RDS instances should be encrypted (AWS-managed or customer-managed KMS CMKs)


Encrypting your RDS DB instances provides an extra layer of security by securing your data from unauthorized access.

Remediation Steps

AWS Console

  • You cannot modify an existing database to enable encryption. You need to migrate to a new RDS instance. Navigate to RDS.

  • In the left navigation, select Snapshots.

  • Create a database snapshot.

  • Make a copy of the snapshot and make sure to enable encryption.


  • List all RDS instances:

    • aws rds describe-db-instances --query 'DBInstances[*].DBInstanceIdentifier'

  • Check if each RDS instance is encrypted:

    • aws rds describe-db-instances --db-instance-identifier <instance name> --query 'DBInstances[*].StorageEncrypted'

  • If an instance shows “false”, create a snapshot of it:

    • aws rds create-db-snapshot --db-instance-identifier <instance name> --db-snapshot-identifier <name of new snapshot>

  • Make an encrypted copy of the snapshot:

    • aws rds copy-db-snapshot --source-db-snapshot-identifier <instance name> --target-db-snapshot-identifier <new name of second snapshot> --kms-key-id <arn of RDS master key>

  • Restore snapshot to new database instance:

    • aws rds restore-db-instance-from-db-snapshot --db-instance-identifier <new db instance name> --db-snapshot-identifier <name of second snapshot>

  • Point your application to the new database instance.


  • Ensure that the aws_db_instance or aws_rds_cluster storage_encrypted field is set to true. If encrypting with a customer-managed KMS key, kms_key_id should be set to the ARN of the key.

Example Configuration

resource "aws_db_instance" "main" {
  storage_encrypted    = true
  # other required fields here
resource "aws_rds_cluster" "main" {
  storage_encrypted       = true
  # other required fields here