terraform.aws.security.aws-db-instance-no-logging.aws-db-instance-no-logging
semgrep
Author: unknown
This database instance does not export any logs to CloudWatch Logs. Without engine logs, important events (failed logins, errors, slow or suspicious queries) go unrecorded, which hampers detection and incident response.
Definition
rules:
  - id: aws-db-instance-no-logging
    patterns:
      - pattern: |
          resource "aws_db_instance" $ANYTHING {
            ...
          }
      - pattern-not-inside: |
          resource "aws_db_instance" $ANYTHING {
            ...
            enabled_cloudwatch_logs_exports = [$SOMETHING, ...]
            ...
          }
    message: Database instance has no logging. Missing logs can cause missing
      important event information.
    languages:
      - hcl
    severity: WARNING
    metadata:
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A04:2021 - Insecure Design
      cwe:
        - "CWE-311: Missing Encryption of Sensitive Data"
      technology:
        - aws
        - terraform
      category: security
      references:
        - https://owasp.org/Top10/A04_2021-Insecure_Design
      subcategory:
        - vuln
      likelihood: MEDIUM
      impact: LOW
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cryptographic Issues
Examples
aws-db-instance-no-logging.tf
# pass
# PostgreSQL: export the server log and the engine upgrade log to CloudWatch Logs.
resource "aws_db_instance" "postgres" {
  allocated_storage               = 5
  engine                          = "postgres"
  instance_class                  = "db.t3.small"
  password                        = "postgres" # fixture credentials only
  username                        = "postgres"
  enabled_cloudwatch_logs_exports = ["postgresql", "upgrade"]
}

# MySQL: export the general, error and slow-query logs.
resource "aws_db_instance" "mysql" {
  allocated_storage               = 5
  engine                          = "mysql"
  instance_class                  = "db.t3.small"
  password                        = "mysql" # fixture credentials only
  username                        = "mysql"
  enabled_cloudwatch_logs_exports = ["general", "error", "slowquery"]
}

# failure
# The enabled_cloudwatch_logs_exports attribute is absent entirely.
# ruleid: aws-db-instance-no-logging
resource "aws_db_instance" "default" {
  allocated_storage = 5
  engine            = "mysql"
  instance_class    = "db.t3.small"
  password          = "mysql" # fixture credentials only
  username          = "mysql"
}

# An empty list exports no log types, so the rule still fires:
# pattern-not-inside requires at least one element ([$SOMETHING, ...]).
# ruleid: aws-db-instance-no-logging
resource "aws_db_instance" "empty" {
  allocated_storage               = 5
  engine                          = "mysql"
  instance_class                  = "db.t3.small"
  password                        = "mysql" # fixture credentials only
  username                        = "mysql"
  enabled_cloudwatch_logs_exports = []
}
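The following is an added example, not part of the Semgrep rule or of the page's test file. It is a stand-alone Python check that applies the same logic as the rule (flag any aws_db_instance whose enabled_cloudwatch_logs_exports is absent or empty) to HCL text, and goes one step beyond the rule by validating each requested log type against the engine: the rule accepts any non-empty list, but RDS rejects a log type the engine does not produce, so such a configuration passes the scan and then fails at apply time. The per-engine table of log types is taken from the AWS RDS documentation and is an assumption to re-verify against current docs; the regex-based HCL parsing, the function names and the sample input are all constructed for this example.

```python
"""Detect aws_db_instance resources without usable CloudWatch log exports.

Added example; not the Semgrep rule's code or the Terraform provider's.
"""
import re

# Log types RDS accepts in enabled_cloudwatch_logs_exports, keyed by engine
# family. Assumption: matches the AWS RDS documentation at time of writing.
VALID_LOG_TYPES = {
    "mysql": {"audit", "error", "general", "slowquery"},
    "mariadb": {"audit", "error", "general", "slowquery"},
    "postgres": {"postgresql", "upgrade"},
    "oracle": {"alert", "audit", "listener", "trace", "oemagent"},
    "sqlserver": {"agent", "error"},
}

# Minimal regex-based HCL matching (constructed for this example; not a full parser).
RESOURCE_RE = re.compile(r'resource\s+"aws_db_instance"\s+"([^"]+)"\s*\{')
ENGINE_RE = re.compile(r'^\s*engine\s*=\s*"([^"]+)"', re.M)
EXPORTS_RE = re.compile(r'^\s*enabled_cloudwatch_logs_exports\s*=\s*\[([^\]]*)\]', re.M)
STRING_RE = re.compile(r'"([^"]*)"')


def _block_body(text, start):
    """Return the text between the '{' at index `start` and its matching '}'."""
    depth = 0
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start + 1:i]
    raise ValueError("unbalanced braces in HCL input")


def engine_family(engine):
    """Map an RDS engine string such as 'oracle-ee' or 'sqlserver-ex' to its family."""
    for family in VALID_LOG_TYPES:
        if engine.startswith(family):
            return family
    return None  # e.g. aurora-*: not validated here


def check_db_instances(hcl):
    """Return {resource_name: [finding, ...]} for every aws_db_instance in `hcl`.

    An empty finding list means the resource passes. Findings:
      - 'no logging'         : attribute missing or empty (what the Semgrep rule flags)
      - 'unknown log type …' : a value RDS would reject for this engine family
    """
    findings = {}
    for m in RESOURCE_RE.finditer(hcl):
        name = m.group(1)
        body = _block_body(hcl, m.end() - 1)  # m.end() - 1 is the opening brace
        problems = []
        exports_m = EXPORTS_RE.search(body)
        exports = STRING_RE.findall(exports_m.group(1)) if exports_m else []
        if not exports:
            problems.append("no logging")
        engine_m = ENGINE_RE.search(body)
        family = engine_family(engine_m.group(1)) if engine_m else None
        if family:
            for log_type in exports:
                if log_type not in VALID_LOG_TYPES[family]:
                    problems.append(
                        f"unknown log type {log_type!r} for engine family {family!r}"
                    )
        findings[name] = problems
    return findings


# Constructed sample input mirroring the page's test file, plus one instance
# that the Semgrep rule passes but RDS would reject at apply time.
SAMPLE_HCL = '''
resource "aws_db_instance" "postgres" {
  engine                          = "postgres"
  enabled_cloudwatch_logs_exports = ["postgresql", "upgrade"]
}

resource "aws_db_instance" "default" {
  engine = "mysql"
}

resource "aws_db_instance" "empty" {
  engine                          = "mysql"
  enabled_cloudwatch_logs_exports = []
}

resource "aws_db_instance" "wrong_type" {
  engine                          = "mysql"
  enabled_cloudwatch_logs_exports = ["postgresql"]
}
'''

if __name__ == "__main__":
    for name, problems in check_db_instances(SAMPLE_HCL).items():
        status = "PASS" if not problems else "FAIL: " + "; ".join(problems)
        print(f"aws_db_instance.{name}: {status}")
```

Run directly, it prints one verdict per resource. The `default` and `empty` cases fail exactly as they do under the Semgrep rule; `wrong_type` passes the Semgrep rule because its list is non-empty, but fails this stricter check because a MySQL instance does not produce a `postgresql` log, which is the gap a practitioner should keep in mind when relying on the rule alone.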
Short Link: https://sg.run/GyAp