RDS.Clusters {
			for _, instance := range cluster.Instances {
				if instance.IsUnmanaged() {
					continue
				}
				if instance.PerformanceInsights.Enabled.IsFalse() {
					results.Add(
						"Instance does not have performance insights enabled.",
						instance.PerformanceInsights.Enabled,
					)
				} else {
					results.AddPassed(&instance)
				}
			}
		}
		for _, instance := range s.AWS.RDS.Instances {
			if instance.IsUnmanaged() {
				continue
			}
			if instance.PerformanceInsights.Enabled.IsFalse() {
				results.Add(
					"Instance does not have performance insights enabled.",
					instance.PerformanceInsights.Enabled,
				)
			} else {
				results.AddPassed(&instance)
			}
		}

		return
	},
)
View Source
var CheckEnablePerformanceInsightsEncryption = rules.Register(
	scan.Rule{
		AVDID:      "AVD-AWS-0078",
		Provider:   providers.AWSProvider,
		Service:    "rds",
		ShortCode:  "enable-performance-insights-encryption",
		Summary:    "Encryption for RDS Performance Insights should be enabled.",
		Impact:     "Data can be read from the RDS Performance Insights if it is compromised",
		Resolution: "Enable encryption for RDS clusters and instances",
		Explanation: `When enabling Performance Insights on an RDS cluster or RDS DB Instance, and encryption key should be provided.

The encryption key specified in ` + "`" + `performance_insights_kms_key_id` + "`" + ` references a KMS ARN`,
		Links: []string{
			"https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.htm",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformEnablePerformanceInsightsEncryptionGoodExamples,
			BadExamples:         terraformEnablePerformanceInsightsEncryptionBadExamples,
			Links:               terraformEnablePerformanceInsightsEncryptionLinks,
			RemediationMarkdown: terraformEnablePerformanceInsightsEncryptionRemediationMarkdown,
		},
		CloudFormation: &scan.EngineMetadata{
			GoodExamples:        cloudFormationEnablePerformanceInsightsEncryptionGoodExamples,
			BadExamples:         cloudFormationEnablePerformanceInsightsEncryptionBadExamples,
			Links:               cloudFormationEnablePerformanceInsightsEncryptionLinks,
			RemediationMarkdown: cloudFormationEnablePerformanceInsightsEncryptionRemediationMarkdown,
		},
		Severity: severity.High,
	},
	func(s *state.State) (results scan.Results) {
		for _, cluster := range s.AWS.RDS.Clusters {
			for _, instance := range cluster.Instances {
				if instance.IsUnmanaged() {
					continue
				}
				if instance.PerformanceInsights.Enabled.IsFalse() {
					continue
				} else if instance.PerformanceInsights.KMSKeyID.IsEmpty() {
					results.Add(
						"Instance has performance insights enabled without encryption.",
						instance.PerformanceInsights.KMSKeyID,
					)
				} else {
					results.AddPassed(&instance)
				}
			}
		}
		for _, instance := range s.AWS.RDS.Instances {
			if instance.IsUnmanaged() {
				continue
			}
			if instance.PerformanceInsights.Enabled.IsFalse() {
				continue
			} else if instance.PerformanceInsights.KMSKeyID.IsEmpty() {
				results.Add(
					"Instance has performance insights enabled without encryption.",
					instance.PerformanceInsights.KMSKeyID,
				)
			} else {
				results.AddPassed(&instance)
			}
		}

		return
	},
)
View Source
var CheckEncryptClusterStorageData = rules.Register(
	scan.Rule{
		AVDID:      "AVD-AWS-0079",
		Provider:   providers.AWSProvider,
		Service:    "rds",
		ShortCode:  "encrypt-cluster-storage-data",
		Summary:    "There is no encryption specified or encryption is disabled on the RDS Cluster.",
		Impact:     "Data can be read from the RDS cluster if it is compromised",
		Resolution: "Enable encryption for RDS clusters",
		Explanation: `Encryption should be enabled for an RDS Aurora cluster. 

When enabling encryption by setting the kms_key_id, the storage_encrypted must also be set to true.`,
		Links: []string{
			"https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformEncryptClusterStorageDataGoodExamples,
			BadExamples:         terraformEncryptClusterStorageDataBadExamples,
			Links:               terraformEncryptClusterStorageDataLinks,
			RemediationMarkdown: terraformEncryptClusterStorageDataRemediationMarkdown,
		},
		CloudFormation: &scan.EngineMetadata{
			GoodExamples:        cloudFormationEncryptClusterStorageDataGoodExamples,
			BadExamples:         cloudFormationEncryptClusterStorageDataBadExamples,
			Links:               cloudFormationEncryptClusterStorageDataLinks,
			RemediationMarkdown: cloudFormationEncryptClusterStorageDataRemediationMarkdown,
		},
		Severity: severity.High,
	},
	func(s *state.State) (results scan.Results) {
		for _, cluster := range s.AWS.RDS.Clusters {
			if cluster.IsUnmanaged() {
				continue
			}
			if cluster.Encryption.EncryptStorage.IsFalse() {
				results.Add(
					"Cluster does not have storage encryption enabled.",
					cluster.Encryption.EncryptStorage,
				)
			} else if cluster.Encryption.KMSKeyID.IsEmpty() {
				results.Add(
					"Cluster does not specify a customer managed key for storage encryption.",
					cluster.Encryption.KMSKeyID,
				)
			} else {
				results.AddPassed(&cluster)
			}
		}
		return
	},
)
View Source
var CheckEncryptInstanceStorageData = rules.Register(
	scan.Rule{
		AVDID:      "AVD-AWS-0080",
		Provider:   providers.AWSProvider,
		Service:    "rds",
		ShortCode:  "encrypt-instance-storage-data",
		Summary:    "RDS encryption has not been enabled at a DB Instance level.",
		Impact:     "Data can be read from RDS instances if compromised",
		Resolution: "Enable encryption for RDS instances",
		Explanation: `Encryption should be enabled for an RDS Database instances. 

