Azure and GCP Perimeter Security, CIS Updates, and Enhanced Plugins →
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-aws-compliance
Overview
35Dashboards
1534Benchmarks
673Queries
9Variables
GitHub

Control: 44 RDS for MariaDB DB instances should be encrypted in transit

Description

This control checks whether connections to an Amazon RDS for MariaDB DB instance are encrypted in transit. The control fails if the DB parameter group associated with the DB instance is not in sync, or the require_secure_transport parameter of the parameter group is not set to ON.

Note: This control doesn't evaluate Amazon RDS DB instances that use MariaDB versions earlier than version 10.5. The require_secure_transport parameter is supported only for MariaDB versions 10.5 and later.

Data in transit refers to data that moves from one location to another, such as between nodes in a DB cluster or between a DB cluster and a client application. Data can move across the internet or within a private network. Encrypting data in transit reduces the risk of unauthorized users eavesdropping on network traffic.

Remediation

For information about enabling SSL/TLS for connections to an Amazon RDS for MariaDB DB instance, see Requiring SSL/TLS for all connections to a MariaDB DB instance in the Amazon Relational Database Service User Guide.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_rds_44

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_rds_44 --share

SQL

This control uses a named query:

 with instance_pg as (
  select
    g ->> 'DBParameterGroupName' as pg_name,
    i.engine,
    i.title,
    i.arn,
    i.tags,
    i.region,
    i.account_id,
    i._ctx
  from
    aws_rds_db_instance as i,
    jsonb_array_elements(db_parameter_groups) as g
), pg_with_encryption_in_transit_enabled as (
  select
    g.name,
    g.account_id,
    g.region
  from
    instance_pg as i,
    aws_rds_db_parameter_group as g,
    jsonb_array_elements(parameters) as p
  where
    i.pg_name = g.name
    and g.account_id = i.account_id
    and g.region = i.region
    and p ->> 'ParameterName' = 'require_secure_transport'
    and p ->> 'ParameterValue' = '1'
)
select
  i.arn as resource,
  engine,
  case
    when engine <> 'mariadb' then 'skip'
    when p.name is not null then 'ok'
    else 'alarm'
  end as status,
  case
    when engine <> 'mariadb' then title || ' is of ' || engine || ' type.'
    when p.name is not null then title || ' encryption in transit enabled.'
    else title || ' encryption in transit disabled.'
  end as reason
  
  , i.region, i.account_id
from
  instance_pg as i
  left join pg_with_encryption_in_transit_enabled as p on p.name = i.pg_name and p.account_id = i.account_id and p.region = i.region;

Tags

aws_foundational_security = true
category = Compliance
foundational_security_category = encryption_of_data_in_transit
foundational_security_item_id = rds_44
plugin = aws
service = AWS/RDS