RDS cluster and instance snapshots should be encrypted at rest

Description

This control checks that database snapshots are encrypted at rest. It covers RDS DB instance snapshots and DB cluster snapshots, including those for Aurora, Neptune, and DocumentDB. An unencrypted snapshot can be copied, shared, or restored with its data in plaintext, so snapshot encryption is required to keep data confidential and to meet common security baselines.

Remediation

To encrypt an RDS snapshot, refer to the Encrypting Amazon RDS resources section in the Amazon RDS User Guide. When a DB instance is encrypted, the encryption covers its underlying storage, automated backups, read replicas, and snapshots.

Encryption can only be enabled when a DB instance is created, and a snapshot cannot be encrypted in place. To encrypt an existing unencrypted instance (and the snapshots taken from it), migrate it as follows:

  1. Create a snapshot: take a manual snapshot of the current unencrypted DB instance. This snapshot is unencrypted, like its source.
  2. Create an encrypted copy: copy the snapshot, specifying an AWS KMS key; the copy is encrypted with that key.
  3. Restore from the encrypted snapshot: restore a new DB instance from the encrypted copy. An instance restored from an encrypted snapshot is always encrypted.

The restored instance is an encrypted copy of the original, but it has a new endpoint. Point applications at it, then delete the original instance and the unencrypted snapshot from step 1, which still holds the data in plaintext. The same pattern applies to Aurora, Neptune, and DocumentDB clusters using the cluster snapshot commands.
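The three remediation steps above, scripted with the AWS CLI, as an added example that is not part of the original page. The instance identifier, KMS key alias, and new instance name are placeholders you replace with your own; the DRY_RUN switch, which prints each command instead of running it, is an assumption of this example rather than an AWS CLI feature.

```bash
#!/usr/bin/env bash
# Added example: encrypt an existing unencrypted RDS DB instance by
# snapshot -> encrypted copy -> restore, using the AWS CLI.
# Assumptions: the caller's credentials and default region are configured,
# and the KMS key lives in the same region as the instance.
set -eu

# Run a command, or print it instead when DRY_RUN=1 (review the plan first).
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# encrypt_existing_instance SOURCE_INSTANCE KMS_KEY_ID NEW_INSTANCE
encrypt_existing_instance() {
  src="$1"; kms_key="$2"; dst="$3"
  stamp="$(date +%Y%m%d%H%M%S)"
  plain_snap="${src}-plain-${stamp}"
  enc_snap="${src}-encrypted-${stamp}"

  # Step 1: manual snapshot of the unencrypted instance (the snapshot is
  # unencrypted too; delete it once the migration is verified).
  run aws rds create-db-snapshot \
      --db-instance-identifier "$src" \
      --db-snapshot-identifier "$plain_snap"
  run aws rds wait db-snapshot-available --db-snapshot-identifier "$plain_snap"

  # Step 2: copy the snapshot under a KMS key; the copy is encrypted.
  run aws rds copy-db-snapshot \
      --source-db-snapshot-identifier "$plain_snap" \
      --target-db-snapshot-identifier "$enc_snap" \
      --kms-key-id "$kms_key" \
      --copy-tags
  run aws rds wait db-snapshot-available --db-snapshot-identifier "$enc_snap"

  # Step 3: restore a new instance from the encrypted copy. The restored
  # instance inherits encryption and gets a new endpoint.
  run aws rds restore-db-instance-from-db-snapshot \
      --db-instance-identifier "$dst" \
      --db-snapshot-identifier "$enc_snap"
  run aws rds wait db-instance-available --db-instance-identifier "$dst"

  # Verify before cutting applications over: StorageEncrypted must be True.
  run aws rds describe-db-instances \
      --db-instance-identifier "$dst" \
      --query 'DBInstances[0].StorageEncrypted' --output text
}

# Usage (placeholders): print the plan, then run it for real.
# DRY_RUN=1 encrypt_existing_instance mydb alias/rds-snapshots mydb-encrypted
# encrypt_existing_instance mydb alias/rds-snapshots mydb-encrypted
```

After the final command prints True, repoint applications to the new endpoint, then delete the original instance and the unencrypted snapshot from step 1. For Aurora, Neptune, and DocumentDB clusters, substitute create-db-cluster-snapshot, copy-db-cluster-snapshot, and restore-db-cluster-from-snapshot, which take the same --kms-key-id argument on the copy.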