Control: RDS DB clusters should be encrypted with CMK

Description

Ensure RDS DB cluster is encrypted using CMK. The rule is non-compliant if the RDS DB cluster is not encrypted using CMK.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.rds_db_cluster_encrypted_with_cmk

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.rds_db_cluster_encrypted_with_cmk --share

SQL

This control uses a named query:

with rds_clusters as (
  select
    arn,
    region,
    account_id,
    kms_key_id,
    storage_encrypted,
    title,
    tags,
    _ctx
  from
    aws_rds_db_cluster
), kms_keys as (
  select
    k.arn,
    k.key_manager,
    k.enabled
  from
    aws_kms_key as k
)
select
  r.arn as resource,
  case
    when not storage_encrypted then 'alarm'
    when storage_encrypted and c.key_manager = 'CUSTOMER' then 'ok'
    else 'alarm'
  end as status,
  case
    when not storage_encrypted then title || ' not encrypted.'
    when storage_encrypted and c.key_manager = 'CUSTOMER' then title || ' encrypted with CMK.'
    else title || ' not encrypted with CMK.'
  end as reason
  
  , region, account_id
from
  rds_clusters as r
  left join kms_keys as c on r.kms_key_id = c.arn;

Control: RDS DB clusters should be encrypted with CMK

Description

Usage

SQL

Tags