Ensure AWS Aurora PostgreSQL is not exposed to local file read vulnerability
Description
This policy checks whether an AWS Aurora PostgreSQL database instance is running on a vulnerable engine version. The rule identifies instances with engine versions '10.11', '10.12', '10.13', '11.6', '11.7', or '11.8', which are exposed to a local file read vulnerability. It is essential to ensure that the database instance is updated to a patched version to prevent potential security breaches. Running on an unpatched version can lead to unauthorized access to sensitive data.
Code Example
```terraform
resource "aws_db_instance" "example" {
  engine         = "aurora-postgresql"
  engine_version = "11.9" # or a higher patched version
}
```
Remediation
Upgrade the engine version of the AWS Aurora PostgreSQL database instance to a patched version.
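The following is an added, stand-alone illustration of how the rule above can be evaluated against Terraform resource configurations; it is not code from the Checkov project. It assumes the dict-of-lists shape that Checkov passes to resource checks (each attribute value wrapped in a single-element list), treats non-Aurora-PostgreSQL engines as out of scope, and treats a missing or unresolved engine_version as failing, since the version cannot be proven patched from the code alone.

```python
# Added example (not Checkov's own code): evaluate the Aurora PostgreSQL
# local-file-read rule against Terraform aws_db_instance configurations.

# Engine versions the rule flags (taken from the rule description above).
VULNERABLE_VERSIONS = {"10.11", "10.12", "10.13", "11.6", "11.7", "11.8"}


def _scalar(conf, key):
    """Unwrap a Checkov-style attribute (value wrapped in a list); None if absent."""
    value = conf.get(key)
    if isinstance(value, list) and value:
        value = value[0]
    return value if isinstance(value, str) else None


def check_aurora_postgresql_lfr(conf):
    """Return 'PASSED' or 'FAILED' for one aws_db_instance configuration."""
    engine = _scalar(conf, "engine")
    # Assumption: engines other than aurora-postgresql are out of scope.
    if engine is None or engine.strip().lower() != "aurora-postgresql":
        return "PASSED"
    version = _scalar(conf, "engine_version")
    # Assumption: no version, or an unresolved reference such as "${var.x}",
    # cannot be shown to be patched from the code alone, so it fails.
    if version is None or version.startswith("${"):
        return "FAILED"
    return "FAILED" if version.strip() in VULNERABLE_VERSIONS else "PASSED"


def scan(resources):
    """Evaluate a mapping of resource name -> configuration; return failing names."""
    return sorted(name for name, conf in resources.items()
                  if check_aurora_postgresql_lfr(conf) == "FAILED")


# Constructed sample input: the page's example block plus a few variants.
SAMPLE = {
    "example":    {"engine": ["aurora-postgresql"], "engine_version": ["11.9"]},
    "legacy":     {"engine": ["aurora-postgresql"], "engine_version": ["10.12"]},
    "mysql":      {"engine": ["aurora-mysql"],      "engine_version": ["5.7"]},
    "no_version": {"engine": ["aurora-postgresql"]},
}

if __name__ == "__main__":
    print(scan(SAMPLE))  # ['legacy', 'no_version']
```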
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0435 |
| Severity | HIGH |
| IaC Type | Terraform |
| Frameworks | aws_db_instance |
| Checkov ID | CKV_AWS_388 |