RDSC-4001 Example for RDS Aurora Postgres DB failover #4
base: main
Conversation
❌ Jit has detected 4 important findings in this PR that you should review.
The findings are detailed below as separate comments.
It’s highly recommended that you fix these security issues before merge.
Repository Risks:
- Database Integration: Connects to a database, often involving sensitive data that must be securely managed.
- Internally Accessible: Accessible only within the internal network, reducing exposure to external threats but still requiring proper controls.
- High Severity Findings: Indicates that the resource has high severity security findings that need attention.
Repository Context:
graph LR
  repo["GitHub Repository: redis/rdi-cloud-automation"]
  postgres["DBIntegration: postgres"]
  repo -- "Is accessible to" --> postgres
| @@ -0,0 +1,61 @@ | |||
| # SNS Topic | |||
| resource "aws_sns_topic" "rdi_failover_topic" { | |||
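Review bot: the aws_sns_topic "rdi_failover_topic" opened in this hunk sets no kms_master_key_id, which is what the Jit finding below flags; add one pointing at a customer-managed key whose key policy lets the RDS event service publish, because an encrypted topic that its publisher cannot use will drop the failover notifications this PR exists to deliver.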
Security control: Iac Misconfig Detection Terraform
SNS (Simple Notification Service) Topic should be encrypted
Severity: HIGH
Jit Bot commands and options (e.g., ignore issue)
You can trigger Jit actions by commenting on this PR review:
- #jit_ignore_fp: Ignore and mark this specific single instance of finding as “False Positive”
- #jit_ignore_accept: Ignore and mark this specific single instance of finding as “Accept Risk”
- #jit_ignore_type_in_file: Ignore any finding of type "SNS (Simple Notification Service) Topic should be encrypted" in modules/aws-rds-lambda/sns.tf; future occurrences will also be ignored.
- #jit_undo_ignore: Undo ignore command
| @@ -0,0 +1,34 @@ | |||
| resource "aws_rds_cluster" "postgresql" { | |||
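Review bot: aws_rds_cluster "postgresql" is created in this hunk without storage_encrypted, so the Aurora volume and every snapshot taken from it are unencrypted (both Jit findings on this hunk); add `storage_encrypted = true` in this PR rather than later, because the attribute cannot be changed in place and flipping it on an existing cluster means replacing the cluster.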
Security control: Iac Misconfig Detection Terraform
Amazon Aurora does not have encryption for data at rest enabled. To prevent such a scenario, update the attribute 'StorageEncrypted' to 'true'.
Severity: HIGH
Jit Bot commands and options (e.g., ignore issue)
You can trigger Jit actions by commenting on this PR review:
- #jit_ignore_fp: Ignore and mark this specific single instance of finding as “False Positive”
- #jit_ignore_accept: Ignore and mark this specific single instance of finding as “Accept Risk”
- #jit_ignore_type_in_file: Ignore any finding of type "Amazon Aurora does not have encryption for data at rest enabled. To prevent such a scenario, update the attribute 'StorageEncrypted' to 'true'." in modules/aws-rds-chinook/main.tf; future occurrences will also be ignored.
- #jit_undo_ignore: Undo ignore command
| @@ -0,0 +1,34 @@ | |||
| resource "aws_rds_cluster" "postgresql" { | |||
Security control: Iac Misconfig Detection Terraform
RDS Storage should be encrypted, which means the attribute 'storage_encrypted' should be set to 'true'
Severity: HIGH
Fix suggestion:
This fix suggestion was generated by Jit. Please note that the suggestion might not always fit every use case. It is highly recommended that you check and review it before merging.
Suggestion guidelines
Issue Type: MissingAttribute
Expected value: aws_rds_cluster.storage_encrypted should be set to true
Actual value: aws_rds_cluster.storage_encrypted is undefined
| resource "aws_rds_cluster" "postgresql" { | |
| resource "aws_rds_cluster" "postgresql" { | |
| storage_encrypted = true |
Jit Bot commands and options (e.g., ignore issue)
You can trigger Jit actions by commenting on this PR review:
- #jit_ignore_fp: Ignore and mark this specific single instance of finding as “False Positive”
- #jit_ignore_accept: Ignore and mark this specific single instance of finding as “Accept Risk”
- #jit_ignore_type_in_file: Ignore any finding of type "RDS Storage should be encrypted, which means the attribute 'storage_encrypted' should be set to 'true'" in modules/aws-rds-chinook/main.tf; future occurrences will also be ignored.
- #jit_undo_ignore: Undo ignore command
| from_port = var.db_port | ||
| to_port = var.db_port | ||
| protocol = "tcp" | ||
| cidr_blocks = ["0.0.0.0/0"] |
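Review bot: cidr_blocks = ["0.0.0.0/0"] on var.db_port opens the Postgres listener to every IPv4 address, not just to the demo path; narrow it to the VPC or internal CIDR, or reference the load balancer's security group via security_groups instead of a CIDR, since the PR description routes psql through the public LB hostname rather than to the instance directly.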
Security control: Iac Misconfig Detection Terraform
Security groups allow ingress from 0.0.0.0:0 and/or ::/0
Severity: HIGH
Fix suggestion:
This fix suggestion was generated by Jit. Please note that the suggestion might not always fit every use case. It is highly recommended that you check and review it before merging.
Suggestion guidelines
This recipe will modify the ingress rule in the AWS security group to restrict the ingress, changing the 'cidr_blocks' value from '0.0.0.0/0' to a specific CIDR block representing your internal IP range. Make sure to replace 'your-ip-range' with the actual CIDR block relevant to your network.
| cidr_blocks = ["0.0.0.0/0"] | |
| cidr_blocks = ["your-ip-range"] |
Jit Bot commands and options (e.g., ignore issue)
You can trigger Jit actions by commenting on this PR review:
- #jit_ignore_fp: Ignore and mark this specific single instance of finding as “False Positive”
- #jit_ignore_accept: Ignore and mark this specific single instance of finding as “Accept Risk”
- #jit_ignore_type_in_file: Ignore any finding of type "Security groups allow ingress from 0.0.0.0:0 and/or ::/0" in modules/aws-rds-chinook/security.tf; future occurrences will also be ignored.
- #jit_undo_ignore: Undo ignore command
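The three Jit findings above (unencrypted SNS topic, Aurora storage without storage_encrypted, DB port open to 0.0.0.0/0) resolved together, as an added example that is not the PR's own Terraform. It assumes var.db_port, var.allowed_cidr and aws_security_group.db exist in the calling module, and that the topic is fed by RDS event notifications.

```hcl
# Added example (not the PR's own code): hardened versions of the three
# resources Jit flagged. Assumed to exist in the calling module:
# var.db_port, var.allowed_cidr (internal CIDR replacing 0.0.0.0/0) and
# aws_security_group.db.
data "aws_caller_identity" "current" {}

# RDS event notifications publish as the events.rds.amazonaws.com service
# principal, so a customer-managed key on the topic must let that principal
# generate data keys; otherwise failover events never reach the topic.
data "aws_iam_policy_document" "sns_key" {
  statement {
    actions   = ["kms:*"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
    }
  }
  statement {
    actions   = ["kms:GenerateDataKey*", "kms:Decrypt"]
    resources = ["*"]
    principals {
      type        = "Service"
      identifiers = ["events.rds.amazonaws.com"]
    }
  }
}
resource "aws_kms_key" "rdi_failover" {
  enable_key_rotation = true
  policy              = data.aws_iam_policy_document.sns_key.json
}
resource "aws_sns_topic" "rdi_failover_topic" {
  kms_master_key_id = aws_kms_key.rdi_failover.arn # was unset: topic unencrypted
}
resource "aws_rds_cluster" "postgresql" {
  cluster_identifier          = "rdi-postgres"
  engine                      = "aurora-postgresql"
  master_username             = "postgres"
  manage_master_user_password = true # credentials kept in Secrets Manager, not in state
  storage_encrypted           = true # was undefined; changing it replaces an existing cluster
}
resource "aws_security_group_rule" "db_ingress" {
  type              = "ingress"
  security_group_id = aws_security_group.db.id
  from_port         = var.db_port
  to_port           = var.db_port
  protocol          = "tcp"
  cidr_blocks       = [var.allowed_cidr] # was ["0.0.0.0/0"]
}
```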
| subnets = module.rdi_quickstart_postgres.vpc_public_subnets | ||
| target_type = "instance" | ||
| target = module.rdi_quickstart_postgres.instance_id | ||
| targets = [module.rdi_quickstart_postgres.instance_id] |
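Review bot: replacing target with a targets list changes the module variable's type, so declare it as type = list(string) with default = [] so that zero targets is valid (as the reviewer below asks), and make sure the target group attachment iterates over the list with for_each or count rather than indexing element [0], which would fail on the empty default.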
Allow 0 or more targets instead of requiring exactly 1. This way we can reuse the module for both examples.
Can we update the root README.md please?
Also small nit, but can we rename the examples folder
Add an example of PrivateLink for RDS Aurora Postgres based on the AWS blog: https://aws.amazon.com/blogs/database/access-amazon-rds-across-vpcs-using-aws-privatelink-and-network-load-balancer/
Additional notes:
- psql locally against the load balancer public hostname.
- ./psql.sh connects to the DB via the public LB hostname so we can do demos.