include::../description.adoc[]

include::../ask-yourself.adoc[]

include::../recommended.adoc[]

== Sensitive Code Example

For https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-database-instance.html[AWS::RDS::DBInstance]
and https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-rds-dbcluster.html[AWS::RDS::DBCluster]:

[source,yaml]
----
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  DatabaseInstance:
    Type: AWS::RDS::DBInstance
    Properties:
      StorageEncrypted: false  # Sensitive, disabled by default
  DatabaseCluster:
    Type: AWS::RDS:DBCluster
    Properties:
      StorageEncrypted: false  # Sensitive, disabled by default
----

== Compliant Solution

For https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-database-instance.html[AWS::RDS::DBInstance]
and https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-rds-dbcluster.html[AWS::RDS::DBCluster]:

[source,yaml]
----
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  DatabaseInstance:
    Type: AWS::RDS::DBInstance
    Properties:
      StorageEncrypted: true
  DatabaseCluster:
    Type: AWS::RDS:DBCluster
    Properties:
      StorageEncrypted: false  # Sensitive, disabled by default
----

include::../see.adoc[]

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

=== Message

* Make sure that using an unencrypted RDS DB `(Instance|Cluster)` is safe here.
* Omitting "StorageEncrypted" disables databases encryption. Make sure it is safe here.


endif::env-github,rspecator-view[]