RDS instances should be encrypted (AWS-managed or customer-managed KMS CMKs)


Encrypting your RDS DB instances provides an extra layer of security by securing your data from unauthorized access.

Console Remediation Steps

  • You cannot modify an existing database to enable encryption. You need to migrate to a new RDS instance. Navigate to RDS.

  • In the left navigation, select Snapshots.

  • Create a database snapshot.

  • Make a copy of the snapshot and make sure to enable encryption.

CLI Remediation Steps

  • List all RDS instances:

    • aws rds describe-db-instances --query 'DBInstances[*].DBInstanceIdentifier'

  • Check if each RDS instance is encrypted:

    • aws rds describe-db-instances --db-instance-identifier <instance name> --query 'DBInstances[*].StorageEncrypted'

  • If an instance shows “false”, create a snapshot of it:

    • aws rds create-db-snapshot --db-instance-identifier <instance name> --db-snapshot-identifier <name of new snapshot>

  • Make an encrypted copy of the snapshot:

    • aws rds copy-db-snapshot --source-db-snapshot-identifier <instance name> --target-db-snapshot-identifier <new name of second snapshot> --kms-key-id <arn of RDS master key>

  • Restore snapshot to new database instance:

    • aws rds restore-db-instance-from-db-snapshot --db-instance-identifier <new db instance name> --db-snapshot-identifier <name of second snapshot>

  • Point your application to the new database instance.