1.4 Ensure Databases running on RDS have encryption at rest enabled

Information

Amazon RDS instances and snapshots can be encrypted at rest by enabling the encryption option on the Amazon RDS DB instance. Data that is encrypted at rest includes the underlying storage for a DB instance, its automated backups, read replicas, and snapshots. It is recommended that encryption at rest be enabled.
Enabling encryption at rest helps ensure that the confidentiality of data stored in RDS instances, snapshots, and backups is maintained.

Solution

Using the Amazon unified CLI:

* Perform a snapshot of the DB instance:

aws rds create-db-snapshot --db-snapshot-identifier <db_snapshot> --db-instance-identifier <your_db_instance>

* Confirm that the created snapshot is available (once the snapshot process has completed):

aws rds describe-db-snapshots --query 'DBSnapshots[*].{DBSnapshotIdentifier:DBSnapshotIdentifier, DBInstanceIdentifier:DBInstanceIdentifier, Snapshotstatus:Status}'

* List all KMS Customer Managed Keys:

aws kms list-aliases

* Copy the source RDS snapshot (from the previous step) to a destination snapshot, which will be encrypted with the chosen KMS key:

aws rds copy-db-snapshot --source-db-snapshot-identifier <db_snapshot> --target-db-snapshot-identifier <encrypted_db_snapshot> --kms-key-id <data_tier_kms_key>

* Restore the encrypted snapshot (from the previous step) to the target DB instance, using the same values as the original DB instance plus the additional encrypted storage values:

aws rds restore-db-instance-from-db-snapshot --db-instance-identifier <your_db_instance> --db-snapshot-identifier <encrypted_db_snapshot>
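The five steps above chained into one POSIX shell script, as an added example that is not part of the CIS benchmark or the Tenable plugin. It assumes the function names, the AWS_CLI override (so the flow can be dry-run against a stub), and that the new instance is restored under a different identifier so the original stays in place until its StorageEncrypted flag has been verified; the aws rds wait subcommands are real CLI waiters.

```shell
#!/bin/sh
# Added example: snapshot -> encrypted copy -> restore, then verify encryption at rest.
# AWS_CLI may be overridden (e.g. with a stub function) to exercise the flow offline.
set -eu

AWS_CLI="${AWS_CLI:-aws}"

# Print "true" or "false": the StorageEncrypted flag of a DB instance, lowercased.
rds_storage_encrypted() {
  "$AWS_CLI" rds describe-db-instances --db-instance-identifier "$1" \
    --query 'DBInstances[0].StorageEncrypted' --output text | tr '[:upper:]' '[:lower:]'
}

# encrypt_rds_instance <src_instance> <dst_instance> <kms_key>
# Re-creates <src_instance> as the encrypted instance <dst_instance> using <kms_key>.
# The source instance is not touched; cut over only after <dst_instance> is verified.
encrypt_rds_instance() {
  src="$1"; dst="$2"; kms_key="$3"
  if [ "$(rds_storage_encrypted "$src")" = "true" ]; then
    echo "$src already encrypted at rest; nothing to do"
    return 0
  fi
  snap="${src}-plain-$(date +%Y%m%d%H%M%S)"   # unencrypted snapshot identifier
  enc_snap="${snap}-encrypted"                 # encrypted copy identifier

  # Step 1: snapshot the unencrypted instance and wait until the snapshot is available.
  "$AWS_CLI" rds create-db-snapshot --db-instance-identifier "$src" \
    --db-snapshot-identifier "$snap" >/dev/null
  "$AWS_CLI" rds wait db-snapshot-available --db-snapshot-identifier "$snap"

  # Step 2: copy the snapshot with a KMS key; the copy is encrypted at rest.
  "$AWS_CLI" rds copy-db-snapshot --source-db-snapshot-identifier "$snap" \
    --target-db-snapshot-identifier "$enc_snap" --kms-key-id "$kms_key" >/dev/null
  "$AWS_CLI" rds wait db-snapshot-available --db-snapshot-identifier "$enc_snap"

  # Step 3: restore from the encrypted snapshot; the new instance inherits its encryption.
  "$AWS_CLI" rds restore-db-instance-from-db-snapshot --db-instance-identifier "$dst" \
    --db-snapshot-identifier "$enc_snap" >/dev/null
  "$AWS_CLI" rds wait db-instance-available --db-instance-identifier "$dst"

  # Step 4: do not trust the procedure blindly; check the flag on the restored instance.
  if [ "$(rds_storage_encrypted "$dst")" != "true" ]; then
    echo "verification failed: $dst is not encrypted at rest" >&2
    return 1
  fi
  echo "$dst restored from $enc_snap with encryption at rest"
}
```

Running it for real requires IAM permissions for rds:CreateDBSnapshot, rds:CopyDBSnapshot, rds:RestoreDBInstanceFromDBSnapshot and kms:* on the chosen key; the unencrypted snapshot should be deleted once the encrypted instance is in service.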

See Also

https://workbench.cisecurity.org/files/260

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-28(1)

Plugin: amazon_aws

Control ID: efcf40409a171482d9885abf8cddd2b3953bba9c2d833be5e1483e4b2d046c62