Rule for Ensuring Encryption Enabled for RDS Instances
Brief overview of the rule for enabling encryption on RDS instances
| Rule | Ensure that encryption is enabled for RDS Instances |
| Framework | cis_v150 |
| Severity | ✔ Medium |
Rule Description
The rule "Ensure that encryption is enabled for RDS Instances" aims to enforce the encryption of data at rest for Amazon RDS (Relational Database Service) instances. Enabling encryption helps protect sensitive data stored in databases from potential unauthorized access.
Troubleshooting Steps
If encryption is not enabled for RDS instances, follow these troubleshooting steps:
- 1.Verify the current status of encryption for your RDS instance.
- 2.Check if the RDS instance is using a supported database engine that allows encryption at rest.
- 3.Ensure that the correct encryption key is associated with the RDS instance.
- 4.Verify if you have the necessary permissions to enable encryption for the RDS instance.
- 5.Check if you have followed the correct configuration steps and settings for enabling encryption.
Necessary Codes
If encryption is not already enabled for the RDS instance, you may need to run AWS CLI commands to enable it. Here are the necessary codes:
Enable Encryption for an Existing RDS Instance
aws rds modify-db-instance --db-instance-identifier <db-instance-identifier> --storage-encrypted --apply-immediately
Replace
<db-instance-identifier>--apply-immediatelyEnable Encryption for a New RDS Instance
When creating a new RDS instance using AWS CLI, specify the
--storage-encryptedaws rds create-db-instance --db-instance-identifier <db-instance-identifier> --storage-encrypted --other-parameters
Remediation Steps
If encryption is not enabled for the RDS instance, follow these step-by-step remediation instructions:
- 1.Identify the RDS instance that needs encryption enabled.
- 2.Ensure that you have the necessary permissions (e.g.,
) to modify the RDS instance.rds:ModifyDBInstance - 3.Enable encryption for the RDS instance using one of the following methods:
- If the RDS instance already exists, run the following command to enable encryption:
aws rds modify-db-instance --db-instance-identifier <db-instance-identifier> --storage-encrypted --apply-immediately - If creating a new RDS instance, include the
flag and any other required parameters in the command, for example:--storage-encrypted
Replaceaws rds create-db-instance --db-instance-identifier <db-instance-identifier> --storage-encrypted --other-parameters
with the desired identifier for the new RDS instance.<db-instance-identifier>
- 4.Monitor the progress of the modification or creation process.
- 5.Verify that encryption is successfully enabled for the RDS instance, either by checking the AWS Management Console or running the following command:
Replaceaws rds describe-db-instances --db-instance-identifier <db-instance-identifier> --query 'DBInstances[0].StorageEncrypted'
with the identifier of the RDS instance.<db-instance-identifier> - 6.Repeat the above steps for any other RDS instances that require encryption.
Conclusion
Enabling encryption for RDS instances ensures the security of data at rest within the databases. By following the troubleshooting steps and remediation instructions provided, you can ensure that encryption is enabled for RDS instances in accordance with the CIS AWS Foundation Benchmark v1.5.0.