Amazon RDS

1.1: Database Storage is not encrypted

πŸ“˜ Unencrypted database storage can lead to unauthorized data breaches, emphasizing the importance of encryption for data safety.

  • Section: Encryption
  • Severity: High
  • CWE: CWE-311 Missing Encryption of Sensitive Data
  • Assurance Scope: PCI, NIST, GDPR, HIPPA
  • Threat Modeling Principal: Tampering, Information Disclosure
  • Rule Set: Threat Modeling - Cloud Configuration Check

1.2: Database is not encrypted with the Customer Master Key (CMK)

πŸ“˜ Absence of CMK encryption can reduce the security layer of a database, highlighting the need for custom encryption methods.

  • Section: Encryption
  • Severity: High
  • CWE: CWE-653 Insufficient Compartmentalization
  • Assurance Scope: PCI, NIST, GDPR, HIPPA
  • Threat Modeling Principal: Tampering, Information Disclosure
  • Rule Set: Threat Modeling - Cloud Configuration Check

3.7: AWS RDS Cluster exposed to the Public

πŸ“˜ Publicly exposed RDS clusters increase the risk of unauthorized activities, emphasizing the importance of secure configurations.

  • Section: Public Exposure
  • Severity: Critical
  • CWE: CWE-668 Exposure of Resource to the Wrong Sphere
  • Assurance Scope: PCI, NIST, GDPR, HIPPA
  • Threat Modeling Principal: Tampering, Information Disclosure
  • Rule Set: Threat Modeling - Cloud Configuration Check

5.3: AWS RDS does not use IAM Database Authentication

πŸ“˜ Lacking IAM Database Authentication can compromise database access control, emphasizing the need for stringent authentication methods.

  • Section: Databases and Datastores
  • Severity: High
  • CWE: CWE-284 Improper Access Control
  • Assurance Scope: PCI, NIST, GDPR, HIPPA
  • Threat Modeling Principal: Tampering, Information Disclosure
  • Rule Set: Threat Modeling - Cloud Configuration Check

5.4: AWS RDS not in Multi-AZ

πŸ“˜ Single AZ deployments for RDS can cause service disruptions during outages, highlighting the significance of redundancy for uninterrupted service.

  • Section: Databases and Datastores
  • Severity: High
  • CWE: CWE-410 Insufficient Resource Pool
  • Assurance Scope: PCI, NIST, GDPR, HIPPA
  • Threat Modeling Principal: Denial of Service, Availability
  • Rule Set: Threat Modeling - Cloud Configuration Check

5.7: Amazon RDS database instance does not receive minor database engine upgrades

πŸ“˜ Overlooking minor upgrades can expose the database to known vulnerabilities, underlining the importance of regular updates for performance and safety.

  • Section: Databases and Datastores
  • Severity: Medium
  • CWE: CWE-16 Configuration
  • Assurance Scope: NIST
  • Threat Modeling Principal: Availability
  • Rule Set: Threat Modeling - Cloud Configuration Check

5.8: Amazon RDS cluster uses insufficient retention period

πŸ“˜ An inadequate data retention period might jeopardize essential data recoverability, emphasizing the necessity of apt retention configurations.

  • Section: Databases and Datastores
  • Severity: Medium
  • CWE: CWE-410 Insufficient Resource Pool
  • Assurance Scope: PCI, NIST
  • Threat Modeling Principal: Availability
  • Rule Set: Threat Modeling - Cloud Configuration Check

Updated 5 months ago

What’s Next