
Rule: RDS DB Snapshots Should Be Encrypted at Rest

This rule ensures that RDS DB snapshots are encrypted at rest to maintain data security.

Rule: RDS DB snapshots should be encrypted at rest
Framework: NIST 800-171 Revision 2
Severity: Medium

RDS DB Snapshots Encryption at Rest for NIST 800-171 Revision 2

Description

In order to comply with the security requirements outlined in NIST 800-171 Revision 2, all RDS (Relational Database Service) DB snapshots must be encrypted at rest. Encryption at rest ensures that if the underlying storage media (volumes) is compromised, the data remains protected and is not accessible in plaintext.

Troubleshooting Steps

If RDS DB snapshots are not encrypted at rest, follow these troubleshooting steps:

  1. Check the encryption status of the RDS DB snapshot:

    • Navigate to the AWS Management Console.
    • Go to the Amazon RDS service.
    • Select "Snapshots" from the left-hand menu.
    • Locate the DB snapshot in question and check the "Encryption" column.

  2. If the encryption status is "Not Encrypted," proceed to the remediation section below.

Remediation Steps

To encrypt RDS DB snapshots at rest, follow these steps:

  1. Ensure you have the necessary permissions:

    • Verify that you have the required AWS Identity and Access Management (IAM) permissions to modify the encryption settings for RDS DB snapshots.

  2. Enable encryption for new RDS DB snapshots:

    • Navigate to the AWS Management Console.
    • Go to the Amazon RDS service.
    • Select "Snapshots" from the left-hand menu.
    • Click on "Encryption Settings" from the top menu.
    • Ensure that the "Enable encryption for new DB snapshots" option is selected.
    • Choose the appropriate AWS Key Management Service (KMS) encryption key. If no key exists, create one by following the AWS KMS documentation.
    • Click "Save" to apply the encryption settings.

  3. Encrypt existing RDS DB snapshots:

    • To encrypt existing RDS DB snapshots, you need to create a copy of each snapshot with encryption enabled.
    • Navigate to the AWS Management Console.
    • Go to the Amazon RDS service.
    • Select "Snapshots" from the left-hand menu.
    • Choose the DB snapshot you want to encrypt and click on the "Copy Snapshot" action.
    • In the "Copy Snapshot" window, select the appropriate AWS KMS encryption key.
    • Enable the encryption option.
    • Provide a new name for the encrypted snapshot.
    • Click "Copy Snapshot" to start the process.
    • Repeat these steps for each DB snapshot that requires encryption.

  4. Verify encryption status:

    • After the encryption process is complete, verify the encryption status of the RDS DB snapshots using the troubleshooting steps mentioned above.

AWS CLI Commands (if applicable)

If you prefer to use the AWS CLI to enable encryption for RDS DB snapshots, follow these commands:

  1. Enable encryption for new RDS DB snapshots:

    Snapshots inherit the encryption state of the DB instance they are taken from, and the AWS CLI has no parameter that switches encryption on for an existing snapshot or instance (modify-db-snapshot only accepts engine-version and option-group changes). Confirm that the source instance is encrypted, so that every new snapshot of it is encrypted as well:

aws rds describe-db-instances --db-instance-identifier [DBInstanceIdentifier] --query "DBInstances[0].[StorageEncrypted,KmsKeyId]"

Replace [DBInstanceIdentifier] with the identifier of the DB instance. If StorageEncrypted is false, the instance must be moved to encrypted storage by taking a snapshot, copying it with a KMS key (next step) and restoring the instance from the encrypted copy.

  2. Encrypt existing RDS DB snapshots:

aws rds copy-db-snapshot --source-db-snapshot-identifier [SourceDBSnapshotIdentifier] --target-db-snapshot-identifier [TargetDBSnapshotIdentifier] --kms-key-id [KMSKeyID]

Replace [SourceDBSnapshotIdentifier] and [TargetDBSnapshotIdentifier] with the respective source and target DB snapshot identifiers. [KMSKeyID] should be replaced with the ARN or alias of the desired KMS encryption key.

Note: Ensure you have the necessary permissions to execute these CLI commands.
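The check in the troubleshooting section and the copy-snapshot remediation above can be driven from the JSON that `aws rds describe-db-snapshots` returns. The script below is an added example, not Cloud Defense's rule logic or AWS code: it reads that JSON (the embedded sample is constructed, with made-up snapshot names and key ARN, but uses the real API field names DBSnapshots, DBSnapshotIdentifier, Encrypted, KmsKeyId, SnapshotType and Status), lists every snapshot that is not encrypted, and emits one copy-db-snapshot command per remediable snapshot. It also handles two details the console steps gloss over: automated snapshots carry an "rds:" prefix that is not a valid name for the encrypted copy, and a snapshot that is still in the "creating" state cannot be copied yet. The key alias alias/rds-snapshots is a placeholder.

```python
import json
import re

# Constructed sample modelled on the shape of `aws rds describe-db-snapshots`
# output. Field names are the real API field names; the snapshot names,
# account id and key ARN are made up for this example.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "DBSnapshots": [
        {"DBSnapshotIdentifier": "orders-manual-2024-01-15",
         "DBInstanceIdentifier": "orders-prod", "Engine": "postgres",
         "SnapshotType": "manual", "Status": "available", "Encrypted": False},
        {"DBSnapshotIdentifier": "rds:orders-prod-2024-01-16-03-05",
         "DBInstanceIdentifier": "orders-prod", "Engine": "postgres",
         "SnapshotType": "automated", "Status": "available", "Encrypted": False},
        {"DBSnapshotIdentifier": "billing-manual-2024-01-10",
         "DBInstanceIdentifier": "billing-prod", "Engine": "mysql",
         "SnapshotType": "manual", "Status": "available", "Encrypted": True,
         "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000"},
        {"DBSnapshotIdentifier": "orders-manual-2024-01-17",
         "DBInstanceIdentifier": "orders-prod", "Engine": "postgres",
         "SnapshotType": "manual", "Status": "creating", "Encrypted": False},
    ]
})


def find_unencrypted(describe_json: str) -> list[dict]:
    """Return the snapshot records whose Encrypted flag is not true.

    A missing Encrypted key is treated as unencrypted so that an unexpected
    response shape is reported rather than silently passing the check.
    """
    data = json.loads(describe_json)
    return [s for s in data.get("DBSnapshots", []) if not s.get("Encrypted", False)]


def target_identifier(source_id: str) -> str:
    """Derive a valid identifier for the encrypted copy of a snapshot.

    RDS snapshot identifiers must start with a letter, contain only letters,
    digits and hyphens, and must not end with a hyphen or contain two in a row.
    Automated snapshots are named "rds:<instance>-<timestamp>"; the colon and
    prefix are not allowed in a user-supplied name, so they are stripped.
    """
    name = source_id.removeprefix("rds:")
    name = re.sub(r"[^A-Za-z0-9-]", "-", name)
    name = re.sub(r"-{2,}", "-", name).strip("-")
    if not name or not name[0].isalpha():
        name = "s" + name
    # Keep the total length within the 255-character limit after the suffix.
    name = name[:245].rstrip("-")
    return name + "-encrypted"


def remediation_commands(describe_json: str, kms_key_id: str) -> list[str]:
    """Build one `aws rds copy-db-snapshot` command per unencrypted snapshot.

    Only snapshots in the "available" state can be copied; others are skipped
    and should be re-checked once they finish creating.
    """
    commands = []
    for snap in find_unencrypted(describe_json):
        if snap.get("Status") != "available":
            continue
        src = snap["DBSnapshotIdentifier"]
        commands.append(
            "aws rds copy-db-snapshot"
            f" --source-db-snapshot-identifier {src}"
            f" --target-db-snapshot-identifier {target_identifier(src)}"
            f" --kms-key-id {kms_key_id}"
            " --copy-tags"
        )
    return commands


if __name__ == "__main__":
    # Placeholder alias; replace with the ARN or alias of your own KMS key.
    key = "alias/rds-snapshots"
    for snap in find_unencrypted(SAMPLE_DESCRIBE_OUTPUT):
        print(f"UNENCRYPTED {snap['DBSnapshotIdentifier']} "
              f"(instance {snap['DBInstanceIdentifier']}, status {snap['Status']})")
    for cmd in remediation_commands(SAMPLE_DESCRIBE_OUTPUT, key):
        print(cmd)
```

In practice the JSON would come from `aws rds describe-db-snapshots --output json` rather than the embedded sample; the generated copy commands are printed for review instead of executed, so an operator can confirm the target names and key before running them, and the original unencrypted snapshots still need to be deleted once the encrypted copies reach the "available" state.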

Conclusion

By following the above-described remediation steps and utilizing appropriate AWS CLI commands (if desired), you can enable encryption at rest for RDS DB snapshots to comply with the NIST 800-171 Revision 2 security requirement. Encrypted DB snapshots provide an additional layer of protection to safeguard sensitive data in case of unauthorized access to the underlying storage media.
