Json Yaml Storage Encrypted False
Description
Detects AWS RDS database resources in CloudFormation templates that are configured without encrypted storage. Unencrypted database storage poses a security risk because sensitive data could be exposed if the underlying storage media (volumes, snapshots, backups) is compromised.
Detection Strategy
• Scan CloudFormation template files for RDS resource definitions (AWS::RDS::DBCluster or AWS::RDS::DBInstance)
• Check if the resource has storage encryption explicitly disabled or missing
• Flag resources that don't have encryption enabled as security vulnerabilities
• Report the specific location in the CloudFormation template where the unencrypted RDS resource is defined
Vulnerable code example
{
"Resources": {
"RDSCluster": {
"Type": "AWS::RDS::DBCluster",
"Properties": {
"Engine": "aurora",
"MasterUsername": { "Ref": "username" }, # Sensitive credential parameter
"MasterUserPassword": { "Ref": "password" }, # Sensitive credential parameter
...
✅ Secure code example
{
"Resources": {
"RDSCluster": {
"Type": "AWS::RDS::DBCluster",
"Properties": {
"Engine": "aurora",
"MasterUsername": { "Ref": "username" },
"MasterUserPassword": { "Ref": "password" },
...
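The detection strategy above, and the vulnerable/secure pair it is meant to distinguish, as an added worked example (not Fluid Attacks' own scanner code). It parses a CloudFormation template (JSON with the standard library; YAML only if PyYAML happens to be installed), walks the Resources section, and reports every AWS::RDS::DBCluster or AWS::RDS::DBInstance whose StorageEncrypted property is missing, literally false, or set through an intrinsic function that cannot be resolved statically. The two embedded templates are constructed for this example; the logical IDs, parameter names and the KmsKeyId alias are placeholders. One assumption is built in: a DBInstance that names a DBClusterIdentifier is skipped, because for Aurora the cluster governs encryption and the instance does not carry its own StorageEncrypted setting.

```python
"""Flag RDS resources in a CloudFormation template whose storage is not encrypted.

Added example code: not the scanner Fluid Attacks ships. JSON templates are
handled with the standard library; YAML only when PyYAML is available.
"""
import json

try:
    import yaml  # optional dependency; CloudFormation YAML uses !Ref/!Sub tags
except ImportError:  # pragma: no cover
    yaml = None

RDS_TYPES = {"AWS::RDS::DBCluster", "AWS::RDS::DBInstance"}


def load_template(text):
    """Parse a JSON or YAML CloudFormation template into a dict."""
    if text.lstrip().startswith("{"):
        return json.loads(text)
    if yaml is None:
        raise ValueError("YAML template but PyYAML is not installed")

    # Accept CloudFormation intrinsic tags (!Ref, !GetAtt, ...) as plain values
    # so SafeLoader does not reject them; the tag itself is not evaluated.
    class CfnLoader(yaml.SafeLoader):
        pass

    def any_tag(loader, tag_suffix, node):
        if isinstance(node, yaml.ScalarNode):
            return loader.construct_scalar(node)
        if isinstance(node, yaml.SequenceNode):
            return loader.construct_sequence(node)
        return loader.construct_mapping(node)

    CfnLoader.add_multi_constructor("!", any_tag)
    return yaml.load(text, Loader=CfnLoader)


def is_literal_true(value):
    """CloudFormation accepts booleans or the strings "true"/"false"."""
    if isinstance(value, bool):
        return value
    return isinstance(value, str) and value.strip().lower() == "true"


def find_unencrypted_rds(template):
    """Return a list of (location, resource_type, reason) for flagged resources."""
    findings = []
    for logical_id, resource in (template.get("Resources") or {}).items():
        rtype = resource.get("Type")
        if rtype not in RDS_TYPES:
            continue
        props = resource.get("Properties") or {}
        # Assumption: an Aurora instance inside a cluster inherits the cluster's
        # encryption setting, so it is checked via the cluster, not here.
        if rtype == "AWS::RDS::DBInstance" and "DBClusterIdentifier" in props:
            continue
        location = f"Resources.{logical_id}.Properties.StorageEncrypted"
        if "StorageEncrypted" not in props:
            findings.append((location, rtype, "StorageEncrypted is missing (defaults to false)"))
        elif isinstance(props["StorageEncrypted"], dict):
            # e.g. {"Ref": "EncryptDb"}: value comes from a parameter/intrinsic,
            # so it cannot be proven true from the template alone.
            findings.append((location, rtype, "StorageEncrypted is not a literal true; verify the parameter"))
        elif not is_literal_true(props["StorageEncrypted"]):
            findings.append((location, rtype, "StorageEncrypted is explicitly false"))
    return findings


def scan(text):
    """Convenience wrapper: template text in, findings out."""
    return find_unencrypted_rds(load_template(text))


# Constructed sample templates (placeholder IDs and parameter names).
VULNERABLE_TEMPLATE = json.dumps({
    "Resources": {
        "RDSCluster": {
            "Type": "AWS::RDS::DBCluster",
            "Properties": {
                "Engine": "aurora",
                "MasterUsername": {"Ref": "username"},
                "MasterUserPassword": {"Ref": "password"},
                # StorageEncrypted omitted: storage is unencrypted by default
            },
        }
    }
})

SECURE_TEMPLATE = json.dumps({
    "Resources": {
        "RDSCluster": {
            "Type": "AWS::RDS::DBCluster",
            "Properties": {
                "Engine": "aurora",
                "MasterUsername": {"Ref": "username"},
                "MasterUserPassword": {"Ref": "password"},
                "StorageEncrypted": True,
                "KmsKeyId": "alias/example-rds-key",  # placeholder CMK alias
            },
        }
    }
})

if __name__ == "__main__":
    for name, text in (("vulnerable", VULNERABLE_TEMPLATE), ("secure", SECURE_TEMPLATE)):
        for location, rtype, reason in scan(text):
            print(f"[{name}] {rtype} at {location}: {reason}")
```

Run it directly to see one finding for the vulnerable template and none for the secure one. Reporting the dotted path Resources.<LogicalId>.Properties.StorageEncrypted gives reviewers a precise location without needing line numbers, which a JSON parser does not preserve.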