RDS database instances are not encrypted

rds

Classification:

compliance

Set up the rds integration.

Overview

Description

Ensure that your AWS RDS database instances are encrypted.

Rationale

Encrypting your AWS RDS database instances protects sensitive data at rest from unauthorized access.

Remediation

Console

Follow the Enabling Amazon RDS encryption for a DB instance docs to ensure your database instances are encrypted.

CLI

  1. Run describe-db-instances with an instance identifier query to list RDS database names.

    describe-db-instances.sh

        aws rds describe-db-instances \
            --query 'DBInstances[*].DBInstanceIdentifier'
  2. Run create-db-snapshot for each returned database instance you wish to encrypt.

    create-db-snapshot.sh

        aws rds create-db-snapshot \
            --db-snapshot-identifier my-db-snapshot \
            --db-instance-identifier my-db-id
  3. Run list-aliases to list the KMS key aliases in the region.

    list-aliases.sh

        aws kms list-aliases \
            --region us-west-1
  4. Run copy-db-snapshot with the key ID (TargetKeyId) returned in step 3; the copy is encrypted with that key.

    copy-db-snapshot.sh

        aws rds copy-db-snapshot \
            --region us-west-1 \
            --source-db-snapshot-identifier original-db-snapshot-id \
            --target-db-snapshot-identifier encrypted-db-snapshot-id \
            --copy-tags \
            --kms-key-id 01234567-1a2b-1234a-b45c-abcdef123456
  5. Run restore-db-instance-from-db-snapshot to create a new DB instance from the encrypted snapshot.

    restore-db-instance.sh

        aws rds restore-db-instance-from-db-snapshot \
            --region us-west-1 \
            --db-instance-identifier encrypted-db-id \
            --db-snapshot-identifier encrypted-db-snapshot-id
  6. Run describe-db-instances against the new instance to confirm that StorageEncrypted is true.

    describe-db-instances.sh

        aws rds describe-db-instances \
            --region us-west-1 \
            --db-instance-identifier encrypted-db-id \
            --query 'DBInstances[*].StorageEncrypted'
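As an added example (not part of this rule or the Datadog integration), the following script turns the check and the snapshot/copy/restore procedure above into code: it finds instances whose StorageEncrypted flag is not true in describe-db-instances output (a constructed sample is embedded so it runs offline) and builds the CLI steps for each one. It assumes the aws CLI is on PATH for the live check, and it inserts `aws rds wait db-snapshot-available` calls between steps, which the rule does not list.

```python
"""Flag unencrypted RDS instances and build the remediation command sequence."""
import json
import subprocess
import sys

# Constructed sample of `aws rds describe-db-instances --output json` (not real account data).
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "DBInstances": [
        {"DBInstanceIdentifier": "orders-db", "StorageEncrypted": False},
        {"DBInstanceIdentifier": "reports-db", "StorageEncrypted": True},
        {"DBInstanceIdentifier": "legacy-db"},  # flag absent: treated as unencrypted
    ]
})


def unencrypted_instances(describe_json: str) -> list[str]:
    """Return identifiers whose StorageEncrypted is not true; a missing flag counts as a finding."""
    data = json.loads(describe_json)
    return [db["DBInstanceIdentifier"] for db in data.get("DBInstances", [])
            if db.get("StorageEncrypted") is not True]


def remediation_plan(instance_id: str, region: str, kms_key_id: str) -> list[list[str]]:
    """Build the Remediation steps (snapshot, encrypted copy, restore) as argv lists; nothing runs here."""
    plain = f"{instance_id}-snapshot"                 # step 2: unencrypted snapshot of the source
    enc = f"{instance_id}-encrypted-snapshot"         # step 4: copy encrypted with the KMS key
    new_instance = f"{instance_id}-encrypted"         # step 5: instance restored from the copy
    return [
        ["aws", "rds", "create-db-snapshot", "--region", region,
         "--db-snapshot-identifier", plain, "--db-instance-identifier", instance_id],
        ["aws", "rds", "wait", "db-snapshot-available", "--region", region, "--db-snapshot-identifier", plain],
        ["aws", "rds", "copy-db-snapshot", "--region", region, "--source-db-snapshot-identifier", plain,
         "--target-db-snapshot-identifier", enc, "--copy-tags", "--kms-key-id", kms_key_id],
        ["aws", "rds", "wait", "db-snapshot-available", "--region", region, "--db-snapshot-identifier", enc],
        ["aws", "rds", "restore-db-instance-from-db-snapshot", "--region", region,
         "--db-instance-identifier", new_instance, "--db-snapshot-identifier", enc],
    ]


def audit_region(region: str) -> list[str]:
    """Live check (needs AWS credentials): query the region and return unencrypted instance ids."""
    out = subprocess.run(["aws", "rds", "describe-db-instances", "--region", region, "--output", "json"],
                         check=True, capture_output=True, text=True).stdout
    return unencrypted_instances(out)


if __name__ == "__main__":
    region = sys.argv[1] if len(sys.argv) > 1 else "us-west-1"
    for db in unencrypted_instances(SAMPLE_DESCRIBE_OUTPUT):
        print(f"{db}: StorageEncrypted is not true")
        for argv in remediation_plan(db, region, "REPLACE-WITH-KMS-KEY-ID"):  # placeholder key id
            print("  " + " ".join(argv))
```

Replace the sample with `audit_region(region)` to check a real account; the plan is printed rather than executed so it can be reviewed before the restored instance replaces the original.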