Rule: RDS DB Instance Encryption at Rest Enabled

Ensure RDS DB instance encryption at rest is enabled to protect sensitive data. Non-compliance may lead to security vulnerabilities.

Rule: RDS DB instance encryption at rest should be enabled
Framework: CISA-cyber-essentials
Severity: Low

RDS DB Instance Encryption at Rest for CISA-Cyber Essentials

Description

RDS (Relational Database Service) is a managed database service offered by AWS (Amazon Web Services). One of the security best practices recommended by CISA (Cybersecurity and Infrastructure Security Agency) Cyber Essentials is to enable encryption at rest for RDS DB instances. Encryption at rest provides an additional layer of protection by encrypting the data stored on disk, ensuring data confidentiality in case of unauthorized access or a data breach.

Enabling encryption at rest ensures that all data within the RDS DB instance, including backups and snapshots, is automatically encrypted using industry-standard encryption algorithms. This helps organizations comply with data protection regulations and strengthens the overall security posture of their database infrastructure.

Troubleshooting Steps

If you encounter any issues while enabling encryption at rest for RDS DB instances, refer to the following troubleshooting steps:

  1. Check RDS DB instance compatibility: Ensure that the RDS DB instance version and engine you are using support encryption at rest. Older versions or certain database engines may not have this feature available.

  2. Verify IAM permissions: Ensure that the IAM (Identity and Access Management) user or role used to modify the RDS DB instance has the necessary permissions to enable encryption at rest. Grant the rds:ModifyDBInstance permission to the user or role if needed.

  3. Check KMS key permissions: If you are using a custom KMS (Key Management Service) key for encryption at rest, verify that the IAM user or role has the necessary permissions to access the specified KMS key. Grant the kms:Encrypt and kms:Decrypt permissions on the KMS key to the user or role if required.

  4. Review AWS regions and availability zones: Encryption at rest may vary across different AWS regions and availability zones. Ensure that both the RDS DB instance and the KMS key are located in the same region and availability zone.

  5. Verify security group settings: Make sure that the necessary inbound/outbound rules are configured in the associated security group(s) to allow connectivity to the RDS DB instance after enabling encryption at rest.

  6. Review parameter group settings: If you encounter performance issues after enabling encryption at rest, consider adjusting the RDS DB instance's parameter group settings to optimize database performance.

Necessary Codes

There are no specific codes required for enabling encryption at rest for RDS DB instances. This is a configuration setting that can be easily managed using the AWS Management Console or AWS CLI (Command Line Interface).
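The rule itself is evaluated from the StorageEncrypted attribute that the AWS CLI returns for each DB instance. The following script is an added example (it is not Cloud Defense's code and not part of the original page): it reads the JSON that `aws rds describe-db-instances --output json` produces, flags every instance whose StorageEncrypted is false or missing, and, going one step beyond the rule text, applies the same check to `aws rds describe-db-snapshots` output (field name Encrypted), since the description above notes that encryption should cover backups and snapshots too. The DB identifiers, ARNs and account number in the embedded sample are constructed placeholders; the field names (DBInstances, DBInstanceIdentifier, StorageEncrypted, KmsKeyId, DBSnapshots, DBSnapshotIdentifier, Encrypted) are the real ones from the RDS API.

```python
"""Evaluate 'RDS DB instance encryption at rest should be enabled' over
`aws rds describe-db-instances` / `aws rds describe-db-snapshots` JSON.

Run offline against the constructed sample below, or feed it real output:
    aws rds describe-db-instances --output json > instances.json
    aws rds describe-db-snapshots --output json > snapshots.json
    python rds_encryption_check.py instances.json snapshots.json
"""
import json
import sys
from typing import Dict, List, Optional

# Constructed sample in the shape of `aws rds describe-db-instances` output.
# Identifiers, region, account number and key id are placeholders.
SAMPLE_INSTANCES_JSON = json.dumps({
    "DBInstances": [
        {"DBInstanceIdentifier": "orders-prod", "Engine": "postgres",
         "StorageEncrypted": True,
         "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
        {"DBInstanceIdentifier": "legacy-reporting", "Engine": "mysql",
         "StorageEncrypted": False},
        # Field absent entirely: treated as unencrypted, never as a pass.
        {"DBInstanceIdentifier": "staging-db", "Engine": "mariadb"},
    ]
})

# Constructed sample in the shape of `aws rds describe-db-snapshots` output.
SAMPLE_SNAPSHOTS_JSON = json.dumps({
    "DBSnapshots": [
        {"DBSnapshotIdentifier": "orders-prod-2024-01",
         "DBInstanceIdentifier": "orders-prod", "Encrypted": True,
         "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
        {"DBSnapshotIdentifier": "legacy-reporting-2024-01",
         "DBInstanceIdentifier": "legacy-reporting", "Encrypted": False},
    ]
})


def evaluate_instances(describe_output: str) -> List[Dict[str, Optional[str]]]:
    """One finding per DB instance: PASS only when StorageEncrypted is true."""
    data = json.loads(describe_output)
    findings = []
    for inst in data.get("DBInstances", []):
        encrypted = inst.get("StorageEncrypted") is True
        findings.append({
            "resource": inst["DBInstanceIdentifier"],
            "engine": inst.get("Engine"),
            "status": "PASS" if encrypted else "FAIL",
            # KmsKeyId is only meaningful when the instance is encrypted.
            "kms_key": inst.get("KmsKeyId") if encrypted else None,
        })
    return findings


def evaluate_snapshots(describe_output: str) -> List[Dict[str, Optional[str]]]:
    """Same rule applied to snapshots, which use the field name Encrypted."""
    data = json.loads(describe_output)
    findings = []
    for snap in data.get("DBSnapshots", []):
        encrypted = snap.get("Encrypted") is True
        findings.append({
            "resource": snap["DBSnapshotIdentifier"],
            "engine": snap.get("DBInstanceIdentifier"),
            "status": "PASS" if encrypted else "FAIL",
            "kms_key": snap.get("KmsKeyId") if encrypted else None,
        })
    return findings


def noncompliant(findings: List[Dict[str, Optional[str]]]) -> List[str]:
    """Resource identifiers that fail the rule, in API order."""
    return [f["resource"] for f in findings if f["status"] == "FAIL"]


def format_report(findings: List[Dict[str, Optional[str]]]) -> str:
    lines = [f"{f['status']:4}  {f['resource']:<28} {f['engine'] or '-':<18} "
             f"{f['kms_key'] or '-'}" for f in findings]
    return "\n".join(lines)


if __name__ == "__main__":
    inst_json = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_INSTANCES_JSON
    snap_json = open(sys.argv[2]).read() if len(sys.argv) > 2 else SAMPLE_SNAPSHOTS_JSON
    inst_findings = evaluate_instances(inst_json)
    snap_findings = evaluate_snapshots(snap_json)
    print("DB instances:\n" + format_report(inst_findings))
    print("\nDB snapshots:\n" + format_report(snap_findings))
    # Non-zero exit lets a CI job or cron check fail loudly on non-compliance.
    sys.exit(1 if noncompliant(inst_findings) or noncompliant(snap_findings) else 0)
```

The check deliberately treats a missing StorageEncrypted or Encrypted field as a failure rather than assuming the default; a rule that passes on absent data hides exactly the instances that were never reviewed.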

Step-by-Step Guide for Remediation

Follow the steps below to enable encryption at rest for an RDS DB instance:

  Step 1: Access the AWS Management Console
    • Open a web browser and navigate to the AWS Management Console (https://console.aws.amazon.com).

  Step 2: Navigate to the RDS service
    • In the AWS Management Console, search for "RDS" or select "RDS" from the list of available services.

  Step 3: Select the desired RDS DB instance
    • From the RDS dashboard, select the appropriate DB instance that you want to enable encryption on.

  Step 4: Modify the DB instance
    • Click on the "Actions" dropdown menu and select "Modify" from the list of available options.

  Step 5: Enable encryption at rest
    • Scroll down to the "Encryption" section and select the checkbox option for "Enable Encryption".
    • If you want to use the AWS Key Management Service (KMS) default key, leave the "Master Key" dropdown as "Default".
    • If you want to use a custom KMS key, select the desired key from the "Master Key" dropdown.

  Step 6: Save the changes
    • Scroll to the bottom of the page and click on the "Modify DB instance" button to save the changes.

  Step 7: Monitor the modification process
    • After saving the changes, the modification process will start. Monitor the RDS dashboard to ensure that the modification completes successfully.

Once the modification is complete, encryption at rest will be enabled for the RDS DB instance. All existing and future data stored within the DB instance will be encrypted, providing an additional layer of security.

Note: Enabling encryption at rest for an existing RDS DB instance may cause a brief interruption in database connectivity during the modification process. It is recommended to plan the modification during a maintenance window or during periods of low database activity.

Remember to verify and test the connectivity to the RDS DB instance after enabling encryption at rest to ensure there are no configuration or compatibility issues.
