rspec/rules/S6303/python/rule.adoc

include::../description.adoc[]

include::../ask-yourself.adoc[]

include::../recommended.adoc[]

== Sensitive Code Example

For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_rds.DatabaseCluster.html[aws_cdk.aws_rds.DatabaseCluster]
and https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_rds.DatabaseInstance.html[aws_cdk.aws_rds.DatabaseInstance]:

[source,python]
----
from aws_cdk import (
    aws_rds as rds
)

class DatabaseStack(Stack):
    def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
        super().__init__(scope, construct_id, **kwargs)
        rds.DatabaseCluster( # Sensitive, unencrypted by default
            self,
            "example"
        )
----

For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_rds.CfnDBCluster.html[aws_cdk.aws_rds.CfnDBCluster]
and https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_rds.CfnDBInstance.html[aws_cdk.aws_rds.CfnDBInstance]:

[source,python]
----
from aws_cdk import (
    aws_rds as rds
)

class DatabaseStack(Stack):
    def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
        super().__init__(scope, construct_id, **kwargs)
        rds.CfnDBCluster( # Sensitive, unencrypted by default
            self,
            "example"
        )
----

== Compliant Solution

For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_rds.DatabaseCluster.html[aws_cdk.aws_rds.DatabaseCluster]
and https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_rds.DatabaseInstance.html[aws_cdk.aws_rds.DatabaseInstance]:

[source,python]
----
from aws_cdk import (
    aws_rds as rds
)

class DatabaseStack(Stack):
    def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
        super().__init__(scope, construct_id, **kwargs)
        rds.DatabaseCluster(
            self,
            "example",
            storage_encrypted=True
        )
----

For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_rds.CfnDBCluster.html[aws_cdk.aws_rds.CfnDBCluster]
and https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_rds.CfnDBInstance.html[aws_cdk.aws_rds.CfnDBInstance]:

[source,python]
----
from aws_cdk import (
    aws_rds as rds
)

class DatabaseStack(Stack):
    def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
        super().__init__(scope, construct_id, **kwargs)
        rds.CfnDBCluster(
            self,
            "example",
            storage_encrypted=True
        )
----

include::../see.adoc[]

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

=== Message

For CfnDBCluster and CfnDBInstance:

* Make sure that using unencrypted databases is safe here.
* Omitting "storage_encrypted" disables RDS encryption. Make sure it is safe here.

For DatabaseCluster and DatabaseInstance:

* Make sure that using unencrypted databases is safe here.
* Omitting "storage_encrypted" and "storage_encryption_key" disables RDS encryption. Make sure it is safe here.


endif::env-github,rspecator-view[]
Create rule S6303: Using unencrypted RDS databases is security-sensitive (#1255) 2022-09-19 12:00:00 +02:00			`include::../description.adoc[]`

			`include::../ask-yourself.adoc[]`

			`include::../recommended.adoc[]`

			`== Sensitive Code Example`

			`For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_rds.DatabaseCluster.html[aws_cdk.aws_rds.DatabaseCluster]`
			`and https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_rds.DatabaseInstance.html[aws_cdk.aws_rds.DatabaseInstance]:`

			`[source,python]`
			`----`
			`from aws_cdk import (`
			`aws_rds as rds`
			`)`

			`class DatabaseStack(Stack):`
			`def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:`
			`super().__init__(scope, construct_id, **kwargs)`
			`rds.DatabaseCluster( # Sensitive, unencrypted by default`
			`self,`
			`"example"`
			`)`
			`----`

			`For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_rds.CfnDBCluster.html[aws_cdk.aws_rds.CfnDBCluster]`
			`and https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_rds.CfnDBInstance.html[aws_cdk.aws_rds.CfnDBInstance]:`

			`[source,python]`
			`----`
			`from aws_cdk import (`
			`aws_rds as rds`
			`)`

			`class DatabaseStack(Stack):`
			`def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:`
			`super().__init__(scope, construct_id, **kwargs)`
			`rds.CfnDBCluster( # Sensitive, unencrypted by default`
			`self,`
			`"example"`
			`)`
			`----`

			`== Compliant Solution`

			`For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_rds.DatabaseCluster.html[aws_cdk.aws_rds.DatabaseCluster]`
			`and https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_rds.DatabaseInstance.html[aws_cdk.aws_rds.DatabaseInstance]:`

			`[source,python]`
			`----`
			`from aws_cdk import (`
			`aws_rds as rds`
			`)`

			`class DatabaseStack(Stack):`
			`def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:`
			`super().__init__(scope, construct_id, **kwargs)`
			`rds.DatabaseCluster(`
			`self,`
			`"example",`
			`storage_encrypted=True`
			`)`
			`----`

			`For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_rds.CfnDBCluster.html[aws_cdk.aws_rds.CfnDBCluster]`
			`and https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_rds.CfnDBInstance.html[aws_cdk.aws_rds.CfnDBInstance]:`

			`[source,python]`
			`----`
			`from aws_cdk import (`
			`aws_rds as rds`
			`)`

			`class DatabaseStack(Stack):`
			`def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:`
			`super().__init__(scope, construct_id, **kwargs)`
			`rds.CfnDBCluster(`
			`self,`
			`"example",`
			`storage_encrypted=True`
			`)`
			`----`

			`include::../see.adoc[]`

			`ifdef::env-github,rspecator-view[]`

			`'''`
			`== Implementation Specification`
			`(visible only on this page)`

Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00			`=== Message`

			`For CfnDBCluster and CfnDBInstance:`

			`* Make sure that using unencrypted databases is safe here.`
			`* Omitting "storage_encrypted" disables RDS encryption. Make sure it is safe here.`

			`For DatabaseCluster and DatabaseInstance:`

			`* Make sure that using unencrypted databases is safe here.`
			`* Omitting "storage_encrypted" and "storage_encryption_key" disables RDS encryption. Make sure it is safe here.`

Create rule S6303: Using unencrypted RDS databases is security-sensitive (#1255) 2022-09-19 12:00:00 +02:00
			`endif::env-github,rspecator-view[]`