Profile Applicability:

Level 1

Description:

Amazon RDS Encryption helps protect sensitive data by encrypting databases, backups, and snapshots using the AES-256 encryption algorithm. Encryption is handled transparently without affecting database performance. Amazon RDS encryption applies to:

  • Database storage

  • Automated backups

  • Read replicas

  • Snapshots

Rationale:

  • Protects confidential data from unauthorized access or data breaches.

  • Encryption at rest prevents attackers from reading stored data even if they gain access to the storage layer.

  • Helps meet compliance requirements such as GDPR, HIPAA, SOC 2, and PCI-DSS.

  • Ensures full data protection across RDS backups, snapshots, and replicas.

Impact:

  • Encryption cannot be enabled on an existing RDS instance → An encrypted snapshot copy must be created and restored as a new instance.

  • Slight performance impact (minimal, managed by AWS).

  • Cross-region replication restrictions (encrypted snapshots require the same KMS key).

Default Value:

By default:

  • RDS does NOT enable encryption.

  • You must enable encryption when creating the database.

  • Existing RDS instances cannot be encrypted directly → Need a snapshot-based migration.

Pre-Requisites:

  1. IAM permissions to modify RDS instance settings

    • rds:DescribeDBInstances, rds:ModifyDBInstance, rds:CreateDBSnapshot, rds:RestoreDBInstanceFromDBSnapshot, kms:ListAliases

  2. AWS CLI installed (for automation)

  3. List of all RDS instances in the AWS account

Remediation:

Test Plan:

Using AWS Console

Check Encryption Status for an RDS Instance

  1. Log in to the AWS Console → Open the Amazon RDS Console

  2. Click Databases

  3. Select an RDS instance

  4. Click the Configuration tab

  5. Under Storage, check the Encryption Enabled status:

    • Enabled → Compliant

    • Disabled → Not compliant

  6. Repeat for all RDS instances.

Using AWS CLI

Step 1: List All RDS Instances

aws rds describe-db-instances --query 'DBInstances[*].DBInstanceIdentifier'

This will list all RDS instances in your AWS account.

Step 2: Check Encryption Status for Each Instance

aws rds describe-db-instances --db-instance-identifier <db-name> --query 'DBInstances[*].StorageEncrypted'

Expected Output (if encryption is enabled):

[
    true
]

Step 3: Check Encryption for All RDS Instances in a Region

aws rds describe-db-instances --query 'DBInstances[*].[DBInstanceIdentifier,StorageEncrypted]'

This command will list all RDS instances along with their encryption status.
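The CLI steps above produce one line per instance that still has to be read by eye. The following script is an added example (not part of the benchmark) that applies the same StorageEncrypted check programmatically: it can evaluate saved `aws rds describe-db-instances` JSON offline, or walk every page of the API through a boto3 client (boto3 is assumed to be installed and configured for a live run; the instance names and key ARN in the sample are constructed). A missing StorageEncrypted field is reported as a finding rather than passed silently.

```python
"""Audit Amazon RDS instances for encryption at rest.

Added example, not part of the benchmark text. Works on the JSON that
`aws rds describe-db-instances` returns, or on a live boto3 RDS client.
"""
import json
import sys


def find_unencrypted(describe_output):
    """Return identifiers of instances whose StorageEncrypted flag is not true.

    `describe_output` is the parsed JSON of `aws rds describe-db-instances`
    (a dict with a "DBInstances" list). An absent flag counts as a finding,
    so an unexpected response shape cannot look compliant by accident.
    """
    return [
        inst["DBInstanceIdentifier"]
        for inst in describe_output.get("DBInstances", [])
        if inst.get("StorageEncrypted") is not True
    ]


def audit_rds_encryption(client):
    """Page through DescribeDBInstances and map each identifier to its status.

    `client` is a boto3 RDS client or any object with the same
    describe_db_instances method; the real API returns a "Marker" while
    more pages remain, so the loop follows it until none is returned.
    """
    report = {}
    kwargs = {}
    while True:
        page = client.describe_db_instances(**kwargs)
        for inst in page.get("DBInstances", []):
            report[inst["DBInstanceIdentifier"]] = inst.get("StorageEncrypted") is True
        marker = page.get("Marker")
        if not marker:
            return report
        kwargs = {"Marker": marker}


# Constructed sample shaped like the CLI output (not real account data).
SAMPLE_OUTPUT = {
    "DBInstances": [
        {
            "DBInstanceIdentifier": "orders-prod",
            "StorageEncrypted": True,
            "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
        },
        {"DBInstanceIdentifier": "legacy-reports", "StorageEncrypted": False},
    ]
}

if __name__ == "__main__":
    # Usage: aws rds describe-db-instances | python audit_rds_encryption.py
    # Without piped input the constructed sample above is evaluated instead.
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_OUTPUT
    findings = find_unencrypted(data)
    for ident in findings:
        print(f"NOT COMPLIANT: {ident} (StorageEncrypted is not true)")
    if not findings:
        print("All instances report StorageEncrypted = true")
```

Run it once per region (the API is regional), and treat any identifier it prints as a candidate for the snapshot-based migration in the Implementation Steps.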

Implementation Steps:

Using AWS Console

Step 1: Create a Snapshot of the Unencrypted Database

  1. Log in to the AWS Console → Open the RDS Console

  2. Click Databases → Select the unencrypted RDS instance

  3. Click Actions → Select Take Snapshot

  4. Enter a Snapshot Name → Click Take Snapshot

Step 2: Copy the Snapshot with Encryption Enabled

  1. Open the RDS Console → Click Snapshots

  2. Select the snapshot you just created

  3. Click Actions → Select Copy Snapshot

  4. In the New Snapshot Identifier field, enter a name

  5. Enable Encryption → Select the AWS Default KMS Key (or a custom key)

  6. Click Copy Snapshot

Step 3: Restore the Encrypted Snapshot to a New Database

  1. Go to Snapshots → Select the encrypted snapshot

  2. Click Actions → Select Restore Snapshot

  3. Enter a new database identifier

  4. Click Restore DB Instance

  • Your new RDS instance is now encrypted.

  • Update application configurations to point to the new encrypted RDS instance.

Using AWS CLI

Step 1: Take a Snapshot of the Unencrypted Database

aws rds create-db-snapshot --db-instance-identifier <db-name> --db-snapshot-identifier <snapshot-name>

Creates a snapshot of the existing unencrypted RDS instance.

Step 2: Copy the Snapshot with Encryption

aws rds copy-db-snapshot --source-db-snapshot-identifier <snapshot-name> --target-db-snapshot-identifier <encrypted-snapshot-name> --kms-key-id <kms-id> --copy-tags

Copies the snapshot with encryption enabled using a KMS key.

Step 3: Restore the Encrypted Snapshot to a New Database

aws rds restore-db-instance-from-db-snapshot --db-instance-identifier <new-db-name> --db-snapshot-identifier <encrypted-snapshot-name>

Restores the encrypted snapshot to a new database instance.

Step 4: Verify That Encryption is Enabled

aws rds describe-db-instances --db-instance-identifier <new-db-name> --query 'DBInstances[*].StorageEncrypted'

Expected Output: [ true ]
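The four CLI steps above are a sequence with waits between them (each snapshot must reach "available" before it can be copied or restored), and Step 4 is the gate that decides whether the cutover may proceed. The script below is an added example, not part of the benchmark or of AWS tooling, that drives the same sequence through boto3 (assumed installed and configured with the Pre-Requisites permissions). The client is passed in, so the orchestration can be exercised offline against a stand-in object; the instance and snapshot names are placeholders, and `alias/aws/rds` is the AWS-managed key alias used when no customer key is supplied.

```python
"""Snapshot -> encrypted copy -> restore -> verify for an unencrypted RDS instance.

Added example, not part of the benchmark. The source instance is left running;
repointing applications and retiring it are separate steps (see Backout Plan).
"""


def encrypt_via_snapshot(client, source_db, kms_key_id, new_db, snapshot_prefix=None):
    """Run the remediation steps and return the verification result.

    `client` is a boto3 RDS client, or any object exposing the same methods
    (create_db_snapshot, copy_db_snapshot, restore_db_instance_from_db_snapshot,
    describe_db_instances, get_waiter). Raises RuntimeError if the restored
    instance does not report StorageEncrypted=True.
    """
    prefix = snapshot_prefix or f"{source_db}-pre-encrypt"
    plain_snap = f"{prefix}-plain"
    enc_snap = f"{prefix}-encrypted"

    # Step 1: snapshot the unencrypted instance and wait until it is available.
    client.create_db_snapshot(
        DBInstanceIdentifier=source_db, DBSnapshotIdentifier=plain_snap
    )
    client.get_waiter("db_snapshot_available").wait(DBSnapshotIdentifier=plain_snap)

    # Step 2: copy it with a KMS key; the copy is where encryption is applied.
    client.copy_db_snapshot(
        SourceDBSnapshotIdentifier=plain_snap,
        TargetDBSnapshotIdentifier=enc_snap,
        KmsKeyId=kms_key_id,
        CopyTags=True,
    )
    client.get_waiter("db_snapshot_available").wait(DBSnapshotIdentifier=enc_snap)

    # Step 3: restore the encrypted snapshot as a new instance and wait for it.
    client.restore_db_instance_from_db_snapshot(
        DBInstanceIdentifier=new_db, DBSnapshotIdentifier=enc_snap
    )
    client.get_waiter("db_instance_available").wait(DBInstanceIdentifier=new_db)

    # Step 4: verify. Only an explicit True counts; anything else is a failure.
    desc = client.describe_db_instances(DBInstanceIdentifier=new_db)
    inst = desc["DBInstances"][0]
    if inst.get("StorageEncrypted") is not True:
        raise RuntimeError(f"{new_db} was restored but StorageEncrypted is not true")
    return {
        "instance": new_db,
        "encrypted": True,
        "kms_key_id": inst.get("KmsKeyId"),
        "snapshots": [plain_snap, enc_snap],
    }


if __name__ == "__main__":
    import boto3  # assumed installed; only needed for a live run

    rds = boto3.client("rds")
    result = encrypt_via_snapshot(
        rds,
        source_db="legacy-reports",            # placeholder instance name
        kms_key_id="alias/aws/rds",            # AWS-managed key; or a customer key ARN
        new_db="legacy-reports-encrypted",     # placeholder instance name
    )
    print(result)
```

The unencrypted intermediate snapshot is left in place so the Backout Plan has something to restore from; delete it only after the cutover has been confirmed, since it contains the same data in the clear.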

Backout Plan:

If issues arise:

  1. Revert to the original unencrypted RDS instance.

  2. Ensure backups exist before making changes.

  3. Rollback application changes to point back to the old database.

References: