Critical

Ensure RDS database instances have storage encryption enabled

Security & Compliance
Description

To meet data-at-rest encryption requirements for sensitive and critical data held in production databases, enable storage encryption on your RDS database instances. When RDS encryption is enabled, all data on the instance's underlying storage, its automated backups, Read Replicas and snapshots is encrypted. AWS KMS manages and protects the encryption keys, and the data is encrypted with AES-256. Encryption and decryption are handled transparently by RDS and require no changes to your application. Two constraints matter when planning remediation: encryption can only be enabled when an instance is created (an existing unencrypted instance is re-created from an encrypted snapshot copy), and not every instance class supports encryption. At the time this page was written, the encryption-capable classes were listed as db.t2.large, db.m3.medium to db.m3.2xlarge, db.m4.large to db.m4.10xlarge, db.r3.large to db.r3.8xlarge and db.cr1.8xlarge; check the current AWS RDS documentation for your Region before planning a migration, as that list has changed since.

Remediation

Here are the remediation steps to ensure that your RDS database instances are encrypted:

  1. Identify the RDS database instances whose storage is not encrypted (StorageEncrypted is false in the output of aws rds describe-db-instances, or "Encryption: Not enabled" on the instance's Configuration tab in the console).
  2. Verify that the instance class supports encryption. This page lists db.t2.large, db.m3.medium to db.m3.2xlarge, db.m4.large to db.m4.10xlarge, db.r3.large to db.r3.8xlarge and db.cr1.8xlarge as supported; confirm against the current AWS documentation for your Region. If an instance runs on a class that does not support encryption, plan to restore it onto a class that does.
  3. Enable encryption. Encryption can only be turned on when an instance is created; modifying an existing instance cannot switch it on. For a new instance, select storage encryption at creation. For an existing unencrypted instance: stop application writes, take a snapshot, copy the snapshot with a KMS key (the copy is what becomes encrypted), restore a new instance from the encrypted copy, repoint the application to the new endpoint, and only then delete the old instance and its unencrypted snapshots.
  4. Choose the AWS KMS key for the instance. The AWS managed key (alias aws/rds) works with no setup, but a customer managed key gives you control over the key policy, rotation and auditing, and is required if you ever need to share encrypted snapshots with another AWS account (snapshots encrypted with the AWS managed key cannot be shared).
  5. Verify that the instance, its underlying storage, automated backups, Read Replicas and snapshots are all encrypted. Check StorageEncrypted and KmsKeyId for the instance (console or describe-db-instances) and the Encrypted field of each snapshot (describe-db-snapshots). Read Replicas of an encrypted instance are encrypted; a cross-Region replica needs a KMS key in the destination Region, because KMS keys are regional.
  6. Update any relevant documentation or policies to reflect the changes made to encrypt the RDS database instances.
  7. Monitor the RDS instances to ensure that they remain encrypted, for example with the AWS Config managed rule rds-storage-encrypted or a scheduled audit script, and address any new unencrypted instance as a finding.
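The audit from step 1 and the snapshot-copy-restore path from steps 2 to 5, as an added Python example that is not part of the original page or of any Lightlytics tool. It consumes the response shape of aws rds describe-db-instances (the same dict boto3's rds.describe_db_instances() returns), which you would normally fetch from the CLI or boto3; the sample response, account number, key ARNs and instance names are constructed for this example, and the instance-class list is the one given on this page, kept as a hint rather than an authority. It emits the AWS CLI commands for the migration rather than running them, so it can be reviewed before anything is executed.

```python
"""Audit RDS instances for storage encryption and plan the re-encryption.

Input is the JSON shape returned by `aws rds describe-db-instances --output json`
(the same dict boto3's rds.describe_db_instances() returns).  Everything in
SAMPLE_RESPONSE (names, account number, key ARNs) is constructed sample data.
"""

SAMPLE_RESPONSE = {
    "DBInstances": [
        {
            "DBInstanceIdentifier": "orders-prod",
            "DBInstanceArn": "arn:aws:rds:us-east-1:111122223333:db:orders-prod",
            "DBInstanceClass": "db.m4.large",
            "Engine": "postgres",
            "StorageEncrypted": True,
            "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
        },
        {
            "DBInstanceIdentifier": "legacy-reports",
            "DBInstanceArn": "arn:aws:rds:us-east-1:111122223333:db:legacy-reports",
            "DBInstanceClass": "db.m3.medium",
            "Engine": "mysql",
            "StorageEncrypted": False,
        },
        {
            "DBInstanceIdentifier": "dev-scratch",
            "DBInstanceArn": "arn:aws:rds:eu-west-1:111122223333:db:dev-scratch",
            "DBInstanceClass": "db.t2.micro",
            "Engine": "mysql",
            "StorageEncrypted": False,
        },
    ]
}

# Instance classes this page lists as encryption-capable (an older AWS list;
# verify against current AWS documentation before relying on it).
ENCRYPTION_CAPABLE_PREFIXES = ("db.t2.large", "db.m3.", "db.m4.", "db.r3.", "db.cr1.")


def region_of(arn):
    """ARN layout is arn:partition:service:region:account:resource."""
    return arn.split(":")[3]


def find_unencrypted(response):
    """Return one finding per instance whose StorageEncrypted is not true."""
    findings = []
    for db in response["DBInstances"]:
        if db.get("StorageEncrypted") is True:
            continue
        cls = db["DBInstanceClass"]
        findings.append({
            "id": db["DBInstanceIdentifier"],
            "region": region_of(db["DBInstanceArn"]),
            "class": cls,
            "class_supports_encryption": cls.startswith(ENCRYPTION_CAPABLE_PREFIXES),
        })
    return findings


def remediation_plan(finding, kms_key_arn, target_class=None):
    """AWS CLI commands that re-create an unencrypted instance as an encrypted one.

    RDS cannot switch encryption on in place, so the path is: snapshot the
    instance, copy the snapshot with a KMS key (the copy is what is encrypted),
    restore a new instance from the encrypted copy, then verify.  Stop writes
    before the snapshot and repoint the application to the new endpoint after.
    """
    if region_of(kms_key_arn) != finding["region"]:
        # KMS keys are regional; the encrypted copy must use a key in its own Region.
        raise ValueError(f"KMS key is in {region_of(kms_key_arn)}, instance is in {finding['region']}")
    target_class = target_class or finding["class"]
    if not target_class.startswith(ENCRYPTION_CAPABLE_PREFIXES):
        raise ValueError(f"{target_class} is not listed as encryption-capable; pass target_class")
    src = finding["id"]
    snap, enc_snap, dst = f"{src}-pre-enc", f"{src}-enc", f"{src}-encrypted"
    region = f"--region {finding['region']}"
    return [
        f"aws rds create-db-snapshot {region} --db-instance-identifier {src} --db-snapshot-identifier {snap}",
        f"aws rds wait db-snapshot-available {region} --db-snapshot-identifier {snap}",
        f"aws rds copy-db-snapshot {region} --source-db-snapshot-identifier {snap} "
        f"--target-db-snapshot-identifier {enc_snap} --kms-key-id {kms_key_arn} --copy-tags",
        f"aws rds wait db-snapshot-available {region} --db-snapshot-identifier {enc_snap}",
        f"aws rds restore-db-instance-from-db-snapshot {region} --db-instance-identifier {dst} "
        f"--db-snapshot-identifier {enc_snap} --db-instance-class {target_class}",
        f"aws rds wait db-instance-available {region} --db-instance-identifier {dst}",
        f"aws rds describe-db-instances {region} --db-instance-identifier {dst} "
        "--query 'DBInstances[0].[StorageEncrypted,KmsKeyId]'",
    ]


if __name__ == "__main__":
    key = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
    for f in find_unencrypted(SAMPLE_RESPONSE):
        print(f"{f['id']} ({f['class']}, {f['region']}): storage NOT encrypted")
        try:
            print("\n".join("  " + cmd for cmd in remediation_plan(f, key)))
        except ValueError as err:
            print(f"  cannot plan automatically: {err}")
```

Run against real data by piping aws rds describe-db-instances --output json into json.load and passing the result to find_unencrypted. The two ValueError paths cover the cases the remediation steps warn about: a KMS key from the wrong Region (dev-scratch lives in eu-west-1) and an instance class that the page does not list as encryption-capable (db.t2.micro), which is resolved by passing a supported target_class to the restore step. The generated describe-db-instances query at the end is the check from step 5; the old instance and the unencrypted pre-enc snapshot are left for you to delete deliberately after cutover.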
Enforced Resources
Note: Remediation steps provided by Lightlytics are meant to be suggestions and guidelines only. It is crucial to thoroughly verify and test any remediation steps before applying them to production environments. Each organization's infrastructure and security needs may differ, and blindly applying suggested remediation steps without proper testing could potentially cause unforeseen issues or vulnerabilities. Therefore, it is strongly recommended that you validate and customize any remediation steps to meet your organization's specific requirements and ensure that they align with your security policies and best practices.