Description: 

Amazon RDS can encrypt your Amazon RDS DB instances. Data that is encrypted at rest includes the underlying storage for DB instances, its automated backups, read replicas, and snapshots. 

Ensure that your Amazon Relational Database Service (RDS) snapshots are encrypted in order to achieve compliance for data-at-rest encryption within your organization. The RDS snapshot encryption and decryption process is handled transparently and does not require any additional action from you or your application.


Rational:

The RDS snapshot encryption and decryption process is handled transparently and does not require any additional action from you or your application. The keys used for AWS RDS database snapshot encryption can be entirely managed and protected by the Amazon Web Services key management infrastructure or fully managed by the AWS customer through CMKs.


Impact:

Amazon RDS encrypted DB instances provide an additional layer of data protection by securing your data from unauthorized access to the underlying storage. You can use Amazon RDS encryption to increase the data protection of your applications deployed in the cloud and to fulfill compliance requirements for encryption at rest.


Default Value : 

By default, Amazon RDS Snapshots are encrypted.


Pre-Requisites:

1.Sign in as admin or IAM user with required permissions


Remediation:

Test Plan:

  1. Sign in to AWS Management Console.

  2. Go to Amazon RDS dashboard at https://console.aws.amazon.com/rds/

  3. Click Snapshots, in the left navigation panel

  4. Choose a snapshot you want to examine

  5. Choose the RDS snapshot that you want to examine and check the configuration value available in the Encrypted column.

  6.  If the Encrypted configuration value is set to No, the selected Amazon RDS database snapshot is not encrypted at rest.


Using AWS CLI:

This command describe RDS instance 

aws rds describe-db-instances
  --region us-east-1
  --db-instance-identifier prod-mysql-db
  --query 'DBInstances[*].StorageEncrypted'


Implementation Steps: 

Step- 1

  1. Sign in to AWS Management Console.
  2. Go to Amazon RDS dashboard at https://console.aws.amazon.com/rds/
  3. Click Snapshots, in the left navigation panel
  4. Select the unencrypted RDS snapshot that you want to encrypt 
  5. Click on Actions and select copy snapshot
  6. On the Copy Snapshot page, perform the following commands:
  7. From the Destination Region dropdown list, select the region where you want to write the copy of the selected snapshot and in the New DB Snapshot Identifier box, type a unique name
  8. (Optional) In the Target Option Group dropdown list, select an option group to associate with your target database snapshot.
  9. (Optional) Check the Copy Tags checkbox if you want your new snapshot to have the same tags as the source snapshot. 
  10. Under the Encryption section, Check Enable encryption checkbox to enable encryption at rest for the new RDS snapshot. Select (default) aws/rds from the Master Key dropdown list to use the default master key (also known as AWS Managed Key). 
  11. Click Copy Snapshot

Step -2

  1.  Now you need to delete the source (unencrypted) snapshot. To remove the required RDS snapshot from your AWS account, perform the following actions:
  2. Select the source AWS RDS snapshot that you want to delete. 
  3. Click the Actions and select Delete Snapshot
  4. In the Delete Snapshot dialog box, click on Delete

Using AWS CLI:  

  1. The following command example creates a snapshot named prod-mysql-db-snapshot from an RDS instance named prod-mysql-db: 
    aws rds create-db-snapshot
      --region us-east-1
      --db-snapshot-identifier prod-mysql-db-snapshot
      --db-instance-identifier prod-mysql-db
  2. Now run list-aliases command (OSX/Linux/UNIX) to list the KMS keys aliases (names) available in specified region:
    aws kms list-aliases
      --region us-east-1
  3. Run copy-db-snapshot command (OSX/Linux/UNIX) using the default KMS key ID for RDS instances returned earlier to create an encrypted copy of the database instance snapshot: 
    aws rds copy-db-snapshot
      --region us-east-1
      --source-db-snapshot-identifier prod-mysql-db-snapshot
      --target-db-snapshot-identifier prod-mysql-db-snapshot-encrypted
      --copy-tags
      --kms-key-id 8d8d4bg8-db2a-4268f-b52e-3dbab05ce9a5

  4. Run restore-db-instance-from-db-snapshot command (OSX/Linux/UNIX) to restore the encrypted snapshot created at the previous step to a new database instance:  
    aws rds restore-db-instance-from-db-snapshot
      --region us-east-1
      --db-instance-identifier prod-mysql-db-encrypted
      --db-snapshot-identifier prod-mysql-db-snapshot-encrypted

Backout Plan: 

Once the snapshot is encrypted you can’t change or modify the RDS snapshot.

 

Reference:

Encrypting Amazon RDS resources - Amazon Relational Database Service 

Copying a snapshot - Amazon Relational Database Service 

Sharing a DB snapshot - Amazon Relational Database Service