Documentation
¶
Index ¶
Constants ¶
This section is empty.
Variables ¶
View Source
var CheckBackupRetentionSpecified = rules.Register( scan.Rule{ AVDID: "AVD-AWS-0077", Provider: providers.AWSProvider, Service: "rds", ShortCode: "specify-backup-retention", Summary: "RDS Cluster and RDS instance should have backup retention longer than default 1 day", Impact: "Potential loss of data and short opportunity for recovery", Resolution: "Explicitly set the retention period to greater than the default", Explanation: `RDS backup retention for clusters defaults to 1 day, this may not be enough to identify and respond to an issue. Backup retention periods should be set to a period that is a balance on cost and limiting risk.`, Links: []string{ "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_WorkingWithAutomatedBackups.html#USER_WorkingWithAutomatedBackups.BackupRetention", }, Terraform: &scan.EngineMetadata{ GoodExamples: terraformSpecifyBackupRetentionGoodExamples, BadExamples: terraformSpecifyBackupRetentionBadExamples, Links: terraformSpecifyBackupRetentionLinks, RemediationMarkdown: terraformSpecifyBackupRetentionRemediationMarkdown, }, CloudFormation: &scan.EngineMetadata{ GoodExamples: cloudFormationSpecifyBackupRetentionGoodExamples, BadExamples: cloudFormationSpecifyBackupRetentionBadExamples, Links: cloudFormationSpecifyBackupRetentionLinks, RemediationMarkdown: cloudFormationSpecifyBackupRetentionRemediationMarkdown, }, Severity: severity.Medium, Deprecated: true, }, func(s *state.State) (results scan.Results) { for _, cluster := range s.AWS.RDS.Clusters { if cluster.Metadata.IsUnmanaged() { continue } if !cluster.ReplicationSourceARN.IsEmpty() { continue } if cluster.BackupRetentionPeriodDays.LessThan(2) { results.Add( "Cluster has very low backup retention period.", cluster.BackupRetentionPeriodDays, ) } else { results.AddPassed(&cluster) } } for _, instance := range s.AWS.RDS.Instances { if instance.Metadata.IsUnmanaged() { continue } if !instance.ReplicationSourceARN.IsEmpty() { continue } if instance.BackupRetentionPeriodDays.LessThan(2) { results.Add( "Instance has very low backup retention period.", instance.BackupRetentionPeriodDays, ) } else { results.AddPassed(&instance) } } return }, )
View Source
var CheckEnablePerformanceInsights = rules.Register( scan.Rule{ AVDID: "AVD-AWS-0133", Provider: providers.AWSProvider, Service: "rds", ShortCode: "enable-performance-insights", Summary: "Enable Performance Insights to detect potential problems", Impact: "Without adequate monitoring, performance related issues may go unreported and potentially lead to compromise.", Resolution: "Enable performance insights", Explanation: `Enabling Performance insights allows for greater depth in monitoring data. For example, information about active sessions could help diagose a compromise or assist in the investigation`, Links: []string{ "https://aws.amazon.com/rds/performance-insights/", }, Terraform: &scan.EngineMetadata{ GoodExamples: terraformEnablePerformanceInsightsGoodExamples, BadExamples: terraformEnablePerformanceInsightsBadExamples, Links: terraformEnablePerformanceInsightsLinks, RemediationMarkdown: terraformEnablePerformanceInsightsRemediationMarkdown, }, CloudFormation: &scan.EngineMetadata{ GoodExamples: cloudFormationEnablePerformanceInsightsGoodExamples, BadExamples: cloudFormationEnablePerformanceInsightsBadExamples, Links: cloudFormationEnablePerformanceInsightsLinks, RemediationMarkdown: cloudFormationEnablePerformanceInsightsRemediationMarkdown, }, Severity: severity.Low, Deprecated: true, }, func(s *state.State) (results scan.Results) { for _, cluster := range s.AWS.RDS.Clusters { for _, instance := range cluster.Instances { if instance.Metadata.IsUnmanaged() { continue } if instance.PerformanceInsights.Enabled.IsFalse() { results.Add( "Instance does not have performance insights enabled.", instance.PerformanceInsights.Enabled, ) } else { results.AddPassed(&instance) } } } for _, instance := range s.AWS.RDS.Instances { if instance.Metadata.IsUnmanaged() { continue } if instance.PerformanceInsights.Enabled.IsFalse() { results.Add( "Instance does not have performance insights enabled.", instance.PerformanceInsights.Enabled, ) } else { results.AddPassed(&instance) } } return }, )
