turbot/steampipe-mod-aws-compliance

Control: 44 RDS for MariaDB DB instances should be encrypted in transit

Description

This control checks whether connections to an Amazon RDS for MariaDB DB instance are encrypted in transit. The control fails if the DB parameter group associated with the DB instance is not in sync, or the require_secure_transport parameter of the parameter group is not set to ON.

Note: This control doesn't evaluate Amazon RDS DB instances that use MariaDB versions earlier than version 10.5. The require_secure_transport parameter is supported only for MariaDB versions 10.5 and later.

Data in transit refers to data that moves from one location to another, such as between nodes in a DB cluster or between a DB cluster and a client application. Data can move across the internet or within a private network. Encrypting data in transit reduces the risk of unauthorized users eavesdropping on network traffic.

Remediation

For information about enabling SSL/TLS for connections to an Amazon RDS for MariaDB DB instance, see Requiring SSL/TLS for all connections to a MariaDB DB instance in the Amazon Relational Database Service User Guide.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_rds_44

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_rds_44 --share

SQL

This control uses a named query:

with instance_pg as (
  select
    g ->> 'DBParameterGroupName' as pg_name,
    i.engine,
    i.title,
    i.arn,
    i.tags,
    i.region,
    i.account_id,
    i._ctx
  from
    aws_rds_db_instance as i,
    jsonb_array_elements(db_parameter_groups) as g
), pg_with_encryption_in_transit_enabled as (
  select
    g.name,
    g.account_id,
    g.region
  from
    instance_pg as i,
    aws_rds_db_parameter_group as g,
    jsonb_array_elements(parameters) as p
  where
    i.pg_name = g.name
    and g.account_id = i.account_id
    and g.region = i.region
    and p ->> 'ParameterName' = 'require_secure_transport'
    and p ->> 'ParameterValue' = '1'
)
select
  i.arn as resource,
  engine,
  case
    when engine <> 'mariadb' then 'skip'
    when p.name is not null then 'ok'
    else 'alarm'
  end as status,
  case
    when engine <> 'mariadb' then title || ' is of ' || engine || ' type.'
    when p.name is not null then title || ' encryption in transit enabled.'
    else title || ' encryption in transit disabled.'
  end as reason,
  i.region,
  i.account_id
from
  instance_pg as i
  left join pg_with_encryption_in_transit_enabled as p on p.name = i.pg_name and p.account_id = i.account_id and p.region = i.region;
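The same decision logic as the named query above, carried out in Python over constructed sample rows so the three outcomes can be traced by hand. This is an added example, not code from the steampipe-mod-aws-compliance project; the rows imitate the columns the query reads (`db_parameter_groups` and `parameters` JSON) and it additionally applies the two conditions from the Description that the query does not express: the parameter group must be `in-sync`, and MariaDB versions before 10.5 are skipped (the `engine_version` column and the status value `pending-reboot` are assumptions here).

```python
# Constructed sample rows shaped like aws_rds_db_instance.db_parameter_groups
# and aws_rds_db_parameter_group.parameters (not live AWS output).
INSTANCES = [
    {"arn": "arn:aws:rds:us-east-1:111122223333:db:tls-on", "title": "tls-on",
     "engine": "mariadb", "engine_version": "10.6.14",
     "db_parameter_groups": [{"DBParameterGroupName": "pg-tls", "DBParameterGroupStatus": "in-sync"}]},
    {"arn": "arn:aws:rds:us-east-1:111122223333:db:tls-off", "title": "tls-off",
     "engine": "mariadb", "engine_version": "10.6.14",
     "db_parameter_groups": [{"DBParameterGroupName": "pg-plain", "DBParameterGroupStatus": "in-sync"}]},
    {"arn": "arn:aws:rds:us-east-1:111122223333:db:pending", "title": "pending",
     "engine": "mariadb", "engine_version": "10.6.14",
     "db_parameter_groups": [{"DBParameterGroupName": "pg-tls", "DBParameterGroupStatus": "pending-reboot"}]},
    {"arn": "arn:aws:rds:us-east-1:111122223333:db:old", "title": "old",
     "engine": "mariadb", "engine_version": "10.4.30",
     "db_parameter_groups": [{"DBParameterGroupName": "pg-plain", "DBParameterGroupStatus": "in-sync"}]},
    {"arn": "arn:aws:rds:us-east-1:111122223333:db:pg", "title": "pg",
     "engine": "postgres", "engine_version": "15.4",
     "db_parameter_groups": [{"DBParameterGroupName": "default.postgres15", "DBParameterGroupStatus": "in-sync"}]},
]
# Parameter group name -> its parameters (constructed).
PARAMETER_GROUPS = {
    "pg-tls": [{"ParameterName": "require_secure_transport", "ParameterValue": "1"}],
    "pg-plain": [{"ParameterName": "require_secure_transport", "ParameterValue": "0"}],
    "default.postgres15": [],
}

def _major_minor(version):
    """'10.6.14' -> (10, 6); the control only applies to MariaDB 10.5+."""
    parts = version.split(".")
    return int(parts[0]), int(parts[1])

def evaluate(instance, groups):
    """Return (status, reason) for one instance: skip / ok / alarm."""
    title, engine = instance["title"], instance["engine"]
    if engine != "mariadb":
        return "skip", f"{title} is of {engine} type."
    if _major_minor(instance["engine_version"]) < (10, 5):
        return "skip", f"{title} runs MariaDB < 10.5; require_secure_transport not supported."
    for g in instance["db_parameter_groups"]:
        if g.get("DBParameterGroupStatus") != "in-sync":
            return "alarm", f"{title} parameter group {g['DBParameterGroupName']} is not in sync."
        for p in groups.get(g["DBParameterGroupName"], []):
            # The query compares against '1'; the Description says ON. Accept both.
            if p["ParameterName"] == "require_secure_transport" and p["ParameterValue"] in ("1", "ON"):
                return "ok", f"{title} encryption in transit enabled."
    return "alarm", f"{title} encryption in transit disabled."

def run_control(instances, groups):
    """Map each instance ARN to its (status, reason), like the query's result rows."""
    return {i["arn"]: evaluate(i, groups) for i in instances}
```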

Tags