--- title: RDS storage not encrypted description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: >- Docs > Datadog Security > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > RDS storage not encrypted --- # RDS storage not encrypted {% callout %} # Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com {% alert level="danger" %} This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ({% placeholder "user-datadog-site-name" /%}). {% /alert %} {% /callout %} ## Metadata{% #metadata %} **Id:** `cloudformation-aws-rds-storage-not-encrypted` **Provider:** AWS **Platform:** CloudFormation **Severity:** High **Category:** Encryption #### Learn More{% #learn-more %} - [Provider Reference](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-database-instance.html) ### Description{% #description %} RDS database instances must have storage encryption enabled to protect data at rest and to ensure snapshots and automated backups are encrypted. Without it, sensitive database contents can be exposed if storage media or backups are compromised. In AWS CloudFormation, the `AWS::RDS::DBInstance` resource must define the `StorageEncrypted` property and set it to `true`. Resources missing `StorageEncrypted` or with `StorageEncrypted` set to `false` will be flagged. Optionally set `KmsKeyId` to use a customer-managed KMS key when you require specific key control. Secure configuration example: ```yaml MyDBInstance: Type: AWS::RDS::DBInstance Properties: DBInstanceIdentifier: my-encrypted-db Engine: postgres EngineVersion: '14.7' DBInstanceClass: db.t3.micro AllocatedStorage: 20 MasterUsername: admin MasterUserPassword: !Ref DBPassword StorageEncrypted: true KmsKeyId: !Ref MyKMSKey ``` ## Compliant Code Examples{% #compliant-code-examples %} ```yaml AWSTemplateFormatVersion: 2010-09-09 Description: RDS Storage Encrypted Parameters: SourceDBInstanceIdentifier: Type: String DBInstanceType: Type: String SourceRegion: Type: String Resources: MyKey: Type: "AWS::KMS::Key" Properties: KeyPolicy: Version: 2012-10-17 Id: key-default-1 Statement: - Sid: Enable IAM User Permissions Effect: Allow Principal: AWS: !Join - "" - - "arn:aws:iam::" - !Ref "AWS::AccountId" - ":root" Action: "kms:*" Resource: "*" MyDBSmall: Type: "AWS::RDS::DBInstance" Properties: DBInstanceClass: !Ref DBInstanceType SourceDBInstanceIdentifier: !Ref SourceDBInstanceIdentifier SourceRegion: !Ref SourceRegion KmsKeyId: !Ref MyKey StorageEncrypted: true ``` ```json { "Description": "RDS Storage Encrypted", "Parameters": { "SourceRegion": { "Type": "String" }, "SourceDBInstanceIdentifier": { "Type": "String" }, "DBInstanceType": { "Type": "String" } }, "Resources": { "MyDBSmall": { "Type": "AWS::RDS::DBInstance", "Properties": { "SourceDBInstanceIdentifier": "SourceDBInstanceIdentifier", "SourceRegion": "SourceRegion", "KmsKeyId": "MyKey", "StorageEncrypted": true, "DBInstanceClass": "DBInstanceType" } }, "MyKey": { "Type": "AWS::KMS::Key", "Properties": { "KeyPolicy": { "Version": "2012-10-17T00:00:00Z", "Id": "key-default-1", "Statement": [ { "Sid": "Enable IAM User Permissions", "Effect": "Allow", "Principal": { "AWS": [ "", [ "arn:aws:iam::", "AWS::AccountId", ":root" ] ] }, "Action": "kms:*", "Resource": "*" } ] } } } }, "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z" } ``` ## Non-Compliant Code Examples{% #non-compliant-code-examples %} ```yaml AWSTemplateFormatVersion: 2010-09-09 Description: RDS Storage Encrypted Parameters: SourceDBInstanceIdentifier: Type: String DBInstanceType: Type: String SourceRegion: Type: String Resources: MyKey: Type: "AWS::KMS::Key" Properties: KeyPolicy: Version: 2012-10-17 Id: key-default-1 Statement: - Sid: Enable IAM User Permissions Effect: Allow Principal: AWS: !Join - "" - - "arn:aws:iam::" - !Ref "AWS::AccountId" - ":root" Action: "kms:*" Resource: "*" MyDBSmall: Type: "AWS::RDS::DBInstance" Properties: DBInstanceClass: !Ref DBInstanceType SourceDBInstanceIdentifier: !Ref SourceDBInstanceIdentifier SourceRegion: !Ref SourceRegion KmsKeyId: !Ref MyKey StorageEncrypted: false ``` ```yaml AWSTemplateFormatVersion: 2010-09-11 Description: RDS Storage Encrypted2 Parameters: SourceDBInstanceIdentifier: Type: String DBInstanceType: Type: String SourceRegion: Type: String Resources: MyKey2: Type: "AWS::KMS::Key" Properties: KeyPolicy: Version: 2012-10-17 Id: key-default-1 Statement: - Sid: Enable IAM User Permissions Effect: Allow Principal: AWS: !Join - "" - - "arn:aws:iam::" - !Ref "AWS::AccountId" - ":root" Action: "kms:*" Resource: "*" MyDBSmall2: Type: "AWS::RDS::DBInstance" Properties: DBInstanceClass: !Ref DBInstanceType SourceDBInstanceIdentifier: !Ref SourceDBInstanceIdentifier SourceRegion: !Ref SourceRegion KmsKeyId: !Ref MyKey ``` ```json { "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", "Description": "RDS Storage Encrypted", "Parameters": { "SourceDBInstanceIdentifier": { "Type": "String" }, "DBInstanceType": { "Type": "String" }, "SourceRegion": { "Type": "String" } }, "Resources": { "MyKey": { "Type": "AWS::KMS::Key", "Properties": { "KeyPolicy": { "Version": "2012-10-17T00:00:00Z", "Id": "key-default-1", "Statement": [ { "Sid": "Enable IAM User Permissions", "Effect": "Allow", "Principal": { "AWS": [ "", [ "arn:aws:iam::", "AWS::AccountId", ":root" ] ] }, "Action": "kms:*", "Resource": "*" } ] } } }, "MyDBSmall": { "Type": "AWS::RDS::DBInstance", "Properties": { "DBInstanceClass": "DBInstanceType", "SourceDBInstanceIdentifier": "SourceDBInstanceIdentifier", "SourceRegion": "SourceRegion", "KmsKeyId": "MyKey", "StorageEncrypted": false } } } } ```