Control: RDS for MariaDB DB instances should be encrypted in transit
Description
This control checks whether connections to an Amazon RDS for MariaDB DB instance are encrypted in transit. The control fails if the DB parameter group associated with the DB instance is not in sync, or the require_secure_transport parameter of the parameter group is not set to ON.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.rds_db_instance_mariadb_encryption_in_transit_enabled
Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run aws_compliance.control.rds_db_instance_mariadb_encryption_in_transit_enabled --share
SQL
This control uses a named query:
with instance_pg as ( select g ->> 'DBParameterGroupName' as pg_name, i.engine, i.title, i.arn, i.tags, i.region, i.account_id, i._ctx from aws_rds_db_instance as i, jsonb_array_elements(db_parameter_groups) as g), pg_with_encryption_in_transit_enabled as ( select g.name, g.account_id, g.region from instance_pg as i, aws_rds_db_parameter_group as g, jsonb_array_elements(parameters) as p where i.pg_name = g.name and g.account_id = i.account_id and g.region = i.region and p ->> 'ParameterName' = 'require_secure_transport' and p ->> 'ParameterValue' = '1')select i.arn as resource, engine, case when engine <> 'mariadb' then 'skip' when p.name is not null then 'ok' else 'alarm' end as status, case when engine <> 'mariadb' then title || ' is of ' || engine || ' type.' when p.name is not null then title || ' encryption in transit enabled.' else title || ' encryption in transit disabled.' end as reason , i.region, i.account_idfrom instance_pg as i left join pg_with_encryption_in_transit_enabled as p on p.name = i.pg_name and p.account_id = i.account_id and p.region = i.region;