RDS storage encryption disabled
Id: 65844ba3-03a1-40a8-b3dd-919f122e8c95
Cloud Provider: AWS
Platform: CloudFormation
Severity: High
Category: Encryption
Learn More
Description
RDS DB clusters must have storage encryption enabled to protect data at rest and to prevent exposure of database contents through compromised storage, snapshots, or automated backups. In AWS CloudFormation, the StorageEncrypted property on AWS::RDS::DBCluster resources must be defined and set to true. Resources missing StorageEncrypted or with StorageEncrypted set to false will be flagged. You can also specify a customer-managed KMS key using KmsKeyId if you require a specific CMK.
Secure configuration example:
# Resource-level excerpt: in a full template this mapping sits under the
# top-level `Resources:` key.
MyDBCluster:
  Type: AWS::RDS::DBCluster
  Properties:
    Engine: aurora-postgresql
    # The property this rule evaluates: it must be present and true.
    StorageEncrypted: true
    # Optional. Only needed when a specific customer-managed key is required;
    # the ARN below is a sample placeholder, not a real key.
    # NOTE(review): RDS storage encryption is chosen when the cluster is
    # created — confirm the migration path (encrypted snapshot copy) before
    # relying on a template edit alone to fix an existing unencrypted cluster.
    KmsKeyId: arn:aws:kms:us-east-1:123456789012:key/abcd1234-56ef-78gh-90ij-klmnopqrstuv
Compliant Code Examples
# Compliant example: the single AWS::RDS::DBCluster resource (RDSCluster)
# declares StorageEncrypted: true, which is the property this rule checks.
# KmsKeyId is not set; per the rule description it is only needed when a
# specific customer-managed key is required.
AWSTemplateFormatVersion: "2010-09-09"
Description: Creates RDS Cluster
Resources:
  RDSCluster:
    Properties:
      DBClusterParameterGroupName:
        Ref: RDSDBClusterParameterGroup
      DBSubnetGroupName: DBSubnetGroup
      Engine: aurora
      # NOTE(review): literal credentials are scanner-fixture values only.
      # Real templates should take these from a NoEcho parameter or a
      # secret-store dynamic reference rather than committing them to VCS.
      MasterUserPassword: password
      MasterUsername: username
      # Satisfies this check: cluster storage is encrypted at rest.
      StorageEncrypted: true
    Type: "AWS::RDS::DBCluster"
  RDSDBClusterParameterGroup:
    Properties:
      Description: "CloudFormation Sample Aurora Cluster Parameter Group"
      Family: aurora5.6
      Parameters:
        time_zone: US/Eastern
    Type: "AWS::RDS::DBClusterParameterGroup"
  RDSDBInstance1:
    Properties:
      AvailabilityZone: eu-west-1b
      DBClusterIdentifier:
        Ref: RDSCluster
      DBInstanceClass: db.r3.xlarge
      DBParameterGroupName:
