AWS RDS Database is not Encrypted

Description:

AWS RDS (Relational Database Service) provides managed database instances for application use. One of its core data-protection features is encryption at rest, which uses AES-256 with an AWS KMS key to encrypt the underlying storage volume of a DB instance together with its automated backups, read replicas and snapshots. When RDS storage is not encrypted, anyone who obtains a copy of that storage (a shared or exported snapshot, a backup, or the physical media) can read the data directly, which is a significant risk for sensitive data and a common compliance finding. Encryption at rest does not replace access control at the database and IAM layers: a caller with valid database credentials, or with permission to copy and share snapshots plus access to the KMS key, can still read the data. The setting is chosen when an instance is created and cannot be switched on afterwards, which is why remediation for existing instances is a migration rather than a modification.


Remediation:

1. Encryption for New RDS Instances:

AWS Management Console:
  • Navigate to the RDS dashboard.
  • Click on "Create database".
  • In the creation wizard, under the "Encryption" section, ensure "Enable encryption" is checked. Encryption cannot be enabled later by modifying the instance, and it is not available for SQL Server Express Edition.
  • Select the appropriate KMS key from the dropdown or create a new one. The AWS-managed aws/rds key is the default; choose a customer managed key if you need to control the key policy and rotation or to share encrypted snapshots with another account, which the AWS-managed key does not allow.
  • Continue with other database settings and click "Create".
AWS CLI:
# --kms-key-id is optional (omit it to use the AWS-managed aws/rds key); --manage-master-user-password has RDS generate the password into Secrets Manager instead of passing it on the command line, where it would land in shell history
aws rds create-db-instance --db-instance-identifier YourDBInstanceName --engine mysql --db-instance-class db.m5.large --allocated-storage 20 --master-username yourmasteruser --manage-master-user-password --storage-encrypted --kms-key-id arn:aws:kms:region:account-id:key/key-id

2. Encryption for Existing RDS Instances:

An existing DB instance cannot be modified to turn encryption on; the only route is to snapshot it, copy the snapshot with encryption, and restore a new instance from the encrypted copy. Plan for it as a migration: the new instance gets a new endpoint (unless you rename the old instance and reuse its identifier), writes made after the snapshot is taken are not carried over (so stop application writes first), and the restored instance needs its subnet group, security groups and parameter group set explicitly or it lands in the defaults. Once the application is repointed and verified, delete the unencrypted snapshot and the old instance, since both still hold the data in the clear. Note that an unencrypted instance cannot have encrypted read replicas, so any replicas are recreated from the new encrypted primary.

AWS Management Console:
  • Navigate to the RDS dashboard.
  • In the navigation pane, choose "Databases", select the unencrypted DB instance, then choose "Actions" and "Take snapshot" (stop application writes first).
  • In the navigation pane, choose "Snapshots" and wait for the new snapshot to reach the "Available" state.
  • Select the snapshot, choose "Actions", then "Copy Snapshot".
  • In the "Encryption" section, select "Enable Encryption" and choose a KMS key.
  • Click "Copy Snapshot".
  • Once the encrypted copy is available, select it and choose "Actions", then "Restore Snapshot" to create the new encrypted DB instance; set the VPC, subnet group, security groups and parameter group as part of the restore, then repoint the application and retire the unencrypted instance and snapshot.
AWS CLI:
# 1. Take a manual snapshot of the unencrypted DB instance (stop application writes first; data written after this point is not carried over)
aws rds create-db-snapshot --db-instance-identifier YourDBInstanceName --db-snapshot-identifier YourDBSnapshotName
aws rds wait db-snapshot-available --db-snapshot-identifier YourDBSnapshotName

# 2. Copy the snapshot with encryption (the copy is a new encrypted snapshot; the source snapshot stays unencrypted and should be deleted afterwards)
aws rds copy-db-snapshot --source-db-snapshot-identifier YourDBSnapshotName --target-db-snapshot-identifier YourEncryptedDBSnapshotName --kms-key-id arn:aws:kms:region:account-id:key/key-id
aws rds wait db-snapshot-available --db-snapshot-identifier YourEncryptedDBSnapshotName

# 3. Restore a new DB instance from the encrypted snapshot; pass the subnet group, security groups and parameter group explicitly so the new instance does not come up in the defaults
aws rds restore-db-instance-from-db-snapshot --db-instance-identifier YourNewDBInstanceName --db-snapshot-identifier YourEncryptedDBSnapshotName --db-instance-class db.m5.large --db-subnet-group-name YourSubnetGroup --vpc-security-group-ids sg-xxxxxxxx --db-parameter-group-name YourParameterGroup
aws rds wait db-instance-available --db-instance-identifier YourNewDBInstanceName

# 4. Verify before repointing the application (expect true and the KMS key ARN)
aws rds describe-db-instances --db-instance-identifier YourNewDBInstanceName --query 'DBInstances[0].[StorageEncrypted,KmsKeyId]'
Terraform:
resource "aws_db_instance" "example" {
  identifier     = "example-db"
  engine         = "mysql"
  engine_version = "8.0.33"

  allocated_storage = 20
  instance_class    = "db.t3.medium"

  username                    = "admin"
  manage_master_user_password = true # password generated by RDS and kept in Secrets Manager, not in source or state

  storage_encrypted = true
  kms_key_id        = "arn:aws:kms:region:account-id:key/key-id" # omit to use the AWS-managed aws/rds key

  # storage_encrypted forces replacement on an existing resource, so Terraform would destroy the
  # unencrypted instance and create an empty one; to carry the data over, restore the new resource
  # from the encrypted snapshot copy made above instead:
  # snapshot_identifier = "YourEncryptedDBSnapshotName"

  # destroy fails without a final snapshot identifier unless skip_final_snapshot is true
  final_snapshot_identifier = "example-db-final"
}

3. Monitor and Audit:

Because encryption is fixed at creation time, you need both a one-off audit that finds the unencrypted instances already running and a control that catches new ones as they are created.

AWS Management Console:
  • Navigate to AWS Config and add the managed rule "rds-storage-encrypted"; its optional kmsKeyId parameter also marks instances encrypted with any other key as non-compliant. AWS Security Hub reports the same check as control RDS.3 when the AWS Foundational Security Best Practices standard is enabled.
  • For near-real-time alerting, create an EventBridge rule on CloudTrail "AWS API Call via CloudTrail" events for CreateDBInstance and route it to an SNS topic. A plain CloudWatch metric alarm cannot detect this, because RDS publishes no metric for the encryption setting.
  • To prevent rather than detect, attach a service control policy (or IAM policy) that denies rds:CreateDBInstance when the rds:StorageEncrypted condition key is false.
AWS CLI:
# One-off audit: list instances whose storage is not encrypted
aws rds describe-db-instances --query 'DBInstances[?StorageEncrypted==`false`].[DBInstanceIdentifier,Engine]' --output table

# Register the managed AWS Config rule (AWS Config must already be recording in the account and region)
aws configservice put-config-rule --config-rule '{"ConfigRuleName":"rds-storage-encrypted","Source":{"Owner":"AWS","SourceIdentifier":"RDS_STORAGE_ENCRYPTED"}}'

# Review the rule's non-compliant resources
aws configservice get-compliance-details-by-config-rule --config-rule-name rds-storage-encrypted --compliance-types NON_COMPLIANT
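The following script is an added example for the audit and control steps above; it is not part of the original page and not an AWS tool. It works offline against the JSON shape that `aws rds describe-db-instances` prints (the same shape boto3's describe_db_instances returns), flags unencrypted instances and, optionally, instances encrypted with a key outside an allow-list (the check the managed Config rule performs), and builds the Config rule document and the preventive SCP described above. The instance names and key ARNs are constructed sample data; the managed rule's kmsKeyId parameter name and the rds:StorageEncrypted condition key are taken from the AWS Config and RDS IAM references, so confirm them against your account before deploying.

```python
"""Offline audit of RDS encryption at rest plus the detective/preventive control documents.
Added example, not from the original page or from AWS. Sample data below is constructed."""
import json

# Constructed sample: what `aws rds describe-db-instances --output json` prints for three instances.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "DBInstances": [
        {"DBInstanceIdentifier": "orders-prod", "Engine": "mysql", "StorageEncrypted": True,
         "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/1111aaaa-2222-bbbb-3333-cccc4444dddd"},
        {"DBInstanceIdentifier": "legacy-reports", "Engine": "postgres", "StorageEncrypted": False},
        {"DBInstanceIdentifier": "orders-replica", "Engine": "mysql", "StorageEncrypted": True,
         "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/9999eeee-8888-ffff-7777-000011112222",
         "ReadReplicaSourceDBInstanceIdentifier": "orders-prod"},
    ]
})

# Constructed: the customer managed key the organisation has approved for RDS.
APPROVED_KEY = "arn:aws:kms:us-east-1:111122223333:key/1111aaaa-2222-bbbb-3333-cccc4444dddd"


def audit_rds_encryption(describe_output, approved_kms_keys=None):
    """Return one finding dict per non-compliant instance.

    describe_output: JSON text or parsed dict from describe-db-instances.
    approved_kms_keys: optional set of KMS key ARNs. When given, an encrypted instance
    using any other key is reported as "unapproved_key"; without it, only unencrypted
    instances are reported, matching the managed rule with no kmsKeyId parameter.
    """
    data = json.loads(describe_output) if isinstance(describe_output, str) else describe_output
    findings = []
    for db in data.get("DBInstances", []):
        ident = db["DBInstanceIdentifier"]
        # An encrypted instance always reports StorageEncrypted=true and a KmsKeyId,
        # so a missing flag is treated as unencrypted rather than as unknown.
        if not db.get("StorageEncrypted", False):
            findings.append({"instance": ident, "engine": db.get("Engine"), "issue": "unencrypted",
                             "fix": "snapshot, copy with --kms-key-id, restore, repoint, decommission"})
            continue
        key = db.get("KmsKeyId")
        if approved_kms_keys is not None and key not in approved_kms_keys:
            findings.append({"instance": ident, "engine": db.get("Engine"), "issue": "unapproved_key",
                             "kms_key_id": key, "fix": "re-encrypt via snapshot copy with an approved key"})
    return findings


def config_rule_document(rule_name="rds-storage-encrypted", kms_key_id=None):
    """Document for `aws configservice put-config-rule --config-rule file://rule.json`,
    using the AWS managed rule RDS_STORAGE_ENCRYPTED. InputParameters must be a JSON string."""
    rule = {
        "ConfigRuleName": rule_name,
        "Source": {"Owner": "AWS", "SourceIdentifier": "RDS_STORAGE_ENCRYPTED"},
        "Scope": {"ComplianceResourceTypes": ["AWS::RDS::DBInstance"]},
    }
    if kms_key_id:
        rule["InputParameters"] = json.dumps({"kmsKeyId": kms_key_id})
    return rule


def deny_unencrypted_rds_scp():
    """Service control policy that denies creating an unencrypted DB instance.
    The second statement also denies requests where the condition key is absent, so a
    call that simply omits the parameter cannot slip past the first statement."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "DenyUnencryptedRDS", "Effect": "Deny", "Action": "rds:CreateDBInstance",
             "Resource": "*", "Condition": {"Bool": {"rds:StorageEncrypted": "false"}}},
            {"Sid": "DenyWhenEncryptionUnspecified", "Effect": "Deny", "Action": "rds:CreateDBInstance",
             "Resource": "*", "Condition": {"Null": {"rds:StorageEncrypted": "true"}}},
        ],
    }


if __name__ == "__main__":
    for f in audit_rds_encryption(SAMPLE_DESCRIBE_OUTPUT, {APPROVED_KEY}):
        print(f"{f['instance']:16} {f['issue']:15} {f['fix']}")
    print(json.dumps(config_rule_document(kms_key_id=APPROVED_KEY), indent=2))
    print(json.dumps(deny_unencrypted_rds_scp(), indent=2))
```

Run it as-is to see the two findings from the sample (legacy-reports is unencrypted; orders-replica uses a key outside the allow-list), or feed it real output with `aws rds describe-db-instances --output json > instances.json` and `audit_rds_encryption(open("instances.json").read())`. Test the SCP on a sandbox OU first: it denies every CreateDBInstance call that is not explicitly encrypted, including ones made by infrastructure pipelines.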

4. Document and Train:

Ensure guidelines mandate encrypted RDS storage. Train teams about the importance of encryption and its implementation.

By following the provided steps, you can ensure AWS RDS database storage is encrypted, closing off data exposure through copied or shared snapshots, backups and underlying storage, while access through the database engine and the AWS APIs remains governed by your credential and IAM controls.