
RDS DB Instance Encryption at Rest Enabled Rule

This rule ensures encryption at rest is enabled for RDS DB instances.

Rule: RDS DB instance encryption at rest should be enabled
Framework: NIST 800-53 Revision 5
Severity: Low

Rule Description

RDS DB instance encryption at rest should be enabled for NIST 800-53 Revision 5.

To comply with NIST 800-53 Revision 5 security guidelines, it is essential to enable encryption at rest for Amazon RDS DB instances. Encryption at rest ensures that data stored in the database remains secure and cannot be accessed by unauthorized individuals.

Enabling encryption at rest for RDS DB instances adds an additional layer of protection to safeguard sensitive information, such as customer data, intellectual property, financial records, or any other confidential data stored in the database. Using encryption for data at rest helps organizations meet compliance requirements and ensures the confidentiality and integrity of their data.

Troubleshooting

If encryption at rest is not enabled for RDS DB instances, follow the steps below to troubleshoot and remediate the issue:

1. Check existing encryption status: Verify the encryption status of the RDS DB instance. You can do this by navigating to the RDS console, selecting the DB instance, and checking the "Storage" section. If encryption is not already enabled, it will need to be enabled.

2. Check master key availability: Ensure that you have an appropriate master key for encrypting the database. If you don't have a master key, you can create one using AWS Key Management Service (KMS).

3. Modify the RDS DB instance: To enable encryption at rest for an existing RDS DB instance, follow these steps:
   • Open the AWS Management Console and navigate to the Amazon RDS service.
   • Select the appropriate region.
   • Choose the DB instance for which you want to enable encryption.
   • Click on "Modify" to change the settings of the DB instance.
   • Under the "Storage" section, select the option for "Encrypt storage".
   • Choose the appropriate AWS KMS key for encryption.
   • Click on "Apply immediately" to apply the changes.

4. Verify encryption: Once the modification is complete, verify that encryption at rest is enabled by checking the DB instance details. The encryption status should now indicate that it is enabled.

Necessary Code

If you prefer to automate the process using the AWS CLI or an SDK instead of the AWS Management Console, note that the RDS modify-db-instance API has no encryption flag: storage encryption can only be set when an instance is created. The supported path for an existing unencrypted instance is to take a snapshot, copy the snapshot with a KMS key (the copy is encrypted), and restore a new instance from the encrypted copy:

aws rds create-db-snapshot --db-instance-identifier <db-instance-id> --db-snapshot-identifier <snapshot-id>
aws rds copy-db-snapshot --source-db-snapshot-identifier <snapshot-id> --target-db-snapshot-identifier <encrypted-snapshot-id> --kms-key-id <kms-key-id>
aws rds restore-db-instance-from-db-snapshot --db-instance-identifier <new-db-instance-id> --db-snapshot-identifier <encrypted-snapshot-id>

Replace <db-instance-id> with the actual identifier of your RDS DB instance, and the remaining placeholders with the snapshot identifiers and KMS key you choose. Once the restored instance has been verified, switch applications to it and retire the unencrypted original.
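As an added example (not code from this page or from Cloud Defense), the following Python runs the same compliance check against a constructed describe-db-instances response and builds the snapshot, encrypted-copy and restore command sequence for each finding. The instance identifiers, snapshot names and the KMS alias are constructed placeholders.

```python
import json

# Constructed sample of `aws rds describe-db-instances --output json`:
# two instances, one of which is unencrypted (the finding this rule raises).
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "DBInstances": [
        {"DBInstanceIdentifier": "orders-prod", "Engine": "postgres",
         "StorageEncrypted": True,
         "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
        {"DBInstanceIdentifier": "reports-dev", "Engine": "mysql",
         "StorageEncrypted": False},
    ]
})


def find_unencrypted_instances(describe_output: str) -> list[str]:
    """Return identifiers of DB instances whose storage is not encrypted."""
    data = json.loads(describe_output)
    return [
        db["DBInstanceIdentifier"]
        for db in data.get("DBInstances", [])
        if not db.get("StorageEncrypted", False)  # missing field == not encrypted
    ]


def remediation_plan(instance_id: str, kms_key_id: str) -> list[list[str]]:
    """Build the AWS CLI calls that produce an encrypted copy of an instance.

    RDS cannot switch encryption on in place, so the supported path is:
    snapshot the instance, copy the snapshot with a KMS key (the copy is
    encrypted), then restore a new instance from the encrypted copy.
    Each call is returned as an argv list, ready for subprocess.run().
    """
    snap = f"{instance_id}-pre-encrypt"          # constructed snapshot name
    enc_snap = f"{snap}-encrypted"               # constructed encrypted copy name
    return [
        ["aws", "rds", "create-db-snapshot",
         "--db-instance-identifier", instance_id,
         "--db-snapshot-identifier", snap],
        ["aws", "rds", "copy-db-snapshot",
         "--source-db-snapshot-identifier", snap,
         "--target-db-snapshot-identifier", enc_snap,
         "--kms-key-id", kms_key_id],
        ["aws", "rds", "restore-db-instance-from-db-snapshot",
         "--db-instance-identifier", f"{instance_id}-encrypted",
         "--db-snapshot-identifier", enc_snap],
    ]
```

In a live account, feed the real output of `aws rds describe-db-instances --output json` to find_unencrypted_instances and review the returned plan before executing any of its calls.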

Remediation Steps

Follow these step-by-step guidelines to remediate the issue and enable encryption at rest for your RDS DB instance:

Step 1: Open the AWS Management Console
  • Go to the AWS Management Console and sign in to your AWS account.

Step 2: Navigate to the Amazon RDS service
  • In the AWS Management Console, search for "RDS" or navigate to the "Database" section.
  • Click on "Amazon RDS" to access the RDS service.

Step 3: Select the appropriate region
  • Ensure that you've selected the correct AWS region where your RDS DB instance is located.
  • Some organizations have multiple regions, so it's important to choose the appropriate region.

Step 4: Choose the RDS DB instance
  • From the list of available DB instances, find and select the RDS DB instance that needs encryption enabled.

Step 5: Modify the DB instance
  • Click on the "Modify" button to change the settings of the selected DB instance.
  • This will open up the modification form for the instance.

Step 6: Enable encryption at rest
  • Scroll down to the "Storage" section in the modification form.
  • Check the box for "Encrypt storage" to enable encryption at rest for the instance.
  • A dropdown menu will appear to select the AWS KMS key.

Step 7: Choose the AWS KMS key
  • Select the appropriate AWS KMS key from the dropdown menu.
  • If you don't have a suitable KMS key, you can create one by following the AWS KMS documentation.

Step 8: Apply the changes immediately
  • Click on the "Apply immediately" checkbox to ensure the changes take effect immediately.
  • Enabling encryption at rest doesn't require a DB instance reboot or downtime.

Step 9: Review and save the changes
  • Double-check all the modification settings to ensure they are correct.
  • After verifying everything, click on the "Modify DB instance" button to apply the changes.

Step 10: Verify encryption status
  • Once the modification is complete, navigate to the RDS DB instance details page.
  • In the "Storage" section, you should see the encryption status as "Enabled".
  • This confirms that encryption at rest is enabled for the DB instance.

By following these steps, you have successfully enabled encryption at rest for your RDS DB instance, ensuring compliance with NIST 800-53 Revision 5 security guidelines.
