Database

Json Yaml Missing Db Subnet Group Name

Description

Detects when RDS database instances or clusters in AWS CloudFormation templates are not configured with a DB subnet group. Without a DB subnet group, the RDS resource is not properly isolated in specific VPC subnets, potentially exposing the database to a broader network than intended and violating networking security best practices.

Weakness:

109 - Unrestricted access between network segments - RDS

Category: Functionality Abuse

Detection Strategy

    Identifies AWS::RDS::DBInstance or AWS::RDS::DBCluster resources in CloudFormation templates

    Checks if the resource Properties section exists

    Verifies if the DBSubnetGroupName property is missing from the resource configuration

    Reports a vulnerability if an RDS instance or cluster is found without a DB subnet group specified
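The strategy above as a small Python check over the JSON form of a CloudFormation template (example code added here, not the rule's own implementation). The template is constructed for the example: it embeds the page's MyRDSCluster next to an instance that does reference a subnet group and a cluster with no Properties block; reporting that last case as well is an assumption about how the strategy treats it.

```python
import json

# Resource types the detection strategy looks at
RDS_TYPES = {"AWS::RDS::DBInstance", "AWS::RDS::DBCluster"}


def find_rds_without_subnet_group(template: dict) -> list:
    """Return logical IDs of RDS instances/clusters lacking DBSubnetGroupName."""
    findings = []
    resources = template.get("Resources") or {}
    for logical_id, resource in resources.items():
        if not isinstance(resource, dict) or resource.get("Type") not in RDS_TYPES:
            continue
        properties = resource.get("Properties")
        # A resource with no Properties block cannot carry DBSubnetGroupName, so
        # this example reports it too (assumption about the strategy's handling).
        if not isinstance(properties, dict) or "DBSubnetGroupName" not in properties:
            findings.append(logical_id)
    return findings


# Constructed sample template in JSON form: the page's cluster without a subnet
# group, an instance that references one (Ref counts as configured), a cluster
# with no Properties at all, and an unrelated resource that must be ignored.
SAMPLE_TEMPLATE = json.loads("""
{
  "Resources": {
    "MyRDSCluster": {
      "Type": "AWS::RDS::DBCluster",
      "Properties": {
        "Engine": "aurora",
        "MasterUsername": {"Ref": "username"},
        "MasterUserPassword": {"Ref": "password"},
        "StorageEncrypted": true
      }
    },
    "AppDbInstance": {
      "Type": "AWS::RDS::DBInstance",
      "Properties": {
        "Engine": "postgres",
        "DBInstanceClass": "db.t3.micro",
        "DBSubnetGroupName": {"Ref": "PrivateDbSubnetGroup"}
      }
    },
    "EmptyCluster": {"Type": "AWS::RDS::DBCluster"},
    "WebBucket": {"Type": "AWS::S3::Bucket"}
  }
}
""")

if __name__ == "__main__":
    for logical_id in find_rds_without_subnet_group(SAMPLE_TEMPLATE):
        print(f"{logical_id}: missing DBSubnetGroupName")
```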

Vulnerable code example

Resources:
  MyRDSCluster:
    Type: AWS::RDS::DBCluster
    Properties:
      Engine: aurora
      MasterUsername: !Ref username
      MasterUserPassword: !Ref password
      StorageEncrypted: true...

✅ Secure code example

Resources:
  MyRDSCluster:
    Type: AWS::RDS::DBCluster
    Properties:
      Engine: aurora
      MasterUsername: !Ref username
      MasterUserPassword: !Ref password
      StorageEncrypted: true...