Commit

Update rules metadata before new release (#3570)
ilia-kebets-sonarsource authored Nov 22, 2022
1 parent 6357df7 commit 18fcf3b
Showing 6 changed files with 18 additions and 10 deletions.
2 changes: 1 addition & 1 deletion css-sonarpedia/sonarpedia.json
Expand Up @@ -3,7 +3,7 @@
"languages": [
"CSS"
],
"latest-update": "2022-11-03T12:53:02.211603Z",
"latest-update": "2022-11-22T14:32:56.265429Z",
"options": {
"no-language-in-filenames": true
}
@@ -1,4 +1,4 @@
<p>Encryption operations should use a secure mode and padding scheme so that confidentiality and integrity can be guaranteed.</p>
<p>Encryption algorithms should use secure modes and padding schemes where appropriate to guarantee data confidentiality and integrity.</p>
<ul>
<li> For block cipher encryption algorithms (like AES):
<ul>
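Review bot: the reworded intro sentence says modes and padding schemes should be used "where appropriate" but never says when that is, whereas the removed sentence stated the requirement unconditionally; since the list that follows opens with "For block cipher encryption algorithms (like AES):", tie the qualifier to it, e.g. "Encryption algorithms should use secure modes and padding schemes; which ones apply depends on the algorithm family (see below)." Keep the "confidentiality and integrity" wording, as it is what the bullets justify.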
@@ -1,15 +1,20 @@
<p>Amazon Relational Database Service (RDS) allows to easily host and manage a relational database in the cloud. RDS databases can be encrypted,
ensuring the security of data-at-rest. In the case that adversaries gain physical access to the storage medium they are not able to access the
data.</p>
<p>Using unencrypted RDS DB resources exposes data to unauthorized access to the underlying storage.<br> This includes database data, logs, automatic
backups, read replicas, snapshots, and cluster metadata.</p>
<p>This situation can occur in a variety of scenarios, such as:</p>
<ul>
<li> a malicious insider working at the cloud provider gains physical access to the storage device and exfiltrates data. </li>
<li> unknown attackers penetrate the cloud provider’s logical infrastructure and systems for extortion. </li>
</ul>
<p>AWS-managed encryption at rest reduces this risk with a simple switch.</p>
<h2>Ask Yourself Whether</h2>
<ul>
<li> The database contains sensitive data that could cause harm when leaked. </li>
<li> There are compliance requirements for the service to store data encrypted. </li>
</ul>
<p>There is a risk if you answered yes to any of those questions.</p>
<h2>Recommended Secure Coding Practices</h2>
<p>It’s recommended to encrypt databases that contain sensitive information. Encryption and decryption are handled transparently by RDS, so no further
modifications to the application are necessary.</p>
<p>It is recommended to enable encryption at rest on any RDS DB resource, regardless of the engine.<br> In any case, no further maintenance is
required as encryption at rest is fully managed by AWS.</p>
<h2>Sensitive Code Example</h2>
<p>For <a
href="https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_rds.CfnDBCluster.html"><code>aws-cdk-lib.aws_rds.CfnDBCluster</code></a>:</p>
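Review bot: the second threat scenario ("unknown attackers penetrate the cloud provider's logical infrastructure and systems for extortion") is not what the next paragraph's fix addresses: "AWS-managed encryption at rest reduces this risk with a simple switch" holds for access to the storage medium, which is exactly what the removed opening sentence said, not for a compromise of the logical layer that can use the service's key material and therefore reads decrypted data. Either narrow that bullet to storage-level access or state that the switch mitigates the physical-access case. Also, the removed sentence "Encryption and decryption are handled transparently by RDS, so no further modifications to the application are necessary" is stronger and more useful than the new "no further maintenance is required as encryption at rest is fully managed by AWS"; keep the application-transparency point. Minor: "<br>" inside "<p>" at "underlying storage.<br>" and "regardless of the engine.<br>" renders as a hard line break mid-paragraph; a separate "<p>" matches the rest of the description.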
@@ -1,5 +1,5 @@
{
"title": "Using unencrypted RDS databases is security-sensitive",
"title": "Using unencrypted RDS DB resources is security-sensitive",
"type": "SECURITY_HOTSPOT",
"status": "ready",
"remediation": {
Expand Up @@ -42,7 +42,10 @@ <h2>Compliant Solution</h2>
})
</pre>
<h2>Exceptions</h2>
<p>No issue is reported when on Key policies in AWS KMS.</p>
<ul>
<li> Should not be raised on key policies (when AWS KMS actions are used.) </li>
<li> Should not be raised on policies not using any resources (if and only if all actions in the policy never require resources.) </li>
</ul>
<h2>See</h2>
<ul>
<li> <a href="https://owasp.org/Top10/A01_2021-Broken_Access_Control/">OWASP Top 10 2021 Category A1</a> - Broken Access Control </li>
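Review bot: the two new exception bullets are written from the analyzer's point of view ("Should not be raised on ...") while the sentence they replace and the rest of the description address the reader ("No issue is reported when ..."); rephrase as "No issue is reported on key policies (when AWS KMS actions are used)" and "No issue is reported on policies that use no resources, provided none of the actions in the policy ever requires a resource." The "if and only if ... never" construction in the second bullet is hard to parse, and the full stops inside both parentheses belong after the closing bracket.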
2 changes: 1 addition & 1 deletion sonarpedia.json
Expand Up @@ -3,7 +3,7 @@
"languages": [
"JS"
],
"latest-update": "2022-11-03T12:52:58.188044Z",
"latest-update": "2022-11-22T14:32:35.766299Z",
"options": {
"no-language-in-filenames": true,
"preserve-filenames": true

0 comments on commit 18fcf3b