RDS database instance should be encrypted


Description

Amazon RDS-encrypted database instances use the industry standard AES-256 encryption algorithm to encrypt your data on the server hosting your Amazon RDS DB instances. After your data is encrypted, Amazon RDS handles the authentication of access and decryption of your data transparently with a minimal impact on performance.

Rationale

With RDS encryption enabled, the data stored on the instance's underlying storage, its automated backups, read replicas, and snapshots are all encrypted.

Remediation

From the console

Follow the Enabling Amazon RDS encryption for a DB instance documentation to ensure your database instances are encrypted.

From the command line

  1. Run describe-db-instances with a query on the instance identifier to list the RDS database instances in the account.

     aws rds describe-db-instances \
         --query 'DBInstances[*].DBInstanceIdentifier'
    
  2. Run create-db-snapshot with any returned database instance you wish to modify.

     aws rds create-db-snapshot \
         --db-snapshot-identifier <insert-db-snapshot-id> \
         --db-instance-identifier <insert-db-id>
    
  3. Run list-aliases to list the KMS key aliases in the region, and note the key ID of the key you want to encrypt the copy with.

     aws kms list-aliases \
         --region <insert-region>
    
  4. Run copy-db-snapshot with the KMS key ID noted in step 3; the copied snapshot is encrypted with that key.

     aws rds copy-db-snapshot \
         --region <insert-region> \
         --source-db-snapshot-identifier <insert-original-db-snapshot-id> \
         --target-db-snapshot-identifier <insert-encrypted-db-snapshot-id> \
         --copy-tags \
         --kms-key-id <insert-kms-key-id>
    
  5. Run restore-db-instance-from-db-snapshot to restore a new, encrypted instance from the snapshot copy created in step 4.

     aws rds restore-db-instance-from-db-snapshot \
         --region <insert-region> \
         --db-instance-identifier <insert-encrypted-db-id> \
         --db-snapshot-identifier <insert-encrypted-db-snapshot-id>
    
  6. Run describe-db-instances against the instance identifier chosen in step 5 (not the snapshot identifier) and confirm that StorageEncrypted is true.

     aws rds describe-db-instances \
         --region <insert-region> \
         --db-instance-identifier <insert-encrypted-db-id> \
         --query 'DBInstances[*].StorageEncrypted'
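The snapshot-copy-restore procedure in steps 2 to 6, scripted end to end, as an added example that is not part of the original page: it waits for each resource to become available before the next step and then checks StorageEncrypted on the new instance identifier. It assumes the AWS CLI is installed with credentials configured; the source instance, region and KMS key ID are supplied as arguments, and the naming helpers are assumptions of this script.

```shell
#!/bin/sh
# Added example, not code from the original page. Automates steps 2-6 with the
# AWS CLI; SOURCE_DB, REGION and KMS_KEY_ID come from the command line.
set -eu

# Naming helpers (assumptions of this script, not an AWS convention).
snapshot_name()           { printf '%s-pre-encrypt' "$1"; }
encrypted_snapshot_name() { printf '%s-encrypted' "$1"; }
encrypted_db_name()       { printf '%s-enc' "$1"; }

# Interpret the StorageEncrypted query result; the AWS CLI prints the boolean
# as "True"/"False" with --output text. Returns 0 only when encryption is on.
storage_encrypted() {
  case "$1" in
    True|true) return 0 ;;
    *)         return 1 ;;
  esac
}

migrate_to_encrypted() {
  src="$1"; region="$2"; key="$3"
  snap=$(snapshot_name "$src")
  enc_snap=$(encrypted_snapshot_name "$src")
  enc_db=$(encrypted_db_name "$src")

  # Step 2: snapshot the unencrypted instance and wait until it is available.
  aws rds create-db-snapshot --region "$region" \
      --db-instance-identifier "$src" --db-snapshot-identifier "$snap" >/dev/null
  aws rds wait db-snapshot-available --region "$region" --db-snapshot-identifier "$snap"

  # Step 4: copy the snapshot; the copy is encrypted with the given KMS key.
  aws rds copy-db-snapshot --region "$region" --copy-tags \
      --source-db-snapshot-identifier "$snap" \
      --target-db-snapshot-identifier "$enc_snap" --kms-key-id "$key" >/dev/null
  aws rds wait db-snapshot-available --region "$region" --db-snapshot-identifier "$enc_snap"

  # Step 5: restore a new instance from the encrypted copy.
  aws rds restore-db-instance-from-db-snapshot --region "$region" \
      --db-instance-identifier "$enc_db" --db-snapshot-identifier "$enc_snap" >/dev/null
  aws rds wait db-instance-available --region "$region" --db-instance-identifier "$enc_db"

  # Step 6: verify on the new instance identifier, not the snapshot identifier.
  state=$(aws rds describe-db-instances --region "$region" \
      --db-instance-identifier "$enc_db" \
      --query 'DBInstances[0].StorageEncrypted' --output text)
  storage_encrypted "$state" || { echo "$enc_db is NOT encrypted" >&2; return 1; }
  echo "$enc_db is encrypted; repoint clients to it, then retire $src"
}

# Usage: sh migrate.sh <source-db-id> <region> <kms-key-id>
if [ "$#" -eq 3 ]; then migrate_to_encrypted "$@"; fi
```

Writes that reach the source instance after the step 2 snapshot is taken are not in the restored instance, so stop application writes before snapshotting and only retire the old instance after the new one verifies.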