turbot/alicloud_compliance

Control: 6.5 Ensure that 'TDE' is set to 'Enabled' for applicable database instances

Description

Enable Transparent Data Encryption on every RDS instance.

Remediation

From Console

  1. Log on to the RDS console.
  2. In the upper-left corner, select the region of the target instance.
  3. Locate the target instance, and click the instance ID to enter the Basic Information page.
  4. In the left-side navigation pane, click Data Security to go to the Security page.
  5. Click the TDE tab.
  6. On the TDE tab, find TDE Status and click the switch next to Disabled.
  7. In the displayed dialog box, choose an automatically generated key or a custom key, then click Confirm.

Perform the following to encrypt a table:

  • For RDS for MySQL, connect to the instance and run the following command for each table to encrypt:
      alter table <tablename> engine=innodb, block_format=encrypted
  • For RDS for SQL Server, click Configure TDE, select the databases to encrypt, add them to the right, and click OK.

Perform the following to decrypt data:

  • To decrypt a MySQL table encrypted by TDE, run the following command:
      alter table <tablename> engine=innodb, block_format=default
  • To decrypt a SQL Server database encrypted by TDE, click Configure TDE and move the database to the left.

Usage

Run the control in your terminal:

powerpipe control run alicloud_compliance.control.cis_v100_6_5

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run alicloud_compliance.control.cis_v100_6_5 --share

SQL

This control uses a named query:

rds_instance_tde_enabled
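As an added example (not the mod's own rds_instance_tde_enabled query), the check below shows the shape of a Powerpipe control query that evaluates this control over the Steampipe alicloud_rds_instance table; the column names tde_status, arn, title, region and account_id are assumed, and instances where the table reports no TDE status are treated as not applicable rather than failed.

```sql
-- Added example, not the alicloud_compliance mod's own query.
-- Assumes the Steampipe table alicloud_rds_instance exposes the columns
-- arn, title, tde_status, region and account_id (assumed names).
-- Each instance yields one row with a status of 'ok', 'alarm' or 'skip',
-- which is the row shape a Powerpipe control expects from its query.
select
  arn as resource,
  case
    when tde_status is null then 'skip'       -- TDE not applicable to this engine/edition
    when tde_status = 'Enabled' then 'ok'
    else 'alarm'
  end as status,
  case
    when tde_status is null then title || ' does not support TDE.'
    when tde_status = 'Enabled' then title || ' has TDE enabled.'
    else title || ' has TDE disabled.'
  end as reason,
  region,
  account_id
from
  alicloud_rds_instance
order by
  status, region, title;
```

Instances reported as 'alarm' are the ones to remediate with the console steps above; 'skip' rows are engines or editions where Alibaba Cloud does not offer TDE, so they should not count as failures.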

Tags