RDS instances should be encrypted with KMS CMKs

Description

Encrypted RDS DB instances provide an additional layer of data protection by securing your data from unauthorized access to the underlying storage. Data that is encrypted at rest includes the underlying storage for a DB instance, its automated backups, Read Replicas, and snapshots.

Console Remediation Steps

To enable encryption, you will need to create a new DB instance with KMS CMK encryption enabled, then migrate your existing data to the new, encrypted RDS instance. For more information, refer to:

CLI Remediation Steps

To enable encryption, you will need to create a new DB instance with KMS CMK encryption enabled, then migrate your existing data to the new, encrypted RDS instance. For more information, refer to:

  • create-db-instance, setting the --kms-key-id parameter to the Amazon Resource Name (ARN) of the AWS KMS encryption key for the DB instance
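As an added example (not part of the original page), the script below flags unencrypted instances in describe-db-instances output and builds the create-db-instance command for the encrypted replacement. The inventory lines, the account ID and the key ID are constructed so that it runs offline; other parameters that create-db-instance requires (storage size, master credentials, subnet group) are left out.

```shell
#!/bin/sh
# Added example, not from the original page. Assumes the tab-separated output of
#   aws rds describe-db-instances --output text \
#     --query 'DBInstances[].[DBInstanceIdentifier,StorageEncrypted,KmsKeyId]'
# which is constructed inline below so the script runs without AWS access.

# Constructed sample inventory: identifier, StorageEncrypted, KmsKeyId ("None" when absent).
SAMPLE_INVENTORY="$(printf '%s\t%s\t%s\n' \
  'orders-db'  'True'  'arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID' \
  'legacy-db'  'False' 'None' \
  'reports-db' 'True'  'arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID')"

# Print the identifiers of instances whose storage is not encrypted (reads stdin).
list_unencrypted() {
  awk -F'\t' '$2 != "True" { print $1 }'
}

# Build the create-db-instance command for the encrypted replacement instance.
# Refuses to proceed unless the key is given as a KMS key ARN: with
# --storage-encrypted but no --kms-key-id, RDS falls back to the default
# aws/rds key rather than the customer-managed key this rule requires.
encrypted_create_cmd() {
  identifier="$1"; class="$2"; engine="$3"; kms_key_arn="$4"
  case "$kms_key_arn" in
    arn:aws:kms:*:key/*) ;;
    *) echo "refusing: --kms-key-id must be a KMS key ARN, got '$kms_key_arn'" >&2
       return 1 ;;
  esac
  printf 'aws rds create-db-instance --db-instance-identifier %s --db-instance-class %s --engine %s --storage-encrypted --kms-key-id %s\n' \
    "$identifier" "$class" "$engine" "$kms_key_arn"
}

main() {
  echo "Unencrypted RDS instances in the (constructed) inventory:"
  printf '%s\n' "$SAMPLE_INVENTORY" | list_unencrypted
  echo
  echo "Command to create the encrypted replacement for legacy-db:"
  encrypted_create_cmd legacy-db-encrypted db.t3.medium postgres \
    'arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID'
}
main
```

After the replacement instance exists, the data migration step from the remediation text still has to be carried out before the unencrypted instance is retired.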