Control: 6.5 Ensure that 'TDE' is set to 'Enabled' on for applicable database instance

Description

Enable Transparent Data Encryption on every RDS instance.

Remediation

From Console

Logon to RDS Console.
In the upper-left corner, select the region of the target instance.
Locate the target instance, and click the instance ID to enter the Basic Information page.
In the left-side navigation pane, click Data Security to go to the Security page.
Click the TDE tab.
On the TDE tab, find TDE Status and click the switch next to Disabled.
In the displayed dialog box, choose automatically generated key or custom key, click Confirm.

Perform the following to Encrypt a table:

For RDS for MySQL, connect to the instance and run the following command to encrypt tables.

alter table <tablename> engine=innodb, block_format=encrypted

For RDS for SQL Server, click Configure TDE, select the databases to encrypt, add them to the right, and click OK.

Perform the following to Decrypt data:

To decrypt a MySQL table encrypted by TDE, run the following command:

alter table <tablename> engine=innodb, block_format=default

To decrypt a SQL Server table encrypted by TDE, click Configure TDE and move the database to the left.

Usage

Run the control in your terminal:

powerpipe control run alicloud_compliance.control.cis_v100_6_5

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run alicloud_compliance.control.cis_v100_6_5 --share

SQL

This control uses a named query:

select
  arn as resource,
  case
    when tde_status = 'Enabled' then 'ok'
    else 'alarm'
  end as status,
  case
    when tde_status = 'Enabled' then title || ' TDE enabled.'
    else title || ' TDE disabled.'
  end as reason
  
  , account_id as account_id, region as region
from
  alicloud_rds_instance;

Control: 6.5 Ensure that 'TDE' is set to 'Enabled' on for applicable database instance

Description

Remediation

From Console

Usage

SQL

Tags