Description: 

Amazon Relational Database Service (Amazon RDS) is a managed relational database web service. It can encrypt your DB instances; for encryption it uses the industry-standard AES-256 algorithm to encrypt your data.

RDS encrypts your databases using keys managed with AWS Key Management Service (KMS). RDS handles encryption and decryption of your data transparently, with minimal impact on performance.


That makes it easier to set up, operate, and scale a relational database in the AWS Cloud. It provides cost-efficient, resizable capacity for an industry-scale relational database and manages common database administration tasks. Organizations must implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information, so encryption of RDS instances is a crucial part of the overall security posture.


Rationale: 

It is recommended that your RDS instances always be encrypted in order to prevent potential leaks or misuse of sensitive data and to reduce security threats.


Impact:

Encryption provides an additional layer of data protection by securing your data against unauthorized access to the underlying storage.

It increases the data protection of your applications deployed in the cloud and fulfills compliance requirements for encryption at rest.


Default Value:

AWS by default enables the encryption of the RDS database, but you can disable it manually. AWS recommends you always enable encryption as a best practice.


Audit:

First, check whether an RDS instance exists. If none exists, create one; if it already exists, follow the steps below:

Via AWS Console

Step 1: Log in to the AWS Management Console and navigate to the RDS dashboard at https://console.aws.amazon.com/rds/

Step 2: In the dashboard panel, click on DB Instances

Step 3: Select the DB instance which you want to examine.

Step 4: Click on the Configuration tab; in the Storage column, Encryption shows either Enabled or Not enabled

If the current status is Not enabled, the selected DB instance is not encrypted

Step 5: Repeat steps 2 to 4 for each RDS instance for auditing.


Via CLI command:

The following describe-db-instances example retrieves details about the specified DB instance. In the output, the StorageEncrypted field is true for an encrypted instance and false otherwise.

aws rds describe-db-instances --db-instance-identifier empl
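As an added example (not part of this page or of the AWS CLI), a small Python audit that parses the JSON printed by aws rds describe-db-instances (run without --db-instance-identifier to list every instance in the region) and reports instances whose StorageEncrypted is false; it also flags instances whose class is one the later note on this page lists as unable to support encryption, since those must be resized before remediation. The sample JSON, the instance names and the key ARN are constructed placeholders.

```python
import json
from typing import Dict, List

# Instance classes the page's note lists as not supporting RDS encryption
UNSUPPORTED_CLASSES = {
    "db.m1.small", "db.m1.medium", "db.m1.large", "db.m1.xlarge",
    "db.m2.xlarge", "db.m2.2xlarge", "db.m2.4xlarge",
    "db.t2.micro",
}


def audit_db_instances(describe_output: str) -> List[Dict[str, str]]:
    """Return one finding per DB instance that fails the encryption check.

    describe_output is the JSON from `aws rds describe-db-instances`;
    DBInstances, DBInstanceIdentifier, DBInstanceClass and StorageEncrypted
    are the field names of that response.
    """
    findings = []
    for db in json.loads(describe_output).get("DBInstances", []):
        klass = db.get("DBInstanceClass", "")
        if db.get("StorageEncrypted", False):
            continue  # encrypted at rest: compliant
        reason = "storage not encrypted"
        if klass in UNSUPPORTED_CLASSES:
            reason += f"; class {klass} does not support encryption, resize first"
        findings.append({"id": db["DBInstanceIdentifier"],
                         "class": klass, "reason": reason})
    return findings


# Constructed sample output with two instances (placeholder account/key ids)
SAMPLE = json.dumps({"DBInstances": [
    {"DBInstanceIdentifier": "empl", "DBInstanceClass": "db.t3.micro",
     "StorageEncrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
    {"DBInstanceIdentifier": "legacy-payroll", "DBInstanceClass": "db.t2.micro",
     "StorageEncrypted": False},
]})

if __name__ == "__main__":
    for finding in audit_db_instances(SAMPLE):
        print(f"{finding['id']} ({finding['class']}): {finding['reason']}")
```

Pipe real output in with aws rds describe-db-instances --output json and feed it to audit_db_instances to cover every instance in the region at once.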


Remediation:

Pre-Requisite:

  1. You cannot restore an unencrypted backup or snapshot to an encrypted DB instance.

  2. You cannot disable encryption on an encrypted DB instance.

  3. To copy an encrypted snapshot from one AWS Region to another, you must specify the CMK in the destination AWS Region. This is because CMKs are specific to the AWS Region that they are created in.

  4. You must also have created an encryption key in AWS KMS beforehand.



Implementation Steps:

Step 1: Log in to the AWS Management Console and navigate to the RDS dashboard at https://console.aws.amazon.com/rds/

Step 2: Click on Snapshots in the left navigation pane

Step 3: If no snapshot of the DB instance is available, take a snapshot first and then continue with the steps below to enable encryption. If snapshots of the RDS instance already exist, select the snapshot that you want to encrypt.

Step 4: Select the snapshot that you want to encrypt and click on Actions 


Step 5: Select Copy Snapshot


Step 6: Select the Destination Region, then enter your New DB Snapshot Identifier

Step 7: Under Settings, go to the Encryption section, tick the check box to Enable Encryption, and select a Master Key from the list (here the default master key is selected; you can instead create your own encryption key for RDS)

Step 8: Click on Copy snapshot

Once the encrypted copy of the snapshot is complete, restore the database from it. After the restore, repeat the Audit steps above and you will see that Encryption is Enabled.


Via CLI Command:

If you use the AWS CLI create-db-instance command to create an encrypted DB instance, pass the --storage-encrypted flag (it is a boolean option and takes no value; the default --no-storage-encrypted creates an unencrypted instance). If you use the CreateDBInstance API operation, set the StorageEncrypted parameter to true. The master password below is a placeholder; RDS requires a master password of at least 8 characters.

aws rds create-db-instance \
    --db-instance-identifier empl \
    --db-instance-class db.t3.micro \
    --engine mysql \
    --master-username admin \
    --master-user-password '<strong-master-password>' \
    --allocated-storage 20 \
    --storage-encrypted


Back out Plan:

The implementation steps above copy an unencrypted snapshot to an encrypted snapshot. If you want to restore your database without encryption, follow the steps below:

Step 1: Log in to the AWS Management Console and navigate to the RDS dashboard at https://console.aws.amazon.com/rds/

Step 2: After copying the unencrypted database's snapshot, you have two snapshots of the same database instance or cluster: one encrypted and one unencrypted

Step 3: If you do not want to restore the encrypted database, select the older snapshot of the same database, the one on which encryption is not enabled

Step 4: Click on the Actions menu and click on Restore snapshot

Step 5: In Restore Snapshot, enter the DB instance identifier, select the VPC for your DB instance, configure everything else as in your previous DB instance configuration, and then click on Restore DB instance


Your older, unencrypted database instance is now restored.

Note: This snapshot was taken from your unencrypted database, so it has no encryption enabled.

  1. Once you have created an encrypted DB instance, you can't change the type of encryption key used by that DB instance. Therefore, be sure to determine your encryption key requirements before you create your encrypted DB instance.

  2. You can use the ARN of a key from another account to encrypt a DB instance. Or you might create a DB instance with the same AWS account that owns the AWS KMS encryption key used to encrypt that new DB instance. In this case, the AWS KMS key ID that you pass can be the AWS KMS key alias instead of the key's ARN.

  3. Perform Implementation steps carefully.

  4. After restoring your snapshot, you can delete your older RDS instance to save money.

 

Note: The following table lists DB instance classes that do not support Amazon RDS encryption:

Instance type            Instance class
General Purpose (M1)     db.m1.small, db.m1.medium, db.m1.large, db.m1.xlarge
Memory Optimized (M2)    db.m2.xlarge, db.m2.2xlarge, db.m2.4xlarge
Burst Capable (T2)       db.t2.micro

References:

  1. Encrypting Amazon RDS resources - Amazon Relational Database Service

  2. copy-db-snapshot - AWS CLI 1.19.111 Command Reference

  3. describe-db-instances - AWS CLI 1.19.110 Command Reference

  4. https://aws.amazon.com/blogs/aws/new-encryption-options-for-amazon-rds/