        Ref: RDSDBParameterGroup
      DBSubnetGroupName: DBSubnetGroup
      Engine: aurora
      # Not evaluated by this rule (same for RDSDBInstance2); public
      # exposure of the instances should be reviewed separately.
      PubliclyAccessible: "true"
    Type: "AWS::RDS::DBInstance"
  RDSDBInstance2:
    Properties:
      AvailabilityZone: eu-west-1b
      DBClusterIdentifier:
        Ref: RDSCluster
      DBInstanceClass: db.r3.xlarge
      DBParameterGroupName:
        Ref: RDSDBParameterGroup
      DBSubnetGroupName: DBSubnetGroup
      Engine: aurora
      PubliclyAccessible: "true"
    Type: "AWS::RDS::DBInstance"
  RDSDBParameterGroup:
    Type: 'AWS::RDS::DBParameterGroup'
    Properties:
      Description: CloudFormation Sample Aurora Parameter Group
      Family: aurora5.6
      Parameters:
        sql_mode: IGNORE_SPACE
        max_allowed_packet: 1024
        innodb_buffer_pool_size: '{DBInstanceClassMemory*3/4}'
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "Creates RDS Cluster",
"Resources": {
"RDSDBClusterParameterGroup": {
"Properties": {
"Description": "CloudFormation Sample Aurora Cluster Parameter Group",
"Family": "aurora5.6",
"Parameters": {
"time_zone": "US/Eastern"
}
},
"Type": "AWS::RDS::DBClusterParameterGroup"
},
"RDSDBInstance1": {
"Properties": {
"PubliclyAccessible": "true",
"AvailabilityZone": "eu-west-1b",
"DBClusterIdentifier": {
"Ref": "RDSCluster"
},
"DBInstanceClass": "db.r3.xlarge",
"DBParameterGroupName": {
"Ref": "RDSDBParameterGroup"
},
"DBSubnetGroupName": "DBSubnetGroup",
"Engine": "aurora"
},
"Type": "AWS::RDS::DBInstance"
},
"RDSDBInstance2": {
"Properties": {
"PubliclyAccessible": "true",
"AvailabilityZone": "eu-west-1b",
"DBClusterIdentifier": {
"Ref": "RDSCluster"
},
"DBInstanceClass": "db.r3.xlarge",
"DBParameterGroupName": {
"Ref": "RDSDBParameterGroup"
},
"DBSubnetGroupName": "DBSubnetGroup",
"Engine": "aurora"
},
"Type": "AWS::RDS::DBInstance"
},
"RDSDBParameterGroup": {
"Type": "AWS::RDS::DBParameterGroup",
"Properties": {
"Description": "CloudFormation Sample Aurora Parameter Group",
"Family": "aurora5.6",
"Parameters": {
"sql_mode": "IGNORE_SPACE",
"max_allowed_packet": 1024,
"innodb_buffer_pool_size": "{DBInstanceClassMemory*3/4}"
}
}
},
"RDSCluster": {
"Properties": {
"DBSubnetGroupName": "DBSubnetGroup",
"Engine": "aurora",
"MasterUserPassword": "password",
"MasterUsername": "username",
"StorageEncrypted": true,
"DBClusterParameterGroupName": {
"Ref": "RDSDBClusterParameterGroup"
}
},
"Type": "AWS::RDS::DBCluster"
}
}
}
Non-Compliant Code Examples
# Non-compliant example: RDSCluster1 is an AWS::RDS::DBCluster with no
# StorageEncrypted property at all, so the rule flags it. Remediation is to
# add `StorageEncrypted: true` under its Properties.
AWSTemplateFormatVersion: "2010-09-09"
Description: Creates RDS Cluster
Resources:
  RDSCluster1:
    # StorageEncrypted is missing from this Properties block -> flagged.
    Properties:
      DBClusterParameterGroupName:
        Ref: RDSDBClusterParameterGroup
      DBSubnetGroupName: DBSubnetGroup
      Engine: aurora
      # NOTE(review): literal credentials are scanner-fixture values only.
      # Real templates should take these from a NoEcho parameter or a
      # secret-store dynamic reference rather than committing them to VCS.
      MasterUserPassword: password
      MasterUsername: username
    Type: "AWS::RDS::DBCluster"
  RDSDBClusterParameterGroup:
    Properties:
      Description: "CloudFormation Sample Aurora Cluster Parameter Group"
      Family: aurora5.6
      Parameters:
        time_zone: US/Eastern
    Type: "AWS::RDS::DBClusterParameterGroup"
  RDSDBInstance1:
    Properties:
      AvailabilityZone: eu-west-1b
      DBClusterIdentifier:
        Ref: RDSCluster
      DBInstanceClass: db.r3.xlarge
      DBParameterGroupName:
