Rule for Ensuring Encryption of RDS Cluster Snapshots
This rule ensures encryption of RDS cluster snapshots and database snapshots at rest.
| Rule | RDS cluster snapshots and database snapshots should be encrypted at rest |
| Framework | AWS Foundational Security Best Practices |
| Severity | ✔ Medium |
Rule Description:
This rule enforces the encryption at rest for RDS cluster snapshots and database snapshots in order to comply with the AWS Foundational Security Best Practices. Encrypting these snapshots helps to protect sensitive data stored in these resources.
Rule Remediation:
To remediate this rule, follow the step-by-step guide below:
1. Encrypt RDS Cluster Snapshots:
Option 1: Enable Encryption during Snapshot Creation (Console):
- 1.Open the Amazon RDS console.
- 2.Go to the "Snapshots" page.
- 3.Click on the "Create Snapshot" button.
- 4.In the "Create Snapshot" page, select your RDS cluster.
- 5.Check the "Enable encryption" checkbox.
- 6.Provide the necessary encryption options.
- 7.Click on the "Create Snapshot" button to create the encrypted snapshot.
Option 2: Enable Encryption for Existing Snapshots (Console):
- 1.Open the Amazon RDS console.
- 2.Go to the "Snapshots" page.
- 3.Select the snapshot you want to encrypt.
- 4.Click on the "Actions" dropdown menu.
- 5.Choose "Copy Snapshot" from the list.
- 6.In the "Copy Snapshot" page, select the encryption options.
- 7.Click on the "Copy Snapshot" button to create the encrypted copy.
Option 3: Enable Encryption during Snapshot Creation (AWS CLI):
aws rds create-db-cluster-snapshot \ --db-cluster-snapshot-identifier <snapshot_identifier> \ --db-cluster-identifier <db_cluster_identifier> \ --enable-iam-database-authentication \ --kms-key-id <kms_key_id>
Replace
<snapshot_identifier><db_cluster_identifier><kms_key_id>2. Encrypt RDS Database Snapshots:
Option 1: Enable Encryption during Snapshot Creation (Console):
- 1.Open the Amazon RDS console.
- 2.Go to the "Snapshots" page.
- 3.Click on the "Create Snapshot" button.
- 4.In the "Create Snapshot" page, select your RDS database instance.
- 5.Check the "Enable encryption" checkbox.
- 6.Provide the necessary encryption options.
- 7.Click on the "Create Snapshot" button to create the encrypted snapshot.
Option 2: Enable Encryption for Existing Snapshots (Console):
- 1.Open the Amazon RDS console.
- 2.Go to the "Snapshots" page.
- 3.Select the snapshot you want to encrypt.
- 4.Click on the "Actions" dropdown menu.
- 5.Choose "Copy Snapshot" from the list.
- 6.In the "Copy Snapshot" page, select the encryption options.
- 7.Click on the "Copy Snapshot" button to create the encrypted copy.
Option 3: Enable Encryption during Snapshot Creation (AWS CLI):
aws rds create-db-snapshot \ --db-snapshot-identifier <snapshot_identifier> \ --db-instance-identifier <db_instance_identifier> \ --enable-iam-database-authentication \ --kms-key-id <kms_key_id>
Replace
<snapshot_identifier><db_instance_identifier><kms_key_id>Troubleshooting Steps (if applicable):
If you encounter any issues while enabling encryption for RDS cluster snapshots or database snapshots, consider the following troubleshooting steps:
- 1.Ensure that you have the necessary permissions to perform snapshot operations and encryption using AWS Identity and Access Management (IAM).
- 2.Make sure that the KMS key used for encryption is accessible and has the appropriate permissions.
- 3.Verify that the RDS cluster or database instance is in a valid state and meets the requirements for snapshot creation and encryption.
- 4.Check the AWS Regional availability of the KMS key. Some regions may have different KMS key availability.
- 5.Review the AWS documentation and AWS Support resources for specific error messages or issues you encounter.
If the troubleshooting steps do not resolve the issue, consider reaching out to AWS Support for further assistance.
Please note that the above instructions are specific to AWS RDS cluster and database snapshots. Different resources and services may have different encryption procedures.