// CheckBackupRetentionSpecified flags RDS clusters and standalone instances
// whose backup retention period is below two days. Resources reported as
// unmanaged, and resources with a ReplicationSourceARN set (replicas —
// presumably because retention is governed by the source; confirm), are
// not evaluated.
var CheckBackupRetentionSpecified = rules.Register(
	scan.Rule{
		AVDID:       "AVD-AWS-0077",
		Provider:    providers.AWSProvider,
		Service:     "rds",
		ShortCode:   "specify-backup-retention",
		Summary:     "RDS Cluster and RDS instance should have backup retention longer than default 1 day",
		Impact:      "Potential loss of data and short opportunity for recovery",
		Resolution:  "Explicitly set the retention period to greater than the default",
		Explanation: `RDS backup retention for clusters defaults to 1 day, this may not be enough to identify and respond to an issue. Backup retention periods should be set to a period that is a balance on cost and limiting risk.`,
		Links: []string{
			"https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_WorkingWithAutomatedBackups.html#USER_WorkingWithAutomatedBackups.BackupRetention",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformSpecifyBackupRetentionGoodExamples,
			BadExamples:         terraformSpecifyBackupRetentionBadExamples,
			Links:               terraformSpecifyBackupRetentionLinks,
			RemediationMarkdown: terraformSpecifyBackupRetentionRemediationMarkdown,
		},
		CloudFormation: &scan.EngineMetadata{
			GoodExamples:        cloudFormationSpecifyBackupRetentionGoodExamples,
			BadExamples:         cloudFormationSpecifyBackupRetentionBadExamples,
			Links:               cloudFormationSpecifyBackupRetentionLinks,
			RemediationMarkdown: cloudFormationSpecifyBackupRetentionRemediationMarkdown,
		},
		Severity: severity.Medium,
	},
	func(s *state.State) (results scan.Results) {
		// Clusters: skip anything unmanaged or replicated from elsewhere, then
		// require at least two days of retention.
		for _, cluster := range s.AWS.RDS.Clusters {
			if cluster.IsUnmanaged() || !cluster.ReplicationSourceARN.IsEmpty() {
				continue
			}
			if cluster.BackupRetentionPeriodDays.LessThan(2) {
				results.Add(
					"Cluster has very low backup retention period.",
					cluster.BackupRetentionPeriodDays,
				)
				continue
			}
			results.AddPassed(&cluster)
		}
		// Standalone instances: identical rule, separate collection.
		for _, db := range s.AWS.RDS.Instances {
			if db.IsUnmanaged() || !db.ReplicationSourceARN.IsEmpty() {
				continue
			}
			if db.BackupRetentionPeriodDays.LessThan(2) {
				results.Add(
					"Instance has very low backup retention period.",
					db.BackupRetentionPeriodDays,
				)
				continue
			}
			results.AddPassed(&db)
		}
		return
	},
)
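// CheckEnablePerformanceInsights flags RDS instances — both cluster members
// and standalone instances — whose Performance Insights setting is explicitly
// false. Unmanaged instances are skipped. Only an explicitly false value
// fails; any other value passes (confirm that an unresolved value should not
// be reported).
var CheckEnablePerformanceInsights = rules.Register(
	scan.Rule{
		AVDID:      "AVD-AWS-0133",
		Provider:   providers.AWSProvider,
		Service:    "rds",
		ShortCode:  "enable-performance-insights",
		Summary:    "Enable Performance Insights to detect potential problems",
		Impact:     "Without adequate monitoring, performance related issues may go unreported and potentially lead to compromise.",
		Resolution: "Enable performance insights",
		// Fixed typo in the user-facing explanation ("diagose" -> "diagnose").
		Explanation: `Enabling Performance insights allows for greater depth in monitoring data. For example, information about active sessions could help diagnose a compromise or assist in the investigation`,
		Links: []string{
			"https://aws.amazon.com/rds/performance-insights/",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformEnablePerformanceInsightsGoodExamples,
			BadExamples:         terraformEnablePerformanceInsightsBadExamples,
			Links:               terraformEnablePerformanceInsightsLinks,
			RemediationMarkdown: terraformEnablePerformanceInsightsRemediationMarkdown,
		},
		CloudFormation: &scan.EngineMetadata{
			GoodExamples:        cloudFormationEnablePerformanceInsightsGoodExamples,
			BadExamples:         cloudFormationEnablePerformanceInsightsBadExamples,
			Links:               cloudFormationEnablePerformanceInsightsLinks,
			RemediationMarkdown: cloudFormationEnablePerformanceInsightsRemediationMarkdown,
		},
		Severity: severity.Low,
	},
	func(s *state.State) (results scan.Results) {
		// Cluster member instances and standalone instances carry the same
		// PerformanceInsights block, so both collections get the same check.
		for _, cluster := range s.AWS.RDS.Clusters {
			for _, instance := range cluster.Instances {
				if instance.IsUnmanaged() {
					continue
				}
				if instance.PerformanceInsights.Enabled.IsFalse() {
					results.Add(
						"Instance does not have performance insights enabled.",
						instance.PerformanceInsights.Enabled,
					)
					continue
				}
				results.AddPassed(&instance)
			}
		}
		for _, instance := range s.AWS.RDS.Instances {
			if instance.IsUnmanaged() {
				continue
			}
			if instance.PerformanceInsights.Enabled.IsFalse() {
				results.Add(
					"Instance does not have performance insights enabled.",
					instance.PerformanceInsights.Enabled,
				)
				continue
			}
			results.AddPassed(&instance)
		}
		return
	},
)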
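// CheckEnablePerformanceInsightsEncryption flags RDS instances — cluster
// members and standalone — that have Performance Insights enabled but no
// KMS key ID configured for it. Unmanaged instances and instances with
// Performance Insights explicitly disabled are not evaluated (the latter are
// covered by the enable-performance-insights rule).
var CheckEnablePerformanceInsightsEncryption = rules.Register(
	scan.Rule{
		AVDID:      "AVD-AWS-0078",
		Provider:   providers.AWSProvider,
		Service:    "rds",
		ShortCode:  "enable-performance-insights-encryption",
		Summary:    "Encryption for RDS Performance Insights should be enabled.",
		Impact:     "Data can be read from the RDS Performance Insights if it is compromised",
		Resolution: "Enable encryption for RDS clusters and instances",
		// Fixed grammar in the user-facing explanation ("and encryption key" -> "an encryption key").
		Explanation: `When enabling Performance Insights on an RDS cluster or RDS DB Instance, an encryption key should be provided. The encryption key specified in ` + "`" + `performance_insights_kms_key_id` + "`" + ` references a KMS ARN`,
		Links: []string{
			// Was ".htm", which does not resolve; the sibling encryption rules
			// in this package link to the ".html" page.
			"https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformEnablePerformanceInsightsEncryptionGoodExamples,
			BadExamples:         terraformEnablePerformanceInsightsEncryptionBadExamples,
			Links:               terraformEnablePerformanceInsightsEncryptionLinks,
			RemediationMarkdown: terraformEnablePerformanceInsightsEncryptionRemediationMarkdown,
		},
		CloudFormation: &scan.EngineMetadata{
			GoodExamples:        cloudFormationEnablePerformanceInsightsEncryptionGoodExamples,
			BadExamples:         cloudFormationEnablePerformanceInsightsEncryptionBadExamples,
			Links:               cloudFormationEnablePerformanceInsightsEncryptionLinks,
			RemediationMarkdown: cloudFormationEnablePerformanceInsightsEncryptionRemediationMarkdown,
		},
		Severity: severity.High,
	},
	func(s *state.State) (results scan.Results) {
		for _, cluster := range s.AWS.RDS.Clusters {
			for _, instance := range cluster.Instances {
				// Nothing to encrypt if insights are off; that case belongs
				// to the enable-performance-insights rule.
				if instance.IsUnmanaged() || instance.PerformanceInsights.Enabled.IsFalse() {
					continue
				}
				if instance.PerformanceInsights.KMSKeyID.IsEmpty() {
					results.Add(
						"Instance has performance insights enabled without encryption.",
						instance.PerformanceInsights.KMSKeyID,
					)
					continue
				}
				results.AddPassed(&instance)
			}
		}
		for _, instance := range s.AWS.RDS.Instances {
			if instance.IsUnmanaged() || instance.PerformanceInsights.Enabled.IsFalse() {
				continue
			}
			if instance.PerformanceInsights.KMSKeyID.IsEmpty() {
				results.Add(
					"Instance has performance insights enabled without encryption.",
					instance.PerformanceInsights.KMSKeyID,
				)
				continue
			}
			results.AddPassed(&instance)
		}
		return
	},
)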
// CheckEncryptClusterStorageData flags RDS clusters whose storage encryption
// is explicitly disabled, and clusters that have encryption on but name no
// KMS key (so they are not using a customer managed key). Unmanaged clusters
// are skipped. Note that this rule looks only at the cluster; member
// instances are not inspected here.
var CheckEncryptClusterStorageData = rules.Register(
	scan.Rule{
		AVDID:       "AVD-AWS-0079",
		Provider:    providers.AWSProvider,
		Service:     "rds",
		ShortCode:   "encrypt-cluster-storage-data",
		Summary:     "There is no encryption specified or encryption is disabled on the RDS Cluster.",
		Impact:      "Data can be read from the RDS cluster if it is compromised",
		Resolution:  "Enable encryption for RDS clusters",
		Explanation: `Encryption should be enabled for an RDS Aurora cluster. When enabling encryption by setting the kms_key_id, the storage_encrypted must also be set to true.`,
		Links: []string{
			"https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformEncryptClusterStorageDataGoodExamples,
			BadExamples:         terraformEncryptClusterStorageDataBadExamples,
			Links:               terraformEncryptClusterStorageDataLinks,
			RemediationMarkdown: terraformEncryptClusterStorageDataRemediationMarkdown,
		},
		CloudFormation: &scan.EngineMetadata{
			GoodExamples:        cloudFormationEncryptClusterStorageDataGoodExamples,
			BadExamples:         cloudFormationEncryptClusterStorageDataBadExamples,
			Links:               cloudFormationEncryptClusterStorageDataLinks,
			RemediationMarkdown: cloudFormationEncryptClusterStorageDataRemediationMarkdown,
		},
		Severity: severity.High,
	},
	func(s *state.State) (results scan.Results) {
		for _, cluster := range s.AWS.RDS.Clusters {
			if cluster.IsUnmanaged() {
				continue
			}
			enc := cluster.Encryption
			// The two failure conditions are ordered: a disabled-encryption
			// finding takes precedence over a missing key.
			switch {
			case enc.EncryptStorage.IsFalse():
				results.Add(
					"Cluster does not have storage encryption enabled.",
					enc.EncryptStorage,
				)
			case enc.KMSKeyID.IsEmpty():
				results.Add(
					"Cluster does not specify a customer managed key for storage encryption.",
					enc.KMSKeyID,
				)
			default:
				results.AddPassed(&cluster)
			}
		}
		return
	},
)
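// CheckEncryptInstanceStorageData flags standalone RDS instances whose storage
// encryption is explicitly disabled. Instances with a ReplicationSourceARN set
// (replicas) are skipped.
//
// NOTE(review): unlike the sibling rules in this package, unmanaged instances
// are not skipped here, and cluster member instances are not inspected.
// Confirm whether either is intentional before changing it.
var CheckEncryptInstanceStorageData = rules.Register(
	scan.Rule{
		AVDID:      "AVD-AWS-0080",
		Provider:   providers.AWSProvider,
		Service:    "rds",
		ShortCode:  "encrypt-instance-storage-data",
		Summary:    "RDS encryption has not been enabled at a DB Instance level.",
		Impact:     "Data can be read from RDS instances if compromised",
		Resolution: "Enable encryption for RDS instances",
		// The original explanation was a sentence fragment ("... instances. When
		// enabling encryption by setting the kms_key_id."); completed to match
		// the wording of the cluster rule in this package, which this check mirrors
		// (it inspects the storage-encryption flag).
		Explanation: `Encryption should be enabled for RDS Database instances. When enabling encryption by setting the kms_key_id, the storage_encrypted must also be set to true.`,
		Links: []string{
			"https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformEncryptInstanceStorageDataGoodExamples,
			BadExamples:         terraformEncryptInstanceStorageDataBadExamples,
			Links:               terraformEncryptInstanceStorageDataLinks,
			RemediationMarkdown: terraformEncryptInstanceStorageDataRemediationMarkdown,
		},
		CloudFormation: &scan.EngineMetadata{
			GoodExamples:        cloudFormationEncryptInstanceStorageDataGoodExamples,
			BadExamples:         cloudFormationEncryptInstanceStorageDataBadExamples,
			Links:               cloudFormationEncryptInstanceStorageDataLinks,
			RemediationMarkdown: cloudFormationEncryptInstanceStorageDataRemediationMarkdown,
		},
		Severity: severity.High,
	},
	func(s *state.State) (results scan.Results) {
		for _, instance := range s.AWS.RDS.Instances {
			// Replicas are skipped; presumably encryption follows the source.
			if !instance.ReplicationSourceARN.IsEmpty() {
				continue
			}
			if instance.Encryption.EncryptStorage.IsFalse() {
				results.Add(
					"Instance does not have storage encryption enabled.",
					instance.Encryption.EncryptStorage,
				)
				continue
			}
			results.AddPassed(&instance)
		}
		return
	},
)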
// CheckNoClassicResources reports every EC2-Classic DB security group found in
// the state. There is no passing case: the mere presence of a classic DB
// security group is the finding.
var CheckNoClassicResources = rules.Register(
	scan.Rule{
		AVDID:       "AVD-AWS-0081",
		Provider:    providers.AWSProvider,
		Service:     "rds",
		ShortCode:   "no-classic-resources",
		Summary:     "AWS Classic resource usage.",
		Impact:      "Classic resources are running in a shared environment with other customers",
		Resolution:  "Switch to VPC resources",
		Explanation: `AWS Classic resources run in a shared environment with infrastructure owned by other AWS customers. You should run resources in a VPC instead.`,
		Links: []string{
			"https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-classic-platform.html",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformNoClassicResourcesGoodExamples,
			BadExamples:         terraformNoClassicResourcesBadExamples,
			Links:               terraformNoClassicResourcesLinks,
			RemediationMarkdown: terraformNoClassicResourcesRemediationMarkdown,
		},
		CloudFormation: &scan.EngineMetadata{
			GoodExamples:        cloudFormationNoClassicResourcesGoodExamples,
			BadExamples:         cloudFormationNoClassicResourcesBadExamples,
			Links:               cloudFormationNoClassicResourcesLinks,
			RemediationMarkdown: cloudFormationNoClassicResourcesRemediationMarkdown,
		},
		Severity: severity.Critical,
	},
	func(s *state.State) (results scan.Results) {
		// Every classic DB security group is a failure; no attribute is
		// inspected, so the group itself is passed as the finding's source.
		for _, sg := range s.AWS.RDS.Classic.DBSecurityGroups {
			results.Add("Classic resources should not be used.", &sg)
		}
		return
	},
)
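// CheckNoPublicDbAccess flags RDS instances — cluster members and standalone —
// whose PublicAccess attribute is explicitly true.
//
// NOTE(review): unlike most sibling rules in this package, unmanaged
// instances are not skipped here; confirm whether that is intentional.
var CheckNoPublicDbAccess = rules.Register(
	scan.Rule{
		AVDID:      "AVD-AWS-0082",
		Provider:   providers.AWSProvider,
		Service:    "rds",
		ShortCode:  "no-public-db-access",
		Summary:    "A database resource is marked as publicly accessible.",
		Impact:     "The database instance is publicly accessible",
		Resolution: "Set the database to not be publicly accessible",
		// Fixed grammar in the user-facing explanation ("should not publicly available").
		Explanation: `Database resources should not be publicly available. You should limit all access to the minimum that is required for your application to function.`,
		Links: []string{
			"https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_VPC.WorkingWithRDSInstanceinaVPC.html#USER_VPC.Hiding",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformNoPublicDbAccessGoodExamples,
			BadExamples:         terraformNoPublicDbAccessBadExamples,
			Links:               terraformNoPublicDbAccessLinks,
			RemediationMarkdown: terraformNoPublicDbAccessRemediationMarkdown,
		},
		CloudFormation: &scan.EngineMetadata{
			GoodExamples:        cloudFormationNoPublicDbAccessGoodExamples,
			BadExamples:         cloudFormationNoPublicDbAccessBadExamples,
			Links:               cloudFormationNoPublicDbAccessLinks,
			RemediationMarkdown: cloudFormationNoPublicDbAccessRemediationMarkdown,
		},
		Severity: severity.Critical,
	},
	func(s *state.State) (results scan.Results) {
		// Only an explicitly true PublicAccess fails; any other value passes.
		for _, cluster := range s.AWS.RDS.Clusters {
			for _, instance := range cluster.Instances {
				if instance.PublicAccess.IsTrue() {
					results.Add(
						"Cluster instance is exposed publicly.",
						instance.PublicAccess,
					)
					continue
				}
				results.AddPassed(&instance)
			}
		}
		for _, instance := range s.AWS.RDS.Instances {
			if instance.PublicAccess.IsTrue() {
				results.Add(
					"Instance is exposed publicly.",
					instance.PublicAccess,
				)
				continue
			}
			results.AddPassed(&instance)
		}
		return
	},
)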
Source Files ¶
- enable_performance_insights.cf.go
- enable_performance_insights.go
- enable_performance_insights.tf.go
- enable_performance_insights_encryption.cf.go
- enable_performance_insights_encryption.go
- enable_performance_insights_encryption.tf.go
- encrypt_cluster_storage_data.cf.go
- encrypt_cluster_storage_data.go
- encrypt_cluster_storage_data.tf.go
- encrypt_instance_storage_data.cf.go
- encrypt_instance_storage_data.go
- encrypt_instance_storage_data.tf.go
- no_classic_resources.cf.go
- no_classic_resources.go
- no_classic_resources.tf.go
- no_public_db_access.cf.go
- no_public_db_access.go
- no_public_db_access.tf.go
- specify_backup_retention.cf.go
- specify_backup_retention.go
- specify_backup_retention.tf.go