
CKV_AWS_139 - RDS cluster deletion protection

Open gruebel opened this issue 3 years ago • 8 comments

Is your feature request related to a problem? Please describe. I think it is great to check if deletion protection is enabled or not, but is there a reason why it only checks aws_rds_cluster and does not include aws_db_instance? They are quite similar.

I'm happy to either extend this check to include DB instances or add a new one to check separately for them.

Additional context https://github.com/bridgecrewio/checkov/blob/caafcbb83d6901b57c9a39464673670c150f0a33/checkov/terraform/checks/resource/aws/RDSDeletionProtection.py#L7-L15

gruebel avatar Apr 13 '21 20:04 gruebel

Hi @gruebel !

The reason behind this decision is that compute sizes might need to change, and removing compute resources does not endanger the cluster. In essence, a cluster saves your data if it has 0 instances. So to preserve data we recommend enabling deletion protection on those clusters. On the instances it might just make it harder to scale that way.

nimrodkor avatar Apr 15 '21 16:04 nimrodkor

@nimrodkor sure, that makes sense, but I'm not talking about cluster instances, which are aws_rds_cluster_instance. I mean the good old single or multi-az instances aws_db_instance.

gruebel avatar Apr 15 '21 16:04 gruebel

@gruebel Me neither :) I'm talking about the cluster (aws_rds_cluster) vs any instance (aws_rds_cluster_instance / aws_db_instance). The cluster should have deletion protection. The instance is replaceable, and enabling deletion protection on it can be limiting for no good security reason.

nimrodkor avatar Apr 18 '21 07:04 nimrodkor
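To make the two positions above concrete, here is an added example (not checkov's own code) that re-implements the CKV_AWS_139 decision without the checkov dependency, over resources in the shape checkov's Terraform parser produces (each attribute value wrapped in a one-element list). The `include_db_instances` switch models the extension proposed in the issue, and the sample resources are constructed for this example.

```python
from typing import Any, Dict, List

PASSED, FAILED, SKIPPED = "PASSED", "FAILED", "SKIPPED"

# aws_rds_cluster is what the real check covers. aws_db_instance is the
# extension proposed in the issue. Cluster member instances stay out of scope
# either way: per the maintainer's reasoning, the cluster holds the data and
# its compute is replaceable.
CLUSTER_TYPES = {"aws_rds_cluster"}
STANDALONE_INSTANCE_TYPES = {"aws_db_instance"}


def unwrap(conf: Dict[str, Any], key: str) -> Any:
    """Parsed Terraform attributes arrive as [value]; return value, or None if unset."""
    raw = conf.get(key)
    if isinstance(raw, list) and raw:
        return raw[0]
    return raw


def check_deletion_protection(resource_type: str, conf: Dict[str, Any],
                              include_db_instances: bool = False) -> str:
    in_scope = resource_type in CLUSTER_TYPES or (
        include_db_instances and resource_type in STANDALONE_INSTANCE_TYPES)
    if not in_scope:
        return SKIPPED
    # deletion_protection defaults to false in the AWS provider, so an unset
    # attribute is a failure, not an unknown. Accept bool True or the string
    # "true" (the latter shows up when the value comes through a variable).
    value = unwrap(conf, "deletion_protection")
    return PASSED if value is True or str(value).lower() == "true" else FAILED


def scan(resources: List[Dict[str, Any]], include_db_instances: bool = False) -> Dict[str, str]:
    """Map 'type.name' -> result for every resource in the constructed config."""
    return {f"{r['type']}.{r['name']}":
            check_deletion_protection(r["type"], r["config"], include_db_instances)
            for r in resources}


# Constructed sample resources (hypothetical, not taken from the issue).
SAMPLE = [
    {"type": "aws_rds_cluster", "name": "aurora", "config": {"deletion_protection": [True]}},
    {"type": "aws_rds_cluster_instance", "name": "aurora_writer", "config": {"cluster_identifier": ["aurora"]}},
    {"type": "aws_db_instance", "name": "postgres", "config": {"engine": ["postgres"]}},
    {"type": "aws_db_instance", "name": "mysql", "config": {"deletion_protection": ["true"]}},
]

if __name__ == "__main__":
    for label, results in (("cluster only", scan(SAMPLE)), ("extended", scan(SAMPLE, True))):
        print(label, results)
```

With the switch off, the standalone `aws_db_instance` without `deletion_protection` is silently skipped; with it on, that instance fails while the Aurora member instance is still skipped in both modes.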

Thanks for contributing to Checkov! We've automatically marked this issue as stale to keep our issues list tidy, because it has not had any activity for 6 months. It will be closed in 14 days if no further activity occurs. Commenting on this issue will remove the stale tag. If you want to talk through the issue or help us understand the priority and context, feel free to add a comment or join us in the Checkov slack channel at https://slack.bridgecrew.io Thanks!

stale[bot] avatar Jun 25 '22 19:06 stale[bot]

Thanks for contributing to Checkov! We've automatically marked this issue as stale to keep our issues list tidy, because it has not had any activity for 6 months. It will be closed in 14 days if no further activity occurs. Commenting on this issue will remove the stale tag. If you want to talk through the issue or help us understand the priority and context, feel free to add a comment or join us in the Checkov slack channel at https://slack.bridgecrew.io Thanks!

stale[bot] avatar Dec 23 '22 11:12 stale[bot]

Closing issue due to inactivity. If you feel this is in error, please re-open, or reach out to the community via slack: https://slack.bridgecrew.io Thanks!

stale[bot] avatar Jan 06 '23 23:01 stale[bot]

I am interested in this issue, could you assign this issue to me please?

brandon-bb avatar Jan 14 '23 10:01 brandon-bb

Hey @CrypticBantu, sure, go ahead 🙂 Here you can find the related test file: https://github.com/bridgecrewio/checkov/blob/main/tests/terraform/checks/resource/aws/test_RDSDeletionProtection.py

gruebel avatar Jan 14 '23 11:01 gruebel