include::../description.adoc[]

include::../ask-yourself.adoc[]

include::../recommended.adoc[]

== Sensitive Code Example

For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_rds.DatabaseCluster.html[aws_cdk.aws_rds.DatabaseCluster]
and https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_rds.DatabaseInstance.html[aws_cdk.aws_rds.DatabaseInstance]:

[source,python]
----
from aws_cdk import (
    aws_rds as rds
)

class DatabaseStack(Stack):
    def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
        super().__init__(scope, construct_id, **kwargs)
        rds.DatabaseCluster( # Sensitive, unencrypted by default
            self,
            "example"
        )
----

For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_rds.CfnDBCluster.html[aws_cdk.aws_rds.CfnDBCluster]
and https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_rds.CfnDBInstance.html[aws_cdk.aws_rds.CfnDBInstance]:

[source,python]
----
from aws_cdk import (
    aws_rds as rds
)

class DatabaseStack(Stack):
    def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
        super().__init__(scope, construct_id, **kwargs)
        rds.CfnDBCluster( # Sensitive, unencrypted by default
            self,
            "example"
        )
----

== Compliant Solution

For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_rds.DatabaseCluster.html[aws_cdk.aws_rds.DatabaseCluster]
and https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_rds.DatabaseInstance.html[aws_cdk.aws_rds.DatabaseInstance]:

[source,python]
----
from aws_cdk import (
    aws_rds as rds
)

class DatabaseStack(Stack):
    def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
        super().__init__(scope, construct_id, **kwargs)
        rds.DatabaseCluster(
            self,
            "example",
            storage_encrypted=True
        )
----

For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_rds.CfnDBCluster.html[aws_cdk.aws_rds.CfnDBCluster]
and https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_rds.CfnDBInstance.html[aws_cdk.aws_rds.CfnDBInstance]:

[source,python]
----
from aws_cdk import (
    aws_rds as rds
)

class DatabaseStack(Stack):
    def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
        super().__init__(scope, construct_id, **kwargs)
        rds.CfnDBCluster(
            self,
            "example",
            storage_encrypted=True
        )
----

include::../see.adoc[]

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

=== Message

For CfnDBCluster and CfnDBInstance:

* Make sure that using unencrypted databases is safe here.
* Omitting "storage_encrypted" disables RDS encryption. Make sure it is safe here.

For DatabaseCluster and DatabaseInstance:

* Make sure that using unencrypted databases is safe here.
* Omitting "storage_encrypted" and "storage_encryption_key" disables RDS encryption. Make sure it is safe here.


endif::env-github,rspecator-view[]