AWS RDS Database is not encrypted with the Customer Master Key (CMK)


AWS RDS (Relational Database Service) supports encryption at rest using AWS Key Management Service (KMS). By default, RDS uses the AWS managed KMS key for RDS. While this provides a layer of protection, using a Customer Master Key (CMK) offers a higher degree of control and management capabilities over the encryption process. Not encrypting with a CMK reduces the granularity of access controls and the auditability of key usage, which can create compliance and security risks.


1. Encryption with CMK for New RDS Instances:

AWS Management Console:
  • Navigate to the RDS dashboard.
  • Click on "Create database".
  • In the creation wizard, under the "Encryption" section, ensure "Enable encryption" is checked.
  • From the "Master key" dropdown, select your desired Customer Master Key (CMK) or create a new one.
  • Continue with other database settings and click "Create".
AWS CLI:
aws rds create-db-instance --allocated-storage 20 --db-instance-class db.m4.large --db-instance-identifier YourDBInstanceName --engine mysql --master-username yourmasteruser --master-user-password yourpassword --storage-encrypted --kms-key-id arn:aws:kms:region:account-id:key/your-cmk-id

2. Encryption with CMK for Existing RDS Instances:

For existing RDS instances, you would need to create an encrypted copy of your instance using the desired CMK.

AWS Management Console:
  • Navigate to the RDS dashboard.
  • In the navigation pane, choose "Snapshots".
  • Choose the snapshot of the existing DB instance.
  • Choose "Actions", then "Copy Snapshot".
  • In the "Encryption" section, select "Enable Encryption" and choose your CMK.
  • Click "Copy Snapshot".
  • Once the snapshot copy is completed, create a new RDS instance from the encrypted snapshot.
AWS CLI:
# Create a snapshot of the existing DB instance
aws rds create-db-snapshot --db-instance-identifier YourDBInstanceName --db-snapshot-identifier YourDBSnapshotName

# Copy the snapshot with encryption using CMK
aws rds copy-db-snapshot --source-db-snapshot-identifier YourDBSnapshotName --target-db-snapshot-identifier YourEncryptedDBSnapshotName --kms-key-id arn:aws:kms:region:account-id:key/your-cmk-id

# Restore a DB instance from the encrypted snapshot (the restored instance inherits the snapshot's CMK)
aws rds restore-db-instance-from-db-snapshot --db-instance-identifier YourNewDBInstanceName --db-snapshot-identifier YourEncryptedDBSnapshotName

Terraform:
  • Identify the RDS Database resource in your Terraform configuration.
  • Add the kms_key_id attribute to the RDS Database resource and set it to the ARN of the CMK that you want to use to encrypt the database.
  • Apply the Terraform configuration.
resource "aws_db_instance" "example" {
  identifier     = "example-db"
  engine         = "mysql"
  engine_version = "8.0.33"

  allocated_storage = 20
  instance_class    = "db.t2.medium"

  username = "root"
  password = "password"

  # Encryption at rest must be enabled for kms_key_id to take effect.
  storage_encrypted = true
  # ARN of the customer master key (CMK) used to encrypt the instance storage.
  # Note: storage_encrypted and kms_key_id cannot be changed in place on an
  # existing instance; terraform plan will show a replacement, so take a
  # snapshot first (see the snapshot copy procedure above).
  kms_key_id = "arn:aws:kms:us-east-1:123456789012:key/12345678-abcd-efgh-ijkl-1234567890ab"
}

Once you have added the kms_key_id attribute and set it to the ARN of the CMK that you want to use to encrypt the database, you can apply the Terraform configuration. Terraform will update the RDS Database to be encrypted with the CMK.

Note: It is important to back up your RDS Database before making any changes to its encryption status.

If you are using a managed Terraform service, such as Terraform Cloud or Terraform Enterprise, run a Terraform plan to preview the changes before applying them. This helps you identify potential problems with your configuration.

3. Monitor and Audit:

AWS Management Console:
  • Navigate to AWS Config.
  • Create a new rule to check for RDS instances not encrypted with a CMK.
  • Also, use AWS CloudTrail to monitor and log usage of your CMKs.

For ongoing monitoring, a script built on the AWS SDK (for example Boto3 in Python) is preferable to ad-hoc AWS CLI commands, because it can page through every instance and resolve each KMS key to its key type.
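The following Python script is an added example, not code from the original page or from AWS; it implements the monitoring check from this section and the post-migration verification implied by the snapshot procedure in section 2. It classifies each RDS instance as unencrypted, encrypted with the AWS managed key, or encrypted with a CMK, using the StorageEncrypted and KmsKeyId fields of DescribeDBInstances and the KeyManager field of KMS DescribeKey ("AWS" versus "CUSTOMER"). The instance records, key ARNs and key-manager mapping are constructed sample data; the scan_account function assumes boto3 is installed and credentials are configured, and is only called when you run the script against a real account.

```python
"""Audit RDS instances for encryption with a customer managed KMS key.

Added example (not from the original page). The classification and
verification functions run offline on the constructed sample data below;
only scan_account() talks to AWS and needs boto3 plus credentials.
"""
from typing import Callable, Dict, List

# Possible findings for one DB instance.
UNENCRYPTED = "unencrypted"          # StorageEncrypted is false
AWS_MANAGED_KEY = "aws-managed-key"  # encrypted, but with the default aws/rds key
CMK = "cmk"                          # encrypted with a customer managed key


def classify_instance(instance: dict, key_manager_of: Callable[[str], str]) -> str:
    """Return UNENCRYPTED, AWS_MANAGED_KEY or CMK for one DescribeDBInstances entry.

    key_manager_of maps a KMS key ARN to the KeyManager value of DescribeKey:
    "AWS" for AWS managed keys, "CUSTOMER" for customer managed keys.
    """
    if not instance.get("StorageEncrypted"):
        return UNENCRYPTED
    key_arn = instance.get("KmsKeyId", "")
    return CMK if key_manager_of(key_arn) == "CUSTOMER" else AWS_MANAGED_KEY


def find_noncompliant(instances: List[dict], key_manager_of: Callable[[str], str]) -> Dict[str, str]:
    """Map DBInstanceIdentifier -> finding for every instance that is not on a CMK."""
    findings: Dict[str, str] = {}
    for inst in instances:
        status = classify_instance(inst, key_manager_of)
        if status != CMK:
            findings[inst["DBInstanceIdentifier"]] = status
    return findings


def verify_migration(instance: dict, expected_cmk_arn: str) -> bool:
    """Post-migration check: the restored instance must use exactly the intended CMK."""
    return bool(instance.get("StorageEncrypted")) and instance.get("KmsKeyId") == expected_cmk_arn


# --- Constructed sample data mirroring DescribeDBInstances / DescribeKey output ---
SAMPLE_CMK_ARN = "arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555"
SAMPLE_AWS_KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"

SAMPLE_INSTANCES = [
    {"DBInstanceIdentifier": "legacy-db", "StorageEncrypted": False},
    {"DBInstanceIdentifier": "default-key-db", "StorageEncrypted": True, "KmsKeyId": SAMPLE_AWS_KEY_ARN},
    {"DBInstanceIdentifier": "cmk-db", "StorageEncrypted": True, "KmsKeyId": SAMPLE_CMK_ARN},
]

SAMPLE_KEY_MANAGERS = {SAMPLE_CMK_ARN: "CUSTOMER", SAMPLE_AWS_KEY_ARN: "AWS"}


def sample_key_manager(arn: str) -> str:
    """Offline stand-in for kms.describe_key(...)["KeyMetadata"]["KeyManager"]."""
    return SAMPLE_KEY_MANAGERS[arn]


def scan_account(region: str) -> Dict[str, str]:
    """Live scan with boto3 (requires credentials); same logic as the offline path."""
    import boto3  # imported here so the offline functions work without boto3

    rds = boto3.client("rds", region_name=region)
    kms = boto3.client("kms", region_name=region)
    instances: List[dict] = []
    for page in rds.get_paginator("describe_db_instances").paginate():
        instances.extend(page["DBInstances"])

    cache: Dict[str, str] = {}

    def key_manager_of(arn: str) -> str:
        # One DescribeKey call per distinct key, cached across instances.
        if arn not in cache:
            cache[arn] = kms.describe_key(KeyId=arn)["KeyMetadata"]["KeyManager"]
        return cache[arn]

    return find_noncompliant(instances, key_manager_of)


if __name__ == "__main__":
    for name, finding in find_noncompliant(SAMPLE_INSTANCES, sample_key_manager).items():
        print(f"{name}: {finding}")
    # To scan a real account instead of the sample data:
    # print(scan_account("us-east-1"))
```

Run the script as-is to see the two non-compliant sample instances reported; point scan_account at a region to audit a real account, and use verify_migration with the target CMK ARN after restoring from an encrypted snapshot to confirm the new instance landed on the intended key rather than the default aws/rds key.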

4. Document and Train:

Ensure internal guidelines mandate the use of CMKs for RDS encryption. Train the technical teams on the importance and implementation of encryption with CMKs.

By following these steps, you can ensure that AWS RDS databases are encrypted using Customer Master Keys, offering better control and auditability over encryption processes.