include::../description.adoc[] include::../ask-yourself.adoc[] include::../recommended.adoc[] == Sensitive Code Example For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_rds.CfnDBCluster.html[`aws-cdk-lib.aws_rds.CfnDBCluster`]: [source,javascript] ---- import { aws_rds as rds } from 'aws-cdk-lib'; new rds.CfnDBCluster(this, 'example', { storageEncrypted: false, // Sensitive }); ---- For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_rds.CfnDBInstance.html[`aws-cdk-lib.aws_rds.CfnDBInstance`]: [source,javascript] ---- import { aws_rds as rds } from 'aws-cdk-lib'; new rds.CfnDBInstance(this, 'example', { storageEncrypted: false, // Sensitive }); ---- For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_rds.DatabaseCluster.html[`aws-cdk-lib.aws_rds.DatabaseCluster`]: [source,javascript] ---- import { aws_rds as rds } from 'aws-cdk-lib'; import { aws_ec2 as ec2 } from 'aws-cdk-lib'; declare const vpc: ec2.Vpc; const cluster = new rds.DatabaseCluster(this, 'example', { engine: rds.DatabaseClusterEngine.auroraMysql({ version: rds.AuroraMysqlEngineVersion.VER_2_08_1 }), instanceProps: { vpcSubnets: { subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS, }, vpc, }, storageEncrypted: false, // Sensitive }); ---- For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_rds.DatabaseClusterFromSnapshot.html[`aws-cdk-lib.aws_rds.DatabaseClusterFromSnapshot`]: [source,javascript] ---- import { aws_rds as rds } from 'aws-cdk-lib'; declare const vpc: ec2.Vpc; new rds.DatabaseClusterFromSnapshot(this, 'example', { engine: rds.DatabaseClusterEngine.aurora({ version: rds.AuroraEngineVersion.VER_1_22_2 }), instanceProps: { vpc, }, snapshotIdentifier: 'exampleSnapshot', storageEncrypted: false, // Sensitive }); ---- For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_rds.DatabaseInstance.html[`aws-cdk-lib.aws_rds.DatabaseInstance`]: [source,javascript] ---- import { aws_rds as rds } from 'aws-cdk-lib'; declare const vpc: ec2.Vpc; new rds.DatabaseInstance(this, 'example', { engine: rds.DatabaseInstanceEngine.POSTGRES, vpc, storageEncrypted: false, // Sensitive }); ---- For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_rds.DatabaseInstanceReadReplica.html[`aws-cdk-lib.aws_rds.DatabaseInstanceReadReplica`]: [source,javascript] ---- import { aws_rds as rds } from 'aws-cdk-lib'; declare const sourceInstance: rds.DatabaseInstance; new rds.DatabaseInstanceReadReplica(this, 'example', { sourceDatabaseInstance: sourceInstance, instanceType: ec2.InstanceType.of(ec2.InstanceClass.BURSTABLE2, ec2.InstanceSize.LARGE), vpc, storageEncrypted: false, // Sensitive }); ---- == Compliant Solution For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_rds.CfnDBCluster.html[`aws-cdk-lib.aws_rds.CfnDBCluster`]: [source,javascript] ---- import { aws_rds as rds } from 'aws-cdk-lib'; new rds.CfnDBCluster(this, 'example', { storageEncrypted: true, }); ---- For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_rds.CfnDBInstance.html[`aws-cdk-lib.aws_rds.CfnDBInstance`]: [source,javascript] ---- import { aws_rds as rds } from 'aws-cdk-lib'; new rds.CfnDBInstance(this, 'example', { storageEncrypted: true, }); ---- For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_rds.DatabaseCluster.html[`aws-cdk-lib.aws_rds.DatabaseCluster`]: [source,javascript] ---- import { aws_rds as rds } from 'aws-cdk-lib'; declare const vpc: ec2.Vpc; const cluster = new rds.DatabaseCluster(this, 'example', { engine: rds.DatabaseClusterEngine.auroraMysql({ version: rds.AuroraMysqlEngineVersion.VER_2_08_1 }), instanceProps: { vpcSubnets: { subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS, }, vpc, }, storageEncrypted: false, // Sensitive }); ---- For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_rds.DatabaseClusterFromSnapshot.html[`aws-cdk-lib.aws_rds.DatabaseClusterFromSnapshot`]: [source,javascript] ---- import { aws_rds as rds } from 'aws-cdk-lib'; declare const vpc: ec2.Vpc; new rds.DatabaseClusterFromSnapshot(this, 'example', { engine: rds.DatabaseClusterEngine.aurora({ version: rds.AuroraEngineVersion.VER_1_22_2 }), instanceProps: { vpc, }, snapshotIdentifier: 'exampleSnapshot', storageEncrypted: true, }); ---- For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_rds.DatabaseInstance.html[`aws-cdk-lib.aws_rds.DatabaseInstance`]: [source,javascript] ---- import { aws_rds as rds } from 'aws-cdk-lib'; declare const vpc: ec2.Vpc; new rds.DatabaseInstance(this, 'example', { engine: rds.DatabaseInstanceEngine.POSTGRES, vpc, storageEncrypted: true, }); ---- For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_rds.DatabaseInstanceReadReplica.html[`aws-cdk-lib.aws_rds.DatabaseInstanceReadReplica`]: [source,javascript] ---- import { aws_rds as rds } from 'aws-cdk-lib'; declare const sourceInstance: rds.DatabaseInstance; new rds.DatabaseInstanceReadReplica(this, 'example', { sourceDatabaseInstance: sourceInstance, instanceType: ec2.InstanceType.of(ec2.InstanceClass.BURSTABLE2, ec2.InstanceSize.LARGE), vpc, storageEncrypted: true, }); ---- include::../see.adoc[] ifdef::env-github,rspecator-view[] ''' == Implementation Specification (visible only on this page) === Message * If `storageEncrypted` is explicitly set to `false`: Make sure that using unencrypted storage is safe here. * If `storageEncrypted` does not exist: Omitting `storageEncrypted` disables RDS encryption. Make sure it is safe here. * For classes that support `storageEncryptionKey`: * If `storageEncryptionKey` is missing or an incorrect object, this message also applies * If `storageEncryptionKey` is present and a correct object, this message doesn't apply === Highlighting * Highlight the initializer function if it does not contain the third argument `props`. * Highlight the `props` object if it does not contain the property `storageEncrypted`. * Highlight the `storageEncrypted` property if it is not set to `true`. endif::env-github,rspecator-view[]