RDS instances should be encrypted (AWS-managed or customer-managed KMS CMKs)

Description

Encrypting your RDS DB instances provides an extra layer of security by securing your data from unauthorized access.

Console Remediation Steps

• You cannot modify an existing database to enable encryption. You need to migrate to a new RDS instance. Navigate to RDS.

• In the left navigation, select Snapshots.

• Create a database snapshot.

• Make a copy of the snapshot and make sure to enable encryption.

CLI Remediation Steps

• List all RDS instances:

  • aws rds describe-db-instances --query 'DBInstances[*].DBInstanceIdentifier'

• Check if each RDS instance is encrypted:

  • aws rds describe-db-instances --db-instance-identifier <instance name> --query 'DBInstances[*].StorageEncrypted'

• If an instance shows “false”, create a snapshot of it:

  • aws rds create-db-snapshot --db-instance-identifier <instance name> --db-snapshot-identifier <name of new snapshot>

• Make an encrypted copy of the snapshot:

  • aws rds copy-db-snapshot --source-db-snapshot-identifier <instance name> --target-db-snapshot-identifier <new name of second snapshot> --kms-key-id <arn of RDS master key>

• Restore snapshot to new database instance:

  • aws rds restore-db-instance-from-db-snapshot --db-instance-identifier <new db instance name> --db-snapshot-identifier <name of second snapshot>

• Point your application to the new database instance.

Documentation Links

• Encrypting Amazon RDS Resources

• Copying a DB Snapshot

• Backing Up and Restoring Amazon RDS DB Instances

• describe-db-instances Command Line Reference

• create-db-snapshot Command Line Reference

• copy-db-snapshot Command Line Reference

• restore-db-snapshot Command Line Reference