        Ref: RDSDBParameterGroup
      DBSubnetGroupName: DBSubnetGroup
      Engine: aurora
      # Not evaluated by this rule (same for RDSDBInstance2); public
      # exposure of the instances should be reviewed separately.
      PubliclyAccessible: "true"
    Type: "AWS::RDS::DBInstance"
  RDSDBInstance2:
    Properties:
      AvailabilityZone: eu-west-1b
      DBClusterIdentifier:
        Ref: RDSCluster
      DBInstanceClass: db.r3.xlarge
      DBParameterGroupName:
        Ref: RDSDBParameterGroup
      DBSubnetGroupName: DBSubnetGroup
      Engine: aurora
      PubliclyAccessible: "true"
    Type: "AWS::RDS::DBInstance"
  RDSDBParameterGroup:
    Type: 'AWS::RDS::DBParameterGroup'
    Properties:
      Description: CloudFormation Sample Aurora Parameter Group
      Family: aurora5.6
      Parameters:
        sql_mode: IGNORE_SPACE
        max_allowed_packet: 1024
        innodb_buffer_pool_size: '{DBInstanceClassMemory*3/4}'
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "Creates RDS Cluster",
"Resources": {
"RDSCluster": {
"Properties": {
"MasterUserPassword": "password",
"MasterUsername": "username",
"StorageEncrypted": false,
"DBClusterParameterGroupName": {
"Ref": "RDSDBClusterParameterGroup"
},
"DBSubnetGroupName": "DBSubnetGroup",
"Engine": "aurora"
},
"Type": "AWS::RDS::DBCluster"
},
"RDSDBClusterParameterGroup": {
"Properties": {
"Description": "CloudFormation Sample Aurora Cluster Parameter Group",
"Family": "aurora5.6",
"Parameters": {
"time_zone": "US/Eastern"
}
},
"Type": "AWS::RDS::DBClusterParameterGroup"
},
"RDSDBInstance1": {
"Properties": {
"DBInstanceClass": "db.r3.xlarge",
"DBParameterGroupName": {
"Ref": "RDSDBParameterGroup"
},
"DBSubnetGroupName": "DBSubnetGroup",
"Engine": "aurora",
"PubliclyAccessible": "true",
"AvailabilityZone": "eu-west-1b",
"DBClusterIdentifier": {
"Ref": "RDSCluster"
}
},
"Type": "AWS::RDS::DBInstance"
},
"RDSDBInstance2": {
"Properties": {
"DBClusterIdentifier": {
"Ref": "RDSCluster"
},
"DBInstanceClass": "db.r3.xlarge",
"DBParameterGroupName": {
"Ref": "RDSDBParameterGroup"
},
"DBSubnetGroupName": "DBSubnetGroup",
"Engine": "aurora",
"PubliclyAccessible": "true",
"AvailabilityZone": "eu-west-1b"
},
"Type": "AWS::RDS::DBInstance"
},
"RDSDBParameterGroup": {
"Type": "AWS::RDS::DBParameterGroup",
"Properties": {
"Description": "CloudFormation Sample Aurora Parameter Group",
"Family": "aurora5.6",
"Parameters": {
"max_allowed_packet": 1024,
"innodb_buffer_pool_size": "{DBInstanceClassMemory*3/4}",
"sql_mode": "IGNORE_SPACE"
}
}
}
}
}
# Non-compliant example (second template). Of the two DBCluster resources
# only NoEncryption is flagged by this rule; see the per-resource comments.
# NOTE(review): DBUsername and DBPassword are consumed with !Ref, but the
# Parameters section that would declare them is not part of this excerpt.
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  # Flagged: no StorageEncrypted property on this DBCluster.
  NoEncryption:
    Type: 'AWS::RDS::DBCluster'
    Properties:
      MasterUsername: !Ref DBUsername
      MasterUserPassword: !Ref DBPassword
      DBClusterIdentifier: aurora-postgresql-cluster
      Engine: aurora-postgresql
      # Quoted so YAML keeps the version a string rather than the float 10.7.
      EngineVersion: '10.7'
      DBClusterParameterGroupName: default.aurora-postgresql10
      BackupRetentionPeriod: 7
      EnableCloudwatchLogsExports:
        - postgresql
  # Passes this rule (StorageEncrypted: true). The resource name suggests it
  # is a fixture for a separate backup-retention check: unlike NoEncryption
  # above it declares no BackupRetentionPeriod.
  # NOTE(review): both clusters reuse the same DBClusterIdentifier, which is
  # fine for a scanner fixture but presumably would collide in a real stack.
  BackupRetention:
    Type: 'AWS::RDS::DBCluster'
    Properties:
      MasterUsername: !Ref DBUsername
      StorageEncrypted: true
      MasterUserPassword: !Ref DBPassword
      DBClusterIdentifier: aurora-postgresql-cluster
      Engine: aurora-postgresql
      EngineVersion: '10.7'
      DBClusterParameterGroupName: default.aurora-postgresql10
      EnableCloudwatchLogsExports:
        - postgresql