RDS instances and Aurora DB clusters should be encrypted

Description

Encrypting your RDS DB instances and Aurora DB clusters provides an extra layer of security by securing your data from unauthorized access. You have the option of using an AWS managed or customer managed KMS key for this purpose.

Note

This rule evaluates RDS DB instances and Aurora DB clusters.

Remediation Steps

AWS Console

• You cannot modify an existing database or Aurora database cluster to enable encryption. You need to migrate to a new RDS instance. Navigate to RDS.

• In the left navigation, select Snapshots.

• Create a database snapshot.

• Make a copy of the snapshot and make sure to enable encryption.

AWS CLI

To enable encryption on your RDS DB instance:

• List all RDS DB instances:

  • aws rds describe-db-instances --query 'DBInstances[*].DBInstanceIdentifier'

• Check if each RDS instance is encrypted:

  • aws rds describe-db-instances --db-instance-identifier <instance name> --query 'DBInstances[*].StorageEncrypted'

• If an instance shows “false”, create a snapshot of it:

  • aws rds create-db-snapshot --db-instance-identifier <instance name> --db-snapshot-identifier <name of new snapshot>

• Make an encrypted copy of the snapshot:

  • aws rds copy-db-snapshot --source-db-snapshot-identifier <instance name> --target-db-snapshot-identifier <new name of second snapshot> --kms-key-id <arn of RDS master key>

• Restore snapshot to new database instance:

  • aws rds restore-db-instance-from-db-snapshot --db-instance-identifier <new db instance name> --db-snapshot-identifier <name of second snapshot>

• Point your application to the new database instance.

To enable encryption on your Aurora DB cluster:

• List all RDS Aurora DB clusters and check if it is encrypted:

  • aws rds describe-db-clusters

• If an instance shows “false”, create a snapshot of it:

  • aws rds create-db-snapshot --db-instance-identifier <instance name> --db-snapshot-identifier <name of new snapshot>

• Make an encrypted copy of the snapshot:

  • aws rds copy-db-snapshot --source-db-snapshot-identifier <instance name> --target-db-snapshot-identifier <new name of second snapshot> --kms-key-id <arn of RDS master key>

• Restore snapshot to new database instance:

  • aws rds restore-db-instance-from-db-snapshot --db-instance-identifier <new db instance name> --db-snapshot-identifier <name of second snapshot>

• Point your application to the new database instance.

Terraform

• Ensure that the aws_db_instance or aws_rds_cluster storage_encrypted field is set to true. If encrypting with a customer-managed KMS key, kms_key_id should be set to the ARN of the key.

Example Configuration

resource "aws_db_instance" "main" {
  storage_encrypted    = true
  # other required fields here
}

resource "aws_rds_cluster" "main" {
  storage_encrypted       = true
  # other required fields here
}

Documentation Links

Runtime

• Encrypting Amazon RDS Resources

• Backing Up and Restoring Amazon RDS DB Instances

• CLI: describe-db-instances

• CLI: create-db-snapshot

• CLI: copy-db-snapshot

• CLI: restore-db-snapshot

• Encrypting an Amazon Aurora DB cluster

• describe-db-clusters

Terraform

• Resource: aws_db_instance

  • Field: storage_encrypted

• Resource: aws_rds_cluster

  • Field: storage_encrypted