This rule ensures that RDS DB snapshots are encrypted at rest to maintain data security.
| Rule | RDS DB snapshots should be encrypted at rest |
| Framework | NIST 800-171 Revision 2 |
| Severity | Medium |
RDS DB Snapshots Encryption at Rest for NIST 800-171 Revision 2
Description
To comply with the security requirements outlined in NIST 800-171 Revision 2, all RDS (Relational Database Service) DB snapshots must be encrypted at rest. Encryption at rest ensures that if the underlying storage media (volumes) are compromised, the data remains protected and is not accessible in plaintext.
Troubleshooting Steps
If RDS DB snapshots are not encrypted at rest, follow these troubleshooting steps:
Check the encryption status of the RDS DB snapshot:
If the encryption status is "Not Encrypted," proceed to the remediation section below.
Remediation Steps
To encrypt RDS DB snapshots at rest, follow these steps:
1. Ensure you have the necessary permissions.
2. Enable encryption for new RDS DB snapshots.
3. Encrypt existing RDS DB snapshots.
4. Verify the encryption status.
AWS CLI Commands (if applicable)
If you prefer to use the AWS CLI to enable encryption for RDS DB snapshots, use the following commands:
aws rds describe-db-snapshots --db-snapshot-identifier [DBSnapshotIdentifier] --query 'DBSnapshots[0].Encrypted'
Replace [DBSnapshotIdentifier] with the DB snapshot identifier; the command prints true or false. Note that modify-db-snapshot cannot turn encryption on for an existing snapshot (it has no --enable-encryption or --kms-key-id options), so a snapshot that reports false is remediated by creating an encrypted copy with the following command:
aws rds copy-db-snapshot --source-db-snapshot-identifier [SourceDBSnapshotIdentifier] --target-db-snapshot-identifier [TargetDBSnapshotIdentifier] --kms-key-id [KMSKeyID]
Replace [SourceDBSnapshotIdentifier] and [TargetDBSnapshotIdentifier] with the respective source and target DB snapshot identifiers, and [KMSKeyID] with the ARN or alias of the desired KMS encryption key. The copy is encrypted with that key; once it has been verified, delete the unencrypted source snapshot, otherwise the plaintext copy of the data remains.
Note: Ensure you have the necessary permissions to execute these CLI commands.
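As an added example (not part of this rule page or of any AWS tooling), a small Python script that reads the JSON output of describe-db-snapshots, lists every snapshot that fails this rule and prints the remediation that applies to it; the sample output, identifiers, account number and key alias are constructed, and the script name check_snapshots.py is hypothetical.

```python
import json
import sys

# Constructed sample of `aws rds describe-db-snapshots --output json`, trimmed to the
# fields this check reads. The identifiers, account number and key ID are made up.
SAMPLE_OUTPUT = json.dumps({"DBSnapshots": [
    {"DBSnapshotIdentifier": "orders-manual-2024-01", "DBInstanceIdentifier": "orders-db",
     "SnapshotType": "manual", "Encrypted": False},
    {"DBSnapshotIdentifier": "orders-manual-2024-02", "DBInstanceIdentifier": "orders-db",
     "SnapshotType": "manual", "Encrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
    {"DBSnapshotIdentifier": "rds:billing-db-2024-03-01-04-00", "DBInstanceIdentifier": "billing-db",
     "SnapshotType": "automated", "Encrypted": False},
]})


def find_unencrypted(describe_output):
    """Return the snapshots in describe-db-snapshots output that are not encrypted at rest.

    A missing Encrypted field is reported as a finding rather than silently passed."""
    data = json.loads(describe_output)
    return [s for s in data.get("DBSnapshots", []) if not s.get("Encrypted", False)]


def remediation_plan(snapshots, kms_key_id):
    """Map each unencrypted snapshot identifier to the action that fixes it.

    Manual snapshots cannot have encryption switched on in place; the fix is an encrypted
    copy (copy-db-snapshot with --kms-key-id) followed by deletion of the original.
    Automated snapshots inherit the source instance's encryption state, so they keep being
    created unencrypted until the instance itself is moved to encrypted storage."""
    plan = {}
    for s in snapshots:
        ident = s["DBSnapshotIdentifier"]
        if s.get("SnapshotType") == "manual":
            plan[ident] = ("aws rds copy-db-snapshot"
                           f" --source-db-snapshot-identifier {ident}"
                           f" --target-db-snapshot-identifier {ident}-encrypted"
                           f" --kms-key-id {kms_key_id}")
        else:
            plan[ident] = (f"encrypt source instance {s['DBInstanceIdentifier']}: snapshot it, "
                           "copy the snapshot with a KMS key, restore from the encrypted copy")
    return plan


if __name__ == "__main__":
    # Usage: aws rds describe-db-snapshots --output json | python check_snapshots.py alias/my-key
    key = sys.argv[1] if len(sys.argv) > 1 else "alias/[KMSKeyAlias]"
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    for ident, action in remediation_plan(find_unencrypted(raw), key).items():
        print(f"{ident}: {action}")
```

Without piped input the script runs against the constructed sample, which yields one manual snapshot to copy and one automated snapshot that points back at its unencrypted instance.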
Conclusion
By following the remediation steps above and, if desired, the corresponding AWS CLI commands, you can enable encryption at rest for RDS DB snapshots and comply with the NIST 800-171 Revision 2 security requirement. Encrypted DB snapshots provide an additional layer of protection for sensitive data in case of unauthorized access to the underlying storage media.