include::../description.adoc[]
|
|
|
|
include::../ask-yourself.adoc[]
|
|
|
|
include::../recommended.adoc[]
|
|
|
|
== Sensitive Code Example
|
|
|
|
For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_rds.CfnDBCluster.html[`aws-cdk-lib.aws_rds.CfnDBCluster`]:
|
|
|
|
[source,javascript]
|
|
----
|
|
import { aws_rds as rds } from 'aws-cdk-lib';
|
|
|
|
new rds.CfnDBCluster(this, 'example', {
|
|
storageEncrypted: false, // Sensitive
|
|
});
|
|
----
|
|
|
|
For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_rds.CfnDBInstance.html[`aws-cdk-lib.aws_rds.CfnDBInstance`]:
|
|
|
|
[source,javascript]
|
|
----
|
|
import { aws_rds as rds } from 'aws-cdk-lib';
|
|
|
|
new rds.CfnDBInstance(this, 'example', {
|
|
storageEncrypted: false, // Sensitive
|
|
});
|
|
----
|
|
|
|
For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_rds.DatabaseCluster.html[`aws-cdk-lib.aws_rds.DatabaseCluster`]:
|
|
|
|
[source,javascript]
|
|
----
|
|
import { aws_rds as rds } from 'aws-cdk-lib';
|
|
import { aws_ec2 as ec2 } from 'aws-cdk-lib';
|
|
|
|
declare const vpc: ec2.Vpc;
|
|
|
|
const cluster = new rds.DatabaseCluster(this, 'example', {
|
|
engine: rds.DatabaseClusterEngine.auroraMysql({ version: rds.AuroraMysqlEngineVersion.VER_2_08_1 }),
|
|
instanceProps: {
|
|
vpcSubnets: {
|
|
subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS,
|
|
},
|
|
vpc,
|
|
},
|
|
storageEncrypted: false, // Sensitive
|
|
});
|
|
----
|
|
|
|
For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_rds.DatabaseClusterFromSnapshot.html[`aws-cdk-lib.aws_rds.DatabaseClusterFromSnapshot`]:
|
|
|
|
[source,javascript]
|
|
----
|
|
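import { aws_ec2 as ec2, aws_rds as rds } from 'aws-cdk-lib';

declare const vpc: ec2.Vpc;

new rds.DatabaseClusterFromSnapshot(this, 'example', {
  engine: rds.DatabaseClusterEngine.aurora({ version: rds.AuroraEngineVersion.VER_1_22_2 }),
  instanceProps: {
    vpc,
  },
  snapshotIdentifier: 'exampleSnapshot',
  storageEncrypted: false, // Sensitive
});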
|
|
----
|
|
|
|
For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_rds.DatabaseInstance.html[`aws-cdk-lib.aws_rds.DatabaseInstance`]:
|
|
|
|
[source,javascript]
|
|
----
|
|
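import { aws_ec2 as ec2, aws_rds as rds } from 'aws-cdk-lib';

declare const vpc: ec2.Vpc;

new rds.DatabaseInstance(this, 'example', {
  engine: rds.DatabaseInstanceEngine.POSTGRES,
  vpc,
  storageEncrypted: false, // Sensitive
});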
|
|
----
|
|
|
|
For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_rds.DatabaseInstanceReadReplica.html[`aws-cdk-lib.aws_rds.DatabaseInstanceReadReplica`]:
|
|
|
|
[source,javascript]
|
|
----
|
|
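import { aws_ec2 as ec2, aws_rds as rds } from 'aws-cdk-lib';

declare const vpc: ec2.Vpc;
declare const sourceInstance: rds.DatabaseInstance;

new rds.DatabaseInstanceReadReplica(this, 'example', {
  sourceDatabaseInstance: sourceInstance,
  instanceType: ec2.InstanceType.of(ec2.InstanceClass.BURSTABLE2, ec2.InstanceSize.LARGE),
  vpc,
  storageEncrypted: false, // Sensitive
});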
|
|
----
|
|
|
|
== Compliant Solution
|
|
|
|
For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_rds.CfnDBCluster.html[`aws-cdk-lib.aws_rds.CfnDBCluster`]:
|
|
|
|
[source,javascript]
|
|
----
|
|
import { aws_rds as rds } from 'aws-cdk-lib';
|
|
|
|
new rds.CfnDBCluster(this, 'example', {
|
|
storageEncrypted: true,
|
|
});
|
|
----
|
|
|
|
For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_rds.CfnDBInstance.html[`aws-cdk-lib.aws_rds.CfnDBInstance`]:
|
|
|
|
[source,javascript]
|
|
----
|
|
import { aws_rds as rds } from 'aws-cdk-lib';
|
|
|
|
new rds.CfnDBInstance(this, 'example', {
|
|
storageEncrypted: true,
|
|
});
|
|
----
|
|
|
|
For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_rds.DatabaseCluster.html[`aws-cdk-lib.aws_rds.DatabaseCluster`]:
|
|
|
|
[source,javascript]
|
|
----
|
|
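import { aws_ec2 as ec2, aws_rds as rds } from 'aws-cdk-lib';

declare const vpc: ec2.Vpc;

const cluster = new rds.DatabaseCluster(this, 'example', {
  engine: rds.DatabaseClusterEngine.auroraMysql({ version: rds.AuroraMysqlEngineVersion.VER_2_08_1 }),
  instanceProps: {
    vpcSubnets: {
      subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS,
    },
    vpc,
  },
  storageEncrypted: true, // storage is encrypted at rest; omitting the property leaves it unencrypted
});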
|
|
----
|
|
|
|
For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_rds.DatabaseClusterFromSnapshot.html[`aws-cdk-lib.aws_rds.DatabaseClusterFromSnapshot`]:
|
|
|
|
[source,javascript]
|
|
----
|
|
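import { aws_ec2 as ec2, aws_rds as rds } from 'aws-cdk-lib';

declare const vpc: ec2.Vpc;

new rds.DatabaseClusterFromSnapshot(this, 'example', {
  engine: rds.DatabaseClusterEngine.aurora({ version: rds.AuroraEngineVersion.VER_1_22_2 }),
  instanceProps: {
    vpc,
  },
  snapshotIdentifier: 'exampleSnapshot',
  storageEncrypted: true,
});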
|
|
----
|
|
|
|
For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_rds.DatabaseInstance.html[`aws-cdk-lib.aws_rds.DatabaseInstance`]:
|
|
|
|
[source,javascript]
|
|
----
|
|
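import { aws_ec2 as ec2, aws_rds as rds } from 'aws-cdk-lib';

declare const vpc: ec2.Vpc;

new rds.DatabaseInstance(this, 'example', {
  engine: rds.DatabaseInstanceEngine.POSTGRES,
  vpc,
  storageEncrypted: true,
});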
|
|
----
|
|
|
|
For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_rds.DatabaseInstanceReadReplica.html[`aws-cdk-lib.aws_rds.DatabaseInstanceReadReplica`]:
|
|
|
|
[source,javascript]
|
|
----
|
|
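import { aws_ec2 as ec2, aws_rds as rds } from 'aws-cdk-lib';

declare const vpc: ec2.Vpc;
declare const sourceInstance: rds.DatabaseInstance;

new rds.DatabaseInstanceReadReplica(this, 'example', {
  sourceDatabaseInstance: sourceInstance,
  instanceType: ec2.InstanceType.of(ec2.InstanceClass.BURSTABLE2, ec2.InstanceSize.LARGE),
  vpc,
  storageEncrypted: true,
});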
|
|
----
|
|
|
|
include::../see.adoc[]
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
=== Message
|
|
|
|
* If `storageEncrypted` is explicitly set to `false`: Make sure that using unencrypted storage is safe here.
|
|
* If `storageEncrypted` is omitted: Omitting `storageEncrypted` disables RDS storage encryption. Make sure it is safe here.
|
|
* For classes that support `storageEncryptionKey`:
|
|
** If `storageEncryptionKey` is missing or is not a valid key object, this message also applies.
|
|
** If `storageEncryptionKey` is present and is a valid key object, this message does not apply.
|
|
|
|
=== Highlighting
|
|
|
|
* Highlight the initializer function if it does not contain the third argument `props`.
|
|
* Highlight the `props` object if it does not contain the property `storageEncrypted`.
|
|
* Highlight the `storageEncrypted` property if it is not set to `true`.
|
|
|
|
endif::env-github,rspecator-view[]
|
|
|