Ensure Aurora PostgreSQL is not exposed to local file read vulnerability
Ensure that Aurora PostgreSQL instances are not running versions with a known local file read vulnerability.
Risk Level: Critical
Cloud Entity: Amazon RDS
CloudGuard Rule ID: D9.AWS.VLN.09
Covered by Spectral: No
Category: Database
GSL LOGIC
RDSDBCluster where status = 'available' and engine = 'aurora-postgresql' should not have engineVersion in('10.11','10.12','10.13','11.6','11.7','11.8')
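The GSL predicate above can be reproduced offline against the JSON that `aws rds describe-db-clusters` prints, which is useful for confirming a finding or for checking accounts that CloudGuard does not cover. The following is an added example and not CloudGuard's own code; the field names (`DBClusters`, `DBClusterIdentifier`, `Status`, `Engine`, `EngineVersion`) are the ones the AWS API returns, the version list is the one in the rule, and the sample records are constructed for illustration.

```python
"""Offline evaluation of rule D9.AWS.VLN.09 over describe-db-clusters output.

Added example; not part of the CloudGuard rule page.
"""
import json

# Engine versions named in the rule's GSL logic.
VULNERABLE_AURORA_POSTGRESQL_VERSIONS = frozenset({
    "10.11", "10.12", "10.13", "11.6", "11.7", "11.8",
})


def is_vulnerable_cluster(cluster: dict) -> bool:
    """Mirror the GSL predicate exactly: the cluster must be 'available',
    run the aurora-postgresql engine, and sit on one of the listed versions."""
    return (
        cluster.get("Status") == "available"
        and cluster.get("Engine") == "aurora-postgresql"
        and cluster.get("EngineVersion") in VULNERABLE_AURORA_POSTGRESQL_VERSIONS
    )


def find_vulnerable_clusters(describe_output: dict) -> list[str]:
    """Return the identifiers of clusters that fail the rule, in API order.

    `describe_output` is the parsed JSON object from
    `aws rds describe-db-clusters --output json`.
    """
    return [
        cluster["DBClusterIdentifier"]
        for cluster in describe_output.get("DBClusters", [])
        if is_vulnerable_cluster(cluster)
    ]


# Constructed sample shaped like describe-db-clusters output (not real data).
# Note that "analytics-old" is on a listed version but is not 'available';
# the rule as written skips it, so it only surfaces once the cluster is started.
SAMPLE_DESCRIBE_OUTPUT = json.loads("""
{
  "DBClusters": [
    {"DBClusterIdentifier": "orders-prod", "Status": "available",
     "Engine": "aurora-postgresql", "EngineVersion": "11.7"},
    {"DBClusterIdentifier": "orders-staging", "Status": "available",
     "Engine": "aurora-postgresql", "EngineVersion": "11.9"},
    {"DBClusterIdentifier": "reporting-mysql", "Status": "available",
     "Engine": "aurora-mysql", "EngineVersion": "5.7.mysql_aurora.2.10.0"},
    {"DBClusterIdentifier": "analytics-old", "Status": "stopped",
     "Engine": "aurora-postgresql", "EngineVersion": "10.12"}
  ]
}
""")


if __name__ == "__main__":
    # Replace SAMPLE_DESCRIBE_OUTPUT with json.load(sys.stdin) to pipe in
    # real `aws rds describe-db-clusters` output.
    for identifier in find_vulnerable_clusters(SAMPLE_DESCRIBE_OUTPUT):
        print(f"FAIL D9.AWS.VLN.09: {identifier}")
```

Because the rule filters on `Status = 'available'`, stopped clusters on a listed version are not reported until they are started again; re-run the check after any cluster is brought back online. After remediating with `modify-db-cluster`, remember that the engine version change is deferred to the next maintenance window unless `--apply-immediately` is passed, so the check may keep failing until that window has passed.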
REMEDIATION
From Portal
- Log in to AWS Management Console.
- Navigate to RDS service.
- Locate vulnerable Aurora PostgreSQL RDSDBClusters.
- Modify or patch the RDSDBCluster to a newer, non-vulnerable version.
- Ensure changes have been applied.
From TF
resource "aws_rds_cluster" "example" {
  cluster_identifier = "mydbcluster"
  engine             = "aurora-postgresql"
  engine_version     = "latest_version_here" # Replace with the latest non-vulnerable version
}
From Command Line
- Update RDSDBCluster version:
aws rds modify-db-cluster --db-cluster-identifier mydbcluster --engine-version latest_version_here
References
- https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/aurora-serverless.modifying.html
- https://aws.amazon.com/security/security-bulletins/AWS-2022-004/
Amazon RDS
Amazon Relational Database Service (Amazon RDS) makes it easy to set up, operate, and scale a relational database in the cloud. It provides cost-efficient and resizable capacity while automating time-consuming administration tasks such as hardware provisioning, database setup, patching and backups. It frees you to focus on your applications so you can give them the fast performance, high availability, security and compatibility they need.
Compliance Frameworks
- CloudGuard AWS All Rules Ruleset