Rule: RDS DB Instance Encryption at Rest Should Be Enabled

This rule ensures that encryption at rest is enabled for RDS DB instances.

Rule: RDS DB instance encryption at rest should be enabled
Framework: RBI Cyber Security Framework
Severity: Low

RDS DB Instance Encryption at Rest Requirement for RBI Cyber Security Framework

Description:

The Reserve Bank of India (RBI) has outlined a set of cybersecurity guidelines that organizations must adhere to in order to protect their information assets. One of the key requirements is the encryption of data at rest for all RDS DB instances.

Enabling encryption at rest ensures that the data stored in your RDS DB instances is protected from unauthorized access or compromise. It adds an extra layer of security by encrypting the data on disk using industry-standard encryption algorithms.

Troubleshooting Steps:

If there are any issues encountered while enabling encryption at rest for an RDS DB instance, the following troubleshooting steps can be followed:

  1. Verify IAM Permissions: Ensure that the IAM user or role used to enable encryption has the required permissions to modify the RDS DB instance's encryption settings.

  2. Check AWS CLI Configuration: Confirm that the AWS CLI is correctly configured with the necessary access keys and region for the RDS DB instance.

  3. Check DB Instance Status: Ensure that the RDS DB instance is in an available state before attempting to enable encryption. If the instance is in a different state, troubleshoot accordingly.

  4. Verify Encryption Support: Confirm that the RDS DB instance's DB engine version supports encryption at rest. Not all versions of all engines support this feature, so consult the AWS documentation for compatibility information.

  5. Check Encryption Key Management Service (KMS) Setup: Ensure that the AWS Key Management Service (KMS) is correctly set up and configured in the same AWS region as the RDS DB instance.

  6. Review AWS KMS Permissions: Verify that the IAM user or role being used has the necessary permissions to interact with the KMS service and create or modify encryption keys.

  7. Check VPC Peering or Network Connectivity: If the RDS DB instance is in a VPC, confirm that there are no network connectivity issues or VPC peering limitations that may block the encryption process.

Necessary Codes:

There are no specific codes required for enabling RDS DB instance encryption at rest. The process can be performed using the AWS Management Console, AWS CLI, or SDKs.

Step-by-step Guide for Remediation:

  1. AWS Management Console:

    • Sign in to the AWS Management Console.
    • Navigate to the Amazon RDS service.
    • Select the desired RDS DB instance.
    • Click on the "Modify" button.
    • Scroll down to the "Encryption" section.
    • Choose the appropriate key from the "Master Key" dropdown or select "AWS managed key" if you want AWS to manage the encryption keys.
    • Click on "Continue" and review the changes.
    • Click on "Modify DB Instance" to apply the encryption settings.
    • Wait for the modification to complete.

  2. AWS CLI:

    • Open a terminal or command prompt.
    • Ensure that the AWS CLI is installed and correctly configured.
    • Use the following command to enable encryption at rest for an RDS DB instance:
      aws rds modify-db-instance --db-instance-identifier <DB_INSTANCE_IDENTIFIER> --storage-encrypted --apply-immediately

      Replace <DB_INSTANCE_IDENTIFIER> with the actual identifier of the RDS DB instance.
    • Wait for the modification to complete.

  3. AWS SDKs:

    • Utilize the programming language of choice and the AWS SDK for that language.
    • Follow the respective SDK documentation to modify the RDS DB instance's encryption settings.
    • Use similar parameters and options as mentioned in the AWS CLI method.

Validate that the encryption settings for the RDS DB instance were modified successfully, either by checking the console or by using the appropriate AWS CLI or SDK command.
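One way to run this validation across every instance at once, as an added example that is not CloudDefense or AWS code: it evaluates the JSON returned by `aws rds describe-db-instances --output json` and fails closed when `StorageEncrypted` is absent. The sample response, instance names, account number and key ARN are constructed placeholders.

```python
import json

# Constructed sample shaped like `aws rds describe-db-instances --output json`.
# Identifiers, account number and key ARN are placeholders, not real resources.
SAMPLE_RESPONSE = json.loads("""
{"DBInstances": [
  {"DBInstanceIdentifier": "orders-prod", "Engine": "postgres",
   "DBInstanceStatus": "available", "StorageEncrypted": true,
   "KmsKeyId": "arn:aws:kms:ap-south-1:111122223333:key/EXAMPLE-KEY-ID"},
  {"DBInstanceIdentifier": "reports-legacy", "Engine": "mysql",
   "DBInstanceStatus": "available", "StorageEncrypted": false},
  {"DBInstanceIdentifier": "staging-tmp", "Engine": "mariadb",
   "DBInstanceStatus": "modifying"}
]}
""")


def evaluate_encryption_at_rest(response):
    """Return one finding per DB instance for the encryption-at-rest rule."""
    findings = []
    for db in response.get("DBInstances", []):
        # A missing StorageEncrypted field is treated as unencrypted (fail closed).
        encrypted = db.get("StorageEncrypted") is True
        finding = {
            "instance": db.get("DBInstanceIdentifier", "<unknown>"),
            "engine": db.get("Engine"),
            "compliant": encrypted,
            "kms_key": db.get("KmsKeyId") if encrypted else None,
            "notes": [],
        }
        # The troubleshooting steps require the 'available' state before changes.
        status = db.get("DBInstanceStatus")
        if status != "available":
            finding["notes"].append("status is %r; wait for 'available'" % status)
        findings.append(finding)
    return findings


def non_compliant(findings):
    """Identifiers of instances that fail the rule, sorted for stable output."""
    return sorted(f["instance"] for f in findings if not f["compliant"])


if __name__ == "__main__":
    results = evaluate_encryption_at_rest(SAMPLE_RESPONSE)
    for f in results:
        state = "PASS" if f["compliant"] else "FAIL"
        print(state, f["instance"], f["engine"], f["kms_key"] or "-", *f["notes"])
    print("non-compliant:", non_compliant(results))
```

To check a live account, pass the parsed output of `aws rds describe-db-instances --output json` to `evaluate_encryption_at_rest` in place of the sample.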

By following the above steps, you will be able to enable encryption at rest for your RDS DB instances, meeting the RBI Cyber Security Framework requirements and ensuring the security of your data.
