v1.0 for Steampipe, Powerpipe, Flowpipe, 116 plugins, and 44 mods →
Powerpipe Hub 
Hub
Mods
turbot/aws_compliance
Overview
32Dashboards
1295Controls
585Queries
4Variables
GitHub

Control: 2.2.1 Ensure that encryption-at-rest is enabled for RDS Instances

Description

Amazon RDS encrypted DB instances use the industry-standard AES-256 encryption algorithm to encrypt your data on the server that hosts your Amazon RDS DB instances. After your data is encrypted, Amazon RDS handles the authentication of access and the decryption of your data transparently, with minimal impact on performance.

Databases are likely to hold sensitive and critical data, it is highly recommended to implement encryption in order to protect your data from unauthorized access or disclosure. With RDS encryption enabled, the data stored on the instance's underlying storage, the automated backups, read replicas, and snapshots, are all encrypted.

Remediation

From Console:

  1. Login to the AWS Management Console and open the RDS dashboard at https://console.aws.amazon.com/rds/.
  2. In the left navigation panel, click on Databases.
  3. Select the Database instance that needs to be encrypted.
  4. Click on Actions button placed at the top right and select Take Snapshot.
  5. On the Take Snapshot page, enter the name of the database for which you want to take a snapshot in the Snapshot Name field and click on Take Snapshot.
  6. Select the newly created snapshot, click the Action button placed at the top right, and select Copy snapshot from the Action menu.
  7. On the Make Copy of DB Snapshot page, perform the following:
  • In the New DB Snapshot Identifier field, Enter a name for the new snapshot.
  • Check Copy Tags, New snapshot must have the same tags as the source snapshot.
  • Select Yes from the Enable Encryption dropdown list to enable encryption, You can choose to use the AWS default encryption key or custom key from Master Key dropdown list.
  1. Click Copy Snapshot to create an encrypted copy of the selected instance's snapshot.
  2. Select the new Snapshot Encrypted Copy and click on the Action button placed at the top right. Then, select Restore Snapshot button from the Action menu, This will restore the encrypted snapshot to a new database instance.
  3. On the Restore DB Instance page, enter a unique name for the new database instance in the DB Instance Identifier field.
  4. Review the instance configuration details and click Restore DB Instance.
  5. As the new instance provisioning process is completed, you can update the application configuration to refer to the endpoint of the new encrypted database instance. Once the database endpoint is changed at the application level, you can remove the unencrypted instance.

From Command Line:

  1. Run the describe-db-instances command to list the names of all RDS database instances in the selected AWS region. The command output should return database instance identifiers:
aws rds describe-db-instances --region <region-name> --query 'DBInstances[*].DBInstanceIdentifier'
  1. Run the create-db-snapshot command to create a snapshot for a selected database instance. The command output will return the new snapshot with name DB Snapshot Name:
aws rds create-db-snapshot --region <region-name> --db-snapshot-identifier <db-snapshot-name> --db-instance-identifier <db-name>
  1. Now run list-aliases command to list the KMS keys aliases available in a specified region, The command output should return each key alias currently available. For our RDS encryption the activation process, locate the ID of the AWS default KMS key:
aws kms list-aliases --region <region-name>
  1. Run copy-db-snapshot command using the default KMS key ID for RDS instances returned earlier to create an encrypted copy of the database instance snapshot. The command output will return the encrypted instance snapshot configuration:
aws rds copy-db-snapshot --region <region-name> --source-db-snapshot-identifier <db-snapshot-name> --target-db-snapshot-identifier <db-snapshot-name-encrypted> --copy-tags --kms-key-id <kms-id-for-rds>
  1. Run restore-db-instance-from-db-snapshot command to restore the encrypted snapshot created at the previous step to a new database instance. If successful, the command output should return the configuration of the new encrypted database instance:
aws rds restore-db-instance-from-db-snapshot --region <region-name> --db-instance-identifier <db-name-encrypted> --db-snapshot-identifier <db-snapshot-name-encrypted>
  1. Run describe-db-instances command to list all RDS database names, available in the selected AWS region, output will return database instance identifier name. Select encrypted database name that we just created DB-Name-Encrypted:
aws rds describe-db-instances --region <region-name> --query 'DBInstances[*].DBInstanceIdentifier'
  1. Run again describe-db-instances command using the RDS instance identifier returned earlier, to determine if the selected database instance is encrypted, the command output should return the encryption status True:
aws rds describe-db-instances --region <region-name> --db-instance-identifier <db-name-encrypted> --query 'DBInstances[*].StorageEncrypted'

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.cis_v400_2_2_1

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.cis_v400_2_2_1 --share

SQL

This control uses a named query:

rds_db_instance_encryption_at_rest_enabled

Tags

category = Compliance
cis = true
cis_item_id = 2.3.1
cis_level = 1
cis_section_id = 2.2
cis_type = automated
cis_version = v4.0.0
plugin = aws
service = AWS/RDS