View Source
var CheckEncryptClusterStorageData = rules.Register( scan.Rule{ AVDID: "AVD-AWS-0079", Provider: providers.AWSProvider, Service: "rds", ShortCode: "encrypt-cluster-storage-data", Summary: "There is no encryption specified or encryption is disabled on the RDS Cluster.", Impact: "Data can be read from the RDS cluster if it is compromised", Resolution: "Enable encryption for RDS clusters", Explanation: `Encryption should be enabled for an RDS Aurora cluster. When enabling encryption by setting the kms_key_id, the storage_encrypted must also be set to true.`, Links: []string{ "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html", }, Terraform: &scan.EngineMetadata{ GoodExamples: terraformEncryptClusterStorageDataGoodExamples, BadExamples: terraformEncryptClusterStorageDataBadExamples, Links: terraformEncryptClusterStorageDataLinks, RemediationMarkdown: terraformEncryptClusterStorageDataRemediationMarkdown, }, CloudFormation: &scan.EngineMetadata{ GoodExamples: cloudFormationEncryptClusterStorageDataGoodExamples, BadExamples: cloudFormationEncryptClusterStorageDataBadExamples, Links: cloudFormationEncryptClusterStorageDataLinks, RemediationMarkdown: cloudFormationEncryptClusterStorageDataRemediationMarkdown, }, Severity: severity.High, Deprecated: true, }, func(s *state.State) (results scan.Results) { for _, cluster := range s.AWS.RDS.Clusters { if cluster.Metadata.IsUnmanaged() { continue } if cluster.Encryption.EncryptStorage.IsFalse() { results.Add( "Cluster does not have storage encryption enabled.", cluster.Encryption.EncryptStorage, ) } else if cluster.Encryption.KMSKeyID.IsEmpty() { results.Add( "Cluster does not specify a customer managed key for storage encryption.", cluster.Encryption.KMSKeyID, ) } else { results.AddPassed(&cluster) } } return }, )
View Source
var CheckEncryptInstanceStorageData = rules.Register( scan.Rule{ AVDID: "AVD-AWS-0080", Provider: providers.AWSProvider, Service: "rds", ShortCode: "encrypt-instance-storage-data", Summary: "RDS encryption has not been enabled at a DB Instance level.", Impact: "Data can be read from RDS instances if compromised", Resolution: "Enable encryption for RDS instances", Explanation: `Encryption should be enabled for an RDS Database instances. When enabling encryption by setting the kms_key_id.`, Links: []string{ "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html", }, Terraform: &scan.EngineMetadata{ GoodExamples: terraformEncryptInstanceStorageDataGoodExamples, BadExamples: terraformEncryptInstanceStorageDataBadExamples, Links: terraformEncryptInstanceStorageDataLinks, RemediationMarkdown: terraformEncryptInstanceStorageDataRemediationMarkdown, }, CloudFormation: &scan.EngineMetadata{ GoodExamples: cloudFormationEncryptInstanceStorageDataGoodExamples, BadExamples: cloudFormationEncryptInstanceStorageDataBadExamples, Links: cloudFormationEncryptInstanceStorageDataLinks, RemediationMarkdown: cloudFormationEncryptInstanceStorageDataRemediationMarkdown, }, Severity: severity.High, Deprecated: true, }, func(s *state.State) (results scan.Results) { for _, instance := range s.AWS.RDS.Instances { if !instance.ReplicationSourceARN.IsEmpty() { continue } if instance.Encryption.EncryptStorage.IsFalse() { results.Add( "Instance does not have storage encryption enabled.", instance.Encryption.EncryptStorage, ) } else { results.AddPassed(&instance) } } return }, )
View Source
