include::../description.adoc[] include::../ask-yourself.adoc[] include::../recommended.adoc[] == Sensitive Code Example For https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_ec2/Instance.html[aws_cdk.aws_ec2.Instance] and similar constructs: [source,python] ---- from aws_cdk import aws_ec2 as ec2 ec2.Instance( self, "vpc_subnet_public", instance_type=nano_t2, machine_image=ec2.MachineImage.latest_amazon_linux(), vpc=vpc, vpc_subnets=ec2.SubnetSelection(subnet_type=ec2.SubnetType.PUBLIC) # Sensitive ) ---- For https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_ec2/CfnInstance.html[aws_cdk.aws_ec2.CfnInstance]: [source,python] ---- from aws_cdk import aws_ec2 as ec2 ec2.CfnInstance( self, "cfn_public_exposed", instance_type="t2.micro", image_id="ami-0ea0f26a6d50850c5", network_interfaces=[ ec2.CfnInstance.NetworkInterfaceProperty( device_index="0", associate_public_ip_address=True, # Sensitive delete_on_termination=True, subnet_id=vpc.select_subnets(subnet_type=ec2.SubnetType.PUBLIC).subnet_ids[0] ) ] ) ---- For https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_dms/CfnReplicationInstance.html[aws_cdk.aws_dms.CfnReplicationInstance]: [source,python] ---- from aws_cdk import aws_dms as dms rep_instance = dms.CfnReplicationInstance( self, "explicit_public", replication_instance_class="dms.t2.micro", allocated_storage=5, publicly_accessible=True, # Sensitive replication_subnet_group_identifier=subnet_group.replication_subnet_group_identifier, vpc_security_group_ids=[vpc.vpc_default_security_group] ) ---- For https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_rds/CfnDBInstance.html[aws_cdk.aws_rds.CfnDBInstance]: [source,python] ---- from aws_cdk import aws_rds as rds from aws_cdk import aws_ec2 as ec2 rds_subnet_group_public = rds.CfnDBSubnetGroup( self, "public_subnet", db_subnet_group_description="Subnets", subnet_ids=vpc.select_subnets( subnet_type=ec2.SubnetType.PUBLIC ).subnet_ids ) rds.CfnDBInstance( self, "public-public-subnet", engine="postgres", master_username="foobar", master_user_password="12345678", db_instance_class="db.r5.large", allocated_storage="200", iops=1000, db_subnet_group_name=rds_subnet_group_public.ref, publicly_accessible=True, # Sensitive vpc_security_groups=[sg.security_group_id] ) ---- == Compliant Solution For https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_ec2/Instance.html[aws_cdk.aws_ec2.Instance]: [source,python] ---- from aws_cdk import aws_ec2 as ec2 ec2.Instance( self, "vpc_subnet_private", instance_type=nano_t2, machine_image=ec2.MachineImage.latest_amazon_linux(), vpc=vpc, vpc_subnets=ec2.SubnetSelection(subnet_type=ec2.SubnetType.PRIVATE_WITH_NAT) ) ---- For https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_ec2/CfnInstance.html[aws_cdk.aws_ec2.CfnInstance]: [source,python] ---- from aws_cdk import aws_ec2 as ec2 ec2.CfnInstance( self, "cfn_private", instance_type="t2.micro", image_id="ami-0ea0f26a6d50850c5", network_interfaces=[ ec2.CfnInstance.NetworkInterfaceProperty( device_index="0", associate_public_ip_address=False, # Compliant delete_on_termination=True, subnet_id=vpc.select_subnets(subnet_type=ec2.SubnetType.PRIVATE_WITH_NAT).subnet_ids[0] ) ] ) ---- For https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_dms/CfnReplicationInstance.html[aws_cdk.aws_dms.CfnReplicationInstance]: [source,python] ---- from aws_cdk import aws_dms as dms rep_instance = dms.CfnReplicationInstance( self, "explicit_private", replication_instance_class="dms.t2.micro", allocated_storage=5, publicly_accessible=False, replication_subnet_group_identifier=subnet_group.replication_subnet_group_identifier, vpc_security_group_ids=[vpc.vpc_default_security_group] ) ---- For https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_rds/CfnDBInstance.html[aws_cdk.aws_rds.CfnDBInstance]: [source,python] ---- from aws_cdk import aws_rds as rds from aws_cdk import aws_ec2 as ec2 rds_subnet_group_private = rds.CfnDBSubnetGroup( self, "private_subnet", db_subnet_group_description="Subnets", subnet_ids=vpc.select_subnets( subnet_type=ec2.SubnetType.PRIVATE_WITH_NAT ).subnet_ids ) rds.CfnDBInstance( self, "private-private-subnet", engine="postgres", master_username="foobar", master_user_password="12345678", db_instance_class="db.r5.large", allocated_storage="200", iops=1000, db_subnet_group_name=rds_subnet_group_private.ref, publicly_accessible=False, vpc_security_groups=[sg.security_group_id] ) ---- include::../see.adoc[] ifdef::env-github,rspecator-view[] ''' == Implementation Specification (visible only on this page) === Message * Make sure allowing public network access is safe here. === Highlight For https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_ec2/Instance.html[aws_cdk.aws_ec2.Instances]: * Highlight the `vpc_subnets` property (or dict entry) when set to a selection of public subnets. For https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_ec2/CfnInstance.html[aws_cdk.aws_ec2.CfnInstance] * Highlight the `associate_public_ip_address` property when set to `True` For https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_dms/CfnReplicationInstance.html[aws_cdk.aws_dms.CfnReplicationInstance] * Highlight the `publicly_accessible` property when set to `True` * Highlight the constructor code when the `publicly_accessible` property is not set For https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_rds/DatabaseInstance.html[aws_cdk.aws_rds.DatabaseInstance] * If the `vpc_subnets` attribute contains a public subnet, highlight the `publicly_accessible` property if set to `True` * Highlight the `vpc_subnets` attribute if it contains a public subnet, and the `publicly_accessible` property if not set * If the `vpc_subnets` public / private state can not be decided, highlight the `publicly_accessible` property if set to `True` For https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_rds/CfnDBInstance.html[aws_cdk.aws_rds.CfnDBInstance] * If the `db_subnet_group_name` points to a public subnet, highlight the `publicly_accessible` property if set to `True` * If the `db_subnet_group_name` public / private state can not be decided, highlight the `publicly_accessible` property if set to `True` endif::env-github,rspecator-view[]