Ensure storage encryption at rest is enabled for Amazon Relational Database Service (Amazon RDS) instances

HIGH

Description

The Amazon RDS DB instance has storage encryption at rest disabled, so the underlying storage volume, automated backups, read replicas and snapshots are stored in cleartext and may expose sensitive customer data to anyone who can access the storage layer or copy a snapshot.

Remediation

Storage encryption for an RDS DB instance can only be set when the instance is created: select the 'Enable Encryption' option while creating the database instance in the AWS Console. An existing unencrypted instance cannot be encrypted in place; the supported path is to take a snapshot, copy the snapshot with encryption enabled, and restore a new instance from the encrypted copy. Either the AWS managed key (aws/rds) or a customer managed KMS key can be used, but once the key is selected for an instance it cannot be changed.

In Terraform -

  1. In the aws_db_instance resource, set the storage_encrypted field to true (it defaults to false).
  2. To use a specific KMS key, set the kms_key_id field to the ARN of the key to be used; this only takes effect when storage_encrypted is true.
  3. Note that changing storage_encrypted or kms_key_id on an existing aws_db_instance forces replacement of the instance, so apply the change through the snapshot-copy-restore path rather than to a live database.

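The following is an added example, not code from the original page or from Terrascan/AWS, showing the non-compliant aws_db_instance the rule flags beside the remediated form that applies the Terraform steps above with a customer managed KMS key. Identifiers, the key alias, the engine choice and the db_password variable are placeholders chosen for illustration.

```hcl
# Added example (not from the original page). Identifiers, alias, engine and
# the db_password variable are placeholders.

variable "db_password" {
  type      = string
  sensitive = true
}

# Non-compliant: storage_encrypted is omitted and defaults to false, so the
# volume, backups and snapshots of this instance are unencrypted (AC_AWS_0058).
resource "aws_db_instance" "app_db_unencrypted" {
  identifier          = "app-db-unencrypted"
  engine              = "postgres"
  engine_version      = "15"
  instance_class      = "db.t3.micro"
  allocated_storage   = 20
  username            = "app"
  password            = var.db_password
  skip_final_snapshot = true
}

# Customer managed key for RDS storage encryption. Rotation is enabled; the key
# bound to an instance cannot be swapped later, but KMS rotation does not
# require re-encrypting the volume.
resource "aws_kms_key" "rds" {
  description             = "CMK for RDS storage encryption (example)"
  deletion_window_in_days = 30
  enable_key_rotation     = true
}

resource "aws_kms_alias" "rds" {
  name          = "alias/rds-app-db"
  target_key_id = aws_kms_key.rds.key_id
}

# Remediated: step 1 enables encryption at rest, step 2 pins a specific CMK.
# Omitting kms_key_id while storage_encrypted is true uses the AWS managed
# key aws/rds instead.
resource "aws_db_instance" "app_db" {
  identifier                = "app-db"
  engine                    = "postgres"
  engine_version            = "15"
  instance_class            = "db.t3.micro"
  allocated_storage         = 20
  username                  = "app"
  password                  = var.db_password
  skip_final_snapshot       = false
  final_snapshot_identifier = "app-db-final"

  storage_encrypted = true                # step 1
  kms_key_id        = aws_kms_key.rds.arn # step 2

  lifecycle {
    # Both attributes above are immutable after creation; any change would
    # force Terraform to destroy and recreate the database, so guard it.
    prevent_destroy = true
  }
}
```

Running terraform plan on the first resource reproduces what the scanner reports; the second resource is created encrypted from the start. For an instance that already exists unencrypted, do not simply flip storage_encrypted on the live resource: take a snapshot, copy it with the CMK, restore a new instance from the encrypted copy, then cut over and retire the old one. To inventory affected instances in an account, query the StorageEncrypted field returned by the AWS CLI command aws rds describe-db-instances and filter for entries where it is false.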
For more information on RDS database encryption, see the AWS documentation.

References:
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance

Policy Details

Rule Reference ID: AC_AWS_0058
CSP: AWS
Remediation Available: Yes
Resource: aws_db_instance
Resource Category: Database
Resource Type: DB Instance

Frameworks