var CheckNoClassicResources = rules.Register( scan.Rule{ AVDID: "AVD-AWS-0081", Deprecated: true, Provider: providers.AWSProvider, Service: "rds", ShortCode: "no-classic-resources", Summary: "AWS Classic resource usage.", Impact: "Classic resources are running in a shared environment with other customers", Resolution: "Switch to VPC resources", Explanation: `AWS Classic resources run in a shared environment with infrastructure owned by other AWS customers. You should run resources in a VPC instead.`, Links: []string{ "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-classic-platform.html", }, Terraform: &scan.EngineMetadata{ GoodExamples: terraformNoClassicResourcesGoodExamples, BadExamples: terraformNoClassicResourcesBadExamples, Links: terraformNoClassicResourcesLinks, RemediationMarkdown: terraformNoClassicResourcesRemediationMarkdown, }, CloudFormation: &scan.EngineMetadata{ GoodExamples: cloudFormationNoClassicResourcesGoodExamples, BadExamples: cloudFormationNoClassicResourcesBadExamples, Links: cloudFormationNoClassicResourcesLinks, RemediationMarkdown: cloudFormationNoClassicResourcesRemediationMarkdown, }, Severity: severity.Critical, }, func(s *state.State) (results scan.Results) { for _, group := range s.AWS.RDS.Classic.DBSecurityGroups { results.Add( "Classic resources should not be used.", &group, ) } return }, )
View Source
var CheckPerformanceInsightsEncryptionCustomerKey = rules.Register( scan.Rule{ AVDID: "AVD-AWS-0078", Provider: providers.AWSProvider, Service: "rds", ShortCode: "performance-insights-encryption-customer-key", Summary: "Performance Insights encryption should use Customer Managed Keys", Impact: "Using AWS managed keys does not allow for fine grained control", Resolution: "Use Customer Managed Keys to encrypt Performance Insights data", Explanation: `Amazon RDS uses the AWS managed key for your new DB instance. For complete control over KMS keys, including establishing and maintaining their key policies, IAM policies, and grants, enabling and disabling them, and rotating their cryptographic material, use a customer managed keys. The encryption key specified in ` + "`" + `performance_insights_kms_key_id` + "`" + ` references a KMS ARN`, Links: []string{ "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_PerfInsights.access-control.html#USER_PerfInsights.access-control.cmk-policy", "https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-mgmt", }, Terraform: &scan.EngineMetadata{ GoodExamples: terraformPerformanceInsightsEncryptionCustomerKeyGoodExamples, BadExamples: terraformPerformanceInsightsEncryptionCustomerKeyBadExamples, Links: terraformPerformanceInsightsEncryptionCustomerKeyLinks, RemediationMarkdown: terraformPerformanceInsightsEncryptionCustomerKeyRemediationMarkdown, }, CloudFormation: &scan.EngineMetadata{ GoodExamples: cloudFormationPerformanceInsightsEncryptionCustomerKeyGoodExamples, BadExamples: cloudFormationPerformanceInsightsEncryptionCustomerKeyBadExamples, Links: cloudFormationPerformanceInsightsEncryptionCustomerKeyLinks, RemediationMarkdown: cloudFormationPerformanceInsightsEncryptionCustomerKeyRemediationMarkdown, }, Severity: severity.Low, Deprecated: true, }, func(s *state.State) (results scan.Results) { checkCMK := func(entity string, instance rds.Instance) { if instance.Metadata.IsUnmanaged() || instance.PerformanceInsights.Enabled.IsFalse() { return } if instance.PerformanceInsights.KMSKeyID.IsEmpty() { results.Add( fmt.Sprintf("%s Perfomance Insights enctyption does not use a customer-managed KMS key.", entity), instance.PerformanceInsights.KMSKeyID, ) } else { results.AddPassed(&instance) } } for _, cluster := range s.AWS.RDS.Clusters { for _, instance := range cluster.Instances { checkCMK("Cluster instance", instance.Instance) } } for _, instance := range s.AWS.RDS.Instances { checkCMK("Instance", instance) } return }, )
Functions ¶
This section is empty.
Types ¶
This section is empty.
Source Files
¶
- disable_public_access.cf.go
- disable_public_access.tf.go
- enable_performance_insights.cf.go
- enable_performance_insights.go
- enable_performance_insights.tf.go
- encrypt_cluster_storage_data.cf.go
- encrypt_cluster_storage_data.go
- encrypt_cluster_storage_data.tf.go
- encrypt_instance_storage_data.cf.go
- encrypt_instance_storage_data.go
- encrypt_instance_storage_data.tf.go
- no_classic_resources.cf.go
- no_classic_resources.go
- no_classic_resources.tf.go
- performance_insights_encryption_customer_key.cf.go
- performance_insights_encryption_customer_key.go
- performance_insights_encryption_customer_key.tf.go
- specify_backup_retention.cf.go
- specify_backup_retention.go
- specify_backup_retention.tf.go
Click to show internal directories.
Click to hide internal directories.