Control: 3.2.1 Ensure that encryption-at-rest is enabled for RDS instances
Description
Amazon RDS encrypted DB instances use the industry-standard AES-256 encryption algorithm to encrypt your data on the server that hosts your Amazon RDS DB instances. After your data is encrypted, Amazon RDS handles the authentication of access and the decryption of your data transparently, with minimal impact on performance.
Remediation
From Console:
- Log in to the AWS Management Console and open the RDS dashboard at https://console.aws.amazon.com/rds/.
- In the left navigation panel, click on Databases.
- Select the database instance that needs to be encrypted.
- Click the Actions button placed at the top right and select Take Snapshot.
- On the Take Snapshot page, enter the name of the database for which you want to take a snapshot in the Snapshot Name field and click on Take Snapshot.
- Select the newly created snapshot, click the Action button placed at the top right, and select Copy Snapshot from the Action menu.
- On the Make Copy of DB Snapshot page, perform the following:
  - In the New DB Snapshot Identifier field, enter a name for the new snapshot.
  - Check Copy Tags. The new snapshot must have the same tags as the source snapshot.
  - Select Yes from the Enable Encryption dropdown list to enable encryption. You can choose to use the AWS default encryption key or a custom key from the Master Key dropdown list.
  - Click Copy Snapshot to create an encrypted copy of the selected instance's snapshot.
- Select the new encrypted snapshot copy and click the Action button located at the top right. Then, select the Restore Snapshot option from the Action menu. This will restore the encrypted snapshot to a new database instance.
- On the Restore DB Instance page, enter a unique name for the new database instance in the DB Instance Identifier field.
- Review the instance configuration details and click Restore DB Instance.
- Once the new instance provisioning process is completed, update the application configuration to refer to the endpoint of the new encrypted database instance. Once the database endpoint is changed at the application level, you can remove the unencrypted instance.
From Command Line:
- Run the describe-db-instances command to list the names of all RDS database instances in the selected AWS region. The command output should return database instance identifiers:
aws rds describe-db-instances --region <region-name> --query 'DBInstances[*].DBInstanceIdentifier'
- Check if the specified RDS instance is encrypted. If it shows false, it means it is not yet encrypted:
aws rds describe-db-instances --region <region-name> --db-instance-identifier <db-name> --query 'DBInstances[*].StorageEncrypted'
- Run the create-db-snapshot command to create a snapshot for a selected database instance. The command output will return the new snapshot with the name given as <db-snapshot-name>:
aws rds create-db-snapshot --region <region-name> --db-snapshot-identifier <db-snapshot-name> --db-instance-identifier <db-name>
- Now run the list-aliases command to list the KMS key aliases available in a specified region. The command output should return each key alias currently available. For our RDS encryption activation process, locate the ID of the AWS default KMS key:
aws kms list-aliases --region <region-name>
- Run the copy-db-snapshot command using the default KMS key ID for RDS returned earlier to create an encrypted copy of the database instance snapshot. The command output will return the encrypted instance snapshot configuration:
aws rds copy-db-snapshot --region <region-name> --source-db-snapshot-identifier <db-snapshot-name> --target-db-snapshot-identifier <db-snapshot-name-encrypted> --copy-tags --kms-key-id <kms-id-for-rds>
- Run the restore-db-instance-from-db-snapshot command to restore the encrypted snapshot created in the previous step to a new database instance. If successful, the command output should return the configuration of the new encrypted database instance. If using the default VPC for the database network:
aws rds restore-db-instance-from-db-snapshot --region <region-name> --db-instance-identifier <db-name-encrypted> --db-snapshot-identifier <db-snapshot-name-encrypted>
If you created your own VPC and subnets, you need to create a DB subnet group first:
aws rds create-db-subnet-group --db-subnet-group-name <db-subnet-group-name> --db-subnet-group-description <db-subnet-group-description> --subnet-ids '["<subnet-id-1>","<subnet-id-2>","<subnet-id-3>"]'
Then restore the encrypted snapshot to an RDS database instance using the specified DB subnet group. The new instance will be encrypted using the KMS key specified during the snapshot copy:
aws rds restore-db-instance-from-db-snapshot --region <region-name> --db-subnet-group-name <db-subnet-group-name> --db-instance-identifier <db-name-encrypted> --db-snapshot-identifier <db-snapshot-name-encrypted>
- Run the describe-db-instances command to list all RDS database names available in the selected AWS region. The output will return the database instance identifier names. Confirm that the encrypted database instance just created, <db-name-encrypted>, is listed:
aws rds describe-db-instances --region <region-name> --query 'DBInstances[*].DBInstanceIdentifier'
- Run the describe-db-instances command again using the new RDS instance identifier to determine whether the selected database instance is encrypted. The command output should indicate that the encryption status is true:
aws rds describe-db-instances --region <region-name> --db-instance-identifier <db-name-encrypted> --query 'DBInstances[*].StorageEncrypted'
Default Value:
By default, Amazon RDS instances are created without encryption at rest. Encryption must be explicitly enabled at instance creation or by restoring from an encrypted snapshot.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.cis_v600_3_2_1
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run aws_compliance.control.cis_v600_3_2_1 --share
SQL
This control uses a named query:
select
  arn as resource,
  case
    when storage_encrypted then 'ok'
    else 'alarm'
  end as status,
  case
    when storage_encrypted then title || ' encrypted at rest.'
    else title || ' not encrypted at rest.'
  end as reason,
  region,
  account_id
from
  aws_rds_db_instance;
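As an added illustration (not Powerpipe's or the CIS benchmark's own code), the Python below applies the same ok/alarm logic as the named query above to a constructed sample of describe-db-instances output, resolves the AWS default alias/aws/rds key id from a constructed list-aliases sample (the lookup the From Command Line section leaves to the reader), and emits the snapshot, copy-snapshot and restore commands from that section for each instance in alarm. The instance names, account id and key ids are constructed placeholders, not real resources.

```python
import json

# Constructed sample of `aws rds describe-db-instances` output (placeholder account and ids).
DESCRIBE_DB_INSTANCES = json.loads("""{"DBInstances": [
  {"DBInstanceIdentifier": "orders-db", "StorageEncrypted": false,
   "DBInstanceArn": "arn:aws:rds:us-east-1:111122223333:db:orders-db"},
  {"DBInstanceIdentifier": "reports-db", "StorageEncrypted": true,
   "DBInstanceArn": "arn:aws:rds:us-east-1:111122223333:db:reports-db",
   "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000001"}]}""")

# Constructed sample of `aws kms list-aliases` output; alias/aws/rds is the AWS-managed default RDS key.
LIST_ALIASES = json.loads("""{"Aliases": [
  {"AliasName": "alias/aws/rds", "TargetKeyId": "00000000-0000-0000-0000-000000000001"},
  {"AliasName": "alias/app-key", "TargetKeyId": "00000000-0000-0000-0000-000000000002"}]}""")

def evaluate(describe_output):
    """Mirror the control's SQL: one (resource, status, reason) row per instance."""
    rows = []
    for db in describe_output["DBInstances"]:
        encrypted = db.get("StorageEncrypted", False)   # absent field is treated as unencrypted
        rows.append({
            "resource": db["DBInstanceArn"],
            "status": "ok" if encrypted else "alarm",
            "reason": f"{db['DBInstanceIdentifier']} {'encrypted' if encrypted else 'not encrypted'} at rest.",
        })
    return rows

def default_rds_key(aliases_output, alias="alias/aws/rds"):
    """Locate the KMS key id behind the default RDS alias (the list-aliases step of the remediation)."""
    for a in aliases_output["Aliases"]:
        if a["AliasName"] == alias:
            return a["TargetKeyId"]
    raise LookupError(f"{alias} not found; pick a customer managed key instead")

def remediation_plan(db_id, region, kms_key_id):
    """Snapshot -> encrypted copy -> restore, in the order the From Command Line section gives."""
    snap, enc = f"{db_id}-snapshot", f"{db_id}-snapshot-encrypted"
    return [
        f"aws rds create-db-snapshot --region {region} --db-snapshot-identifier {snap} --db-instance-identifier {db_id}",
        f"aws rds copy-db-snapshot --region {region} --source-db-snapshot-identifier {snap} "
        f"--target-db-snapshot-identifier {enc} --copy-tags --kms-key-id {kms_key_id}",
        f"aws rds restore-db-instance-from-db-snapshot --region {region} "
        f"--db-instance-identifier {db_id}-encrypted --db-snapshot-identifier {enc}",
    ]

def plan_for_alarms(describe_output, aliases_output, region="us-east-1"):
    """Map each instance in alarm to the CLI commands that produce its encrypted replacement."""
    key = default_rds_key(aliases_output)
    alarms = [r["resource"].rsplit(":", 1)[1] for r in evaluate(describe_output) if r["status"] == "alarm"]
    return {db_id: remediation_plan(db_id, region, key) for db_id in alarms}
```

The restore command here assumes the default VPC; for a custom VPC, add the --db-subnet-group-name step described above before restoring.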