in src/packs/aws-solutions.ts [398:721]
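/**
 * Applies the AwsSolutions database checks (RDS/Aurora, DynamoDB/DAX,
 * ElastiCache, Neptune, Redshift, DocumentDB, Timestream) to one
 * CloudFormation resource.
 *
 * Every rule receives every `node`; the per-resource-type filtering is
 * expected to live inside each rule function (not visible here). This
 * method only binds a rule to its pack-level id (`ruleSuffixOverride`),
 * its severity and its user-facing text, in the order listed below.
 *
 * Fixed in this revision: the N2 `info` text was inverted ("does have"),
 * and several user-facing strings carried typos (PostgresSQL, databse,
 * Resdhsift, "can be adjust", "must enabled").
 *
 * @param node - The L1 CloudFormation resource being inspected.
 */
private checkDatabases(node: CfnResource): void {
  // --- RDS / Aurora ---------------------------------------------------
  this.applyRule({
    ruleSuffixOverride: 'RDS2',
    info: 'The RDS instance or Aurora DB cluster does not have storage encryption enabled.',
    explanation:
      'Storage encryption helps protect data-at-rest by encrypting the underlying storage, automated backups, read replicas, and snapshots for the database.',
    level: NagMessageLevel.ERROR,
    rule: RDSStorageEncrypted,
    node,
  });
  this.applyRule({
    ruleSuffixOverride: 'RDS6',
    info: 'The RDS Aurora MySQL/PostgreSQL cluster does not have IAM Database Authentication enabled.',
    explanation:
      "With IAM Database Authentication enabled, the system doesn't have to use a password when connecting to the MySQL/PostgreSQL database instances, instead it uses an authentication token.",
    level: NagMessageLevel.ERROR,
    rule: AuroraMySQLPostgresIAMAuth,
    node,
  });
  this.applyRule({
    ruleSuffixOverride: 'RDS10',
    info: 'The RDS instance or Aurora DB cluster does not have deletion protection enabled.',
    explanation:
      'The deletion protection feature helps protect the database from being accidentally deleted.',
    level: NagMessageLevel.ERROR,
    rule: RDSInstanceDeletionProtectionEnabled,
    node,
  });
  // RDS11 / AEC5 / RS4 / DOC2: a non-default port only raises the bar for
  // untargeted scanning. It is defense in depth, not a substitute for
  // security-group / network-ACL restrictions on the database endpoint.
  this.applyRule({
    ruleSuffixOverride: 'RDS11',
    info: 'The RDS instance or Aurora DB cluster uses the default endpoint port.',
    explanation:
      'Port obfuscation (using a non default endpoint port) adds an additional layer of defense against non-targeted attacks (i.e. MySQL/Aurora port 3306, SQL Server port 1433, PostgreSQL port 5432, etc).',
    level: NagMessageLevel.ERROR,
    rule: RDSNonDefaultPort,
    node,
  });
  this.applyRule({
    ruleSuffixOverride: 'RDS13',
    info: 'The RDS instance is not configured for automated backups.',
    explanation: 'Automated backups allow for point-in-time recovery.',
    level: NagMessageLevel.ERROR,
    rule: RDSInstanceBackupEnabled,
    node,
  });
  this.applyRule({
    ruleSuffixOverride: 'RDS14',
    info: 'The RDS Aurora MySQL cluster does not have Backtrack enabled.',
    explanation:
      'Backtrack allows operators to rewind cluster tables to a specific time, without using backups.',
    level: NagMessageLevel.ERROR,
    rule: AuroraMySQLBacktrack,
    node,
  });
  // NOTE(review): RDS10 and RDS15 both bind RDSInstanceDeletionProtectionEnabled,
  // so one unprotected database is reported twice under two ids. Left as-is
  // here because rule ids are part of the pack's public surface (suppressions
  // reference them); consolidating is a deliberate, documented change.
  this.applyRule({
    ruleSuffixOverride: 'RDS15',
    info: 'The RDS DB instance or Aurora DB cluster does not have deletion protection enabled.',
    explanation:
      'Enabling Deletion Protection at the cluster level for Amazon Aurora databases or instance level for non Aurora instances helps protect from accidental deletion.',
    level: NagMessageLevel.ERROR,
    rule: RDSInstanceDeletionProtectionEnabled,
    node,
  });
  this.applyRule({
    ruleSuffixOverride: 'RDS16',
    info: 'The RDS Aurora MySQL serverless cluster does not have audit, error, general, and slowquery Log Exports enabled.',
    explanation:
      'This allows operators to use CloudWatch to view logs to help diagnose problems in the database.',
    level: NagMessageLevel.ERROR,
    rule: AuroraMySQLLogging,
    node,
  });

  // --- DynamoDB / DAX -------------------------------------------------
  // DDB3 is the only WARN-level RDS/DDB check in this group; the rest are
  // ERROR. Keep that in mind when comparing with other packs' severities.
  this.applyRule({
    ruleSuffixOverride: 'DDB3',
    info: 'The DynamoDB table does not have Point-in-time Recovery enabled.',
    explanation:
      'DynamoDB continuous backups represent an additional layer of insurance against accidental loss of data on top of on-demand backups. The DynamoDB service can back up the data with per-second granularity and restore it to any single second from the time PITR was enabled up to the prior 35 days.',
    level: NagMessageLevel.WARN,
    rule: DynamoDBPITREnabled,
    node,
  });
  this.applyRule({
    ruleSuffixOverride: 'DDB4',
    info: 'The DAX cluster does not have server-side encryption enabled.',
    explanation:
      'Data in cache, configuration data and log files should be encrypted using Server-Side Encryption in order to protect from unauthorized access to the underlying storage.',
    level: NagMessageLevel.ERROR,
    rule: DAXEncrypted,
    node,
  });

  // --- ElastiCache ----------------------------------------------------
  this.applyRule({
    ruleSuffixOverride: 'AEC1',
    info: 'The ElastiCache cluster is not provisioned in a VPC.',
    explanation:
      'Provisioning the cluster within a VPC allows for better flexibility and control over the cache clusters security, availability, traffic routing and more.',
    level: NagMessageLevel.ERROR,
    rule: ElastiCacheClusterInVPC,
    node,
  });
  this.applyRule({
    ruleSuffixOverride: 'AEC3',
    info: 'The ElastiCache Redis cluster does not have both encryption in transit and at rest enabled.',
    explanation:
      'Encryption in transit helps secure communications to the cluster. Encryption at rest helps protect data at rest from unauthorized access.',
    level: NagMessageLevel.ERROR,
    rule: ElastiCacheRedisClusterEncryption,
    node,
  });
  this.applyRule({
    ruleSuffixOverride: 'AEC4',
    info: 'The ElastiCache Redis cluster is not deployed in a Multi-AZ configuration.',
    explanation:
      'The cluster should use a Multi-AZ deployment configuration for high availability.',
    level: NagMessageLevel.ERROR,
    rule: ElastiCacheRedisClusterMultiAZ,
    node,
  });
  this.applyRule({
    ruleSuffixOverride: 'AEC5',
    info: 'The ElastiCache cluster uses the default endpoint port.',
    explanation:
      'Port obfuscation (using a non default endpoint port) adds an additional layer of defense against non-targeted attacks (i.e. Redis port 6379 and Memcached port 11211).',
    level: NagMessageLevel.ERROR,
    rule: ElastiCacheClusterNonDefaultPort,
    node,
  });
  // AEC6 complements AEC3: AUTH only protects the cluster when transit
  // encryption is on, otherwise the token crosses the network in clear text.
  this.applyRule({
    ruleSuffixOverride: 'AEC6',
    info: 'The ElastiCache Redis cluster does not use Redis AUTH for user authentication.',
    explanation:
      'Redis authentication tokens enable Redis to require a token (password) before allowing clients to execute commands, thereby improving data security.',
    level: NagMessageLevel.ERROR,
    rule: ElastiCacheRedisClusterRedisAuth,
    node,
  });

  // --- Neptune --------------------------------------------------------
  this.applyRule({
    ruleSuffixOverride: 'N1',
    info: 'The Neptune DB cluster is not deployed in a Multi-AZ configuration.',
    explanation:
      'The cluster should use a Multi-AZ deployment configuration for high availability.',
    level: NagMessageLevel.ERROR,
    rule: NeptuneClusterMultiAZ,
    node,
  });
  // The original info text read "does have", which contradicted the
  // explanation and the "does not have" phrasing of every other rule here.
  this.applyRule({
    ruleSuffixOverride: 'N2',
    info: 'The Neptune DB instance does not have Auto Minor Version Upgrade enabled.',
    explanation:
      'The Neptune service regularly releases engine updates. Enabling Auto Minor Version Upgrade will allow the service to automatically apply these upgrades to DB Instances.',
    level: NagMessageLevel.ERROR,
    rule: NeptuneClusterAutomaticMinorVersionUpgrade,
    node,
  });
  this.applyRule({
    ruleSuffixOverride: 'N3',
    info: 'The Neptune DB cluster does not have a reasonable minimum backup retention period configured.',
    explanation:
      'The retention period represents the number of days to retain automated snapshots. A minimum retention period of 7 days is recommended but can be adjusted to meet system requirements.',
    level: NagMessageLevel.ERROR,
    rule: NeptuneClusterBackupRetentionPeriod,
    node,
  });
  this.applyRule({
    ruleSuffixOverride: 'N4',
    info: 'The Neptune DB cluster does not have encryption at rest enabled.',
    explanation:
      'Encrypting data-at-rest protects data confidentiality and prevents unauthorized users from accessing sensitive information.',
    level: NagMessageLevel.ERROR,
    rule: NeptuneClusterEncryptionAtRest,
    node,
  });
  this.applyRule({
    ruleSuffixOverride: 'N5',
    info: 'The Neptune DB cluster does not have IAM Database Authentication enabled.',
    explanation:
      "With IAM Database Authentication enabled, the system doesn't have to use a password when connecting to the cluster.",
    level: NagMessageLevel.ERROR,
    rule: NeptuneClusterIAMAuth,
    node,
  });

  // --- Redshift -------------------------------------------------------
  this.applyRule({
    ruleSuffixOverride: 'RS1',
    info: 'The Redshift cluster does not require TLS/SSL encryption.',
    explanation:
      'Enabling the "require_ssl" parameter secures data-in-transit by encrypting the connection between the clients and the Redshift clusters.',
    level: NagMessageLevel.ERROR,
    rule: RedshiftRequireTlsSSL,
    node,
  });
  this.applyRule({
    ruleSuffixOverride: 'RS2',
    info: 'The Redshift cluster is not provisioned in a VPC.',
    explanation:
      'Provisioning the cluster within a VPC allows for better flexibility and control over the Redshift clusters security, availability, traffic routing and more.',
    level: NagMessageLevel.ERROR,
    rule: RedshiftClusterInVPC,
    node,
  });
  this.applyRule({
    ruleSuffixOverride: 'RS3',
    info: 'The Redshift cluster uses the default "awsuser" username.',
    explanation:
      'Using a custom master user name instead of the default master user name (i.e. "awsuser") provides an additional layer of defense against non-targeted attacks.',
    level: NagMessageLevel.ERROR,
    rule: RedshiftClusterNonDefaultUsername,
    node,
  });
  this.applyRule({
    ruleSuffixOverride: 'RS4',
    info: 'The Redshift cluster uses the default endpoint port.',
    explanation:
      'Port obfuscation (using a non default endpoint port) adds an additional layer of defense against non-targeted attacks (i.e. Redshift port 5439).',
    level: NagMessageLevel.ERROR,
    rule: RedshiftClusterNonDefaultPort,
    node,
  });
  this.applyRule({
    ruleSuffixOverride: 'RS5',
    info: 'The Redshift cluster does not have audit logging enabled.',
    explanation:
      'Audit logging helps operators troubleshoot issues and ensure security.',
    level: NagMessageLevel.ERROR,
    rule: RedshiftClusterAuditLogging,
    node,
  });
  this.applyRule({
    ruleSuffixOverride: 'RS6',
    info: 'The Redshift cluster does not have encryption at rest enabled.',
    explanation: 'Encrypting data-at-rest protects data confidentiality.',
    level: NagMessageLevel.ERROR,
    rule: RedshiftClusterEncryptionAtRest,
    node,
  });
  this.applyRule({
    ruleSuffixOverride: 'RS8',
    info: 'The Redshift cluster is publicly accessible.',
    explanation:
      'Disabling public accessibility helps minimize security risks.',
    level: NagMessageLevel.ERROR,
    rule: RedshiftClusterPublicAccess,
    node,
  });
  this.applyRule({
    ruleSuffixOverride: 'RS9',
    info: 'The Redshift cluster does not have version upgrade enabled.',
    explanation:
      'Version Upgrade must be enabled to enable the cluster to automatically receive upgrades during the maintenance window.',
    level: NagMessageLevel.ERROR,
    rule: RedshiftClusterVersionUpgrade,
    node,
  });
  this.applyRule({
    ruleSuffixOverride: 'RS10',
    info: 'The Redshift cluster does not have a retention period for automated snapshots configured.',
    explanation:
      'The retention period represents the number of days to retain automated snapshots. A positive retention period should be set to configure this feature.',
    level: NagMessageLevel.ERROR,
    rule: RedshiftBackupEnabled,
    node,
  });
  // RS11 is distinct from RS5: audit logging (RS5) records connections and
  // user changes, while user activity logging records each query. Both are
  // needed for a complete forensic trail.
  this.applyRule({
    ruleSuffixOverride: 'RS11',
    info: 'The Redshift cluster does not have user activity logging enabled.',
    explanation:
      'User activity logging logs each query before it is performed on the clusters database. To enable this feature associate a Redshift Cluster Parameter Group with the "enable_user_activity_logging" parameter set to "true".',
    level: NagMessageLevel.ERROR,
    rule: RedshiftClusterUserActivityLogging,
    node,
  });

  // --- DocumentDB -----------------------------------------------------
  this.applyRule({
    ruleSuffixOverride: 'DOC1',
    info: 'The Document DB cluster does not have encryption at rest enabled.',
    explanation:
      'Encrypting data-at-rest protects data confidentiality and prevents unauthorized users from accessing sensitive information.',
    level: NagMessageLevel.ERROR,
    rule: DocumentDBClusterEncryptionAtRest,
    node,
  });
  this.applyRule({
    ruleSuffixOverride: 'DOC2',
    info: 'The Document DB cluster uses the default endpoint port.',
    explanation:
      'Port obfuscation (using a non default endpoint port) adds an additional layer of defense against non-targeted attacks (i.e. MongoDB port 27017).',
    level: NagMessageLevel.ERROR,
    rule: DocumentDBClusterNonDefaultPort,
    node,
  });
  this.applyRule({
    ruleSuffixOverride: 'DOC3',
    info: 'The Document DB cluster does not have the username and password stored in Secrets Manager.',
    explanation:
      "Secrets Manager enables operators to replace hardcoded credentials in your code, including passwords, with an API call to Secrets Manager to retrieve the secret programmatically. This helps ensure the secret can't be compromised by someone examining system code, because the secret no longer exists in the code. Also, operators can configure Secrets Manager to automatically rotate the secret for you according to a specified schedule. This enables you to replace long-term secrets with short-term ones, significantly reducing the risk of compromise.",
    level: NagMessageLevel.ERROR,
    rule: DocumentDBCredentialsInSecretsManager,
    node,
  });
  this.applyRule({
    ruleSuffixOverride: 'DOC4',
    info: 'The Document DB cluster does not have a reasonable minimum backup retention period configured.',
    explanation:
      'The retention period represents the number of days to retain automated snapshots. A minimum retention period of 7 days is recommended but can be adjusted to meet system requirements.',
    level: NagMessageLevel.ERROR,
    rule: DocumentDBClusterBackupRetentionPeriod,
    node,
  });
  this.applyRule({
    ruleSuffixOverride: 'DOC5',
    info: 'The Document DB cluster does not have authenticate, createIndex, and dropCollection Log Exports enabled.',
    explanation:
      'This allows operators to use CloudWatch to view logs to help diagnose problems in the database. The events recorded by the AWS DocumentDB audit logs include successful and failed authentication attempts, creating indexes or dropping a collection in a database within the DocumentDB cluster.',
    level: NagMessageLevel.ERROR,
    rule: DocumentDBClusterLogExports,
    node,
  });

  // --- Timestream -----------------------------------------------------
  // WARN rather than ERROR: AWS-managed keys already encrypt at rest, so
  // a CMK is a key-governance preference, not a missing control.
  this.applyRule({
    ruleSuffixOverride: 'TS3',
    info: 'The Timestream database does not use a Customer Managed KMS Key for at rest encryption.',
    explanation:
      'All Timestream tables in a database are encrypted at rest by default using AWS Managed Key. These keys are rotated every three years. Data at rest must be encrypted using CMKs if you require more control over the permissions and lifecycle of your keys, including the ability to have them automatically rotated on an annual basis.',
    level: NagMessageLevel.WARN,
    rule: TimestreamDatabaseCustomerManagedKey,
    node,
  });
}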