186 lines
5.0 KiB
Plaintext
186 lines
5.0 KiB
Plaintext
include::../description.adoc[]
|
|
|
|
include::../ask-yourself.adoc[]
|
|
|
|
include::../recommended.adoc[]
|
|
|
|
== Sensitive Code Example
|
|
|
|
For https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_ec2/Instance.html[aws_cdk.aws_ec2.Instance] and similar constructs:
|
|
[source,python]
|
|
----
|
|
from aws_cdk import aws_ec2 as ec2
|
|
|
|
ec2.Instance(
|
|
self,
|
|
"vpc_subnet_public",
|
|
instance_type=nano_t2,
|
|
machine_image=ec2.MachineImage.latest_amazon_linux(),
|
|
vpc=vpc,
|
|
vpc_subnets=ec2.SubnetSelection(subnet_type=ec2.SubnetType.PUBLIC) # Sensitive
|
|
)
|
|
----
|
|
|
|
For https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_ec2/CfnInstance.html[aws_cdk.aws_ec2.CfnInstance]:
|
|
[source,python]
|
|
----
|
|
from aws_cdk import aws_ec2 as ec2
|
|
|
|
ec2.CfnInstance(
|
|
self,
|
|
"cfn_public_exposed",
|
|
instance_type="t2.micro",
|
|
image_id="ami-0ea0f26a6d50850c5",
|
|
network_interfaces=[
|
|
ec2.CfnInstance.NetworkInterfaceProperty(
|
|
device_index="0",
|
|
associate_public_ip_address=True, # Sensitive
|
|
delete_on_termination=True,
|
|
subnet_id=vpc.select_subnets(subnet_type=ec2.SubnetType.PUBLIC).subnet_ids[0]
|
|
)
|
|
]
|
|
)
|
|
----
|
|
|
|
For https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_dms/CfnReplicationInstance.html[aws_cdk.aws_dms.CfnReplicationInstance]:
|
|
[source,python]
|
|
----
|
|
from aws_cdk import aws_dms as dms
|
|
|
|
rep_instance = dms.CfnReplicationInstance(
|
|
self,
|
|
"explicit_public",
|
|
replication_instance_class="dms.t2.micro",
|
|
allocated_storage=5,
|
|
publicly_accessible=True, # Sensitive
|
|
replication_subnet_group_identifier=subnet_group.replication_subnet_group_identifier,
|
|
vpc_security_group_ids=[vpc.vpc_default_security_group]
|
|
)
|
|
----
|
|
|
|
For https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_rds/CfnDBInstance.html[aws_cdk.aws_rds.CfnDBInstance]:
|
|
[source,python]
|
|
----
|
|
from aws_cdk import aws_rds as rds
|
|
from aws_cdk import aws_ec2 as ec2
|
|
|
|
rds_subnet_group_public = rds.CfnDBSubnetGroup(
|
|
self,
|
|
"public_subnet",
|
|
db_subnet_group_description="Subnets",
|
|
subnet_ids=vpc.select_subnets(
|
|
subnet_type=ec2.SubnetType.PUBLIC
|
|
).subnet_ids
|
|
)
|
|
|
|
rds.CfnDBInstance(
|
|
self,
|
|
"public-public-subnet",
|
|
engine="postgres",
|
|
master_username="foobar",
|
|
master_user_password="12345678",
|
|
db_instance_class="db.r5.large",
|
|
allocated_storage="200",
|
|
iops=1000,
|
|
db_subnet_group_name=rds_subnet_group_public.ref,
|
|
publicly_accessible=True, # Sensitive
|
|
vpc_security_groups=[sg.security_group_id]
|
|
)
|
|
----
|
|
|
|
== Compliant Solution
|
|
|
|
For https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_ec2/Instance.html[aws_cdk.aws_ec2.Instance]:
|
|
[source,python]
|
|
----
|
|
from aws_cdk import aws_ec2 as ec2
|
|
|
|
ec2.Instance(
|
|
self,
|
|
"vpc_subnet_private",
|
|
instance_type=nano_t2,
|
|
machine_image=ec2.MachineImage.latest_amazon_linux(),
|
|
vpc=vpc,
|
|
vpc_subnets=ec2.SubnetSelection(subnet_type=ec2.SubnetType.PRIVATE_WITH_NAT)
|
|
)
|
|
----
|
|
|
|
For https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_ec2/CfnInstance.html[aws_cdk.aws_ec2.CfnInstance]:
|
|
[source,python]
|
|
----
|
|
from aws_cdk import aws_ec2 as ec2
|
|
|
|
ec2.CfnInstance(
|
|
self,
|
|
"cfn_private",
|
|
instance_type="t2.micro",
|
|
image_id="ami-0ea0f26a6d50850c5",
|
|
network_interfaces=[
|
|
ec2.CfnInstance.NetworkInterfaceProperty(
|
|
device_index="0",
|
|
associate_public_ip_address=False, # Compliant
|
|
delete_on_termination=True,
|
|
subnet_id=vpc.select_subnets(subnet_type=ec2.SubnetType.PRIVATE_WITH_NAT).subnet_ids[0]
|
|
)
|
|
]
|
|
)
|
|
----
|
|
|
|
For https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_dms/CfnReplicationInstance.html[aws_cdk.aws_dms.CfnReplicationInstance]:
|
|
[source,python]
|
|
----
|
|
from aws_cdk import aws_dms as dms
|
|
|
|
rep_instance = dms.CfnReplicationInstance(
|
|
self,
|
|
"explicit_private",
|
|
replication_instance_class="dms.t2.micro",
|
|
allocated_storage=5,
|
|
publicly_accessible=False,
|
|
replication_subnet_group_identifier=subnet_group.replication_subnet_group_identifier,
|
|
vpc_security_group_ids=[vpc.vpc_default_security_group]
|
|
)
|
|
----
|
|
|
|
For https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_rds/CfnDBInstance.html[aws_cdk.aws_rds.CfnDBInstance]:
|
|
[source,python]
|
|
----
|
|
from aws_cdk import aws_rds as rds
|
|
from aws_cdk import aws_ec2 as ec2
|
|
|
|
rds_subnet_group_private = rds.CfnDBSubnetGroup(
|
|
self,
|
|
"private_subnet",
|
|
db_subnet_group_description="Subnets",
|
|
subnet_ids=vpc.select_subnets(
|
|
subnet_type=ec2.SubnetType.PRIVATE_WITH_NAT
|
|
).subnet_ids
|
|
)
|
|
|
|
rds.CfnDBInstance(
|
|
self,
|
|
"private-private-subnet",
|
|
engine="postgres",
|
|
master_username="foobar",
|
|
master_user_password="12345678",
|
|
db_instance_class="db.r5.large",
|
|
allocated_storage="200",
|
|
iops=1000,
|
|
db_subnet_group_name=rds_subnet_group_private.ref,
|
|
publicly_accessible=False,
|
|
vpc_security_groups=[sg.security_group_id]
|
|
)
|
|
----
|
|
|
|
include::../see.adoc[]
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
include::message.adoc[]
|
|
include::highlight.adoc[]
|
|
|
|
endif::env-github,rspecator-view[] |