
Check missing for RDS parameter_group using SSL/TLS?

Open dbbc96 opened this issue 1 year ago • 7 comments

It would appear that there are not currently any checks for whether or not TLS/SSL is enforced in RDS parameter groups. I was looking here: https://www.checkov.io/5.Policy%20Index/terraform.html

I did see one for Redshift but am not finding any other references for "parameter_group" and TLS/SSL enforcement. Please let me know if I missed it somewhere.

dbbc96 avatar Aug 28 '23 13:08 dbbc96

hey @dbbc96 thanks for reaching out.

I double checked and I think you are right. We have it for a couple of other services, but not for RDS 😱

gruebel avatar Aug 28 '23 14:08 gruebel

@dbbc96 what parameters do you want to ensure? rds.force_ssl is true? This is the default, so we'd be looking for false? If we do that, shall I also add a check that ssl_min_protocol_version is TLSv1.2 while we're about it? WDYT?

JamesWoolfenden avatar Aug 31 '23 10:08 JamesWoolfenden

@JamesWoolfenden so it will depend on the engine. For instance, MySQL is using "require_secure_transport", Postgres uses "rds.force_ssl", MSSQL also uses "rds.force.ssl".

But it should check whether it is set to "1" or not, which I believe is not set by default.

dbbc96 avatar Sep 06 '23 15:09 dbbc96

@dbbc96 I would like to contribute to this issue. Can you share where exactly you saw the different parameter values that are used by the respective RDS engines? I got the code working for Postgres; applying the same logic for the others should do it, I believe.

@gruebel Could you please assign this issue to me?

ArjunMenon-bit avatar Sep 24 '23 17:09 ArjunMenon-bit

@ArjunMenon-bit

I think you can find them here: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_parameter_group

dbbc96 avatar Sep 27 '23 15:09 dbbc96
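The engine-dependent logic discussed above, written out as an added example for this thread (not code from the checkov project): it mirrors the conf shape checkov hands to `scan_resource_conf()` (attribute values wrapped in one-element lists, which is an assumption about the parser), and the set of accepted "on" values is likewise an assumption.

```python
from typing import Any, Optional

# Parameter group family prefix -> parameter that forces TLS for that engine.
# Names are the ones given in the thread; the MySQL/MariaDB and Aurora
# mappings are assumed to follow the same pattern.
TLS_PARAM_BY_FAMILY = {
    "postgres": "rds.force_ssl",
    "aurora-postgresql": "rds.force_ssl",
    "sqlserver": "rds.force_ssl",
    "mysql": "require_secure_transport",
    "aurora-mysql": "require_secure_transport",
    "mariadb": "require_secure_transport",
}
# Assumption: these spellings all mean "enforced" (compared case-insensitively).
ENABLED_VALUES = {"1", "on", "true"}


def _unwrap(value: Any) -> Any:
    """Undo the one-element list wrapping of scalar attributes (assumed conf shape)."""
    return value[0] if isinstance(value, list) and len(value) == 1 else value


def tls_parameter_for(family: str) -> Optional[str]:
    """Map a family such as 'postgres15' or 'sqlserver-se-15.0' to its TLS
    parameter; None when the engine is not covered by the check."""
    # Longest prefix first so 'aurora-mysql8.0' is not matched by 'mysql'.
    for prefix in sorted(TLS_PARAM_BY_FAMILY, key=len, reverse=True):
        if family.startswith(prefix):
            return TLS_PARAM_BY_FAMILY[prefix]
    return None


def scan_db_parameter_group(conf: dict) -> str:
    """Evaluate one aws_db_parameter_group conf: 'PASSED', 'FAILED' or 'UNKNOWN'.
    A missing parameter is FAILED, since (as noted in the thread) the
    enforcing value is not set by default."""
    family = _unwrap(conf.get("family"))
    if not isinstance(family, str):
        return "UNKNOWN"
    wanted = tls_parameter_for(family.lower())
    if wanted is None:
        return "UNKNOWN"  # unsupported engine: avoid a false finding
    for param in conf.get("parameter") or []:
        name = _unwrap(param.get("name"))
        value = _unwrap(param.get("value"))
        if name == wanted and str(value).strip().lower() in ENABLED_VALUES:
            return "PASSED"
    return "FAILED"
```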

Is there a branch created for this issue and are you working on this?

terra-conq avatar Nov 01 '23 03:11 terra-conq

Thanks for contributing to Checkov! We've automatically marked this issue as stale to keep our issues list tidy, because it has not had any activity for 6 months. It will be closed in 14 days if no further activity occurs. Commenting on this issue will remove the stale tag. If you want to talk through the issue or help us understand the priority and context, feel free to add a comment or join us in the Checkov slack channel at codifiedsecurity.slack.com Thanks!

stale[bot] avatar May 01 '24 14:05 stale[bot]

Closing issue due to inactivity. If you feel this is in error, please re-open, or reach out to the community via slack: codifiedsecurity.slack.com Thanks!

stale[bot] avatar May 17 '24 23:05 stale[bot]

not stale

martu-sf avatar Jun 13 '24 16:06 martu-sf