RDS instances should be encrypted (AWS-managed or customer-managed KMS CMKs)
Description
Enabling encryption at rest on an RDS DB instance encrypts the underlying storage with an AWS KMS key, and that protection carries over to the instance's automated backups, manual snapshots and read replicas. Data on the storage layer (for example a snapshot copied or shared out of the account) cannot be read without access to the key. The key can be the AWS-managed key for RDS (aws/rds) or a customer-managed KMS key; the latter additionally lets you control the key policy, rotation and CloudTrail auditing of key use.
Console Remediation Steps
Encryption cannot be turned on for an existing DB instance; the instance has to be replaced by one restored from an encrypted snapshot. Navigate to RDS.
In the left navigation, select Snapshots.
Take a snapshot of the unencrypted DB instance.
Select the snapshot, choose Copy snapshot, enable encryption and choose the KMS key (aws/rds or a customer-managed key).
Select the encrypted copy and choose Restore snapshot to create a new DB instance from it. Point your application at the new instance and delete the old instance and the unencrypted snapshot once the data has been verified.
CLI Remediation Steps
List all RDS instances:
aws rds describe-db-instances --query 'DBInstances[*].DBInstanceIdentifier'
Check if each RDS instance is encrypted:
aws rds describe-db-instances --db-instance-identifier <instance name> --query 'DBInstances[*].StorageEncrypted'
If an instance shows “False”, create a snapshot of it. Writes made to the instance after this point will not be in the new instance, so take the snapshot during a maintenance window or after stopping writes:
aws rds create-db-snapshot --db-instance-identifier <instance name> --db-snapshot-identifier <snapshot name>
Wait for the snapshot to become available, then copy it. The source is the snapshot identifier, not the instance name, and supplying --kms-key-id is what makes the copy encrypted:
aws rds wait db-snapshot-available --db-snapshot-identifier <snapshot name>
aws rds copy-db-snapshot --source-db-snapshot-identifier <snapshot name> --target-db-snapshot-identifier <encrypted snapshot name> --kms-key-id <ARN of the RDS KMS key>
Restore the encrypted snapshot to a new DB instance. The restored instance inherits the snapshot's encryption and key. Unless you pass them explicitly, the restore uses the default DB parameter group and the default VPC security group, so add --db-subnet-group-name, --vpc-security-group-ids, --db-parameter-group-name and --db-instance-class where the original instance did not use the defaults:
aws rds restore-db-instance-from-db-snapshot --db-instance-identifier <new db instance name> --db-snapshot-identifier <encrypted snapshot name>
Confirm the new instance reports StorageEncrypted as True, point your application to the new database instance, and delete the old instance and the unencrypted snapshot once the migration is verified.
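The whole CLI procedure in one script, as an added example that is not part of the original page: it audits every instance in the current region and, for each one whose StorageEncrypted is False, generates and runs the snapshot, encrypted copy and restore commands with wait commands between them. The KMS_KEY_ARN, DRY_RUN and RDS_ENCRYPT_RUN variables, the -pre-encrypt and -encrypted naming, and the sample audit output used in comments are assumptions of this example. Run it with DRY_RUN=1 first to review the generated commands.

```shell
#!/bin/sh
# Added example (not from the original page): audit and remediate unencrypted RDS instances.
# Assumptions: KMS_KEY_ARN holds the ARN of the KMS key to encrypt with; RDS_ENCRYPT_RUN=1
# actually runs main; DRY_RUN=1 only prints the commands that would be executed.
set -eu

# Reads lines of the form "<instance id>\t<True|False>" (the --output text form of the
# audit query below) on stdin and prints the identifiers whose StorageEncrypted is False.
list_unencrypted() {
  awk -F'\t' 'tolower($2) == "false" { print $1 }'
}

# Lists every DB instance with its encryption flag and filters to the unencrypted ones.
audit() {
  aws rds describe-db-instances \
    --query 'DBInstances[*].[DBInstanceIdentifier,StorageEncrypted]' \
    --output text | list_unencrypted
}

# Emits the remediation command sequence for one instance, one command per line, so it
# can be reviewed before anything runs. $3 (a timestamp) is optional and keeps names unique.
plan() {
  id="$1"; key="$2"; stamp="${3:-$(date -u +%Y%m%d%H%M)}"
  snap="${id}-pre-encrypt-${stamp}"
  enc="${snap}-encrypted"
  cat <<EOF
aws rds create-db-snapshot --db-instance-identifier ${id} --db-snapshot-identifier ${snap}
aws rds wait db-snapshot-available --db-snapshot-identifier ${snap}
aws rds copy-db-snapshot --source-db-snapshot-identifier ${snap} --target-db-snapshot-identifier ${enc} --kms-key-id ${key}
aws rds wait db-snapshot-available --db-snapshot-identifier ${enc}
aws rds restore-db-instance-from-db-snapshot --db-instance-identifier ${id}-encrypted --db-snapshot-identifier ${enc}
aws rds wait db-instance-available --db-instance-identifier ${id}-encrypted
aws rds describe-db-instances --db-instance-identifier ${id}-encrypted --query 'DBInstances[0].[StorageEncrypted,KmsKeyId]' --output text
EOF
}

# Runs the plan line by line; with DRY_RUN=1 it only prints each command.
# eval is safe here because every token comes from plan(), and RDS identifiers are
# restricted to letters, digits and hyphens.
remediate() {
  plan "$1" "$2" | while IFS= read -r cmd; do
    echo "+ $cmd"
    [ "${DRY_RUN:-0}" = "1" ] || eval "$cmd"
  done
}

main() {
  key="${KMS_KEY_ARN:?set KMS_KEY_ARN to the ARN of the KMS key for RDS}"
  audit | while read -r id; do
    remediate "$id" "$key"
  done
}

# Only run when explicitly asked, so the functions can be sourced and tested on their own.
if [ "${RDS_ENCRYPT_RUN:-0}" = "1" ]; then main "$@"; fi
```

Usage: `KMS_KEY_ARN=arn:aws:kms:... DRY_RUN=1 RDS_ENCRYPT_RUN=1 sh rds-encrypt.sh` prints the commands; drop DRY_RUN to execute them. The restore line inherits the default parameter group and VPC security group, so extend that line in plan() with the subnet group, security groups and instance class your instances need before running it for real, and switch applications to the `-encrypted` instance and delete the old one only after the final describe-db-instances line shows True.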