
AWS – "SQL Server TLS Version" Is Inescapable

Open chrisoverzero opened this issue 4 years ago • 0 comments

The test for "SQL Server TLS Version" picks up default RDS DB Parameter Groups. These DB Parameter Groups cannot be deleted or modified. This means that ever having used SQL Server in the past – even if that use was associated with a different, more secure DB Parameter Group – will cause this scan to fail forever.

I imagine it would be better to scan for DB Parameters Groups which are in-use, rather than simply present. It appears this can be done by:

  • Enumerating DB Instances
  • Filtering on DB Engines starting with 'sqlserver'
  • Enumerating the DB Parameter Groups therein
  • Selecting the DB Parameter Group Name

…which names can be used as the inputs to the existing parameter value checking.

chrisoverzero avatar Mar 09 '21 19:03 chrisoverzero
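The enumeration the issue proposes, sketched as an added JavaScript example (not cloudsploit's own plugin code and not the reporter's). It runs against constructed objects shaped like the `DescribeDBInstances`, `DescribeDBParameterGroups` and `DescribeDBParameters` responses, so it needs no AWS credentials. The parameter name `rds.tls10` and the passing value `disabled` are assumptions standing in for whatever the existing check inspects; the sample account contains an orphaned default SQL Server group that the presence-based scan flags forever but the in-use scan ignores, while a default group that really is attached to an instance still fails under both.

```javascript
// Added illustration, not cloudsploit's own plugin code. Object shapes mirror the
// AWS RDS API responses; the parameter name and expected value are assumptions.
const TLS_PARAMETER = 'rds.tls10';   // assumed: parameter the TLS check inspects
const TLS_EXPECTED = 'disabled';     // assumed: value that passes the check

// Constructed sample data: two SQL Server instances, one PostgreSQL instance, and
// an orphaned default SQL Server group left behind by a long-deleted instance.
const sampleInstances = {
  DBInstances: [
    { DBInstanceIdentifier: 'legacy-app', Engine: 'sqlserver-se',
      DBParameterGroups: [{ DBParameterGroupName: 'hardened-sqlserver-se-15' }] },
    { DBInstanceIdentifier: 'reports', Engine: 'sqlserver-ex',
      DBParameterGroups: [{ DBParameterGroupName: 'default.sqlserver-ex-15.0' }] },
    { DBInstanceIdentifier: 'inventory', Engine: 'postgres',
      DBParameterGroups: [{ DBParameterGroupName: 'default.postgres13' }] },
  ],
};
const sampleParameterGroups = {
  DBParameterGroups: [
    { DBParameterGroupName: 'default.sqlserver-se-15.0', DBParameterGroupFamily: 'sqlserver-se-15.0' },
    { DBParameterGroupName: 'hardened-sqlserver-se-15', DBParameterGroupFamily: 'sqlserver-se-15.0' },
    { DBParameterGroupName: 'default.sqlserver-ex-15.0', DBParameterGroupFamily: 'sqlserver-ex-15.0' },
    { DBParameterGroupName: 'default.postgres13', DBParameterGroupFamily: 'postgres13' },
  ],
};
// DescribeDBParameters results keyed by group name (constructed).
const sampleParameters = {
  'default.sqlserver-se-15.0': { Parameters: [{ ParameterName: TLS_PARAMETER, ParameterValue: 'default' }] },
  'hardened-sqlserver-se-15': { Parameters: [{ ParameterName: TLS_PARAMETER, ParameterValue: 'disabled' }] },
  'default.sqlserver-ex-15.0': { Parameters: [{ ParameterName: TLS_PARAMETER, ParameterValue: 'default' }] },
  'default.postgres13': { Parameters: [] },
};

const isSqlServer = (s) => typeof s === 'string' && s.startsWith('sqlserver');

// Current behaviour: every SQL Server parameter group present in the account.
function presentSqlServerGroups(groupsResponse) {
  return (groupsResponse.DBParameterGroups || [])
    .filter((g) => isSqlServer(g.DBParameterGroupFamily))
    .map((g) => g.DBParameterGroupName);
}

// Proposed behaviour: only groups attached to an existing SQL Server instance.
function inUseSqlServerGroups(instancesResponse) {
  const names = new Set();
  for (const inst of instancesResponse.DBInstances || []) {
    if (!isSqlServer(inst.Engine)) continue;
    for (const pg of inst.DBParameterGroups || []) names.add(pg.DBParameterGroupName);
  }
  return [...names];
}

// The existing value check, applied to one group's DescribeDBParameters result.
function tlsCheckPasses(parametersResponse) {
  const p = (parametersResponse.Parameters || []).find((x) => x.ParameterName === TLS_PARAMETER);
  return Boolean(p) && p.ParameterValue === TLS_EXPECTED;
}

// Map each selected group name to 'OK' or 'FAIL'.
function evaluate(groupNames, parametersByGroup) {
  const findings = {};
  for (const name of [...groupNames].sort()) {
    findings[name] = tlsCheckPasses(parametersByGroup[name] || {}) ? 'OK' : 'FAIL';
  }
  return findings;
}

function presenceBasedFindings() {
  return evaluate(presentSqlServerGroups(sampleParameterGroups), sampleParameters);
}
function inUseBasedFindings() {
  return evaluate(inUseSqlServerGroups(sampleInstances), sampleParameters);
}

console.log('presence-based:', presenceBasedFindings());
console.log('in-use based:  ', inUseBasedFindings());
```

The orphaned `default.sqlserver-se-15.0` group only appears in the presence-based output, which is the inescapable failure the issue describes; `default.sqlserver-ex-15.0` is attached to a live instance and still fails in both, so switching to the in-use selection does not hide a real misconfiguration.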