RDS instances should be encrypted (AWS-managed keys or KMS CMKs)


Encrypted RDS DB instances provide an additional layer of data protection by securing your data from unauthorized access to the underlying storage. Data that is encrypted at rest includes the underlying storage for a DB instance, its automated backups, Read Replicas, and snapshots.

Console Remediation Steps

  • You cannot modify an existing database to enable encryption. You need to migrate to a new RDS instance. Navigate to RDS.

  • In the left navigation, select Snapshots.

  • Create a database snapshot.

  • Make a copy of the snapshot and make sure to enable encryption.

CLI Remediation Steps

  • List all RDS instances:

    • aws rds describe-db-instances --query 'DBInstances[*].DBInstanceIdentifier'

  • Check if each RDS instance is encrypted:

    • aws rds describe-db-instances --db-instance-identifier <instance name> --query 'DBInstances[*].StorageEncrypted'

  • If an instance shows “false”, create a snapshot of it:

    • aws rds create-db-snapshot --db-instance-identifier <instance name> --db-snapshot-identifier <name of new snapshot>

  • Make an encrypted copy of the snapshot:

    • aws rds copy-db-snapshot --source-db-snapshot-identifier <instance name> --target-db-snapshot-identifier <new name of second snapshot> --kms-key-id <arn of RDS master key>

  • Restore snapshot to new database instance:

    • aws rds restore-db-instance-from-db-snapshot --db-instance-identifier <new db instance name> --db-snapshot-identifier <name of second snapshot>

  • Point your application to the new database instance.