Rule: RDS DB Instances Should Have Encryption at Rest Enabled

Ensure that all RDS DB instances have encryption at rest enabled to secure data stored in the database.

Rule: RDS DB instances should have encryption at rest enabled
Framework: AWS Foundational Security Best Practices
Severity: Medium

Rule Description:

RDS (Relational Database Service) DB instances should have encryption at rest enabled as part of the AWS Foundational Security Best Practices. Encryption at rest ensures that the data stored in the database remains secure even if someone gains unauthorized access to the physical storage.

When encryption at rest is enabled, the data files, backups, and snapshots associated with the RDS DB instances are encrypted using AWS Key Management Service (KMS) keys.

Troubleshooting Steps (if applicable):

If encryption at rest is not enabled for the RDS DB instance, follow these troubleshooting steps:

  1. Ensure that you have the necessary permissions to enable encryption at rest. You should have permissions to modify the DB instance configuration and access the KMS service.

  2. Check if the RDS DB instance is using the default encryption. The default encryption is enabled for new RDS DB instances in AWS accounts created after a certain date. If you have an older account, you may need to enable encryption manually.

  3. Verify if the KMS key used for encryption is accessible and has the necessary permissions. Ensure that the KMS key policy allows the RDS service to use the key for encryption and decryption.

  4. If you have already enabled encryption at rest but are still facing issues, check for any error messages or warnings in the RDS instance event logs. These logs can provide insights into any issues encountered during the encryption process.

Necessary Codes (if applicable):

Encryption at rest cannot be switched on in place for an existing RDS DB instance (modify-db-instance has no storage-encryption option). The AWS Command Line Interface (CLI) remediation is to take a snapshot, copy that snapshot with a KMS key so the copy is encrypted, and restore a new instance from the encrypted copy.

The following commands perform those three steps:

# Existing instances cannot be encrypted in place: snapshot, copy with a KMS key, then restore
aws rds create-db-snapshot --db-instance-identifier <DB-instance-identifier> \
    --db-snapshot-identifier <snapshot-id>
aws rds copy-db-snapshot --source-db-snapshot-identifier <snapshot-id> \
    --target-db-snapshot-identifier <encrypted-snapshot-id> --kms-key-id <kms-key-id>
aws rds restore-db-instance-from-db-snapshot --db-instance-identifier <new-DB-instance-identifier> \
    --db-snapshot-identifier <encrypted-snapshot-id>

Replace <DB-instance-identifier> with the actual identifier of the RDS DB instance, <kms-key-id> with the KMS key (key ID, ARN or alias) the copy should be encrypted with, and <new-DB-instance-identifier> with the identifier for the restored, encrypted instance. Each snapshot must be available before the next command runs; aws rds wait db-snapshot-available --db-snapshot-identifier <snapshot-id> blocks until it is.

Step-by-Step Guide for Remediation:

Follow these steps to enable encryption at rest for an RDS DB instance:

  1. Set up the AWS CLI: Install and configure the AWS CLI on your local machine. Make sure you have the necessary permissions to create and copy snapshots, restore DB instances, and use the KMS key.

  2. Identify the DB instance: Determine the DB instance identifier of the RDS DB instance for which you want to enable encryption at rest.

  3. Snapshot, copy and restore: Open a terminal or command prompt and execute the following commands, waiting for each snapshot to become available before moving on (encryption cannot be enabled on the existing instance in place):

aws rds create-db-snapshot --db-instance-identifier <DB-instance-identifier> \
    --db-snapshot-identifier <snapshot-id>
aws rds copy-db-snapshot --source-db-snapshot-identifier <snapshot-id> \
    --target-db-snapshot-identifier <encrypted-snapshot-id> --kms-key-id <kms-key-id>
aws rds restore-db-instance-from-db-snapshot --db-instance-identifier <new-DB-instance-identifier> \
    --db-snapshot-identifier <encrypted-snapshot-id>

Replace <DB-instance-identifier> with the actual identifier of the RDS DB instance, <kms-key-id> with the KMS key to encrypt the copy with, and <new-DB-instance-identifier> with the identifier for the restored instance.

  4. Verify the modification: Run the following command against the restored instance to check that its storage is encrypted:

aws rds describe-db-instances \
    --db-instance-identifier <new-DB-instance-identifier> \
    --query "DBInstances[0].StorageEncrypted"

Replace <new-DB-instance-identifier> with the identifier of the restored RDS DB instance. If the command output is true, encryption at rest is enabled. Once applications have been cut over to the restored instance, delete the unencrypted original and the unencrypted snapshot so that no plaintext copy of the data remains.

  5. Repeat the process: If you have multiple RDS DB instances, repeat steps 2-4 for each DB instance.

By following these steps, you can enable encryption at rest for your RDS DB instances and ensure compliance with AWS Foundational Security Best Practices.
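As an added example (not code from the Cloud Defense page or from AWS), the script below reads the JSON that aws rds describe-db-instances returns, lists every instance whose storage is not encrypted, and drafts the snapshot, copy and restore CLI sequence described above for each one. The instance names, account ID, key ARN and the alias/rds-at-rest key alias are constructed sample values.

```python
"""Audit RDS instances for encryption at rest and draft the remediation for each
unencrypted one. Input is the structure returned by `aws rds describe-db-instances`;
a constructed sample is embedded so the script runs offline."""
import json

# Constructed sample (not real AWS output): one encrypted and one unencrypted instance.
SAMPLE_DESCRIBE_OUTPUT = {
    "DBInstances": [
        {"DBInstanceIdentifier": "orders-prod", "Engine": "postgres",
         "StorageEncrypted": True,
         "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
        {"DBInstanceIdentifier": "legacy-reports", "Engine": "mysql",
         "StorageEncrypted": False},
    ]
}


def unencrypted_instances(describe_output):
    """Identifiers of DB instances whose storage is not encrypted at rest.
    A missing StorageEncrypted key is treated as unencrypted (fail closed)."""
    return [db["DBInstanceIdentifier"]
            for db in describe_output.get("DBInstances", [])
            if not db.get("StorageEncrypted", False)]


def remediation_plan(db_identifier, kms_key_id, suffix="-encrypted"):
    """Ordered CLI steps that move an unencrypted instance to an encrypted copy.
    RDS cannot enable encryption in place, so the path is snapshot -> encrypted
    copy -> restore; the restored instance gets a new identifier."""
    snap = f"{db_identifier}-pre-encrypt"
    enc_snap = f"{snap}{suffix}"
    new_db = f"{db_identifier}{suffix}"
    return [
        f"aws rds create-db-snapshot --db-instance-identifier {db_identifier} "
        f"--db-snapshot-identifier {snap}",
        f"aws rds wait db-snapshot-available --db-snapshot-identifier {snap}",
        f"aws rds copy-db-snapshot --source-db-snapshot-identifier {snap} "
        f"--target-db-snapshot-identifier {enc_snap} --kms-key-id {kms_key_id}",
        f"aws rds wait db-snapshot-available --db-snapshot-identifier {enc_snap}",
        f"aws rds restore-db-instance-from-db-snapshot --db-instance-identifier {new_db} "
        f"--db-snapshot-identifier {enc_snap}",
    ]


def audit(describe_output, kms_key_id):
    """Map each unencrypted instance identifier to its remediation command list."""
    return {db: remediation_plan(db, kms_key_id)
            for db in unencrypted_instances(describe_output)}


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_DESCRIBE_OUTPUT, "alias/rds-at-rest"), indent=2))
```

To run it against a live account, pipe aws rds describe-db-instances --output json into json.load and pass the result to audit().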
