RDS instances and Aurora DB clusters should be encrypted¶
Description¶
Encrypting your RDS DB instances and Aurora DB clusters protects the data at rest: the encryption covers the underlying storage volume as well as the automated backups, read replicas and snapshots derived from it, so the data cannot be read by anyone who gains access to that storage outside the database engine (for example through a copied snapshot). You have the option of using an AWS managed or customer managed KMS key for this purpose; a customer managed key additionally puts the key policy, rotation and usage audit under your control.
Note
This rule evaluates RDS DB instances and Aurora DB clusters.
Remediation Steps¶
AWS Console¶
You cannot enable encryption on an existing unencrypted DB instance or Aurora DB cluster. Instead you create an encrypted copy from a snapshot and migrate to it. Navigate to RDS.
In the left navigation, select Snapshots.
Create a snapshot of the unencrypted DB instance or Aurora DB cluster.
Copy the snapshot, enable encryption on the copy and select the KMS key to use.
Restore the encrypted snapshot copy to a new DB instance or cluster, point your application to it, and then delete the unencrypted original and its unencrypted snapshot, which still hold a plaintext copy of the data.
AWS CLI¶
To enable encryption on your RDS DB instance:
List all RDS DB instances:
aws rds describe-db-instances --query 'DBInstances[*].DBInstanceIdentifier'
Check if each RDS instance is encrypted:
aws rds describe-db-instances --db-instance-identifier <instance name> --query 'DBInstances[*].StorageEncrypted'
If an instance shows “false”, create a snapshot of it:
aws rds create-db-snapshot --db-instance-identifier <instance name> --db-snapshot-identifier <name of new snapshot>
Make an encrypted copy of the snapshot. The source is the snapshot created in the previous step, and the copy is encrypted only if a KMS key is specified:
aws rds copy-db-snapshot --source-db-snapshot-identifier <name of new snapshot> --target-db-snapshot-identifier <name of second snapshot> --kms-key-id <arn of RDS master key>
Restore snapshot to new database instance:
aws rds restore-db-instance-from-db-snapshot --db-instance-identifier <new db instance name> --db-snapshot-identifier <name of second snapshot>
Point your application to the new database instance. Once it is verified (StorageEncrypted reports true), delete the unencrypted instance and the unencrypted snapshot, which still hold a plaintext copy of the data.
To enable encryption on your Aurora DB cluster:
List all Aurora DB clusters and check whether each one is encrypted. Encryption is a property of the cluster, not of its individual instances:
aws rds describe-db-clusters --query 'DBClusters[*].[DBClusterIdentifier,StorageEncrypted]'
If a cluster shows "false", create a cluster snapshot of it:
aws rds create-db-cluster-snapshot --db-cluster-identifier <cluster name> --db-cluster-snapshot-identifier <name of new snapshot>
Make an encrypted copy of the cluster snapshot:
aws rds copy-db-cluster-snapshot --source-db-cluster-snapshot-identifier <name of new snapshot> --target-db-cluster-snapshot-identifier <name of second snapshot> --kms-key-id <arn of RDS master key>
Restore the encrypted snapshot to a new cluster. Restoring a cluster snapshot creates only the cluster, so add at least one DB instance to it afterwards:
aws rds restore-db-cluster-from-snapshot --db-cluster-identifier <new cluster name> --snapshot-identifier <name of second snapshot> --engine <engine>
aws rds create-db-instance --db-instance-identifier <new instance name> --db-cluster-identifier <new cluster name> --engine <engine> --db-instance-class <instance class>
Point your application to the new cluster endpoint. Once it is verified, delete the unencrypted cluster and the unencrypted cluster snapshot, which still hold a plaintext copy of the data.
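The following script is an added worked example, not part of the original rule text, that ties the CLI steps for both RDS instances and Aurora clusters together: it lists the unencrypted resources with a JMESPath filter, then runs the snapshot, encrypted copy and restore sequence with the matching aws rds wait waiters so that each step starts only once the previous one has completed. Everything beyond the commands shown above is an assumption of this example: the KMS_KEY_ARN environment variable, the -plain/-enc naming of the snapshots and the -enc suffix of the new resource, the DRY_RUN=1 switch that prints the commands instead of running them, and the engine and instance class you pass for Aurora.

```bash
#!/usr/bin/env sh
# Added example (not part of the original page): audit and remediate unencrypted
# RDS instances / Aurora clusters. Assumes a configured AWS CLI v2 with rds permissions,
# KMS_KEY_ARN set to the key to encrypt with, and DRY_RUN=1 to print instead of run.
set -eu

run() {
  # Run an aws command, or only print it when DRY_RUN=1 (handy for change review).
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf 'aws %s\n' "$*"
  else
    aws "$@"
  fi
}

# One identifier per line for every RDS instance whose storage is not encrypted.
# The JMESPath filter does the check inside the CLI, so no jq is needed.
unencrypted_instances() {
  aws rds describe-db-instances --output text \
    --query 'DBInstances[?StorageEncrypted==`false`].DBInstanceIdentifier' |
    tr '\t' '\n' | sed '/^$/d; /^None$/d'
}

# Same for Aurora: encryption is a property of the cluster, not of its instances.
unencrypted_clusters() {
  aws rds describe-db-clusters --output text \
    --query 'DBClusters[?StorageEncrypted==`false`].DBClusterIdentifier' |
    tr '\t' '\n' | sed '/^$/d; /^None$/d'
}

# Snapshot -> encrypted copy -> restore for one RDS instance.
# $1 = unencrypted instance identifier, $2 = KMS key ARN. The new instance is "$1-enc".
encrypt_instance() {
  src=$1; kms=$2; stamp=$(date +%Y%m%d%H%M%S)
  snap="$src-plain-$stamp"; esnap="$src-enc-$stamp"; dst="$src-enc"
  run rds create-db-snapshot --db-instance-identifier "$src" --db-snapshot-identifier "$snap"
  run rds wait db-snapshot-available --db-snapshot-identifier "$snap"
  run rds copy-db-snapshot --source-db-snapshot-identifier "$snap" \
    --target-db-snapshot-identifier "$esnap" --kms-key-id "$kms"
  run rds wait db-snapshot-available --db-snapshot-identifier "$esnap"
  run rds restore-db-instance-from-db-snapshot --db-instance-identifier "$dst" \
    --db-snapshot-identifier "$esnap"
  run rds wait db-instance-available --db-instance-identifier "$dst"
}

# Same flow for an Aurora cluster. $3 = engine (e.g. aurora-mysql), $4 = instance class.
# Restoring a cluster snapshot creates only the cluster, so a writer instance is added.
encrypt_cluster() {
  src=$1; kms=$2; engine=$3; class=$4; stamp=$(date +%Y%m%d%H%M%S)
  snap="$src-plain-$stamp"; esnap="$src-enc-$stamp"; dst="$src-enc"
  run rds create-db-cluster-snapshot --db-cluster-identifier "$src" \
    --db-cluster-snapshot-identifier "$snap"
  run rds wait db-cluster-snapshot-available --db-cluster-snapshot-identifier "$snap"
  run rds copy-db-cluster-snapshot --source-db-cluster-snapshot-identifier "$snap" \
    --target-db-cluster-snapshot-identifier "$esnap" --kms-key-id "$kms"
  run rds wait db-cluster-snapshot-available --db-cluster-snapshot-identifier "$esnap"
  run rds restore-db-cluster-from-snapshot --db-cluster-identifier "$dst" \
    --snapshot-identifier "$esnap" --engine "$engine"
  run rds wait db-cluster-available --db-cluster-identifier "$dst"
  run rds create-db-instance --db-instance-identifier "$dst-1" --db-cluster-identifier "$dst" \
    --engine "$engine" --db-instance-class "$class"
  run rds wait db-instance-available --db-instance-identifier "$dst-1"
}

# Print True/False for the StorageEncrypted flag of instance $1: verify after restoring.
instance_encrypted() {
  aws rds describe-db-instances --db-instance-identifier "$1" --output text \
    --query 'DBInstances[0].StorageEncrypted'
}

case "${1:-}" in
  audit)    echo '# unencrypted instances'; unencrypted_instances
            echo '# unencrypted clusters';  unencrypted_clusters ;;
  instance) encrypt_instance "$2" "${KMS_KEY_ARN:?set KMS_KEY_ARN}" ;;
  cluster)  encrypt_cluster  "$2" "${KMS_KEY_ARN:?set KMS_KEY_ARN}" "$3" "$4" ;;
  "")       : ;;   # no arguments: only define the functions (e.g. when sourced)
  *)        echo "usage: $0 audit | instance <id> | cluster <id> <engine> <class>" >&2; exit 2 ;;
esac
```

Run the audit first (for example ./rds-encrypt.sh audit, the file name being this example's choice), then KMS_KEY_ARN=... DRY_RUN=1 ./rds-encrypt.sh instance <id> to review the exact command sequence before running it for real. The script deliberately does not delete the unencrypted source or its plaintext snapshot: do that yourself only after cutting the application over and confirming with instance_encrypted that the new resource reports True.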
Terraform¶
Ensure that the aws_db_instance or aws_rds_cluster storage_encrypted field is set to true. If encrypting with a customer-managed KMS key, kms_key_id should be set to the ARN of the key. Note that storage_encrypted cannot be changed in place: Terraform plans a replacement of the resource, so for a database that already holds data perform the snapshot-based migration described above rather than flipping the flag on the existing resource.
Example Configuration¶
resource "aws_db_instance" "main" {
  storage_encrypted = true
  # Optional: customer-managed key. Omit kms_key_id to use the AWS managed aws/rds key.
  # kms_key_id = "<arn of customer-managed key>"
  # other required fields here
}
resource "aws_rds_cluster" "main" {
  storage_encrypted = true
  # kms_key_id = "<arn of customer-managed key>"
  # other required fields here; the cluster's aws_rds_cluster_instance resources inherit this setting
}