Aurora - Deletion protection is at cluster level and not DB instance level - foundational security logic should be updated #400

Closed
twratl opened this issue May 26, 2022 · 1 comment · Fixed by #401
Assignees
Labels
bug Something isn't working

Comments

twratl commented May 26, 2022

Describe the bug
I am seeing some controls in alarm status for "RDS DB instances should have deletion protection enabled" for instances which are part of an Aurora cluster. For Aurora, deletion protection is only at the cluster level.

Steampipe version (steampipe -v)
0.14.5

Plugin version (steampipe plugin list)
0.60.0

To reproduce
`steampipe check benchmark.foundational_security_rds` in an account/region with Aurora clusters and the cluster has deletion protection enabled.

Expected behavior
Ignore "RDS DB instances should have deletion protection enabled" control if the instance is part of an Aurora cluster.

@twratl twratl added the bug Something isn't working label May 26, 2022
@rajlearner17 rajlearner17 self-assigned this May 27, 2022
@rajlearner17
Contributor

Hi @twratl, thanks for notifying us about this!
Additionally, I see the same behaviour may apply to Neptune DB instances and Amazon DocumentDB clusters.

https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-rds-7
https://docs.aws.amazon.com/config/latest/developerguide/rds-instance-deletion-protection-enabled.html

I think we can skip these DB engines based on the engine type. We will make the change in the query and release it in the upcoming schedule.
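
One way to express the engine-based skip discussed in this thread, as an added example that is not part of the original issue and is not the mod's actual query from #401. The sample rows are constructed; the column names `db_instance_identifier`, `engine` and `deletion_protection` are assumed to match Steampipe's `aws_rds_db_instance` table, which would replace the CTE in a real control.

```sql
-- Constructed sample rows standing in for aws_rds_db_instance (assumption).
with sample_instances (db_instance_identifier, engine, deletion_protection) as (
  values
    ('orders-mysql-1',  'mysql',             true),
    ('reports-pg-1',    'postgres',          false),
    ('aurora-writer-1', 'aurora-mysql',      false),
    ('aurora-reader-1', 'aurora-postgresql', false),
    ('graph-1',         'neptune',           false),
    ('docs-1',          'docdb',             false)
)
select
  db_instance_identifier as resource,
  case
    -- Cluster-managed engines: the instance-level flag is not meaningful,
    -- so report 'skip' instead of a false 'alarm'.
    when engine like 'aurora%' or engine in ('docdb', 'neptune') then 'skip'
    when deletion_protection then 'ok'
    else 'alarm'
  end as status,
  case
    when engine like 'aurora%' or engine in ('docdb', 'neptune')
      then db_instance_identifier || ' uses engine ' || engine
           || '; deletion protection is evaluated at the cluster level.'
    when deletion_protection
      then db_instance_identifier || ' deletion protection enabled.'
    else db_instance_identifier || ' deletion protection not enabled.'
  end as reason
from sample_instances
order by db_instance_identifier;
```

With these rows, only `reports-pg-1` is reported as `alarm`; the Aurora, Neptune and DocumentDB members are `skip`. A skipped instance is only covered if a separate cluster-level control checks deletion protection on its cluster.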
