Description:
Amazon Relational Database Service (Amazon RDS) is a web service that provides a managed relational database. It can encrypt your DB instances; for encryption, it uses the industry-standard AES-256 algorithm to encrypt your data.
RDS encrypts your databases using keys managed with AWS Key Management Service (KMS). Encryption and decryption are handled transparently by RDS with minimal impact on performance.
That makes it easier to set up, operate, and scale a relational database in the AWS Cloud. It provides cost-efficient, resizable capacity for an industry-scale relational database and manages common database administration tasks. You may also be required to implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronically protected health information. Encrypting RDS instances is therefore a crucial part of the overall security posture.
Rationale:
It is recommended that your RDS instances always be encrypted to prevent potential leaks or misuse of sensitive data and to reduce security threats.
Impact:
Encryption provides an additional layer of data protection by securing your data against unauthorized access to the underlying storage.
It increases the data protection of your applications deployed in the cloud and fulfills compliance requirements for encryption at rest.
Default Value:
AWS enables encryption of the RDS database by default, but you can disable it manually. AWS recommends that you always enable encryption as a best practice.
Pre-Requisite:
You cannot restore an unencrypted backup or snapshot to an encrypted DB instance.
You cannot disable encryption on an encrypted DB instance.
To copy an encrypted snapshot from one AWS Region to another, you must specify the CMK in the destination AWS Region. This is because CMKs are specific to the AWS Region that they are created in.
You must also have created an encryption key in AWS KMS beforehand.
Remediation:
Test Plan:
First, check whether an RDS instance exists. If none exists, create an RDS instance; if one already exists, follow the steps below:
Via AWS Console
Step 1: Log in to the AWS Management Console and navigate to the RDS dashboard at https://console.aws.amazon.com/rds/.
Step 2: In the dashboard panel click on DB Instances.
Step 3: Select the DB instance that you want to examine.
Step 4: Click on the Configuration tab; in the Storage column, Encryption shows either Enabled or Not enabled.
If the current status is Not enabled, the selected DB instance is not encrypted.
Step 5: Repeat steps 2 to 4 for each RDS instance for auditing.
Using AWS CLI:
The following describe-db-instances example retrieves details about the specified DB instance; the StorageEncrypted field in the output shows whether its storage is encrypted.
aws rds describe-db-instances --db-instance-identifier empl
Implementation Steps:
Step 1: Log in to the AWS Management Console and navigate to the RDS dashboard at https://console.aws.amazon.com/rds/
Step 2: Click on Snapshots in the left navigation pane
Step 3: If no snapshot of the DB instance is available, first take a snapshot and then continue with the steps below to enable encryption of the RDS instance; if you already have snapshots of the RDS instance, select the snapshot that you want to encrypt.
Step 4: Select the snapshot that you want to encrypt and click on Actions
Step 5: Select Copy Snapshot
Step 6: Select the Destination Region, then enter your New DB Snapshot Identifier
Step 7: Under Settings, go to the Encryption section, tick the Enable Encryption check box and select a Master Key from the list (here we select the default master key; you can instead select the encryption key you created for RDS)
Step 8: Click on Copy snapshot
After the encrypted snapshot of the database has been created, you can restore a DB instance from it, which gives you an encrypted copy of your original DB instance.
Using AWS CLI :
If you use the AWS CLI create-db-instance command to create an encrypted DB instance, pass the --storage-encrypted flag (the CLI's boolean form of setting StorageEncrypted to true); add --kms-key-id to choose a specific KMS key, otherwise the default RDS key is used. If you use the CreateDBInstance API operation, set the StorageEncrypted parameter to true.
aws rds create-db-instance \
    --db-instance-identifier empl \
    --db-instance-class db.t3.micro \
    --engine mysql \
    --master-username admin \
    --master-user-password 12345 \
    --allocated-storage 20 \
    --storage-encrypted
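The audit in the Test Plan and the snapshot-copy remediation in the Implementation Steps can be scripted together. The following is an added example, not code from the control or from AWS: it parses the JSON output of aws rds describe-db-instances (a constructed sample is embedded), reports every instance whose StorageEncrypted is not true, checks the instance class against the unsupported classes listed in the note at the end of this control, and emits the CLI commands for the snapshot, encrypted copy and restore. The <id>-unenc / <id>-enc naming and the alias/aws/rds key are assumptions.

```python
import json
# Instance classes the control's closing note lists as not supporting encryption.
UNSUPPORTED_CLASSES = {"db.m1.small", "db.m1.medium", "db.m1.large", "db.m1.xlarge",
                       "db.m2.xlarge", "db.m2.2xlarge", "db.m2.4xlarge", "db.t2.micro"}

# Constructed sample of `aws rds describe-db-instances --output json`, trimmed
# to the fields this check reads.
SAMPLE_OUTPUT = json.dumps({"DBInstances": [
    {"DBInstanceIdentifier": "empl", "DBInstanceClass": "db.t3.micro", "StorageEncrypted": True},
    {"DBInstanceIdentifier": "legacy-reports", "DBInstanceClass": "db.m1.small", "StorageEncrypted": False},
    {"DBInstanceIdentifier": "staging", "DBInstanceClass": "db.t3.medium", "StorageEncrypted": False},
]})


def audit_rds_encryption(describe_output: str) -> list:
    """One finding per DB instance whose storage is not encrypted at rest.
    A missing StorageEncrypted field counts as not encrypted, so an unexpected
    response shape is reported rather than silently passed."""
    findings = []
    for inst in json.loads(describe_output).get("DBInstances", []):
        if inst.get("StorageEncrypted") is True:
            continue
        cls = inst.get("DBInstanceClass", "")
        findings.append({"identifier": inst.get("DBInstanceIdentifier", "<unknown>"),
                         "class": cls,
                         "class_supports_encryption": cls not in UNSUPPORTED_CLASSES})
    return findings


def remediation_commands(finding: dict, kms_key_id: str) -> list:
    """CLI commands for the snapshot-copy remediation: snapshot, copy with a KMS
    key, restore. Snapshot/instance names follow an assumed <id>-unenc / <id>-enc
    pattern; kms_key_id may be a key ARN or an alias such as alias/aws/rds."""
    ident, cls = finding["identifier"], finding["class"]
    if not finding["class_supports_encryption"]:
        return [f"# {ident}: class {cls} does not support encryption; "
                "modify the instance class before copying the snapshot"]
    return [
        f"aws rds create-db-snapshot --db-instance-identifier {ident} "
        f"--db-snapshot-identifier {ident}-unenc",
        f"aws rds copy-db-snapshot --source-db-snapshot-identifier {ident}-unenc "
        f"--target-db-snapshot-identifier {ident}-enc --kms-key-id {kms_key_id}",
        f"aws rds restore-db-instance-from-db-snapshot --db-instance-identifier "
        f"{ident}-encrypted --db-snapshot-identifier {ident}-enc",
    ]


if __name__ == "__main__":
    for f in audit_rds_encryption(SAMPLE_OUTPUT):
        print("\n".join(remediation_commands(f, "alias/aws/rds")))
```

Review the emitted commands before running them; the restored instance keeps the original until you verify it and delete the old one, as the control's closing notes describe.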
Backout Plan:
The implementation steps above copy an unencrypted snapshot to an encrypted snapshot. If you want to restore your database without encryption, follow the steps below:
Step 1: Log in to the AWS Management Console and navigate to the RDS dashboard at https://console.aws.amazon.com/rds/
Step 2: After copying the unencrypted database's snapshot, you have two snapshots of the same database instance or cluster: one encrypted and one unencrypted.
Step 3: If you do not want to restore the encrypted database, select the older snapshot of the same database, which does not have encryption enabled.
Step 4: Click on the Action menu list and click on Restore snapshot
Step 5: In Restore Snapshot, enter the DB instance identifier, select your VPC and configure everything else as in your previous DB instance configuration, then click on Restore DB instance
Now you have restored your older database instance, which is not encrypted.
Note: This snapshot was taken from your unencrypted database, so it has no encryption enabled.
Once you have created an encrypted DB instance, you can't change the type of encryption key used by that DB instance. Therefore, be sure to determine your encryption key requirements before you create your encrypted DB instance.
You can use the ARN of a key from another account to encrypt a DB instance. Or you might create a DB instance with the same AWS account that owns the AWS KMS encryption key used to encrypt that new DB instance. In this case, the AWS KMS key ID that you pass can be the AWS KMS key alias instead of the key's ARN.
Perform Implementation steps carefully.
After restoring your snapshot, you can delete your older RDS instance to save money.
Note: The following table lists DB instance classes that do not support Amazon RDS encryption:
| Instance type | Instance class |
|---|---|
| General Purpose (M1) | db.m1.small, db.m1.medium, db.m1.large, db.m1.xlarge |
| Memory Optimized (M2) | db.m2.xlarge, db.m2.2xlarge, db.m2.4xlarge |
| Burst Capable (T2) | db.t2.micro |
References:
- Encrypting Amazon RDS resources - Amazon Relational Database Service
- https://aws.amazon.com/blogs/aws/new-encryption-options-for-amazon-rds/
- https://aws.amazon.com/rds/features/security/
- https://aws.amazon.com/blogs/database/selecting-the-right-encryption-options-for-amazon-rds-and-amazon-aurora-database-engines/