
Rule: RDS DB Snapshots Should Be Encrypted at Rest

This rule ensures that RDS DB snapshots are encrypted at rest to maintain data security.

Rule: RDS DB snapshots should be encrypted at rest
Framework: CISA-cyber-essentials
Severity: Medium

Rule Description

An RDS (Relational Database Service) DB snapshot is a complete copy of the database's storage, so an unencrypted snapshot exposes the same data as the instance itself if it is shared with another account, copied to another region, or reached by an over-privileged principal. Snapshots should therefore be encrypted at rest with AWS KMS. Two facts shape the remediation: a snapshot inherits the encryption state of the instance it was taken from, and encryption cannot be switched on for an existing instance or snapshot in place; an unencrypted snapshot is fixed by copying it with a KMS key, and an unencrypted instance by restoring a new, encrypted instance from such a copy. This rule helps to ensure compliance with CISA Cyber Essentials standards, which prioritize data protection and security.

Troubleshooting Steps

In case DB snapshots are not encrypted at rest, you may follow these troubleshooting steps:

  1. Check RDS Encryption: Verify whether storage encryption is enabled for the source RDS instance. Snapshots inherit the instance's encryption state, so an unencrypted instance will keep producing unencrypted snapshots.
  2. Verify Snapshot Encryption: Confirm which manual and automated snapshots are unencrypted.
  3. Review IAM Policies: Ensure the principal doing the remediation can copy snapshots and use the chosen KMS key.
  4. Check KMS Configuration: Validate that the Key Management Service (KMS) key is enabled, lives in the same region as the snapshot, and has a key policy that allows its use for RDS encryption.

Necessary Codes

No specific code is required for this rule; encryption can be configured using the AWS Management Console or the AWS Command Line Interface (CLI). From the CLI, "aws rds describe-db-snapshots" lists each snapshot's Encrypted flag and KmsKeyId, and "aws rds copy-db-snapshot" with "--kms-key-id" produces an encrypted copy of an unencrypted snapshot.

Step-by-Step Guide for Remediation

Follow these steps to ensure DB snapshots are encrypted at rest for AWS RDS:

  1. Log in to the AWS Management Console or open the AWS CLI.

  2. Identify the RDS DB instance whose snapshots are unencrypted.

  3. Verify RDS Encryption:

    • In the AWS Management Console, navigate to the RDS service.
    • Select the appropriate region.
    • Click on "Databases" in the left sidebar.
    • Choose the desired RDS instance from the list.
    • On the "Configuration" tab, check the "Encryption" setting. If it is not enabled, every snapshot of this instance will be unencrypted; encryption can only be set when an instance is created or when it is restored from an encrypted snapshot, not toggled on afterwards.

  4. Create an Encrypted Copy of the Snapshot:

    • Click on "Snapshots" in the left sidebar and select the unencrypted snapshot (the "Take snapshot" dialog offers no encryption option, because a new snapshot always inherits the instance's state).
    • Click on "Actions" and choose "Copy snapshot."
    • Provide an identifier for the copy. Copies of automated snapshots cannot keep the reserved "rds:" prefix.
    • Enable encryption and choose the KMS key; the key must be in the destination region. The AWS managed key (aws/rds) is sufficient for encryption at rest, but snapshots encrypted with it cannot be shared with other accounts, so use a customer managed key if cross-account sharing is needed.
    • Click on "Copy snapshot." When the copy is available, delete the unencrypted original if it is no longer required.
    • To fix the root cause rather than just this snapshot, restore a new DB instance from the encrypted copy (the restored instance is encrypted), cut over to it, and retire the unencrypted instance.

  5. Verify Snapshot Encryption:

    • After the copy is created, navigate to the AWS RDS service page.
    • Choose the appropriate region.
    • Click on "Snapshots" in the left sidebar.
    • Find the copied snapshot and verify that the "Encrypted" column shows "Yes."

  6. Review IAM Policies:

    • Ensure that the user or role performing the copy has the necessary IAM policies assigned.
    • The IAM policy should allow the rds:CopyDBSnapshot and rds:CreateDBSnapshot actions (plus rds:RestoreDBInstanceFromDBSnapshot if you restore an encrypted instance).
    • When a customer managed key is used, the principal also needs permission to use that key, for example kms:DescribeKey and kms:CreateGrant, granted through the key policy or an attached IAM policy.

  7. Check KMS Configuration:

    • Confirm that the Key Management Service (KMS) key used for RDS encryption is properly configured.
    • Navigate to the AWS Management Console and open the KMS service.
    • Select the same region where the RDS instance and snapshot reside.
    • Ensure that the key is enabled and not scheduled for deletion, and that its key policy permits the RDS service and the remediating principal to use it. A disabled or deleted key makes every snapshot and instance encrypted with it unreadable.

By following these steps, you can ensure that RDS DB snapshots are encrypted at rest to comply with CISA Cyber Essentials guidelines.
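The audit in the troubleshooting steps and the copy-based remediation in the guide above, as an added example that is not Cloud Defense's or AWS's own code. It runs offline against a constructed DescribeDBSnapshots response (the account ID, key ARN and snapshot names are made up), builds the CopyDBSnapshot parameter sets that the CLI or boto3 would send, and only issues real calls if you hand apply_plan() a real boto3 RDS client instead of the dry-run stub.

```python
"""Audit RDS DB snapshots for encryption at rest and plan encrypted copies.

Added example for this rule (not Cloud Defense's or AWS's code). The sample
response below is constructed; identifiers, account ID and key ARN are made up.
"""
import json
from typing import Any, Dict, List, Tuple

# Constructed customer managed key ARN (assumption: it exists in us-east-1).
SAMPLE_KMS_KEY = "arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab"

# Constructed sample in the shape of `aws rds describe-db-snapshots` output.
SAMPLE_RESPONSE: Dict[str, Any] = {
    "DBSnapshots": [
        {"DBSnapshotIdentifier": "orders-2024-01-15", "DBInstanceIdentifier": "orders-prod",
         "SnapshotType": "manual", "Status": "available", "Encrypted": False},
        {"DBSnapshotIdentifier": "orders-2024-01-16", "DBInstanceIdentifier": "orders-prod",
         "SnapshotType": "manual", "Status": "available", "Encrypted": True,
         "KmsKeyId": SAMPLE_KMS_KEY},
        # Automated snapshot still being written; it cannot be copied yet.
        {"DBSnapshotIdentifier": "rds:orders-prod-2024-01-17", "DBInstanceIdentifier": "orders-prod",
         "SnapshotType": "automated", "Status": "creating", "Encrypted": False},
    ]
}


def find_unencrypted(snapshots: List[Dict[str, Any]]) -> List[str]:
    """Identifiers of every snapshot whose Encrypted flag is false.
    A missing flag is treated as unencrypted so the audit fails closed."""
    return [s["DBSnapshotIdentifier"] for s in snapshots if not s.get("Encrypted", False)]


def target_identifier(source_id: str, suffix: str = "-encrypted") -> str:
    """Name for the encrypted copy. Copies of automated snapshots may not keep
    the reserved 'rds:' prefix, so it is stripped."""
    base = source_id[4:] if source_id.startswith("rds:") else source_id
    return base + suffix


def plan_encrypted_copies(snapshots: List[Dict[str, Any]], kms_key_id: str,
                          suffix: str = "-encrypted") -> Tuple[List[Dict[str, Any]], Dict[str, str]]:
    """Build CopyDBSnapshot parameter sets for each unencrypted snapshot that can
    be copied now. Returns (plan, skipped); skipped maps identifier -> reason."""
    plan: List[Dict[str, Any]] = []
    skipped: Dict[str, str] = {}
    for s in snapshots:
        sid = s["DBSnapshotIdentifier"]
        if s.get("Encrypted", False):
            skipped[sid] = "already encrypted"
        elif s.get("Status") != "available":
            skipped[sid] = "status is %s; only available snapshots can be copied" % s.get("Status")
        else:
            plan.append({
                "SourceDBSnapshotIdentifier": sid,
                "TargetDBSnapshotIdentifier": target_identifier(sid, suffix),
                "KmsKeyId": kms_key_id,  # the copy is encrypted at rest with this key
                "CopyTags": True,        # keep ownership/classification tags on the copy
            })
    return plan, skipped


class DryRunRDSClient:
    """Stand-in for boto3.client('rds') that records calls instead of making them."""

    def __init__(self) -> None:
        self.calls: List[Dict[str, Any]] = []

    def copy_db_snapshot(self, **params: Any) -> Dict[str, Any]:
        self.calls.append(params)
        return {"DBSnapshot": {"DBSnapshotIdentifier": params["TargetDBSnapshotIdentifier"]}}


def apply_plan(plan: List[Dict[str, Any]], rds_client: Any) -> List[str]:
    """Issue each copy through an RDS client (real boto3 client or DryRunRDSClient).
    Returns the identifiers of the copies requested."""
    requested = []
    for params in plan:
        rds_client.copy_db_snapshot(**params)
        requested.append(params["TargetDBSnapshotIdentifier"])
    return requested


if __name__ == "__main__":
    snaps = SAMPLE_RESPONSE["DBSnapshots"]
    print("unencrypted snapshots:", find_unencrypted(snaps))
    copy_plan, skipped = plan_encrypted_copies(snaps, SAMPLE_KMS_KEY)
    print(json.dumps({"plan": copy_plan, "skipped": skipped}, indent=2))
    print("requested copies:", apply_plan(copy_plan, DryRunRDSClient()))
```

To run this against a real account, replace SAMPLE_RESPONSE with the paginated result of describe_db_snapshots() and pass boto3.client("rds") to apply_plan(); the "creating" case shows why the audit must be re-run after in-flight snapshots finish, and the encrypted original still needs a follow-up restore if the source instance itself is unencrypted.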
