
Rule: RDS DB Snapshots Should Be Encrypted at Rest

This rule ensures that RDS database snapshots are encrypted at rest for security reasons.

Rule: RDS DB snapshots should be encrypted at rest
Framework: NIST 800-53 Revision 5
Severity: Medium

Rule Description

This rule requires that all Amazon RDS (Relational Database Service) DB snapshots are encrypted at rest in order to comply with the NIST 800-53 Revision 5 security standard. Encryption at rest means that the data stored in the snapshot is protected by encryption algorithms, making it unreadable without the decryption key.

Troubleshooting Steps

If RDS DB snapshots are not encrypted at rest, follow these troubleshooting steps:

  1. Check the default encryption setting for your RDS instance or snapshot:

     • If the default encryption setting is not enabled, you will need to modify the setting to enable encryption for new snapshots or use the AWS Command Line Interface (CLI) to create encrypted copies of existing snapshots.

  2. Confirm whether encryption is enabled for your RDS instance:

     • You can verify the encryption status by checking the AWS Management Console or using the AWS CLI. If encryption is disabled, you will need to enable it.

  3. Verify the KMS (Key Management Service) key used for encryption:

     • Make sure the KMS key used for encryption is specific to your snapshots and follows the NIST 800-53 Revision 5 guidelines.

  4. Ensure that all existing unencrypted DB snapshots are encrypted:

     • If you have RDS snapshots that were created before encryption was enabled, you will need to encrypt them by copying the snapshot and enabling encryption during the copy process.

Necessary Codes

If you encounter the issue of RDS DB snapshots not being encrypted at rest, you can use the following AWS CLI command. An existing snapshot cannot be encrypted in place, so the remediation is to copy it and enable encryption on the copy (the modify-db-snapshot command has no encryption option):

aws rds copy-db-snapshot --source-db-snapshot-identifier YOUR_SNAPSHOT_IDENTIFIER --target-db-snapshot-identifier YOUR_ENCRYPTED_SNAPSHOT_IDENTIFIER --kms-key-id YOUR_KMS_KEY_ID

Replace YOUR_SNAPSHOT_IDENTIFIER with the identifier of the unencrypted DB snapshot, YOUR_ENCRYPTED_SNAPSHOT_IDENTIFIER with the name for the new encrypted copy, and YOUR_KMS_KEY_ID with the KMS key ID, ARN or alias to encrypt it with. This command creates an encrypted copy of the specified snapshot.

Step-by-Step Guide for Remediation

Follow these steps to remediate the issue of RDS DB snapshots not being encrypted at rest:

  1. Log in to the AWS Management Console.

  2. Open the Amazon RDS service.

  3. Select "Snapshots" from the left-hand navigation menu.

  4. Identify the DB snapshot that needs encryption and make a note of its identifier.

  5. Open the AWS Command Line Interface (CLI) or use the AWS CLI online shell.

  6. Execute the following command to create an encrypted copy of the DB snapshot:

     aws rds copy-db-snapshot --source-db-snapshot-identifier YOUR_SNAPSHOT_IDENTIFIER --target-db-snapshot-identifier YOUR_ENCRYPTED_SNAPSHOT_IDENTIFIER --kms-key-id YOUR_KMS_KEY_ID

     Replace YOUR_SNAPSHOT_IDENTIFIER with the identifier of the unencrypted DB snapshot, YOUR_ENCRYPTED_SNAPSHOT_IDENTIFIER with the name for the new encrypted copy, and YOUR_KMS_KEY_ID with the KMS key ID, ARN or alias to encrypt it with.

  7. Wait for the copy to complete. You can check the status in the AWS Management Console or by using the command:

     aws rds describe-db-snapshots --db-snapshot-identifier YOUR_ENCRYPTED_SNAPSHOT_IDENTIFIER

  8. Verify that the new DB snapshot is encrypted by checking its encryption status (the Encrypted field in the describe-db-snapshots output).

  9. Repeat these steps for any other DB snapshots that need to be encrypted at rest.

By following these steps, you will ensure that all RDS DB snapshots are encrypted at rest in compliance with the NIST 800-53 Revision 5 security standard.
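As an added example (not code from the Cloud Defense page or from AWS), the following Python script applies the troubleshooting and remediation steps above to the JSON that aws rds describe-db-snapshots prints: it lists the snapshots whose Encrypted flag is false and builds the copy-db-snapshot command that produces an encrypted copy of each. The sample output and the KMS alias alias/rds-snapshots are constructed placeholders.

```python
"""Audit snapshots from `aws rds describe-db-snapshots` output and plan encrypted copies."""
import json
import shlex

# Constructed sample shaped like `aws rds describe-db-snapshots` JSON (not real account data).
SAMPLE_DESCRIBE_OUTPUT = json.dumps({"DBSnapshots": [
    {"DBSnapshotIdentifier": "prod-db-2024-01-01", "DBInstanceIdentifier": "prod-db",
     "SnapshotType": "manual", "Status": "available", "Encrypted": False},
    {"DBSnapshotIdentifier": "prod-db-2024-01-02", "DBInstanceIdentifier": "prod-db",
     "SnapshotType": "manual", "Status": "available", "Encrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
    {"DBSnapshotIdentifier": "rds:prod-db-2024-01-03", "DBInstanceIdentifier": "prod-db",
     "SnapshotType": "automated", "Status": "available", "Encrypted": False},
]})


def find_unencrypted(describe_json: str) -> list[str]:
    """Return identifiers of snapshots whose Encrypted flag is false (the rule's failing resources)."""
    data = json.loads(describe_json)
    return [s["DBSnapshotIdentifier"] for s in data.get("DBSnapshots", [])
            if not s.get("Encrypted", False)]


def remediation_command(snapshot_id: str, kms_key_id: str, suffix: str = "-encrypted") -> str:
    """Build the copy-db-snapshot command that yields an encrypted copy.

    A snapshot cannot be encrypted in place, so remediation is a copy with --kms-key-id.
    Automated snapshot identifiers carry an 'rds:' prefix that is not valid in a manual
    snapshot name, so it is stripped from the target identifier.
    """
    target = snapshot_id.removeprefix("rds:") + suffix
    return shlex.join(["aws", "rds", "copy-db-snapshot",
                       "--source-db-snapshot-identifier", snapshot_id,
                       "--target-db-snapshot-identifier", target,
                       "--kms-key-id", kms_key_id])


def plan_remediation(describe_json: str, kms_key_id: str) -> list[str]:
    """One copy command per unencrypted snapshot; originals stay until the copies are available."""
    return [remediation_command(sid, kms_key_id) for sid in find_unencrypted(describe_json)]


if __name__ == "__main__":
    # "alias/rds-snapshots" is an assumed KMS alias; substitute your own key ID, ARN or alias.
    for line in plan_remediation(SAMPLE_DESCRIBE_OUTPUT, "alias/rds-snapshots"):
        print(line)
```

To run it against a real account, save the output of aws rds describe-db-snapshots to a file and pass its contents to plan_remediation. The unencrypted originals are left in place by design and should only be deleted once each copy reports Status "available" and Encrypted true.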
