RDS instances should be encrypted with customer managed KMS keys

Description

Encrypting RDS DB instances and clusters with customer managed KMS keys adds a layer of security over AWS managed KMS keys: it helps prevent key expiration and gives you control over how the key is created.

Console Remediation Steps

To enable encryption, you will need to create a new database instance with encryption enabled using a KMS CMK, then migrate your existing data to the new, CMK-encrypted RDS instance. For more information, refer to:

CLI Remediation Steps

To enable encryption, you will need to create a new database instance with encryption enabled using a KMS CMK, then migrate your existing data to the new, CMK-encrypted RDS instance. For more information, refer to:

  • create-db-instance and set the --kms-key-id parameter to the Amazon Resource Name (ARN) for the AWS KMS encryption key for the DB instance
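As an added example that is not part of this policy page, the check below evaluates the rule over the shape of the aws rds describe-db-instances and aws kms describe-key responses. The instance records and key metadata are constructed sample data with placeholder ARNs; in practice you would feed real CLI or boto3 output into find_noncompliant().

```python
# Added example (not from the policy page): flag RDS instances that are unencrypted
# or encrypted with an AWS managed key rather than a customer managed key (CMK).
import json

# Constructed sample of `aws rds describe-db-instances` output (placeholder ARNs).
DESCRIBE_DB_INSTANCES = json.loads("""
{"DBInstances": [
  {"DBInstanceIdentifier": "orders-db", "StorageEncrypted": true,
   "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/cmk-0000-customer"},
  {"DBInstanceIdentifier": "legacy-db", "StorageEncrypted": false},
  {"DBInstanceIdentifier": "reports-db", "StorageEncrypted": true,
   "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/aws-0000-managed"}
]}
""")

# Constructed sample of `aws kms describe-key` KeyMetadata, keyed by key ARN.
# KeyManager is "AWS" for AWS managed keys and "CUSTOMER" for customer managed keys.
KEY_METADATA = {
    "arn:aws:kms:us-east-1:111122223333:key/cmk-0000-customer": {"KeyManager": "CUSTOMER"},
    "arn:aws:kms:us-east-1:111122223333:key/aws-0000-managed": {"KeyManager": "AWS"},
}


def evaluate_instance(instance, key_metadata):
    """Return (compliant, reason) for one DBInstance record."""
    if not instance.get("StorageEncrypted"):
        return False, "storage not encrypted"
    meta = key_metadata.get(instance.get("KmsKeyId"))
    if meta is None:
        return False, "KMS key metadata unavailable"
    if meta.get("KeyManager") != "CUSTOMER":
        return False, "encrypted with an AWS managed key"
    return True, "encrypted with a customer managed key"


def find_noncompliant(describe_output, key_metadata):
    """Map DBInstanceIdentifier -> reason for every instance that fails the policy."""
    findings = {}
    for inst in describe_output["DBInstances"]:
        ok, reason = evaluate_instance(inst, key_metadata)
        if not ok:
            findings[inst["DBInstanceIdentifier"]] = reason
    return findings


if __name__ == "__main__":
    for name, reason in find_noncompliant(DESCRIBE_DB_INSTANCES, KEY_METADATA).items():
        # Remediation per the policy: recreate with `create-db-instance --kms-key-id <CMK ARN>`
        # and migrate the data, since encryption is not switched on in place.
        print(f"{name}: {reason}")
```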