logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

Improper authorization control for web services - RDS - Aws

Need

Enhancement of authorization controls for web services - RDS

Context

  1. Usage of Terraform for Infrastructure as Code (IaC)
  2. Usage of AWS SDK for interacting with Amazon Web Services

Description

Insecure Code Example

provider "aws" {
  region = "us-west-2"
}

resource "aws_db_instance" "default" {
  allocated_storage    = 20
  storage_type         = "gp2"
  engine               = "mysql"
  engine_version       = "5.7"
  instance_class       = "db.t2.micro"
  name                 = "mydb"
  username             = "foo"
  password             = "foobarbaz"
  parameter_group_name = "default.mysql5.7"
  publicly_accessible  = true
}

The above Terraform script creates a MySQL RDS instance on AWS. The `publicly_accessible` parameter is set to `true`, which means this RDS instance is accessible from the internet. This is a significant security risk as it exposes the database to potential unauthorized access. If the credentials for the database were to be compromised (e.g., through a brute force attack), an attacker could gain full access to the data stored in the RDS instance. The `aws_db_instance` resource block specifies the properties of the RDS instance. The `publicly_accessible` parameter determines whether the RDS instance has a public IP address. By setting this parameter to `true`, the RDS instance is assigned a public IP address and can be accessed from outside of the VPC, which is not recommended for production environments due to the associated security risks. The `username` and `password` parameters specify the credentials used to connect to the RDS instance. In this case, the credentials are hardcoded into the Terraform script, which is also a bad practice as it exposes sensitive information in plain text. This could lead to unauthorized access if the script were to be compromised.

Steps

  1. Disable public accessibility for the RDS instance
  2. Configure proper authentication and authorization mechanisms for accessing the RDS instance
  3. Ensure that only authenticated and authorized users and roles can access the RDS instance

Secure Code Example

provider "aws" {
  region = "us-west-2"
}

resource "aws_db_instance" "default" {
  allocated_storage    = 20
  storage_type         = "gp2"
  engine               = "mysql"
  engine_version       = "5.7"
  instance_class       = "db.t2.micro"
  name                 = "mydb"
  username             = "foo"
  password             = "foobarbaz"
  parameter_group_name = "default.mysql5.7"
  publicly_accessible  = false
}

The above code is a Terraform script for creating an AWS RDS instance. The vulnerability in the original code was that the RDS instance was publicly accessible, which could potentially compromise the stored information. The fix for this vulnerability is to set the `publicly_accessible` attribute to `false`. This ensures that the RDS instance is not publicly accessible over the internet, and can only be accessed within the VPC it is deployed in. In addition to this, it is also recommended to configure proper authentication and authorization mechanisms for accessing the RDS instance. This can be done by managing AWS IAM roles and policies, and ensuring that only authenticated and authorized users and roles can access the RDS instance. Please note that the `username` and `password` in the script should be replaced with secure values, and should ideally be fetched from a secure secret management system instead of being hardcoded in the script.

References

  • 073 - Improper authorization control for web services - RDS

    • Last updated

    2023/09/18