include::../description.adoc[] include::../ask-yourself.adoc[] include::../recommended.adoc[] == Sensitive Code Example For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.Instance.html[aws-cdk-lib.aws_ec2.Instance] and similar constructs: [source,javascript] ---- import {aws_ec2 as ec2} from 'aws-cdk-lib' new ec2.Instance(this, "example", { instanceType: nanoT2, machineImage: ec2.MachineImage.latestAmazonLinux(), vpc: vpc, vpcSubnets: {subnetType: ec2.SubnetType.PUBLIC} // Sensitive }) ---- For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.CfnInstance.html[aws-cdk-lib.aws_ec2.CfnInstance]: [source,javascript] ---- import {aws_ec2 as ec2} from 'aws-cdk-lib' new ec2.CfnInstance(this, "example", { instanceType: "t2.micro", imageId: "ami-0ea0f26a6d50850c5", networkInterfaces: [ { deviceIndex: "0", associatePublicIpAddress: true, // Sensitive deleteOnTermination: true, subnetId: vpc.selectSubnets({subnetType: ec2.SubnetType.PUBLIC}).subnetIds[0] } ] }) ---- For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_dms.CfnReplicationInstance.html[aws-cdk-lib.aws_dms.CfnReplicationInstance]: [source,javascript] ---- import {aws_ec2 as ec2} from 'aws-cdk-lib' new dms.CfnReplicationInstance( this, "example", { replicationInstanceClass: "dms.t2.micro", allocatedStorage: 5, publiclyAccessible: true, // Sensitive replicationSubnetGroupIdentifier: subnetGroup.replicationSubnetGroupIdentifier, vpcSecurityGroupIds: [vpc.vpcDefaultSecurityGroup] }) ---- For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_rds.CfnDBInstance.html[aws-cdk-lib.aws_rds.CfnDBInstance]: [source,javascript] ---- import {aws_ec2 as ec2} from 'aws-cdk-lib' const rdsSubnetGroupPublic = new rds.CfnDBSubnetGroup(this, "publicSubnet", { dbSubnetGroupDescription: "Subnets", dbSubnetGroupName: "publicSn", subnetIds: vpc.selectSubnets({ subnetType: ec2.SubnetType.PUBLIC }).subnetIds }) new rds.CfnDBInstance(this, "example", { engine: "postgres", masterUsername: "foobar", masterUserPassword: "12345678", dbInstanceClass: "db.r5.large", allocatedStorage: "200", iops: 1000, dbSubnetGroupName: rdsSubnetGroupPublic.ref, publiclyAccessible: true, // Sensitive vpcSecurityGroups: [sg.securityGroupId] }) ---- == Compliant Solution For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.Instance.html[aws-cdk-lib.aws_ec2.Instance] and similar constructs: [source,javascript] ---- import {aws_ec2 as ec2} from 'aws-cdk-lib' new ec2.Instance( this, "example", { instanceType: nanoT2, machineImage: ec2.MachineImage.latestAmazonLinux(), vpc: vpc, vpcSubnets: {subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS} }) ---- For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.CfnInstance.html[aws-cdk-lib.aws_ec2.CfnInstance]: [source,javascript] ---- import {aws_ec2 as ec2} from 'aws-cdk-lib' new ec2.CfnInstance(this, "example", { instanceType: "t2.micro", imageId: "ami-0ea0f26a6d50850c5", networkInterfaces: [ { deviceIndex: "0", associatePublicIpAddress: false, deleteOnTermination: true, subnetId: vpc.selectSubnets({subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS}).subnetIds[0] } ] }) ---- For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_dms.CfnReplicationInstance.html[aws-cdk-lib.aws_dms.CfnReplicationInstance]: [source,javascript] ---- import {aws_ec2 as ec2} from 'aws-cdk-lib' new dms.CfnReplicationInstance( this, "example", { replicationInstanceClass: "dms.t2.micro", allocatedStorage: 5, publiclyAccessible: false, replicationSubnetGroupIdentifier: subnetGroup.replicationSubnetGroupIdentifier, vpcSecurityGroupIds: [vpc.vpcDefaultSecurityGroup] }) ---- For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_rds.CfnDBInstance.html[aws-cdk-lib.aws_rds.CfnDBInstance]: [source,javascript] ---- import {aws_ec2 as ec2} from 'aws-cdk-lib' const rdsSubnetGroupPrivate = new rds.CfnDBSubnetGroup(this, "example",{ dbSubnetGroupDescription: "Subnets", dbSubnetGroupName: "privateSn", subnetIds: vpc.selectSubnets({ subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS }).subnetIds }) new rds.CfnDBInstance(this, "example", { engine: "postgres", masterUsername: "foobar", masterUserPassword: "12345678", dbInstanceClass: "db.r5.large", allocatedStorage: "200", iops: 1000, dbSubnetGroupName: rdsSubnetGroupPrivate.ref, publiclyAccessible: false, vpcSecurityGroups: [sg.securityGroupId] }) ---- include::../see.adoc[] ifdef::env-github,rspecator-view[] ''' == Implementation Specification (visible only on this page) === Message * Make sure allowing public network access is safe here. === Highlight For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.Instance.html[aws-cdk-lib.aws_ec2.Instances]: * Highlight the `vpcSubnets` property when set to a selection of public subnets. For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.CfnInstance.html[aws-cdk-lib.aws_ec2.CfnInstance] * Highlight the `associatePublicIpAddress` property when set to `true` For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_dms.CfnReplicationInstance.html[aws-cdk-lib.aws_dms.CfnReplicationInstance] * Highlight the `publiclyAccessible` property when set to `True` * Highlight the constructor code when the `publiclyAccessible` property is not set For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_rds.DatabaseInstance.html[aws-cdk-lib.aws_rds.DatabaseInstance] * Highlight the `publiclyAccessible` property when it's set * Highlight the `vpcSubnets` attribute if the `publiclyAccessible` property if not set For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_rds.CfnDBInstance.html[aws-cdk-lib.aws_rds.CfnDBInstance] * Highlight the `publiclyAccessible` property endif::env-github,rspecator-view[]