Need

Enhancement of authorization controls for web services - RDS

Context

• Usage of Terraform for Infrastructure as Code (IaC)
• Usage of AWS SDK for interacting with Amazon Web Services

Description

Non compliant code

        provider "aws" {
  region = "us-west-2"
}

resource "aws_db_instance" "default" {
  allocated_storage    = 20
  storage_type         = "gp2"
  engine               = "mysql"
  engine_version       = "5.7"
  instance_class       = "db.t2.micro"
  name                 = "mydb"
  username             = "foo"
  password             = "foobarbaz"
  parameter_group_name = "default.mysql5.7"
  publicly_accessible  = true
}
        
        

The above Terraform script creates a MySQL RDS instance on AWS. The publicly_accessible parameter is set to true, which means this RDS instance is accessible from the internet. This is a significant security risk as it exposes the database to potential unauthorized access. If the credentials for the database were to be compromised (e.g., through a brute force attack), an attacker could gain full access to the data stored in the RDS instance.

The aws_db_instance resource block specifies the properties of the RDS instance. The publicly_accessible parameter determines whether the RDS instance has a public IP address. By setting this parameter to true, the RDS instance is assigned a public IP address and can be accessed from outside of the VPC, which is not recommended for production environments due to the associated security risks.

The username and password parameters specify the credentials used to connect to the RDS instance. In this case, the credentials are hardcoded into the Terraform script, which is also a bad practice as it exposes sensitive information in plain text. This could lead to unauthorized access if the script were to be compromised.

Steps

• Disable public accessibility for the RDS instance
• Configure proper authentication and authorization mechanisms for accessing the RDS instance
• Ensure that only authenticated and authorized users and roles can access the RDS instance

Compliant code

        provider "aws" {
  region = "us-west-2"
}

resource "aws_db_instance" "default" {
  allocated_storage    = 20
  storage_type         = "gp2"
  engine               = "mysql"
  engine_version       = "5.7"
  instance_class       = "db.t2.micro"
  name                 = "mydb"
  username             = "foo"
  password             = "foobarbaz"
  parameter_group_name = "default.mysql5.7"
  publicly_accessible  = false
}
        
        

The above code is a Terraform script for creating an AWS RDS instance. The vulnerability in the original code was that the RDS instance was publicly accessible, which could potentially compromise the stored information.

The fix for this vulnerability is to set the publicly_accessible attribute to false. This ensures that the RDS instance is not publicly accessible over the internet, and can only be accessed within the VPC it is deployed in.

In addition to this, it is also recommended to configure proper authentication and authorization mechanisms for accessing the RDS instance. This can be done by managing AWS IAM roles and policies, and ensuring that only authenticated and authorized users and roles can access the RDS instance.

Please note that the username and password in the script should be replaced with secure values, and should ideally be fetched from a secure secret management system instead of being hardcoded in the script.

References

• 073. Improper authorization control for web services - RDS