fluidasserts.cloud.aws.cloudformation.rds module

AWS CloudFormation checks for RDS (Relational Database Service).

Some rules were taken from CFN_NAG

fluidasserts.cloud.aws.cloudformation.rds.has_not_automated_backups(path, exclude=None)

Check if any DBCluster or DBInstance does not have automated backups.

Parameters
  • path (str) – Location of CloudFormation’s template file.

  • exclude (typing.Optional[typing.List[str]]) – Paths that contain any string from this list are ignored.

Returns

  • OPEN if BackupRetentionPeriod attribute is set to 0.

  • UNKNOWN on errors.

  • CLOSED otherwise.

Return type

fluidasserts.Result

fluidasserts.cloud.aws.cloudformation.rds.has_not_termination_protection(path, exclude=None)

Check if RDS clusters and instances lack termination protection.

By default RDS Clusters and Instances can be terminated using the Amazon EC2 console, CLI, or API.

This is not desirable if the termination is done unintentionally, because DB Snapshots and Automated Backups are deleted automatically after some time (or immediately in some cases), which may cause data loss and service interruption.

Parameters
  • path (str) – Location of CloudFormation’s template file.

  • exclude (typing.Optional[typing.List[str]]) – Paths that contain any string from this list are ignored.

Returns

  • OPEN if the instance or cluster does not have the DeletionProtection parameter set to true.

  • UNKNOWN on errors.

  • CLOSED otherwise.

Return type

fluidasserts.Result

fluidasserts.cloud.aws.cloudformation.rds.has_unencrypted_storage(path, exclude=None)

Check if any DBCluster or DBInstance use unencrypted storage.

The following checks are performed:

  • F26 RDS DBCluster should have StorageEncrypted enabled

  • F27 RDS DBInstance should have StorageEncrypted enabled

Parameters
  • path (str) – Location of CloudFormation’s template file.

  • exclude (typing.Optional[typing.List[str]]) – Paths that contain any string from this list are ignored.

Returns

  • OPEN if StorageEncrypted attribute is set to false.

  • UNKNOWN on errors.

  • CLOSED otherwise.

Return type

fluidasserts.Result

fluidasserts.cloud.aws.cloudformation.rds.is_not_inside_a_db_subnet_group(path, exclude=None)

Check if any DBInstance or DBCluster is not inside a DB Subnet Group.

Parameters
  • path (str) – Location of CloudFormation’s template file.

  • exclude (typing.Optional[typing.List[str]]) – Paths that contain any string from this list are ignored.

Returns

  • OPEN if DBSubnetGroupName attribute is not set.

  • UNKNOWN on errors.

  • CLOSED otherwise.

Return type

fluidasserts.Result

fluidasserts.cloud.aws.cloudformation.rds.is_publicly_accessible(path, exclude=None)

Check if any RDS::DBInstance is Internet facing (a.k.a. public).

The following checks are performed:

  • F22 RDS instance should not be publicly accessible

Parameters
  • path (str) – Location of CloudFormation’s template file.

  • exclude (typing.Optional[typing.List[str]]) – Paths that contain any string from this list are ignored.

Returns

  • OPEN if PubliclyAccessible attribute is set to true.

  • UNKNOWN on errors.

  • CLOSED otherwise.

Return type

fluidasserts.Result
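The following is an added example, not fluidasserts' own code, that re-implements the five documented conditions (BackupRetentionPeriod set to 0, DeletionProtection not true, StorageEncrypted set to false, DBSubnetGroupName absent, PubliclyAccessible true) against a CloudFormation template in JSON form. It assumes the template text is passed directly instead of a file path, so it runs offline; the function names mirror the checks above and the sample template is constructed for the example. It also shows two details a practitioner runs into when writing such checks: CloudFormation booleans and integers may arrive as strings ("false", "0"), and a property may hold an intrinsic such as {"Ref": ...} rather than a literal.

```python
# Added example, not fluidasserts' own code: a minimal re-implementation of the
# five RDS checks documented above, applied to a CloudFormation template given
# as JSON text (fluidasserts takes a file path; here the text is passed
# directly so the example runs offline). The sample template is constructed.
import json
from typing import Any, Dict, Iterator, List, Optional, Tuple

OPEN, CLOSED = "OPEN", "CLOSED"
RDS_TYPES = ("AWS::RDS::DBCluster", "AWS::RDS::DBInstance")


def _rds_resources(template: dict) -> Iterator[Tuple[str, str, dict]]:
    """Yield (logical id, resource type, properties) for every RDS cluster or instance."""
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") in RDS_TYPES:
            yield logical_id, resource["Type"], resource.get("Properties", {})


def _as_bool(value: Any) -> Optional[bool]:
    """Normalise CloudFormation booleans, which may be true/false or "true"/"false".

    Returns None for anything else: a missing property or an intrinsic like {"Ref": ...}.
    """
    if isinstance(value, bool):
        return value
    if isinstance(value, str) and value.lower() in ("true", "false"):
        return value.lower() == "true"
    return None


def _as_int(value: Any) -> Optional[int]:
    """Normalise CloudFormation integers, which may be 0 or "0"; None if not a number."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


def has_not_automated_backups(template: dict) -> List[str]:
    """Logical ids whose BackupRetentionPeriod is explicitly 0 (documented OPEN condition)."""
    return [lid for lid, _, props in _rds_resources(template)
            if _as_int(props.get("BackupRetentionPeriod")) == 0]


def has_not_termination_protection(template: dict) -> List[str]:
    """Logical ids whose DeletionProtection is missing or not true."""
    return [lid for lid, _, props in _rds_resources(template)
            if _as_bool(props.get("DeletionProtection")) is not True]


def has_unencrypted_storage(template: dict) -> List[str]:
    """Logical ids whose StorageEncrypted is explicitly false.

    Per the documented rule an omitted StorageEncrypted is not flagged, even though
    a DBInstance created without it gets unencrypted storage by default.
    """
    return [lid for lid, _, props in _rds_resources(template)
            if _as_bool(props.get("StorageEncrypted")) is False]


def is_not_inside_a_db_subnet_group(template: dict) -> List[str]:
    """Logical ids with no DBSubnetGroupName property at all."""
    return [lid for lid, _, props in _rds_resources(template)
            if "DBSubnetGroupName" not in props]


def is_publicly_accessible(template: dict) -> List[str]:
    """DBInstance logical ids with PubliclyAccessible true (clusters carry no such property)."""
    return [lid for lid, rtype, props in _rds_resources(template)
            if rtype == "AWS::RDS::DBInstance"
            and _as_bool(props.get("PubliclyAccessible")) is True]


CHECKS = {f.__name__: f for f in (has_not_automated_backups, has_not_termination_protection,
                                  has_unencrypted_storage, is_not_inside_a_db_subnet_group,
                                  is_publicly_accessible)}


def run_all(template_text: str) -> Dict[str, Dict[str, Any]]:
    """Run every check; each entry holds the OPEN/CLOSED verdict and the offending logical ids."""
    template = json.loads(template_text)
    results: Dict[str, Dict[str, Any]] = {}
    for name, check in CHECKS.items():
        offenders = check(template)
        results[name] = {"result": OPEN if offenders else CLOSED, "resources": offenders}
    return results


# Constructed sample template (not from the page): one misconfigured instance,
# one partially hardened cluster using string-typed values, one hardened cluster,
# and a non-RDS resource that the checks must ignore.
SAMPLE_TEMPLATE = json.dumps({
    "Resources": {
        "BadInstance": {
            "Type": "AWS::RDS::DBInstance",
            "Properties": {"Engine": "postgres", "DBInstanceClass": "db.t3.micro",
                           "BackupRetentionPeriod": 0, "StorageEncrypted": "false",
                           "PubliclyAccessible": True},
        },
        "LegacyCluster": {
            "Type": "AWS::RDS::DBCluster",
            "Properties": {"Engine": "aurora-postgresql", "BackupRetentionPeriod": "0",
                           "DeletionProtection": "false",
                           "DBSubnetGroupName": {"Ref": "AppSubnetGroup"}},
        },
        "GoodCluster": {
            "Type": "AWS::RDS::DBCluster",
            "Properties": {"Engine": "aurora-postgresql", "BackupRetentionPeriod": 7,
                           "DeletionProtection": True, "StorageEncrypted": True,
                           "DBSubnetGroupName": {"Ref": "AppSubnetGroup"}},
        },
        "AppBucket": {"Type": "AWS::S3::Bucket"},
    }
})

if __name__ == "__main__":
    for check_name, outcome in run_all(SAMPLE_TEMPLATE).items():
        print(f"{check_name}: {outcome['result']} {outcome['resources']}")
```

Running it reports BadInstance under all five checks and LegacyCluster under the backup and termination-protection checks only: its "0" and "false" strings are normalised before comparison, while its omitted StorageEncrypted is left alone because the documented rule only fires on an explicit false. A stricter in-house variant would treat an absent StorageEncrypted on a DBInstance as OPEN as well, since that is the unencrypted default.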