turbot/terraform_aws_compliance


Query: rds_db_instance_logging_enabled

Usage

steampipe query terraform_aws_compliance.query.rds_db_instance_logging_enabled


SQL

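-- Flags aws_db_instance resources whose declared enabled_cloudwatch_logs_exports
-- does not cover every log type this query requires for the instance's engine.
--
-- Output columns (Steampipe control shape): resource, engine (extra dimension),
-- status ('ok' / 'alarm'), reason, and the file location of the resource.
--
-- Changes relative to the previous form of this query:
--   * The per-engine required-exports list is stated once (CTE `required`) and the
--     'ok' decision is computed once (`logging_ok`), instead of duplicating the whole
--     condition in both the status and the reason columns.
--   * The operator was rendered as `< @`; the jsonb "is contained by" operator is `<@`
--     (no space). As written, `@` would be parsed as a separate prefix operator.
--   * The check is now containment (exports @> required) rather than set equality
--     (exports <@ required AND exports @> required): an instance exporting a superset
--     of the required types (e.g. an engine-specific extra export type) logs at least
--     as much as required and is reported 'ok' instead of 'alarm'.
--   * The generic 'sqlserver%' branch previously tested only exports <@ ["error","agent"],
--     so an empty list (`[]`) -- i.e. no logging at all -- satisfied the subset test and
--     was reported 'ok'. It now requires both "error" and "agent" to be present.
--   * An engine no branch recognises gets no required list and is reported 'alarm',
--     matching the previous fall-through to the `else` branch.
-- NOTE(review): aws_db_instance resources with Aurora engines (aurora-mysql,
-- aurora-postgresql) match the '%mysql' / '%postgres%' patterns; if their log exports
-- are declared on the cluster resource rather than the instance, they will be
-- reported 'alarm' here -- confirm whether they should be excluded or checked elsewhere.
with instance as (
  select
    type,
    name,
    path,
    start_line,
    arguments,
    -- unquoted engine string for pattern matching (->> strips the JSON quotes)
    arguments ->> 'engine' as engine_name,
    (arguments -> 'enabled_cloudwatch_logs_exports') :: jsonb as exports
  from
    terraform_resource
  where
    type = 'aws_db_instance'
),
required as (
  select
    *,
    case
      when engine_name like any (array [ 'mariadb', '%mysql' ]) then '["audit","error","general","slowquery"]' :: jsonb
      when engine_name like '%postgres%' then '["postgresql","upgrade"]' :: jsonb
      when engine_name like 'oracle%' then '["alert","audit","trace","listener"]' :: jsonb
      -- SQL Server Express is matched before the generic sqlserver% pattern;
      -- CASE evaluates branches in order, so this ordering is load-bearing.
      when engine_name = 'sqlserver-ex' then '["error"]' :: jsonb
      when engine_name like 'sqlserver%' then '["error","agent"]' :: jsonb
    end as required_exports
  from
    instance
),
evaluated as (
  select
    *,
    -- jsonb array containment: every required element must appear in exports.
    -- A missing attribute (SQL null) or an unrecognised engine (null required list)
    -- must never evaluate to 'ok', so nulls are collapsed to false explicitly.
    coalesce(
      exports is not null
      and required_exports is not null
      and exports @> required_exports,
      false
    ) as logging_ok
  from
    required
)
select
  type || ' ' || name as resource,
  -- kept as the JSON-quoted text this dimension has always emitted
  (arguments -> 'engine') :: text as engine,
  case when logging_ok then 'ok' else 'alarm' end as status,
  name || case when logging_ok then ' logging enabled' else ' logging disabled' end || '.' as reason,
  path || ':' || start_line
from
  evaluated;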

Controls

The query is being used by the following controls: