
feat(cloud): add the DeletionProtection attribute to the RDS Cluster #1443

Merged
merged 5 commits into from
Sep 5, 2023
Conversation

dorayakikun
Contributor

@dorayakikun dorayakikun commented Aug 31, 2023

Fixes aquasecurity/trivy#5112

Motivation

I want to avert some human mistakes in the RDS Cluster, but I can't detect them now.
(Now, I can only detect the RDS instance's deletionProtection.)

For example, the code below is not working as intended.

deny[res] {
	cluster := input.aws.rds.clusters[_]
	instance := cluster.instances[_]
	not instance.deletionprotection.value
	res := result.new("Cluster does not have Deletion Protection enabled", instance.deletionprotection)
}

So, I would like to add the DeletionProtection attribute to the RDS Cluster.

@CLAassistant

CLAassistant commented Aug 31, 2023

CLA assistant check
All committers have signed the CLA.

@simar7
Member

simar7 commented Aug 31, 2023

I see. Thanks for the PR. Would you also mind creating a new Rego Rule for the clusters too? It would be similar to this rule we have for instances: https://github.com/aquasecurity/defsec/blob/master/rules/cloud/policies/aws/rds/enable_deletion_protection.rego - I think it could be beneficial for other users too.
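As an added example of the cluster-level rule requested above (this is not code from the PR or from defsec), assuming the new attribute is exposed on each cluster as cluster.deletionprotection with a boolean value, mirroring the instance attribute; the package name is a placeholder, and the unit tests rely on an evaluator that provides the result.new builtin used by the original rule:

```rego
# METADATA
# title: "RDS Cluster Deletion Protection Disabled"
# description: "Ensure deletion protection is enabled for RDS clusters."
package builtin.aws.rds.example_cluster_deletion_protection # placeholder package name

# Flag every cluster whose cluster-level attribute (assumed name:
# deletionprotection) is not set to true. Checking the cluster attribute,
# rather than instance.deletionprotection, is what makes the finding
# describe the cluster itself correctly.
deny[res] {
	cluster := input.aws.rds.clusters[_]
	not cluster.deletionprotection.value
	res := result.new("Cluster does not have Deletion Protection enabled", cluster.deletionprotection)
}

# Constructed sample inputs for the unit tests below.
unprotected_cluster := {"aws": {"rds": {"clusters": [{"deletionprotection": {"value": false}}]}}}
protected_cluster := {"aws": {"rds": {"clusters": [{"deletionprotection": {"value": true}}]}}}
# A cluster with no deletionprotection attribute at all (e.g. an adapter that
# did not populate it): `not` on an undefined value is true, so it is flagged.
cluster_without_attribute := {"aws": {"rds": {"clusters": [{"instances": []}]}}}

test_unprotected_cluster_is_denied {
	count(deny) == 1 with input as unprotected_cluster
}

test_protected_cluster_is_allowed {
	count(deny) == 0 with input as protected_cluster
}

test_missing_attribute_is_denied {
	count(deny) == 1 with input as cluster_without_attribute
}
```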

Member

@simar7 simar7 left a comment

Left a comment; you would also need to run make schema and commit the changes to pass the tests.

@dorayakikun
Contributor Author

I appreciate your warm dealing.
I've tried to add docs and policies.

Are these processes correct?
If there are any problems, please let me know.

Comment on lines 1 to 3
# METADATA
# title: "RDS Deletion Protection Disabled"
# description: "Ensure deletion protection is enabled for RDS database instances."
Member

This should be changed to adapt for clusters instead of instances.

@simar7 simar7 self-requested a review September 5, 2023 01:23
@simar7 simar7 added this pull request to the merge queue Sep 5, 2023
Merged via the queue into aquasecurity:master with commit ae6078b Sep 5, 2023
9 checks passed
@dorayakikun dorayakikun deleted the feature/rds-cluster-deletionprotection branch September 5, 2023 02:18