Terraform Missing Db Subnet Group
Description
Identifies AWS RDS database instances and clusters that are not configured with a DB subnet group. When 'db_subnet_group_name' is omitted, AWS places the instance or cluster in the default subnet group of the account's default VPC rather than in the private subnets the operator controls, so the database can end up reachable from networks it was never meant to share. Setting 'publicly_accessible = false' alone does not pin it to the intended network boundary.
Detection Strategy
• Check for AWS resource definitions of type 'aws_rds_cluster' or 'aws_db_instance' in Terraform configurations
• Verify whether the 'db_subnet_group_name' attribute is absent, or set to null, on each of these database resources
• Report a vulnerability if a database resource is found without an associated subnet group configuration
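The three steps above, carried out as a small static check. This is an added example, not Fluid Attacks' scanner: it scans Terraform text with a brace-matching pass instead of a full HCL parser, strips comments so a commented-out attribute is not mistaken for a configured one, and treats 'db_subnet_group_name = null' as missing. The sample configuration it runs over is constructed for the example; the resource names in it and the helper names ('strip_comments', 'extract_body', 'find_missing_subnet_groups') are assumptions.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Resource types and attribute named in the detection strategy above.
DB_RESOURCE_TYPES = {"aws_db_instance", "aws_rds_cluster"}
ATTRIBUTE = "db_subnet_group_name"
HEADER = re.compile(r'resource\s+"([^"]+)"\s+"([^"]+)"\s*\{')
ATTR_RE = re.compile(rf"^\s*{ATTRIBUTE}\s*=\s*(.+?)\s*$", re.MULTILINE)


@dataclass(frozen=True)
class Finding:
    resource_type: str
    name: str
    line: int  # 1-based line of the resource header in the input


def strip_comments(hcl: str) -> str:
    """Blank out '#' and '//' line comments, leaving string literals intact."""
    out = []
    for line in hcl.splitlines():  # line count preserved for line numbers
        kept, in_str = [], False
        for i, ch in enumerate(line):
            if ch == '"' and (i == 0 or line[i - 1] != "\\"):
                in_str = not in_str
            elif not in_str and (ch == "#" or line.startswith("//", i)):
                break
            kept.append(ch)
        out.append("".join(kept))
    return "\n".join(out)


def extract_body(text: str, start: int) -> tuple[str, int]:
    """Text inside the block opened by the '{' at `start`, plus the index of its
    matching '}'. Braces inside strings such as "${var.env}" are not counted."""
    depth, in_str = 0, False
    for i in range(start, len(text)):
        ch = text[i]
        if ch == '"' and text[i - 1] != "\\":
            in_str = not in_str
        elif not in_str:
            if ch == "{":
                depth += 1
            elif ch == "}":
                depth -= 1
                if depth == 0:
                    return text[start + 1:i], i
    raise ValueError("unbalanced braces in HCL input")


def has_subnet_group(body: str) -> bool:
    """True when db_subnet_group_name is set to something other than null."""
    m = ATTR_RE.search(body)
    return m is not None and m.group(1) != "null"


def find_missing_subnet_groups(hcl: str) -> list[Finding]:
    """Report every aws_db_instance / aws_rds_cluster without a subnet group."""
    text = strip_comments(hcl)
    findings, pos = [], 0
    while (m := HEADER.search(text, pos)):
        rtype, rname = m.group(1), m.group(2)
        body, end = extract_body(text, m.end() - 1)  # also skips other blocks
        if rtype in DB_RESOURCE_TYPES and not has_subnet_group(body):
            findings.append(Finding(rtype, rname, text.count("\n", 0, m.start()) + 1))
        pos = end + 1
    return findings


# Constructed sample (not from the page): the subnet group and Aurora cluster are
# compliant; "default" omits the attribute, "reporting" only has it commented
# out, and "nulled" sets it to null. The last three must be reported.
SAMPLE_TF = '''\
resource "aws_db_subnet_group" "rds_private" {
  name       = "rds-private"
  subnet_ids = var.private_subnet_ids
}

resource "aws_db_instance" "default" {
  publicly_accessible = false
  allocated_storage   = 10
  engine              = "mysql"
  instance_class      = "db.t3.micro"
  tags = { Name = "db-${var.environment}" }
}

resource "aws_rds_cluster" "aurora" {
  cluster_identifier   = "aurora-prod"
  engine               = "aurora-mysql"
  db_subnet_group_name = aws_db_subnet_group.rds_private.name
}

resource "aws_db_instance" "reporting" {
  engine               = "postgres"
  instance_class       = "db.t3.medium"
  # db_subnet_group_name = "rds-private"
}

resource "aws_db_instance" "nulled" {
  engine               = "postgres"
  instance_class       = "db.t3.medium"
  db_subnet_group_name = null
}
'''

if __name__ == "__main__":
    for f in find_missing_subnet_groups(SAMPLE_TF):
        print(f"{f.resource_type}.{f.name} (line {f.line}): missing {ATTRIBUTE}")
```

Run against the sample it reports aws_db_instance.default, aws_db_instance.reporting and aws_db_instance.nulled and stays silent on the Aurora cluster. A text scan like this cannot resolve values that only exist after evaluation (an attribute fed from a variable that happens to be null, or a module that sets it internally), so in a pipeline the same check is more robust against the JSON of a Terraform plan, where each resource's final 'db_subnet_group_name' is already resolved.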
Vulnerable code example
resource "aws_db_instance" "default" {
publicly_accessible = false # Not enough to secure instance without proper network controls
allocated_storage = 10
engine = "mysql"
engine_version = "5.7"
instance_class = "db.t3.micro"
name = "mydb"
username = "foo"...
Secure code example
resource "aws_db_subnet_group" "rds_private" {
name = "rds-private"
subnet_ids = var.private_subnet_ids # Place RDS in private subnets only
tags = { Name = "rds-private" }
}
resource "aws_db_instance" "default" {
identifier = "prod-db-${var.environment}" # Structured naming convention...