id: rds-public-snapshot
info:
  name: RDS Public Snapshot Exposure
  author: princechaddha
  severity: high
  description: |
    Checks if AWS RDS database snapshots are publicly accessible, risking exposure of sensitive data.
  impact: |
    Public snapshots can expose sensitive data to unauthorized users, leading to potential data breaches.
  remediation: |
    Modify the snapshot's visibility settings to ensure it is not public, only shared with specific AWS accounts.
  reference:
    - https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_ShareSnapshot.html
  metadata:
    max-request: 2
  tags: cloud,devops,aws,amazon,rds,aws-cloud-config
variables:
  region: "ap-northeast-1"

flow: |
  code(1)
  for(let RDPsnaps of iterate(template.snapshots)){
    set("snapshot", RDPsnaps)
    code(2)
  }

self-contained: true
code:
  - engine:
      - sh
      - bash
    source: |
      aws rds describe-db-snapshots  --region $region  --snapshot-type manual  --output json  --query 'DBSnapshots[*].DBSnapshotIdentifier'

    extractors:
      - type: json
        name: snapshots
        internal: true
        json:
          - '.[]'

  - engine:
      - sh
      - bash
    source: |
         aws rds describe-db-snapshot-attributes --region $region --db-snapshot-identifier $snapshot  --query 'DBSnapshotAttributesResult.DBSnapshotAttributes'

    matchers:
      - type: word
        words:
          - '"all"'

    extractors:
      - type: dsl
        dsl:
          - '"RDS snapshot " + snapshot + " is public"'
# digest: 490a004630440220406064aac939d4deee904e965a39e74b5b6a866aa0120dc7a3ac03683a464fcb02204c1c229f967d74c64b9b3ebc03c6d31678f471305d10f708528996202549111f:922c64590222798bb761d5b6d8e72950