turbot/steampipe-mod-aws-compliance

Control: RDS for MariaDB DB instances should be encrypted in transit

Description

This control checks whether connections to an Amazon RDS for MariaDB DB instance are encrypted in transit. The control fails if the DB parameter group associated with the DB instance is not in sync, or the require_secure_transport parameter of the parameter group is not set to ON.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.rds_db_instance_mariadb_encryption_in_transit_enabled

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.rds_db_instance_mariadb_encryption_in_transit_enabled --share

SQL

This control uses a named query:

with instance_pg as (
select
g ->> 'DBParameterGroupName' as pg_name,
i.engine,
i.title,
i.arn,
i.tags,
i.region,
i.account_id,
i._ctx
from
aws_rds_db_instance as i,
jsonb_array_elements(db_parameter_groups) as g
), pg_with_encryption_in_transit_enabled as (
select
g.name,
g.account_id,
g.region
from
instance_pg as i,
aws_rds_db_parameter_group as g,
jsonb_array_elements(parameters) as p
where
i.pg_name = g.name
and g.account_id = i.account_id
and g.region = i.region
and p ->> 'ParameterName' = 'require_secure_transport'
and p ->> 'ParameterValue' = '1'
)
select
i.arn as resource,
engine,
case
when engine <> 'mariadb' then 'skip'
when p.name is not null then 'ok'
else 'alarm'
end as status,
case
when engine <> 'mariadb' then title || ' is of ' || engine || ' type.'
when p.name is not null then title || ' encryption in transit enabled.'
else title || ' encryption in transit disabled.'
end as reason
, i.region, i.account_id
from
instance_pg as i
left join pg_with_encryption_in_transit_enabled as p on p.name = i.pg_name and p.account_id = i.account_id and p.region = i.region;

Tags