terraform.lang.security.rds-public-access.rds-public-access

profile photo of semgrepsemgrep
Author
unknown
Download Count*

RDS instance accessible from the Internet detected.

Run Locally

Run in CI

Defintion

rules:
  - id: rds-public-access
    patterns:
      - pattern: publicly_accessible = true
      - pattern-inside: |
          resource "aws_db_instance" "..." {
            ...
          }
    languages:
      - hcl
    severity: WARNING
    message: RDS instance accessible from the Internet detected.
    metadata:
      references:
        - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#publicly_accessible
        - https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_VPC.WorkingWithRDSInstanceinaVPC.html#USER_VPC.Hiding
      cwe:
        - "CWE-284: Improper Access Control"
      category: security
      technology:
        - terraform
        - aws
      owasp:
        - A05:2017 - Broken Access Control
        - A01:2021 - Broken Access Control
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Improper Authorization

Examples

rds-public-access.tf

resource "aws_db_instance" "good_with_defaults" {
  # ok: rds-public-access
  allocated_storage = 10
  engine            = "mysql"
  engine_version    = "5.7"
  instance_class    = "db.t3.micro"
  name              = "mydb"
}

resource "aws_db_instance" "good" {
  allocated_storage   = 10
  engine              = "mysql"
  engine_version      = "5.7"
  instance_class      = "db.t3.micro"
  name                = "mydb"

  # ok: rds-public-access
  publicly_accessible = false
}

resource "aws_db_instance" "bad" {
  allocated_storage   = 10
  engine              = "mysql"
  engine_version      = "5.7"
  instance_class      = "db.t3.micro"
  name                = "mydb"

  # ruleid: rds-public-access
  publicly_accessible = true
}