terraform.aws.security.aws-rds-backup-no-retention.aws-rds-backup-no-retention
Author: unknown
The AWS RDS resource has no backup retention. Missing retention can cause the loss of important event information. To fix this, set a backup_retention_period greater than 0.
Definition
rules:
  - id: aws-rds-backup-no-retention
    patterns:
      - pattern-either:
          - pattern: |
              resource "aws_rds_cluster" $ANYTHING {
                ...
                backup_retention_period = 0
                ...
              }
          - pattern: |
              resource "aws_db_instance" $ANYTHING {
                ...
                backup_retention_period = 0
                ...
              }
    message: The AWS RDS has no retention. Missing retention can cause losing
      important event information. To fix this, set a `backup_retention_period`.
    languages:
      - hcl
    severity: WARNING
    metadata:
      owasp:
        - A03:2017 - Sensitive Data Exposure
      cwe:
        - "CWE-320: CWE CATEGORY: Key Management Errors"
      technology:
        - aws
        - terraform
      category: security
      references:
        - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
      subcategory:
        - vuln
      likelihood: MEDIUM
      impact: MEDIUM
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cryptographic Issues
Examples
aws-rds-backup-no-retention.tf
resource "aws_rds_cluster" "pass" {
  backup_retention_period = 35
}
resource "aws_rds_cluster" "pass2" {
}
# ruleid: aws-rds-backup-no-retention
resource "aws_rds_cluster" "fail2" {
  backup_retention_period = 0
}
resource "aws_db_instance" "pass" {
  backup_retention_period = 35
}
resource "aws_db_instance" "pass2" {
}
# ruleid: aws-rds-backup-no-retention
resource "aws_db_instance" "fail" {
  backup_retention_period = 0
}
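The rule above matches only an explicit `backup_retention_period = 0`, so the `pass2` resources, which omit the attribute, are not reported. The following is an added example, not the rule's own code and not Semgrep's engine: a small Python re-implementation of the check that runs the same logic over the test cases, with an optional mode that goes beyond the rule by also reporting resources whose omitted attribute falls back to a provider default of 0. The default values (0 for `aws_db_instance`, 1 for `aws_rds_cluster`) are taken from the Terraform AWS provider documentation and are an assumption of this example, not something the rule encodes; the `timeouts` block and the `aws_s3_bucket` resource in the sample are constructed additions to exercise nested braces and non-RDS resources.

```python
"""Added example: minimal re-implementation of the aws-rds-backup-no-retention
check in plain Python. Not Semgrep's engine and not the rule's own code."""
import re
from typing import Iterator, List, Optional, Tuple

# Resource types the Semgrep rule targets.
RDS_TYPES = {"aws_rds_cluster", "aws_db_instance"}

# Assumption (Terraform AWS provider docs, not part of the rule): when
# backup_retention_period is omitted the provider default is 0 for
# aws_db_instance and 1 for aws_rds_cluster.
PROVIDER_DEFAULT = {"aws_rds_cluster": 1, "aws_db_instance": 0}

HEADER_RE = re.compile(r'resource\s+"([^"]+)"\s+"([^"]+)"\s*\{')
RETENTION_RE = re.compile(r"^\s*backup_retention_period\s*=\s*(\d+)\s*$", re.MULTILINE)


def find_resources(hcl: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (type, name, body) for each top-level resource block.

    Brace depth is tracked so nested blocks such as timeouts { ... } do not
    end the body early. Braces inside strings or comments are not handled;
    that is a simplification of this example, not of Semgrep's HCL parser."""
    pos = 0
    while (m := HEADER_RE.search(hcl, pos)):
        depth, i = 1, m.end()
        while i < len(hcl) and depth:
            if hcl[i] == "{":
                depth += 1
            elif hcl[i] == "}":
                depth -= 1
            i += 1
        yield m.group(1), m.group(2), hcl[m.end():i - 1]
        pos = i


def explicit_retention(body: str) -> Optional[int]:
    """Return the integer backup_retention_period set in the body, or None."""
    m = RETENTION_RE.search(body)
    return int(m.group(1)) if m else None


def check(hcl: str, flag_implicit_default: bool = False) -> List[Tuple[str, str, str]]:
    """Return (type, name, reason) for each RDS resource without backup retention.

    With flag_implicit_default=False this mirrors the Semgrep rule: only an
    explicit `backup_retention_period = 0` is reported. With True it also
    reports resources whose omitted attribute falls back to a provider
    default of 0, which the Semgrep rule does not catch."""
    findings = []
    for rtype, name, body in find_resources(hcl):
        if rtype not in RDS_TYPES:
            continue
        retention = explicit_retention(body)
        if retention == 0:
            findings.append((rtype, name, "explicit 0"))
        elif retention is None and flag_implicit_default and PROVIDER_DEFAULT[rtype] == 0:
            findings.append((rtype, name, "omitted, provider default 0"))
    return findings


# Constructed sample: the rule's test cases plus a nested timeouts block and
# an unrelated resource type, to exercise the scanner.
SAMPLE_TF = """
resource "aws_rds_cluster" "pass" {
  backup_retention_period = 35
}
resource "aws_rds_cluster" "pass2" {
}
resource "aws_rds_cluster" "fail2" {
  backup_retention_period = 0
}
resource "aws_db_instance" "pass" {
  backup_retention_period = 35
  timeouts {
    create = "60m"
  }
}
resource "aws_db_instance" "pass2" {
}
resource "aws_db_instance" "fail" {
  backup_retention_period = 0
}
resource "aws_s3_bucket" "unrelated" {
}
"""

if __name__ == "__main__":
    for finding in check(SAMPLE_TF):
        print("rule-equivalent:", finding)
    for finding in check(SAMPLE_TF, flag_implicit_default=True):
        print("with-defaults:  ", finding)
```

Run as-is it reports `fail2` and `fail`, exactly the two `ruleid` cases in the test file; the second pass additionally reports `aws_db_instance.pass2`, which is the gap worth knowing about when relying on this rule alone: an `aws_db_instance` that never sets the attribute ends up with zero days of automated backups yet passes the scan.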
Short Link: https://sg.run/OyYB