Control: 4 RDS cluster snapshots and database snapshots should be encrypted at rest
Description
This control checks whether RDS DB snapshots are encrypted.
This control is intended for RDS DB instances. However, it can also generate findings for snapshots of Aurora DB instances, Neptune DB instances, and Amazon DocumentDB clusters. If these findings are not useful, then you can suppress them.
Encrypting data at rest reduces the risk that an unauthenticated user gets access to data that is stored on disk. Data in RDS snapshots should be encrypted at rest for an added layer of security.
Remediation
- Open the Amazon RDS console.
- In the navigation pane, choose
Snapshots
. - Find the snapshot to encrypt under
Manual
orSystem
. - Select the check box next to the snapshot to encrypt.
- Choose
Actions
, then chooseCopy Snapshot
. - Under
New DB Snapshot Identifier
, type a name for the new snapshot. - Under
Encryption
, selectEnable Encryption
. - Choose the KMS key to use to encrypt the snapshot.
- Choose
Copy Snapshot
. - After the new snapshot is created, delete the original snapshot.
- For
Backup Retention Period
, choose a positive nonzero value. For example, 30 days.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.foundational_security_rds_4
Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run aws_compliance.control.foundational_security_rds_4 --share
SQL
This control uses a named query:
rds_db_snapshot_encrypted_at_rest