Ensure RDS DB instance encryption at rest is enabled to maintain data security.
| Rule | RDS DB instance encryption at rest should be enabled |
| --- | --- |
| Framework | NIST 800-53 Revision 5 |
| Severity | Low |
Rule Description
"RDS DB instance encryption at rest should be enabled" is a NIST 800-53 Revision 5 control that requires data stored by Amazon RDS (Relational Database Service) instances to be encrypted at rest. It follows the NIST (National Institute of Standards and Technology) Special Publication 800-53 Revision 5 guidance, which calls for encryption to protect sensitive information held in databases, including the underlying storage volumes, automated backups, read replicas, and snapshots. Enforcing this rule strengthens the security of RDS databases and supports compliance with the framework.
Troubleshooting Steps
If the RDS DB instance encryption at rest is not enabled, follow these troubleshooting steps to rectify the issue:
Verify the current encryption status: Check whether encryption at rest is already enabled for the RDS DB instance (the StorageEncrypted attribute). You can do this through the AWS Management Console, the AWS CLI, or the SDKs.
Enable encryption at rest: If encryption is not yet enabled, configure it for the RDS DB instance. Make sure you have the IAM permissions needed to modify RDS and KMS resources.
Generate or import a KMS key: To enable encryption you need a master key managed by AWS Key Management Service (KMS). You can create a new key or reuse an existing one, but it must be in the same region as the RDS instance.
Configure RDS DB instance encryption: Once you have a KMS key, enable encryption for the RDS DB instance by modifying its settings so that the instance's encryption attribute references the KMS key from the previous step.
Test encryption: After enabling encryption, confirm that the RDS DB instance works as before. Access and verify the data stored in the database to check that encryption has not introduced any issues, and confirm that StorageEncrypted now reports true.
Necessary Codes
If you prefer to perform the troubleshooting steps with the AWS CLI, these are the commands needed to enable encryption at rest for an RDS DB instance:
Create or import a KMS key (the key must be in the same region as the RDS instance):
aws kms create-key --region <region-name>
Enable encryption for the RDS DB instance. Note that aws rds modify-db-instance has no --storage-encrypted option: encryption at rest is fixed when an instance is created, so the working path is to snapshot the unencrypted instance, copy the snapshot with the KMS key, and restore a new instance from the encrypted copy (wait for each resource to reach the available state before running the next command):
aws rds create-db-snapshot --db-instance-identifier <db-instance-identifier> --db-snapshot-identifier <snapshot-identifier> --region <region-name>
aws rds copy-db-snapshot --source-db-snapshot-identifier <snapshot-identifier> --target-db-snapshot-identifier <encrypted-snapshot-identifier> --kms-key-id <kms-key-id> --region <region-name>
aws rds restore-db-instance-from-db-snapshot --db-instance-identifier <encrypted-db-instance-identifier> --db-snapshot-identifier <encrypted-snapshot-identifier> --region <region-name>
Replace <db-instance-identifier> with the identifier of your existing RDS instance, <region-name> with the desired AWS region, <kms-key-id> with the Amazon Resource Name (ARN) of the KMS key you created/imported, <snapshot-identifier> and <encrypted-snapshot-identifier> with names for the unencrypted and encrypted snapshots, and <encrypted-db-instance-identifier> with the name of the new encrypted instance. Once applications have been repointed to the new instance, the unencrypted original can be retired.
Verify encryption status:
aws rds describe-db-instances --db-instance-identifier <encrypted-db-instance-identifier> --region <region-name> --query "DBInstances[*].StorageEncrypted"
Replace <encrypted-db-instance-identifier> with the identifier of the restored instance and <region-name> with the desired AWS region. The query returns true for the instance when encryption at rest is enabled.
Step-by-Step Guide for Remediation
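The verification command above checks one instance at a time. The following is an added example, not code from the original rule page, that applies the same StorageEncrypted check to a whole describe-db-instances response so every non-compliant instance in a region is listed in one pass. The offline part works on a constructed sample response; the scan_region helper is an assumption that needs boto3 and AWS credentials and is not exercised here.

```python
"""Added example: evaluate RDS instances against the encryption-at-rest rule.

find_unencrypted_instances() consumes the shape returned by
`aws rds describe-db-instances` / boto3 `describe_db_instances()`.
"""
from typing import Dict, List


def find_unencrypted_instances(response: Dict) -> List[Dict]:
    """Return one finding per instance whose StorageEncrypted is not True.

    A missing StorageEncrypted key is treated as non-compliant rather than
    silently passed, so an unexpected response shape cannot hide a gap.
    """
    findings = []
    for db in response.get("DBInstances", []):
        encrypted = db.get("StorageEncrypted")
        if encrypted is not True:
            findings.append({
                "DBInstanceIdentifier": db.get("DBInstanceIdentifier", "<unknown>"),
                "Engine": db.get("Engine", "<unknown>"),
                "KmsKeyId": db.get("KmsKeyId"),
                "Reason": "StorageEncrypted is %r" % (encrypted,),
            })
    return findings


def scan_region(region_name: str) -> List[Dict]:
    """Live check (assumption: boto3 is installed and credentials are configured).

    Paginates so that accounts with many instances are fully covered.
    """
    import boto3  # imported here so the offline part has no dependency
    client = boto3.client("rds", region_name=region_name)
    paginator = client.get_paginator("describe_db_instances")
    findings = []
    for page in paginator.paginate():
        findings.extend(find_unencrypted_instances(page))
    return findings


# Constructed sample mimicking CLI output: one compliant instance, one with
# encryption disabled, and one that omits the field entirely.
SAMPLE_RESPONSE = {
    "DBInstances": [
        {"DBInstanceIdentifier": "orders-prod", "Engine": "postgres",
         "StorageEncrypted": True,
         "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
        {"DBInstanceIdentifier": "reports-dev", "Engine": "mysql",
         "StorageEncrypted": False},
        {"DBInstanceIdentifier": "legacy-app", "Engine": "mariadb"},
    ]
}

if __name__ == "__main__":
    for finding in find_unencrypted_instances(SAMPLE_RESPONSE):
        print("NON-COMPLIANT %s (%s): %s" % (
            finding["DBInstanceIdentifier"], finding["Engine"], finding["Reason"]))
```

Run against the sample, the script reports reports-dev and legacy-app; orders-prod passes because it carries StorageEncrypted true together with its KMS key ARN. Feeding the same function the JSON from aws rds describe-db-instances gives a region-wide view that the single-instance --query above does not.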
Follow these step-by-step instructions to enable encryption at rest for an RDS DB instance using the AWS Management Console:
By following these steps, you can enable encryption at rest for your RDS DB instance and comply with the NIST 800-53 Revision 5 security requirement.