AWS RDS Snapshot is publicly accessible - prod.logic.yaml 🟢
- Contextual name: prod.logic.yaml 🟢
- ID: /ce/ca/aws/rds/snapshot-publicly-accessible/prod.logic.yaml
- Located in: AWS RDS Snapshot is publicly accessible 🟢
Flags
- 🟢 Logic test success
- 🟢 Logic with extracts
- 🟢 Logic with test data
Input Type
Type | API Name | Extracts | Extract Files | Logic Files |
---|---|---|---|---|
AWS RDS Snapshot | CA10__CaAwsDbSnapshot__c | 4 | 1 | 1 |
Uses
Test Results 🟢
Generated at: 2025-04-24T23:45:06.933900665Z
Result | Id | Condition Index | Condition Text | Runtime Error |
---|---|---|---|---|
🟢 | test1 | 99 | `isDisappeared(CA10__disappearanceTime__c)` | null |
🟢 | test2 | 199 | `extract('CA10__encrypted__c') == true` | null |
🟢 | test3 | 299 | `extract('CA10__snapshotType__c') == 'automated' \|\| extract('CA10__snapshotType__c') == 'awsbackup'` | null |
🟢 | test4 | 399 | `extract('CA10__snapshotType__c') == 'public'` | null |
🟢 | test5 | 401 | `CA10__attributesJson__c.delegatedTo(CA10__attributesJson__c).isEmpty()` | null |
🟢 | test6 | 499 | `extract('caJsonFrom__attributesJson__c').jsonQueryText('to_string(restore[0])') == 'all'` | null |
🟢 | test7 | 500 | `otherwise` | null |
🟢 | test8 | 500 | `otherwise` | null |
Generation
File | MD5 |
---|---|
/ce/ca/aws/rds/snapshot-publicly-accessible/policy.yaml | 6D60AC2FE0D7FC6DC4658EE132A35FB3 |
/ce/ca/aws/rds/snapshot-publicly-accessible/prod.logic.yaml | FB926F9ED434E1BEBE1917C3B2E91EA4 |
/ce/ca/aws/rds/snapshot-publicly-accessible/test-data.json | F925F0C16F8C3C8D5244C998646C0A4E |
/types/CA10__CaAwsDbSnapshot__c/object.extracts.yaml | E565EC7B175FE1579DD0C2940700B20F |
Generate FULL script
```
java -jar repo-manager.jar policies generate FULL /ce/ca/aws/rds/snapshot-publicly-accessible/prod.logic.yaml
```
Generate DEBUG script
```
java -jar repo-manager.jar policies generate DEBUG /ce/ca/aws/rds/snapshot-publicly-accessible/prod.logic.yaml
```
Generate CAPTURE_TEST_DATA script
```
java -jar repo-manager.jar policies generate CAPTURE_TEST_DATA /ce/ca/aws/rds/snapshot-publicly-accessible/prod.logic.yaml
```
Generate TESTS script
```
java -jar repo-manager.jar policies generate TESTS /ce/ca/aws/rds/snapshot-publicly-accessible/prod.logic.yaml
```
Execute tests
```
java -jar repo-manager.jar policies test /ce/ca/aws/rds/snapshot-publicly-accessible/prod.logic.yaml
```
Content
```yaml
---
inputType: CA10__CaAwsDbSnapshot__c
importExtracts:
  - file: "/types/CA10__CaAwsDbSnapshot__c/object.extracts.yaml"
testData:
  - file: "test-data.json"
conditions:
  - status: INAPPLICABLE
    currentStateMessage: Encrypted RDS Snapshots cannot be public # cannot be set to restore:all
    check:
      IS_EQUAL:
        left:
          EXTRACT: CA10__encrypted__c
        right:
          BOOLEAN: true
  - status: INAPPLICABLE
    currentStateMessage: RDS Snapshots created automatically or via AWS Backup Service cannot be public
    check:
      OR:
        args:
          - IS_EQUAL:
              left:
                EXTRACT: CA10__snapshotType__c
              right:
                TEXT: automated
          - IS_EQUAL:
              left:
                EXTRACT: CA10__snapshotType__c
              right:
                TEXT: awsbackup
  - status: INCOMPLIANT
    currentStateMessage: RDS Snapshot is publicly accessible
    remediationMessage: Consider making the snapshot completely private or scoping the access to a subset of AWS Accounts.
    check:
      IS_EQUAL:
        left:
          EXTRACT: CA10__snapshotType__c
        right:
          TEXT: public
  # TODO: modify the INCOMPLIANT status logic to use map ops when released.
  - status: INCOMPLIANT
    currentStateMessage: RDS snapshot is publicly accessible
    remediationMessage: Consider making the snapshot completely private or scoping the access to a subset of AWS Accounts.
    check:
      IS_EQUAL:
        left:
          JSON_QUERY_TEXT:
            arg:
              EXTRACT: caJsonFrom__attributesJson__c
            expression: "to_string(restore[0])"
            undeterminedIf:
              evaluationError: "The JSON query has failed."
              resultTypeMismatch: "The JSON query did not return text type."
        right:
          TEXT: "all"
otherwise:
  status: COMPLIANT
  currentStateMessage: RDS snapshot is not publicly accessible
```