False positive: AWS.RDS.DataSecurity.High.0414 / AC_AWS_0058 #1135

Closed
jrobison-sb opened this issue Feb 2, 2022 · 0 comments · Fixed by #1156
Labels: policy (Issue concerning policy maintainers.)

Comments

@jrobison-sb
Contributor

  • terrascan version:
$ terrascan version
version: v1.13.0
  • Operating System:
    OSX

Description

AWS.RDS.DataSecurity.High.0414 / AC_AWS_0058 triggers a false positive when storage_encrypted = true and kms_key_id = null.

What I Did

resource "aws_db_instance" "example" {
  # minimum required attributes
  allocated_storage   = 20
  engine              = "postgres"
  instance_class      = "db.t3.micro"
  skip_final_snapshot = true
  password            = "REDACTED"
  username            = "postgres"

  # enable encryption
  storage_encrypted = true
}
$ aws rds describe-db-instances --db-instance-identifier terraform-20220202160946474400000001 | grep 'StorageEncrypted\|KmsKeyId'

            "StorageEncrypted": true,
            "KmsKeyId": "arn:aws:kms:us-east-1:1234567890:key/abcdefgh",
$ terrascan scan -i terraform -f ../../modules/aws/application/aws_db_instance_with_encryption.tf --scan-rules AWS.RDS.DataSecurity.High.0414
2022-02-02T11:18:32.879-0500	warn	filters/filter-specs.go:75	Deprecation warning : Use 'id' (AC_AWS_0058) instead of 'reference_id' (AWS.RDS.DataSecurity.High.0414) to skip/scan rules


Violation Details -
    
	Description    :	Ensure that your RDS database instances encrypt the underlying storage. Encrypted RDS instances use the industry standard AES-256 encryption algorithm to encrypt data on the server that hosts RDS DB instances. After data is encrypted, RDS handles authentication of access and descryption of data transparently with minimal impact on performance.
	File           :	aws_db_instance_with_encryption.tf
	Module Name    :	root
	Line           :	1
	Severity       :	HIGH

Screen Shot 2022-02-02 at 11 30 33 AM
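To make the false positive concrete, here is an added Python model of the check (not from the issue and not terrascan's own Rego policy). The pre-fix behaviour is reconstructed from the report and is an assumption; the sample resources and the `describe-db-instances` excerpt are constructed.

```python
import json

# Constructed sample aws_db_instance configs (not from the page), shaped
# like the reporter's example: attribute name -> value, null meaning unset.
RESOURCES = [
    {"name": "default_key", "config": {"storage_encrypted": True, "kms_key_id": None}},
    {"name": "cmk", "config": {"storage_encrypted": True,
                               "kms_key_id": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE"}},
    {"name": "plaintext", "config": {"storage_encrypted": False}},
    {"name": "unset", "config": {}},  # storage_encrypted defaults to false
]

# Constructed excerpt of `aws rds describe-db-instances` JSON output.
DESCRIBE_OUTPUT = json.dumps({"DBInstances": [
    {"DBInstanceIdentifier": "example", "StorageEncrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE"}]})


def unencrypted_original(resource):
    """Assumed pre-fix logic: violation unless storage_encrypted is true AND
    kms_key_id is set. A null kms_key_id is wrongly treated as no encryption."""
    cfg = resource["config"]
    return not (cfg.get("storage_encrypted") is True and bool(cfg.get("kms_key_id")))


def unencrypted_fixed(resource):
    """Corrected logic: storage_encrypted alone decides. With kms_key_id
    omitted, AWS encrypts with the account's default aws/rds KMS key."""
    return resource["config"].get("storage_encrypted") is not True


def violations(check, resources=RESOURCES):
    """Names of the resources the given check flags."""
    return [r["name"] for r in resources if check(r)]


def deployed_encrypted(describe_json):
    """Post-deploy verification: every instance reports StorageEncrypted and
    a KmsKeyId (AWS fills in the default key, as the report's output shows)."""
    dbs = json.loads(describe_json)["DBInstances"]
    return bool(dbs) and all(db.get("StorageEncrypted") is True and bool(db.get("KmsKeyId"))
                             for db in dbs)


if __name__ == "__main__":
    print("original:", violations(unencrypted_original))  # default_key is the false positive
    print("fixed:   ", violations(unencrypted_fixed))     # only plaintext and unset
    print("deployed encrypted:", deployed_encrypted(DESCRIBE_OUTPUT))
```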

@gaurav-gogia gaurav-gogia self-assigned this Feb 16, 2022
@gaurav-gogia gaurav-gogia added the policy Issue concerning policy maintainers. label Feb 16, 2022
gaurav-gogia added a commit to gaurav-gogia/terrascan that referenced this issue Feb 17, 2022
@gaurav-gogia gaurav-gogia linked a pull request Feb 17, 2022 that will close this issue
harkirat22 pushed a commit that referenced this issue Feb 18, 2022