terraform.aws.security.aws-db-instance-no-logging.aws-db-instance-no-logging

Published by: semgrep
Author: unknown

Database instance has no logging enabled. Without exported logs, important event information may be lost.

Definition

rules:
  - id: aws-db-instance-no-logging
    patterns:
      - pattern: |
          resource "aws_db_instance" $ANYTHING {
            ...
          }
      - pattern-not-inside: |
          resource "aws_db_instance" $ANYTHING {
            ...
            enabled_cloudwatch_logs_exports = [$SOMETHING, ...]
            ...
          }
    message: Database instance has no logging. Missing logs can cause missing
      important event information.
    languages:
      - hcl
    severity: WARNING
    metadata:
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A04:2021 - Insecure Design
      cwe:
        - "CWE-311: Missing Encryption of Sensitive Data"
      technology:
        - aws
        - terraform
      category: security
      references:
        - https://owasp.org/Top10/A04_2021-Insecure_Design
      subcategory:
        - vuln
      likelihood: MEDIUM
      impact: LOW
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cryptographic Issues

Examples

aws-db-instance-no-logging.tf

# pass

resource "aws_db_instance" "postgres" {
  allocated_storage = 5
  engine            = "postgres"
  instance_class    = "db.t3.small"
  password          = "postgres"
  username          = "postgres"

  enabled_cloudwatch_logs_exports = ["postgresql", "upgrade"]
}

resource "aws_db_instance" "mysql" {
  allocated_storage = 5
  engine            = "mysql"
  instance_class    = "db.t3.small"
  password          = "mysql"
  username          = "mysql"

  enabled_cloudwatch_logs_exports = ["general", "error", "slowquery"]
}

# failure
# ruleid: aws-db-instance-no-logging
resource "aws_db_instance" "default" {
  allocated_storage = 5
  engine            = "mysql"
  instance_class    = "db.t3.small"
  password          = "mysql"
  username          = "mysql"
}
# ruleid: aws-db-instance-no-logging
resource "aws_db_instance" "empty" {
  allocated_storage = 5
  engine            = "mysql"
  instance_class    = "db.t3.small"
  password          = "mysql"
  username          = "mysql"

  enabled_cloudwatch_logs_exports = []
}
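The rule above passes a block only when `enabled_cloudwatch_logs_exports` is set to a list with at least one element (`[$SOMETHING, ...]`), which is why the `empty` resource in the examples is flagged alongside `default`. The following Python script is an added illustration of that same check, not part of the Semgrep rule or its test fixtures: it locates `aws_db_instance` blocks with a regex and a brace counter (an approximation, not a real HCL parser or Semgrep's matcher) and reports those with no exports or an empty export list. The embedded Terraform is a constructed copy of the four fixtures from this page, with the credential attributes left out.

```python
import re

# Constructed sample input: the four fixtures from this rule's examples page.
SAMPLE_TF = '''
resource "aws_db_instance" "postgres" {
  allocated_storage = 5
  engine            = "postgres"
  instance_class    = "db.t3.small"

  enabled_cloudwatch_logs_exports = ["postgresql", "upgrade"]
}

resource "aws_db_instance" "mysql" {
  allocated_storage = 5
  engine            = "mysql"
  instance_class    = "db.t3.small"

  enabled_cloudwatch_logs_exports = ["general", "error", "slowquery"]
}

resource "aws_db_instance" "default" {
  allocated_storage = 5
  engine            = "mysql"
  instance_class    = "db.t3.small"
}

resource "aws_db_instance" "empty" {
  allocated_storage = 5
  engine            = "mysql"
  instance_class    = "db.t3.small"

  enabled_cloudwatch_logs_exports = []
}
'''

# Matches the opening line of an aws_db_instance resource and captures its name.
RESOURCE_RE = re.compile(r'resource\s+"aws_db_instance"\s+"([^"]+)"\s*\{')
# Captures the raw contents of the enabled_cloudwatch_logs_exports list.
EXPORTS_RE = re.compile(r'enabled_cloudwatch_logs_exports\s*=\s*\[([^\]]*)\]', re.S)


def find_db_instances(hcl: str):
    """Yield (name, body) for each aws_db_instance block.

    Nested sub-blocks (e.g. timeouts {}) are handled by counting braces
    until the one that closes the resource block.
    """
    for m in RESOURCE_RE.finditer(hcl):
        depth, i = 1, m.end()
        while i < len(hcl) and depth:
            if hcl[i] == "{":
                depth += 1
            elif hcl[i] == "}":
                depth -= 1
            i += 1
        yield m.group(1), hcl[m.end():i - 1]


def log_exports(body: str):
    """Return the log types declared in a block body; [] if absent or empty."""
    m = EXPORTS_RE.search(body)
    if not m:
        return []
    return re.findall(r'"([^"]*)"', m.group(1))


def missing_log_exports(hcl: str):
    """Names of aws_db_instance blocks the rule would flag.

    Mirrors the rule's `[$SOMETHING, ...]` pattern: a block passes only
    when the list exists and has at least one element.
    """
    return [name for name, body in find_db_instances(hcl) if not log_exports(body)]


if __name__ == "__main__":
    for name in missing_log_exports(SAMPLE_TF):
        print(f"aws-db-instance-no-logging: aws_db_instance.{name}")
```

Run against the constructed fixtures the script reports `default` and `empty` only, matching the `# ruleid` annotations above. The brace counter is what makes the check robust to nested blocks inside the resource; a plain line-by-line grep for the attribute name would also miss the empty-list case that the rule deliberately flags.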