Database

Need

Secure storage of confidential information in the database

Context

• Usage of AWS CloudFormation for Infrastructure as Code (IaC)

• Usage of AWS SDK for interacting with Amazon Web Services

Description

1. Non-compliant code

Resources:
  InsecureDB:
    Type: AWS::RDS::DBInstance
    Properties:
      DBInstanceIdentifier: mydb
      AllocatedStorage: 20
      DBInstanceClass: db.t2.micro
      EngineVersion: "5.7"...

The above CloudFormation template creates an AWS RDS instance with a publicly accessible MySQL database. The database is configured with a username and password, which are directly written in the template as plaintext. This poses a security risk since anyone with access to the CloudFormation template can view the credentials. Additionally, the database instance is publicly accessible, meaning it can be reached from any IP address, making it susceptible to unauthorized access. Furthermore, encryption at rest is not enabled, meaning sensitive data stored in the database is unprotected. These misconfigurations increase the risk of data breaches and unauthorized access.

2. Steps

• Disable public access to the database to prevent unauthorized access.

• Enable encryption at rest to protect stored data.

• Use AWS Secrets Manager to securely store and manage database credentials.

• Implement IAM policies to restrict access to the database.

3. Secure code example

Resources:
  SecureDB:
    Type: AWS::RDS::DBInstance
    Properties:
      DBInstanceIdentifier: mydb
      AllocatedStorage: 20
      DBInstanceClass: db.t2.micro
      EngineVersion: "5.7"...

The above CloudFormation template mitigates the security risks by:

1. **Disabling Public Access**: The `PubliclyAccessible` property is set to `false` to ensure the database is only accessible within the private network.

2. **Enabling Encryption at Rest**: The `StorageEncrypted` property is set to `true` to ensure data stored in the database is encrypted.

3. **Using AWS Secrets Manager**: Instead of hardcoding credentials, Secrets Manager is used to securely store and retrieve database credentials.
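A pre-deployment check for the three settings discussed above, as an added example that is not part of the original page. The JSON template, resource names, secret path and the `audit_rds` helper are constructed for illustration; treating an absent `PubliclyAccessible` as a finding is a policy choice made here.

```python
import json

# Constructed sample template (CloudFormation JSON form); all names and values are illustrative.
TEMPLATE = json.loads("""
{"Resources": {
  "InsecureDB": {
    "Type": "AWS::RDS::DBInstance",
    "Properties": {
      "MasterUserPassword": "example-password",
      "PubliclyAccessible": true
    }
  },
  "SecureDB": {
    "Type": "AWS::RDS::DBInstance",
    "Properties": {
      "MasterUserPassword": "{{resolve:secretsmanager:example/db:SecretString:password}}",
      "PubliclyAccessible": false,
      "StorageEncrypted": true
    }
  }
}}
""")

# Dynamic-reference prefixes that make CloudFormation fetch the value at deploy time
SECRET_REFS = ("{{resolve:secretsmanager:", "{{resolve:ssm-secure:")

def audit_rds(template):
    """Return {logical_id: [findings]} for each AWS::RDS::DBInstance resource."""
    report = {}
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::RDS::DBInstance":
            continue
        props = res.get("Properties", {})
        findings = []
        # Booleans may appear as true/false or "true"/"false"; absent is flagged too
        if str(props.get("PubliclyAccessible")).lower() != "false":
            findings.append("PubliclyAccessible is not explicitly false")
        if str(props.get("StorageEncrypted")).lower() != "true":
            findings.append("StorageEncrypted is not true")
        pwd = props.get("MasterUserPassword")
        # A dict is an intrinsic function (e.g. Ref); only literal strings are flagged
        if isinstance(pwd, str) and not pwd.startswith(SECRET_REFS):
            findings.append("MasterUserPassword is a plaintext literal")
        report[name] = findings
    return report

if __name__ == "__main__":
    for name, findings in audit_rds(TEMPLATE).items():
        print(name, findings or "OK")
```

Passwords supplied through an intrinsic function such as `Ref` are not flagged by this check and still need a manual look at where the referenced value comes from.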