Software security is not security software. Here we're concerned with topics like authentication, access control, confidentiality, cryptography, and privilege management.
publicly_accessible parameter to yes.
- name: example1
community.aws.redshift:
identifier: mycluster
command: create
db_name: mydb
node_type: ds1.xlarge
username: "{{ username }}"
password: "{{ password }}"
publicly_accessible: yes
encrypted parameter is set to false.
- name: Basic AMI Creation
amazon.aws.ec2_ami:
state: present
instance_id: i-xxxxxx
name: test_ami
device_mapping:
device_name: /dev/sda
encrypted: false
encrypt parameter is set to no.
- name: EFS provisioning
community.aws.efs:
state: present
name: myTestEFS
encrypt: no
targets:
- subnet_id: subnet-12345678
security_groups: [ "sg-87654321" ]
encryption_state parameter is set to disabled.
- name: Set up Kinesis Stream with 10 shards and wait for the stream to become active
community.aws.kinesis_stream:
name: test-stream
shards: 10
wait: yes
wait_timeout: 600
encryption_state: disabled
register: test_stream
- name: create a log_group in CloudWatchLogs
community.aws.cloudwatchlogs_log_group:
log_group_name: test-log-group
tags: { "Name": "test-log-group", "Env" : "QA" }
enable_log_file_validation parameter is missing.
- name: create a single region cloudtrail
community.aws.cloudtrail:
s3_bucket_name: mylogbucket
s3_key_prefix: cloudtrail
region: us-west-2
publicly_accessible is set to true.
- name: createdb
community.aws.rds_instance:
db_instance_identifier: test-db
engine: aurora
instance_type: db.t2.small
username: "{{ username }}"
password: "{{ password }}"
cluster_id: test-cluster
publicly_accessible: true
"DbSecurity": {
"Type": "AWS::RDS::DBSecurityGroup",
"Properties": {
"GroupDescription": "Ingress for Amazon RDS security group",
"DBSecurityGroupIngress": {
"CIDRIP": "0.0.0.0/0"
}
}
}
DbSecurity:
Type: 'AWS::RDS::DBSecurityGroup'
Properties:
GroupDescription: Ingress for Amazon RDS security group
DBSecurityGroupIngress:
CIDRIP: 0.0.0.0/0
BlockPublicPolicy and BlockPublicAcls respectively under an S3 property of PublicAccessBlockConfiguration.RestrictPublicBuckets and IgnorePublicAcls.tls parameter.
Resources:
DocDBDisabledTLS:
Type: AWS::DocDB::DBClusterParameterGroup
Properties:
Description: docdb cluster parameter group
Name: test
Parameters:
tls: "disabled"
ttl_monitor: "enabled"
{
"Resources": {
"ReplicationGroup": {
"Properties": {
"Engine": "redis",
"EngineVersion": "EngineVersion",
"ReplicasPerNodeGroup": "NumReplicas",
"PreferredMaintenanceWindow": "sat:07:00-sat:08:00",
"AtRestEncryptionEnabled": true,
"CacheParameterGroupName": "CacheParameterGroup",
"SecurityGroupIds": [
"SecurityGroup"
],
"SnapshotRetentionLimit": "SnapshotRetentionLimit",
"CacheNodeType": "CacheNodeType",
"CacheSubnetGroupName": "CacheSubnetGroupName",
"NumNodeGroups": "NumShards",
"SnapshotWindow": "00:00-03:00",
"ReplicationGroupDescription": "AWS::StackName"
},
"UpdatePolicy": {
"UseOnlineResharding": true
},
"DeletionPolicy": "Snapshot",
"UpdateReplacePolicy": "Snapshot",
"Type": "AWS::ElastiCache::ReplicationGroup"
}
}
}
Resources:
ReplicationGroup:
DeletionPolicy: Snapshot
UpdateReplacePolicy: Snapshot
Type: AWS::ElastiCache::ReplicationGroup
Properties:
ReplicationGroupDescription: !Ref 'AWS::StackName'
AtRestEncryptionEnabled: true
CacheNodeType: !Ref CacheNodeType
CacheParameterGroupName: !Ref CacheParameterGroup
CacheSubnetGroupName: !Ref CacheSubnetGroupName
Engine: redis
EngineVersion: !Ref EngineVersion
NumNodeGroups: !Ref NumShards
ReplicasPerNodeGroup: !Ref NumReplicas
PreferredMaintenanceWindow: 'sat:07:00-sat:08:00'
SecurityGroupIds:
- !Ref SecurityGroup
SnapshotRetentionLimit: !Ref SnapshotRetentionLimit
SnapshotWindow: '00:00-03:00'
UpdatePolicy:
UseOnlineResharding: true
{
"Resources": {
"RedShiftParms": {
"Type": "AWS::Redshift::clusterParameterGroup",
"Properties": {
"Description": "parameter group",
"ParameterGroupFamily": "redshift-1.0",
"Parameters": [
{
"ParameterName": "require_ssl",
"ParameterValue": "false"
}
]
}
}
}
}
Resources:
RedShiftclusterParms:
Type: AWS::Redshift::clusterParameterGroup
Properties:
Description: redshift parameter group
ParameterGroupFamily: redshift-1.0
Parameters:
- ParameterName: "require_ssl"
ParameterValue: "false"
{
"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"MyLogGroup": {
"Type": "AWS::Logs::LogGroup",
"Properties": {
"LogGroupName": "Service01LogGroup"
}
}
}
}
AWSTemplateFormatVersion: "2010-09-09"
Resources:
MyLogGroup:
Type: AWS::Logs::LogGroup
Properties:
LogGroupName: Service01LogGroup
"Resources": {
"RedshiftClusterTest": {
"Properties": {
"NodeType": "dc1.large",
"Port": 5439,
"VpcSecurityGroupIds": [
"${RedshiftSecurityGroup}"
],
"ClusterSubnetGroupName": "RedshiftClusterSubnetGroup",
"ClusterType": "single-node"
"MasterUserPassword": "MasterUserPassword",
"MasterUsername": "MasterUsername",
"DBName": "${DatabaseName}",
"IamRoles": ["RawDataBucketAccessRole.Arn"],
"PubliclyAccessible": true
},
"Type": "AWS::Redshift::Cluster"
}
Resources:
RedshiftClusterTest:
Type: AWS::Redshift::Cluster
Properties:
ClusterSubnetGroupName: !Ref RedshiftClusterSubnetGroup
ClusterType: single-node
NumberOfNodes: !Ref RedshiftNodeCount
DBName: !Sub ${DatabaseName}
IamRoles:
- !GetAtt RawDataBucketAccessRole.Arn
MasterUserPassword: !Ref MasterUserPassword
MasterUsername: !Ref MasterUsername
PubliclyAccessible: true
NodeType: dc1.large
Port: 5439
VpcSecurityGroupIds:
- !Sub ${RedshiftSecurityGroup}