turbot/steampipe-mod-alicloud-compliance

Control: 6.6 Ensure RDS instance TDE protector is encrypted with BYOK (Use your own key)

Description

TDE with BYOK support provides increased transparency and control, increased security with an HSM-backed KMS service, and promotion of separation of duties. With TDE, data is encrypted at rest with a symmetric key (called the database encryption key). With BYOK support for TDE, the DEK can be protected with an asymmetric key that is stored in the KMS. Based on business needs or criticality of data, it is recommended that the TDE protector is encrypted by a key that is managed by the data owner (BYOK).

Remediation

Using the management console:

  1. Log on to the RDS Console.
  2. In the upper-left corner, select the region of the target instance.
  3. Locate the target instance, and click the instance ID to enter the Basic Information page.
  4. In the left-side navigation pane, click Data Security to go to the Security page.
  5. Click the TDE tab.
  6. On the TDE tab, find TDE Status and click the switch next to Disabled.
  7. In the displayed dialog box, choose custom key and click Confirm.

Default Value:

Disabled.

Usage

Run the control in your terminal:

powerpipe control run alicloud_compliance.control.cis_v200_6_6

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run alicloud_compliance.control.cis_v200_6_6 --share

SQL

This control uses a named query:

select
  r.arn as resource,
  case
    when r.tde_status = 'Enabled' and r.tde_encryption_key is not null and k.key_id is not null and k.creator = k.account_id then 'ok'
    else 'alarm'
  end as status,
  case
    when r.tde_status != 'Enabled' then r.title || ' TDE is not enabled.'
    when r.tde_encryption_key is null then r.title || ' TDE enabled but not using a custom key (BYOK).'
    when k.key_id is null then r.title || ' TDE enabled with key ' || r.tde_encryption_key || ' but key not found in KMS. Verify the key exists and is accessible.'
    when k.creator is null or k.creator != k.account_id then r.title || ' TDE enabled but encryption key is not customer-managed (BYOK). Key creator: ' || coalesce(k.creator, 'unknown') || ', Account ID: ' || coalesce(k.account_id, 'unknown')
    when r.tde_status = 'Enabled' and r.tde_encryption_key is not null and k.creator = k.account_id then r.title || ' TDE enabled with BYOK (custom key ' || k.key_id || ').'
    else r.title || ' TDE not configured with BYOK.'
  end as reason,
  r.account_id as account_id,
  r.region as region
from
  alicloud_rds_instance r
  left join alicloud_kms_key k on r.tde_encryption_key = k.key_id;
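To see which branch each instance falls into before running against a live account, the control's status logic can be exercised over constructed rows. This is an added example, not part of the mod: the two CTEs (sample_rds_instance, sample_kms_key) and every value in them are made up, and the service-created key's creator value ('Rds') is an assumption about how KMS reports such keys.

```sql
-- Constructed stand-ins for alicloud_rds_instance and alicloud_kms_key,
-- one row per outcome the control can produce (all values are made up).
with sample_rds_instance (arn, title, tde_status, tde_encryption_key, account_id, region) as (
  values
    ('acs:rds:cn-hangzhou:111:instance/rm-a', 'rm-a', 'Disabled', null,          '111', 'cn-hangzhou'), -- TDE off
    ('acs:rds:cn-hangzhou:111:instance/rm-b', 'rm-b', 'Enabled',  null,          '111', 'cn-hangzhou'), -- service key
    ('acs:rds:cn-hangzhou:111:instance/rm-c', 'rm-c', 'Enabled',  'key-missing', '111', 'cn-hangzhou'), -- not in KMS
    ('acs:rds:cn-hangzhou:111:instance/rm-d', 'rm-d', 'Enabled',  'key-svc',     '111', 'cn-hangzhou'), -- service-created key
    ('acs:rds:cn-hangzhou:111:instance/rm-e', 'rm-e', 'Enabled',  'key-byok',    '111', 'cn-hangzhou')  -- customer-managed key
),
sample_kms_key (key_id, creator, account_id) as (
  values
    ('key-svc',  'Rds', '111'),  -- assumed: creator is the RDS service, not the account owner
    ('key-byok', '111', '111')   -- creator equals the account id: BYOK
)
-- Same status/reason logic as the control's named query, joined the same way.
select
  r.title,
  case
    when r.tde_status = 'Enabled' and r.tde_encryption_key is not null and k.key_id is not null and k.creator = k.account_id then 'ok'
    else 'alarm'
  end as status,
  case
    when r.tde_status != 'Enabled' then r.title || ' TDE is not enabled.'
    when r.tde_encryption_key is null then r.title || ' TDE enabled but not using a custom key (BYOK).'
    when k.key_id is null then r.title || ' TDE enabled with key ' || r.tde_encryption_key || ' but key not found in KMS. Verify the key exists and is accessible.'
    when k.creator is null or k.creator != k.account_id then r.title || ' TDE enabled but encryption key is not customer-managed (BYOK). Key creator: ' || coalesce(k.creator, 'unknown') || ', Account ID: ' || coalesce(k.account_id, 'unknown')
    when r.tde_status = 'Enabled' and r.tde_encryption_key is not null and k.creator = k.account_id then r.title || ' TDE enabled with BYOK (custom key ' || k.key_id || ').'
    else r.title || ' TDE not configured with BYOK.'
  end as reason
from
  sample_rds_instance r
  left join sample_kms_key k on r.tde_encryption_key = k.key_id
order by r.title;
```

Only rm-e comes back 'ok'; rm-a through rm-d each return 'alarm' with the matching reason, which is useful when checking that the KMS key's creator column really equals the account ID for keys you consider BYOK.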

Tags