feat(misconf): Add Support for skip_final_snapshot in RDS clusters #5147
Assignees
Labels
kind/feature
Categorizes issue or PR as related to a new feature.
scan/misconfiguration
Issues relating to misconfiguration scanning
Milestone
Comments
simar7
added
kind/feature
|
fixed via aquasecurity/defsec#1449 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Discussed in #5130
Originally posted by dorayakikun September 6, 2023
Description
Abstract
I want to detect some resources which set
skip_final_snapshot = truein terraform resources by trivy's custom policy.Motivation
When destroying an RDS Cluster with Terraform, the backup of the entire cluster is deleted even if the Backup function is enabled.
In the above cases, permanent data loss is risky if recreation is unintentionally performed. (*)
*Automatic backups on cluster deletion have recently been released, but these have not yet been implemented in the terraform aws provider.https://aws.amazon.com/about-aws/whats-new/2023/08/amazon-aurora-automatic-backup-deleted-clusters/
To avoid this situation, I want to use rego to detect resources with
skip_final_snapshot = true.Proposal
I'm considering creating the below codes.
https://github.com/dorayakikun/defsec/commit/bd9efe9e726d63f9b9f1dcbffa7a12e57f7f154c
Concern
skip_final_snapshotis a particular property.Adding implementations to AWS Adapters and CloudFormation Adapters makes it difficult.
(I'm concerned that it will always be set to
false.)I am concerned that this violates defsec's design policy.
If you have any other better ideas, please let me know!
Target
AWS
Scanner
Misconfiguration
The text was updated successfully, but these errors were encountered: