--- title: CMK unencrypted storage description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: >- Docs > Datadog Security > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > CMK unencrypted storage --- # CMK unencrypted storage {% callout %} # Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com {% alert level="danger" %} This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ({% placeholder "user-datadog-site-name" /%}). {% /alert %} {% /callout %} ## Metadata{% #metadata %} **Id:** `cloudformation-aws-cmk-unencrypted-storage` **Provider:** AWS **Platform:** CloudFormation **Severity:** High **Category:** Encryption #### Learn More{% #learn-more %} - [Provider Reference](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-database-instance.html) ### Description{% #description %} Storage encryption must be enabled for database and analytics clusters to protect data at rest and prevent exposure of sensitive data in volumes, snapshots, and backups if storage media or snapshots are compromised. In CloudFormation, the `StorageEncrypted` property must be defined and set to `true` for `AWS::RDS::DBInstance`, `AWS::RDS::DBCluster`, `AWS::RDS::GlobalCluster`, `AWS::DocDB::DBCluster`, and `AWS::Neptune::DBCluster`. For `AWS::Redshift::Cluster`, the `Encrypted` property must be defined and set to `true`. Resources missing these properties or with the properties set to `false` will be flagged. Secure configuration examples: ```yaml MyRdsInstance: Type: AWS::RDS::DBInstance Properties: DBInstanceIdentifier: my-db StorageEncrypted: true ``` ```yaml MyRedshiftCluster: Type: AWS::Redshift::Cluster Properties: ClusterIdentifier: my-redshift Encrypted: true ``` ## Compliant Code Examples{% #compliant-code-examples %} ```yaml AWSTemplateFormatVersion: 2010-09-09 Description: RDS Storage Encrypted Parameters: SourceDBInstanceIdentifier: Type: String DBInstanceType: Type: String SourceRegion: Type: String Resources: MyKey: Type: "AWS::KMS::Key" Properties: KeyPolicy: Version: 2012-10-17 Id: key-default-1 Statement: - Sid: Enable IAM User Permissions Effect: Allow Principal: AWS: !Join - "" - - "arn:aws:iam::" - !Ref "AWS::AccountId" - ":root" Action: "kms:*" Resource: "*" MyDBSmall: Type: "AWS::RDS::DBInstance" Properties: DBInstanceClass: !Ref DBInstanceType SourceDBInstanceIdentifier: !Ref SourceDBInstanceIdentifier SourceRegion: !Ref SourceRegion KmsKeyId: !Ref MyKey StorageEncrypted: true ``` ```yaml AWSTemplateFormatVersion: 2010-09-09 Description: >- AWS CloudFormation Sample Template Parameters: DBUsername: NoEcho: 'true' Description: Username for MySQL database access Type: String MinLength: '1' MaxLength: '16' AllowedPattern: '[a-zA-Z][a-zA-Z0-9]*' ConstraintDescription: must begin with a letter and contain only alphanumeric characters. DBPassword: NoEcho: 'true' Description: Password MySQL database access Type: String MinLength: '8' MaxLength: '41' AllowedPattern: '[a-zA-Z0-9]*' ConstraintDescription: must contain only alphanumeric characters. Resources: MyKey-0: Type: "AWS::KMS::Key" Properties: KeyPolicy: Version: 2012-10-17 Id: key-default-1 Statement: - Sid: Enable IAM User Permissions Effect: Allow Principal: AWS: !Join - "" - - "arn:aws:iam::" - !Ref "AWS::AccountId" - ":root" Action: "kms:*" Resource: "*" RDSCluster: Type: 'AWS::RDS::DBCluster' Properties: MasterUsername: !Ref DBUsername MasterUserPassword: !Ref DBPassword DBClusterIdentifier: my-serverless-cluster Engine: aurora EngineVersion: 5.6.10a EngineMode: serverless ScalingConfiguration: AutoPause: true MinCapacity: 4 MaxCapacity: 32 SecondsUntilAutoPause: 1000 KmsKeyId: !Ref MyKey-0 StorageEncrypted: true ``` ```json { "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", "Description": "RDS Storage Encrypted", "Parameters": { "SourceDBInstanceIdentifier": { "Type": "String" }, "DBInstanceType": { "Type": "String" }, "SourceRegion": { "Type": "String" } }, "Resources": { "MyKey": { "Type": "AWS::KMS::Key", "Properties": { "KeyPolicy": { "Version": "2012-10-17T00:00:00Z", "Id": "key-default-1", "Statement": [ { "Principal": { "AWS": [ "", [ "arn:aws:iam::", "AWS::AccountId", ":root" ] ] }, "Action": "kms:*", "Resource": "*", "Sid": "Enable IAM User Permissions", "Effect": "Allow" } ] } } }, "MyDBSmall": { "Type": "AWS::RDS::DBInstance", "Properties": { "SourceRegion": "SourceRegion", "KmsKeyId": "MyKey", "StorageEncrypted": true, "DBInstanceClass": "DBInstanceType", "SourceDBInstanceIdentifier": "SourceDBInstanceIdentifier" } } } } ``` ## Non-Compliant Code Examples{% #non-compliant-code-examples %} ```yaml AWSTemplateFormatVersion: 2010-09-09 Description: >- AWS CloudFormation Sample Parameters: DBInstanceID: Default: mydbinstance Description: My database instance Type: String MinLength: '1' MaxLength: '63' AllowedPattern: '[a-zA-Z][a-zA-Z0-9]*' ConstraintDescription: >- Must begin with a letter and must not end with a hyphen or contain two consecutive hyphens. DBName: Default: mydb Description: My database Type: String MinLength: '1' MaxLength: '64' AllowedPattern: '[a-zA-Z][a-zA-Z0-9]*' ConstraintDescription: Must begin with a letter and contain only alphanumeric characters. DBInstanceClass: Default: db.m5.large Description: DB instance class Type: String ConstraintDescription: Must select a valid DB instance type. DBAllocatedStorage: Default: '50' Description: The size of the database (GiB) Type: Number MinValue: '5' MaxValue: '1024' ConstraintDescription: must be between 20 and 65536 GiB. DBUsername: NoEcho: 'true' Description: Username for MySQL database access Type: String MinLength: '1' MaxLength: '16' AllowedPattern: '[a-zA-Z][a-zA-Z0-9]*' ConstraintDescription: must begin with a letter and contain only alphanumeric characters. DBPassword: NoEcho: 'true' Description: Password MySQL database access Type: String MinLength: '8' MaxLength: '41' AllowedPattern: '[a-zA-Z0-9]*' ConstraintDescription: must contain only alphanumeric characters. Resources: MyDB: Type: 'AWS::RDS::DBInstance' Properties: DBInstanceIdentifier: !Ref DBInstanceID DBName: !Ref DBName DBInstanceClass: !Ref DBInstanceClass AllocatedStorage: !Ref DBAllocatedStorage Engine: MySQL EngineVersion: 8.0.16 MasterUsername: !Ref DBUsername MasterUserPassword: !Ref DBPassword MonitoringInterval: '60' MonitoringRoleArn: 'arn:aws:iam::123456789012:role/rds-monitoring-role' ``` ```yaml AWSTemplateFormatVersion: 2010-09-09 Description: >- AWS CloudFormation Sample Template Parameters: DBUsername: NoEcho: "true" Description: Username for MySQL database access Type: String MinLength: "1" MaxLength: "16" AllowedPattern: "[a-zA-Z][a-zA-Z0-9]*" ConstraintDescription: must begin with a letter and contain only alphanumeric characters. DBPassword: NoEcho: "true" Description: Password MySQL database access Type: String MinLength: "8" MaxLength: "41" AllowedPattern: "[a-zA-Z0-9]*" ConstraintDescription: must contain only alphanumeric characters. Resources: RDSCluster1: Type: "AWS::RDS::DBCluster" Properties: MasterUsername: !Ref DBUsername MasterUserPassword: !Ref DBPassword DBClusterIdentifier: my-serverless-cluster Engine: aurora EngineVersion: 5.6.10a EngineMode: serverless ScalingConfiguration: AutoPause: true MinCapacity: 4 MaxCapacity: 32 SecondsUntilAutoPause: 1000 ``` ```yaml AWSTemplateFormatVersion: 2010-09-09 Description: >- AWS CloudFormation Sample Template AuroraServerlessDBCluster Parameters: DBUsername: NoEcho: 'true' Description: Username for MySQL database access Type: String MinLength: '1' MaxLength: '16' AllowedPattern: '[a-zA-Z][a-zA-Z0-9]*' ConstraintDescription: must begin with a letter and contain only alphanumeric characters. DBPassword: NoEcho: 'true' Description: Password MySQL database access Type: String MinLength: '8' MaxLength: '41' AllowedPattern: '[a-zA-Z0-9]*' ConstraintDescription: must contain only alphanumeric characters. Resources: RDSCluster-2: Type: 'AWS::RDS::DBCluster' Properties: MasterUsername: !Ref DBUsername MasterUserPassword: !Ref DBPassword DBClusterIdentifier: my-serverless-cluster Engine: aurora EngineVersion: 5.6.10a EngineMode: serverless ScalingConfiguration: AutoPause: true MinCapacity: 4 MaxCapacity: 32 SecondsUntilAutoPause: 1000 StorageEncrypted: false ```