3.2.1 Ensure that encryption-at-rest is enabled for RDS instances

Information

Amazon RDS encrypted DB instances use the industry-standard AES-256 encryption algorithm to encrypt your data on the server that hosts your Amazon RDS DB instances. After your data is encrypted, Amazon RDS handles the authentication of access and the decryption of your data transparently, with minimal impact on performance.

Databases are likely to hold sensitive and critical data; therefore, it is highly recommended to implement encryption to protect your data from unauthorized access or disclosure. With RDS encryption enabled, the data stored on the instance's underlying storage, the automated backups, read replicas, and snapshots are all encrypted.

Solution

From Console:

- Log in to the AWS Management Console and open the RDS dashboard at https://console.aws.amazon.com/rds/.
- In the left navigation panel, click on Databases.
- Select the Database instance that needs to be encrypted.
- Click the Actions button placed at the top right and select Take Snapshot.
- On the Take Snapshot page, enter the name of the database for which you want to take a snapshot in the Snapshot Name field and click on Take Snapshot.
- Select the newly created snapshot, click the Action button placed at the top right, and select Copy snapshot from the Action menu.
- On the Make Copy of DB Snapshot page, perform the following:

- In the New DB Snapshot Identifier field, enter a name for the new snapshot.
- Check Copy Tags. The new snapshot must have the same tags as the source snapshot.
- Select Yes from the Enable Encryption dropdown list to enable encryption. You can choose to use the AWS default encryption key or a custom key from the Master Key dropdown list.

- Click Copy Snapshot to create an encrypted copy of the selected instance's snapshot.
- Select the new Snapshot Encrypted Copy and click the Action button located at the top right. Then, select the Restore Snapshot option from the Action menu. This will restore the encrypted snapshot to a new database instance.
- On the Restore DB Instance page, enter a unique name for the new database instance in the DB Instance Identifier field.
- Review the instance configuration details and click Restore DB Instance.
- After the new instance is provisioned:

- Update application configuration to use the new encrypted database endpoint
- Remove the unencrypted instance once migration is complete

Note: This remediation procedure assumes that the database has been taken offline (or is operating in read-only mode) and is static when the snapshot is taken. If the database is still in use, any changes made between the time the snapshot is taken and the time the new encrypted database is brought online will be lost.

For production databases, consider implementing replication or planned downtime to ensure data consistency during migration.

From Command Line:

- List all RDS database instances:

aws rds describe-db-instances --region <region-name> --query 'DBInstances[*].DBInstanceIdentifier'
- Check if the instance is encrypted:

aws rds describe-db-instances --region <region-name> --db-instance-identifier <db-name> --query 'DBInstances[*].StorageEncrypted'
- Create a snapshot:

aws rds create-db-snapshot --region <region-name> --db-snapshot-identifier <db-snapshot-name> --db-instance-identifier <db-name>
- List KMS key aliases:

aws kms list-aliases --region <region-name>
- Create an encrypted copy of the snapshot:

aws rds copy-db-snapshot --region <region> \
--source-db-snapshot-identifier <source-snapshot> \
--target-db-snapshot-identifier <target-snapshot> \
--copy-tags \
--kms-key-id <kms-key-id>
- Restore the encrypted snapshot (default VPC):

aws rds restore-db-instance-from-db-snapshot --region <region> \
--db-instance-identifier <new-db-name> \
--db-snapshot-identifier <snapshot-name>
- (Optional) Create a DB subnet group (if using custom VPC):

aws rds create-db-subnet-group \
--db-subnet-group-name <name> \
--db-subnet-group-description <description> \
--subnet-ids '["subnet-1","subnet-2","subnet-3"]'
- Restore using the subnet group:

aws rds restore-db-instance-from-db-snapshot --region <region> \
--db-subnet-group-name <subnet-group> \
--db-instance-identifier <new-db-name> \
--db-snapshot-identifier <snapshot-name>
- Verify the new database instance:

aws rds describe-db-instances --region <region> --query 'DBInstances[*].DBInstanceIdentifier'
- Confirm encryption is enabled:

aws rds describe-db-instances --region <region> \
--db-instance-identifier <db-name> \
--query 'DBInstances[*].StorageEncrypted'
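The following bash script is an added example and is not part of the benchmark text or of the AWS CLI documentation. It wraps the command-line steps above into two pieces a practitioner would actually run: an audit that lists every unencrypted instance in a region (flagging read replicas, which have to be recreated from the migrated primary rather than migrated on their own), and a migration function that performs the snapshot, encrypted copy and restore in order, waiting for each resource to become available before the next step and re-checking StorageEncrypted on the restored instance before reporting success. It assumes AWS CLI v2 with working credentials; the region, instance names and KMS key alias shown are placeholders, and the restored instance is named <db>-encrypted by convention of this script only.

```bash
#!/usr/bin/env bash
# Added example, not part of the benchmark: audit RDS instances for
# encryption-at-rest and drive the snapshot -> encrypted copy -> restore
# migration described above. Assumes AWS CLI v2 with credentials configured;
# every region, instance and KMS key value is a placeholder you supply.
set -euo pipefail

# One tab-separated row per instance: identifier, StorageEncrypted, and the
# read-replica source (the CLI prints "None" for null fields in text output).
list_instance_rows() {
    aws rds describe-db-instances --region "$1" --output text \
        --query 'DBInstances[*].[DBInstanceIdentifier,StorageEncrypted,ReadReplicaSourceDBInstanceIdentifier]'
}

# Read those rows on stdin and print the unencrypted instances. Replicas are
# labelled because they are not migrated on their own: recreate them from
# the primary once the primary has been moved to an encrypted instance.
report_unencrypted() {
    awk -F'\t' '$2 == "False" { if ($3 != "None") print $1 " (replica of " $3 ")"; else print $1 }'
}

# Succeeds only if the named instance reports StorageEncrypted=True.
is_encrypted() {
    local region=$1 db=$2
    [ "$(aws rds describe-db-instances --region "$region" --db-instance-identifier "$db" \
          --query 'DBInstances[0].StorageEncrypted' --output text)" = "True" ]
}

# Snapshot, copy with a KMS key, restore as <db>-encrypted, then re-check.
# Each step waits for the previous resource to become available, which the
# bare command list above leaves to the operator. The optional 4th argument
# is a DB subnet group for a custom VPC.
migrate_to_encrypted() {
    local region=$1 db=$2 kms_key_id=$3 subnet_group=${4:-}
    local snap="${db}-pre-encrypt" enc_snap="${db}-pre-encrypt-enc" new_db="${db}-encrypted"

    if is_encrypted "$region" "$db"; then
        echo "$db is already encrypted; nothing to do" >&2
        return 0
    fi

    aws rds create-db-snapshot --region "$region" \
        --db-instance-identifier "$db" --db-snapshot-identifier "$snap" >/dev/null
    aws rds wait db-snapshot-available --region "$region" --db-snapshot-identifier "$snap"

    aws rds copy-db-snapshot --region "$region" \
        --source-db-snapshot-identifier "$snap" \
        --target-db-snapshot-identifier "$enc_snap" \
        --copy-tags --kms-key-id "$kms_key_id" >/dev/null
    aws rds wait db-snapshot-available --region "$region" --db-snapshot-identifier "$enc_snap"

    # Build the restore arguments in the positional parameters (portable; no arrays).
    set -- --region "$region" --db-instance-identifier "$new_db" --db-snapshot-identifier "$enc_snap"
    [ -n "$subnet_group" ] && set -- "$@" --db-subnet-group-name "$subnet_group"
    aws rds restore-db-instance-from-db-snapshot "$@" >/dev/null
    aws rds wait db-instance-available --region "$region" --db-instance-identifier "$new_db"

    # Verify before any application cut-over: restoring the wrong (unencrypted)
    # snapshot would quietly hand back an unencrypted instance.
    is_encrypted "$region" "$new_db" || { echo "$new_db is not encrypted" >&2; return 1; }
    echo "$new_db"
}

# Usage against a real account (placeholder values):
#   list_instance_rows us-east-1 | report_unencrypted
#   migrate_to_encrypted us-east-1 orders-db alias/rds-at-rest
```

After migrate_to_encrypted prints the new identifier, the remaining steps are the ones the console procedure already lists: point the application at the new endpoint and delete the unencrypted instance. The same note about data written between the snapshot and the cut-over applies; the script does nothing to freeze the source database.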

See Also

https://workbench.cisecurity.org/benchmarks/24575

Item Details

Category: IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|IA-5(1), 800-53|SC-28, 800-53|SC-28(1), CSCv7|14.8

Plugin: amazon_aws

Control ID: 4c1e6f35efbae630dbb544c5460d3c1f46c194bcc4cc87db463087170b7f0a0a