When enabling encryption by setting the kms_key_id.`,
		Links: []string{
			"https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformEncryptInstanceStorageDataGoodExamples,
			BadExamples:         terraformEncryptInstanceStorageDataBadExamples,
			Links:               terraformEncryptInstanceStorageDataLinks,
			RemediationMarkdown: terraformEncryptInstanceStorageDataRemediationMarkdown,
		},
		CloudFormation: &scan.EngineMetadata{
			GoodExamples:        cloudFormationEncryptInstanceStorageDataGoodExamples,
			BadExamples:         cloudFormationEncryptInstanceStorageDataBadExamples,
			Links:               cloudFormationEncryptInstanceStorageDataLinks,
			RemediationMarkdown: cloudFormationEncryptInstanceStorageDataRemediationMarkdown,
		},
		Severity: severity.High,
	},
	func(s *state.State) (results scan.Results) {
		for _, instance := range s.AWS.RDS.Instances {
			if !instance.ReplicationSourceARN.IsEmpty() {
				continue
			}
			if instance.Encryption.EncryptStorage.IsFalse() {
				results.Add(
					"Instance does not have storage encryption enabled.",
					instance.Encryption.EncryptStorage,
				)
			} else {
				results.AddPassed(&instance)
			}
		}
		return
	},
)
View Source
var CheckNoClassicResources = rules.Register(
	scan.Rule{
		AVDID:      "AVD-AWS-0081",
		Provider:   providers.AWSProvider,
		Service:    "rds",
		ShortCode:  "no-classic-resources",
		Summary:    "AWS Classic resource usage.",
		Impact:     "Classic resources are running in a shared environment with other customers",
		Resolution: "Switch to VPC resources",
		Explanation: `AWS Classic resources run in a shared environment with infrastructure owned by other AWS customers. You should run
resources in a VPC instead.`,
		Links: []string{
			"https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-classic-platform.html",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformNoClassicResourcesGoodExamples,
			BadExamples:         terraformNoClassicResourcesBadExamples,
			Links:               terraformNoClassicResourcesLinks,
			RemediationMarkdown: terraformNoClassicResourcesRemediationMarkdown,
		},
		CloudFormation: &scan.EngineMetadata{
			GoodExamples:        cloudFormationNoClassicResourcesGoodExamples,
			BadExamples:         cloudFormationNoClassicResourcesBadExamples,
			Links:               cloudFormationNoClassicResourcesLinks,
			RemediationMarkdown: cloudFormationNoClassicResourcesRemediationMarkdown,
		},
		Severity: severity.Critical,
	},
	func(s *state.State) (results scan.Results) {
		for _, group := range s.AWS.RDS.Classic.DBSecurityGroups {
			results.Add(
				"Classic resources should not be used.",
				&group,
			)
		}
		return
	},
)
View Source
var CheckNoPublicDbAccess = rules.Register(
	scan.Rule{
		AVDID:       "AVD-AWS-0082",
		Provider:    providers.AWSProvider,
		Service:     "rds",
		ShortCode:   "no-public-db-access",
		Summary:     "A database resource is marked as publicly accessible.",
		Impact:      "The database instance is publicly accessible",
		Resolution:  "Set the database to not be publicly accessible",
		Explanation: `Database resources should not publicly available. You should limit all access to the minimum that is required for your application to function.`,
		Links: []string{
			"https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_VPC.WorkingWithRDSInstanceinaVPC.html#USER_VPC.Hiding",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformNoPublicDbAccessGoodExamples,
			BadExamples:         terraformNoPublicDbAccessBadExamples,
			Links:               terraformNoPublicDbAccessLinks,
			RemediationMarkdown: terraformNoPublicDbAccessRemediationMarkdown,
		},
		CloudFormation: &scan.EngineMetadata{
			GoodExamples:        cloudFormationNoPublicDbAccessGoodExamples,
			BadExamples:         cloudFormationNoPublicDbAccessBadExamples,
			Links:               cloudFormationNoPublicDbAccessLinks,
			RemediationMarkdown: cloudFormationNoPublicDbAccessRemediationMarkdown,
		},
		Severity: severity.Critical,
	},
	func(s *state.State) (results scan.Results) {
		for _, cluster := range s.AWS.RDS.Clusters {
			for _, instance := range cluster.Instances {
				if instance.PublicAccess.IsTrue() {
					results.Add(
						"Cluster instance is exposed publicly.",
						instance.PublicAccess,
					)
				} else {
					results.AddPassed(&instance)
				}
			}
		}
		for _, instance := range s.AWS.RDS.Instances {
			if instance.PublicAccess.IsTrue() {
				results.Add(
					"Instance is exposed publicly.",
					instance.PublicAccess,
				)
			} else {
				results.AddPassed(&instance)
			}
		}
		return
	},
)

Functions

This section is empty.

Types

This section is empty.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL