
AWS RDS Snapshots Are Public

Description

Unencrypted manual RDS snapshots can be shared as public, which makes the snapshot available to every AWS account: any account can copy it or restore a database from it. Automated snapshots cannot be shared directly, and encrypted snapshots can be shared with specific accounts but not made public, so this rule concerns unencrypted manual snapshots.

For more information, refer to the RDS Snapshots Documentation.

Rationale

Make sure your RDS snapshots aren't public, to avoid exposing potentially sensitive internal data (the full contents of the database at the time of the snapshot) to every AWS account.

Applies To

  • Latest Blob Instances

Tags

This rule is applied when the following tags are present:

Tag                          Value
secureclouddb/provider       aws
secureclouddb/service        rds
secureclouddb/resource-type  db

Default Rule

const { isEmptyArray } = module

/**
 * @param {Object} blobInstances - database snapshots
 * @returns {{success: boolean}} success is true if no database snapshot is public
 */
function validate(blobInstances) {
    // Passes when there are no snapshots at all, or when every snapshot has an
    // aws.rds configuration whose snapshotType is anything other than 'public'.
    // A snapshot missing the configuration path fails the check, so the rule
    // fails closed instead of treating an unknown sharing state as private.
    const success = isEmptyArray(blobInstances.values) || 
                    blobInstances.values.every(snap => 
                        snap.configuration &&
                        snap.configuration.aws &&
                        snap.configuration.aws.rds && 
                        snap.configuration.aws.rds.snapshotType !== 'public'
                    )

    return {
        success,
    }
}

// invoke
validate(blobInstances);
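The rule above reads a pre-collected snapshotType field. On the AWS side, whether a DB snapshot is public is recorded in its "restore" attribute, returned by `aws rds describe-db-snapshot-attributes --db-snapshot-identifier <id>`: the value "all" means any account can restore it, while account IDs mean it is shared with those accounts only. The following is an added example, not part of the SecureCloudDB rule or its module DSL. It runs that check over constructed sample responses (the snapshot identifiers and the account ID are invented), maps the result onto the shape the rule reads (the mapping of the snapshotType field is an assumption about how the collector populates it), and produces the CLI command that withdraws public access. Aurora cluster snapshots use the analogous describe-db-cluster-snapshot-attributes and modify-db-cluster-snapshot-attribute commands, which this example does not cover.

```javascript
// Added example (not part of the SecureCloudDB rule): decide whether an RDS DB
// snapshot is public from the output of
//   aws rds describe-db-snapshot-attributes --db-snapshot-identifier <id>
// A snapshot is public when its "restore" attribute contains "all"; account
// IDs in that list mean it is shared with those accounts only.
// The responses below are constructed sample data, not captured from AWS.

const sampleResponses = {
  // Shared publicly: restore -> ["all"]
  "prod-customers-2024-01-15": {
    DBSnapshotAttributesResult: {
      DBSnapshotIdentifier: "prod-customers-2024-01-15",
      DBSnapshotAttributes: [
        { AttributeName: "restore", AttributeValues: ["all"] },
      ],
    },
  },
  // Shared with one specific account (hypothetical account ID)
  "staging-2024-01-15": {
    DBSnapshotAttributesResult: {
      DBSnapshotIdentifier: "staging-2024-01-15",
      DBSnapshotAttributes: [
        { AttributeName: "restore", AttributeValues: ["123456789012"] },
      ],
    },
  },
  // Not shared at all
  "dev-2024-01-15": {
    DBSnapshotAttributesResult: {
      DBSnapshotIdentifier: "dev-2024-01-15",
      DBSnapshotAttributes: [
        { AttributeName: "restore", AttributeValues: [] },
      ],
    },
  },
};

/**
 * Accounts the snapshot's "restore" attribute grants access to.
 * Returns [] when the attribute is absent or empty, so a malformed or
 * empty response is never mistaken for a public snapshot.
 */
function restoreGrants(response) {
  const result = response && response.DBSnapshotAttributesResult;
  const attrs = (result && result.DBSnapshotAttributes) || [];
  const restore = attrs.find((a) => a.AttributeName === "restore");
  return (restore && restore.AttributeValues) || [];
}

/** True when the snapshot is restorable by every AWS account. */
function isPublicSnapshot(response) {
  return restoreGrants(response).includes("all");
}

/**
 * Map one describe-db-snapshot-attributes response onto the shape the rule
 * reads (configuration.aws.rds.snapshotType). Only "public" matters to the
 * rule; any other sharing state is recorded as "manual". This mapping is an
 * assumption about how the collector populates that field.
 */
function toRuleInput(response) {
  return {
    configuration: {
      aws: {
        rds: {
          snapshotType: isPublicSnapshot(response) ? "public" : "manual",
        },
      },
    },
  };
}

/** CLI command that withdraws public access, leaving account-level shares intact. */
function remediationCommand(snapshotId) {
  return `aws rds modify-db-snapshot-attribute --db-snapshot-identifier ${snapshotId} --attribute-name restore --values-to-remove all`;
}

/** Identifiers of every public snapshot in a map of responses. */
function findPublicSnapshots(responses) {
  return Object.keys(responses).filter((id) => isPublicSnapshot(responses[id]));
}

for (const id of findPublicSnapshots(sampleResponses)) {
  console.log(`PUBLIC: ${id}\n  fix: ${remediationCommand(id)}`);
}
```

Removing "all" from the restore attribute is sufficient to make the snapshot private again; shares with specific account IDs are unaffected and should be reviewed separately.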