---
title: DB instance storage not encrypted
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > Code Security > Infrastructure as Code (IaC)
  Security > IaC Security Rules > DB instance storage not encrypted
---

# DB instance storage not encrypted

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ({% placeholder "user-datadog-site-name" /%}).
{% /alert %}

{% /callout %}

## Metadata{% #metadata %}

**Id:** `ansible-aws-db-instance-storage-not-encrypted`

**Provider:** AWS

**Platform:** Ansible

**Severity:** High

**Category:** Encryption

#### Learn More{% #learn-more %}

- [Provider Reference](https://docs.ansible.com/ansible/latest/collections/amazon/aws/rds_instance_module.html)

### Description{% #description %}

RDS instances must have storage encryption enabled to protect data at rest, including database files, automated backups, and snapshots. Without encryption, this data is exposed to unauthorized access if storage media or snapshots are compromised.

For Ansible resources using the `amazon.aws.rds_instance` or `rds_instance` modules, set `storage_encrypted` to `true`. If you are using a customer-managed key, also define `kms_key_id`. This rule flags instances where `storage_encrypted` is undefined or set to `false` and no `kms_key_id` is provided.

```yaml
- name: Create encrypted RDS instance
  amazon.aws.rds_instance:
    db_instance_identifier: mydb
    engine: mysql
    allocated_storage: 20
    master_username: admin
    master_user_password: secret
    storage_encrypted: true
    kms_key_id: arn:aws:kms:us-east-1:123456789012:key/abcd-ef01-2345-6789-abcd
```
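The rule logic described above (flag a task when `storage_encrypted` is undefined or false and no `kms_key_id` is set) can be reproduced locally to pre-check playbooks before they reach the scanner. The following is an added example, not Datadog's own rule implementation: it operates on tasks already parsed into Python dicts (in practice, the output of `yaml.safe_load` on a playbook), mirrors Ansible's boolean coercion for the string spellings `yes`/`no`/`true`/`false` as an assumption, and treats an unresolved Jinja expression in `storage_encrypted` as undefined. The sample tasks at the bottom are constructed to match the compliant and non-compliant examples on this page.

```python
"""Local pre-check mirroring the ansible-aws-db-instance-storage-not-encrypted rule."""
from typing import Any, Dict, List, Optional

# Module names the rule applies to (taken from the rule description).
RDS_MODULES = ("amazon.aws.rds_instance", "rds_instance")

# Assumption: these spellings follow Ansible's boolean coercion; YAML-native
# booleans (True/False) pass through unchanged.
_TRUE_WORDS = {"yes", "on", "1", "true", "y", "t"}
_FALSE_WORDS = {"no", "off", "0", "false", "n", "f"}


def to_bool(value: Any) -> Optional[bool]:
    """Return True/False for a recognised boolean, None if unset or unresolvable."""
    if isinstance(value, bool):
        return value
    if isinstance(value, (int, float)):
        return bool(value)
    if isinstance(value, str):
        word = value.strip().lower()
        if word in _TRUE_WORDS:
            return True
        if word in _FALSE_WORDS:
            return False
    # None, a Jinja template such as "{{ encrypt }}", or anything else: undefined
    return None


def rds_params(task: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    """Return the module arguments if the task uses one of the RDS modules."""
    for module in RDS_MODULES:
        if module in task:
            return task[module] or {}
    return None


def check_task(task: Dict[str, Any]) -> Optional[str]:
    """Apply the rule to one task; return a finding string or None if compliant."""
    params = rds_params(task)
    if params is None:
        return None  # not an RDS instance task, rule does not apply
    encrypted = to_bool(params.get("storage_encrypted"))
    if encrypted is True:
        return None  # explicit encryption at rest
    if params.get("kms_key_id"):
        return None  # customer-managed key implies encrypted storage
    ident = params.get("db_instance_identifier") or task.get("name", "<unnamed>")
    reason = "storage_encrypted is false" if encrypted is False else "storage_encrypted is undefined"
    return f"{ident}: {reason} and no kms_key_id is set"


def scan_tasks(tasks: List[Dict[str, Any]]) -> List[str]:
    """Run the rule over a list of parsed tasks and collect findings."""
    return [finding for finding in map(check_task, tasks) if finding]


# Constructed sample tasks, shaped like the examples on this page.
SAMPLE_TASKS: List[Dict[str, Any]] = [
    {"name": "foo", "amazon.aws.rds_instance": {"db_instance_identifier": "my-db-1", "storage_encrypted": True}},
    {"name": "foo2", "amazon.aws.rds_instance": {"db_instance_identifier": "my-db-2", "storage_encrypted": "yes"}},
    {"name": "foo3", "amazon.aws.rds_instance": {"db_instance_identifier": "my-db-3", "kms_key_id": "sup3rstr0ngK3y"}},
    {"name": "bad1", "amazon.aws.rds_instance": {"db_instance_identifier": "my-db-4", "storage_encrypted": False}},
    {"name": "bad2", "rds_instance": {"db_instance_identifier": "my-db-5", "storage_encrypted": "no"}},
    {"name": "bad3", "amazon.aws.rds_instance": {"db_instance_identifier": "my-db-6"}},
    {"name": "unrelated", "amazon.aws.s3_bucket": {"name": "not-an-rds-task"}},
]

if __name__ == "__main__":
    for line in scan_tasks(SAMPLE_TASKS):
        print(line)
```

A quoted `"{{ encrypt }}"` value is reported as undefined rather than silently accepted, which matches the conservative behaviour a static scanner has to take when it cannot resolve variables; resolve such values or set `storage_encrypted: true` literally so the intent is visible in the playbook.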

## Compliant Code Examples{% #compliant-code-examples %}

```yaml
- name: foo
  amazon.aws.rds_instance:
    db_instance_identifier: my-db-1
    id: test-encrypted-db
    state: present
    engine: mariadb
    storage_encrypted: true
    db_instance_class: db.t2.medium
    username: '{{ username }}'
    password: '{{ password }}'
    allocated_storage: '{{ allocated_storage }}'
- name: foo2
  amazon.aws.rds_instance:
    db_instance_identifier: my-db-2
    id: test-encrypted-db
    state: present
    engine: mariadb
    storage_encrypted: yes
    db_instance_class: db.t2.medium
    username: '{{ username }}'
    password: '{{ password }}'
    allocated_storage: '{{ allocated_storage }}'
- name: foo3
  amazon.aws.rds_instance:
    db_instance_identifier: my-db-3
    id: test-encrypted-db
    state: present
    engine: mariadb
    kms_key_id: sup3rstr0ngK3y
    db_instance_class: db.t2.medium
    username: '{{ username }}'
    password: '{{ password }}'
    allocated_storage: '{{ allocated_storage }}'
```

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```yaml
---
- name: foo
  amazon.aws.rds_instance:
    db_instance_identifier: my-db-1
    id: test-encrypted-db
    state: present
    engine: mariadb
    storage_encrypted: False
    db_instance_class: db.t2.medium
    username: "{{ username }}"
    password: "{{ password }}"
    allocated_storage: "{{ allocated_storage }}"
- name: foo2
  amazon.aws.rds_instance:
    db_instance_identifier: my-db-2
    id: test-encrypted-db
    state: present
    engine: mariadb
    storage_encrypted: no
    db_instance_class: db.t2.medium
    username: "{{ username }}"
    password: "{{ password }}"
    allocated_storage: "{{ allocated_storage }}"
- name: foo3
  amazon.aws.rds_instance:
    db_instance_identifier: my-db-3
    id: test-encrypted-db
    state: present
    engine: mariadb
    db_instance_class: db.t2.medium
    username: "{{ username }}"
    password: "{{ password }}"
    allocated_storage: "{{ allocated_storage }}"
```
