This rule ensures that RDS DB snapshots are encrypted while at rest, promoting data security measures.
Rule | RDS DB snapshots should be encrypted at rest |
Framework | GxP 21 CFR Part 11 |
Severity | ✔ Medium |
Rule Summary
RDS (Relational Database Service) DB snapshots should be encrypted at rest to comply with GxP (Good Practice) requirements specified in 21 CFR Part 11. This regulation ensures the integrity, authenticity, and confidentiality of electronic records and signatures used in FDA-regulated industries.
Description
Encrypting RDS DB snapshots ensures that the data stored in those snapshots is protected from unauthorized access or disclosure. GxP 21 CFR Part 11 mandates appropriate security controls for electronic records, including encryption measures to prevent data breaches or tampering.
Enabling encryption at rest for RDS DB snapshots provides an additional layer of protection to meet regulatory requirements and ensures that confidential or sensitive information is safeguarded from potential threats.
Troubleshooting Steps
If RDS DB snapshots are not encrypted at rest, you may encounter issues during regulatory audits or risk potential data breaches. To troubleshoot, follow these steps:
Verify Encryption Status: Check the current encryption status of RDS DB snapshots by navigating to the AWS RDS management console. Select the RDS instance, and under the "Snapshots" tab, validate if encryption is enabled.
Confirm Compliance: Review the applicable requirements of GxP 21 CFR Part 11 to ensure that encryption at rest is explicitly mentioned. If the regulation mandates encryption, proceed with the following steps.
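Create Encrypted DB Snapshots: If encryption is not already enabled, you need to create encrypted DB snapshots. A snapshot inherits the encryption state of its source instance, and create-db-snapshot has no encryption option, so follow the AWS documentation or use the AWS Command Line Interface (CLI) to take the snapshot and, once it is available, copy it with a KMS key, which produces an encrypted copy:
aws rds create-db-snapshot --db-instance-identifier <instance-identifier> --db-snapshot-identifier <snapshot-identifier>
aws rds copy-db-snapshot --source-db-snapshot-identifier <snapshot-identifier> --target-db-snapshot-identifier <encrypted-snapshot-identifier> --kms-key-id <kms-key-id>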
Remediation Steps
To remediate the issue and encrypt RDS DB snapshots at rest:
Identify Target RDS Instance: Determine the RDS DB instance that requires encrypted snapshots. Make a note of the instance identifier.
Enable Encryption: There are two options to enable encryption for RDS DB snapshots: either through the AWS Management Console or using AWS CLI.
a. Enable Encryption via Console:
b. Enable Encryption via AWS CLI:
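Storage encryption cannot be switched on for an existing DB instance, so restore a new instance from an encrypted copy of its snapshot (created with copy-db-snapshot and a KMS key):
aws rds restore-db-instance-from-db-snapshot --db-instance-identifier <new-instance-identifier> --db-snapshot-identifier <encrypted-snapshot-identifier>
Verify Encryption Status: After applying the changes, navigate to the AWS RDS management console and select the restored RDS DB instance. Validate that the "Storage Encrypted" field displays the status as "Yes".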
Create Encrypted DB Snapshots: To ensure future snapshots are encrypted, you will need to create new ones. Refer to the previous "Troubleshooting Steps" section for details on creating encrypted DB snapshots.
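The "Verify Encryption Status" check can also be run over CLI output instead of the console. The following is an added example, not part of the original rule: it reads a response in the shape of `aws rds describe-db-snapshots --output json`, reports every snapshot whose `Encrypted` field is false, and builds the `copy-db-snapshot` command for each one that can be copied. The sample data, the function names `audit` and `target_name`, the `-encrypted` suffix and the `<kms-key-id>` placeholder are assumptions.

```python
import json
import re

# Constructed sample in the shape returned by
# `aws rds describe-db-snapshots --output json` (all values are made up).
SAMPLE = json.loads("""
{"DBSnapshots": [
  {"DBSnapshotIdentifier": "orders-manual-01", "DBInstanceIdentifier": "orders",
   "SnapshotType": "manual", "Status": "available", "Encrypted": false},
  {"DBSnapshotIdentifier": "rds:orders-2024-05-01-00-05", "DBInstanceIdentifier": "orders",
   "SnapshotType": "automated", "Status": "available", "Encrypted": false},
  {"DBSnapshotIdentifier": "orders-creating", "DBInstanceIdentifier": "orders",
   "SnapshotType": "manual", "Status": "creating", "Encrypted": false},
  {"DBSnapshotIdentifier": "billing-manual-01", "DBInstanceIdentifier": "billing",
   "SnapshotType": "manual", "Status": "available", "Encrypted": true}
]}
""")


def target_name(source_id):
    """Derive a valid target identifier: automated snapshots are named
    'rds:<name>', and ':' is not allowed in an identifier you choose."""
    base = re.sub(r"^rds:", "", source_id)
    base = re.sub(r"[^A-Za-z0-9]+", "-", base).strip("-")
    return f"{base}-encrypted"


def audit(response, kms_key_id="<kms-key-id>"):
    """Return (findings, commands) for every snapshot that is not encrypted."""
    findings, commands = [], []
    for snap in response.get("DBSnapshots", []):
        if snap.get("Encrypted", False):
            continue  # compliant: nothing to report
        sid = snap["DBSnapshotIdentifier"]
        copyable = snap.get("Status") == "available"
        findings.append({"snapshot": sid, "instance": snap.get("DBInstanceIdentifier"),
                         "type": snap.get("SnapshotType"), "copyable": copyable})
        if copyable:  # only a snapshot in the available state can be copied
            commands.append(
                "aws rds copy-db-snapshot"
                f" --source-db-snapshot-identifier {sid}"
                f" --target-db-snapshot-identifier {target_name(sid)}"
                f" --kms-key-id {kms_key_id}")
    return findings, commands


if __name__ == "__main__":
    found, cmds = audit(SAMPLE)
    print(*found, *cmds, sep="\n")
```

Snapshots reported with `copyable` set to false have to be rechecked once they reach the available state.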
Conclusion
Encrypting RDS DB snapshots at rest is essential for complying with GxP 21 CFR Part 11. By following the troubleshooting and remediation steps outlined above, you can ensure that your RDS DB snapshots are encrypted and meet the necessary regulatory requirements. Remember to validate the encryption status and regularly audit your RDS instances to maintain compliance.