Profile Applicability:
Level 1
Description:
Amazon RDS Encryption helps protect sensitive data by encrypting databases, backups, and snapshots using the AES-256 encryption algorithm. Encryption is handled transparently without affecting database performance. Amazon RDS encryption applies to:
Database storage
Automated backups
Read replicas
Snapshots
Rationale:
Protects confidential data from unauthorized access or data breaches.
Encryption at rest prevents attackers from reading stored data even if they gain access to the storage layer.
Helps meet compliance requirements such as GDPR, HIPAA, SOC 2, and PCI-DSS.
Ensures full data protection across RDS backups, snapshots, and replicas.
Impact:
Cannot enable encryption for an existing RDS instance → Must create an encrypted snapshot and restore a new instance.
Slight performance impact (minimal, managed by AWS).
Cross-region replication restrictions (encrypted snapshots require the same KMS key).
Default Value:
By default:
RDS does NOT enable encryption.
You must enable encryption when creating the database.
Existing RDS instances cannot be encrypted directly → Need a snapshot-based migration.
Pre-Requisites:
IAM permissions to modify RDS instance settings
rds:DescribeDBInstances, rds:ModifyDBInstance, rds:CreateDBSnapshot, rds:RestoreDBInstanceFromDBSnapshot, kms:ListAliases
AWS CLI installed (for automation)
List of all RDS instances in the AWS account
Remediation:
Test Plan:
Using AWS Console
Check Encryption Status for an RDS Instance
Log in to the AWS Console → Open the Amazon RDS Console
Click Databases
Select an RDS instance
Click the Configuration tab
Under Storage, check the Encryption status:
Enabled → Compliant
Disabled → Not compliant
- Repeat for all RDS instances.
Using AWS CLI
Step 1: List All RDS Instances
aws rds describe-db-instances --query 'DBInstances[*].DBInstanceIdentifier'
This will list all RDS instances in your AWS account.
Step 2: Check Encryption Status for Each Instance
aws rds describe-db-instances --db-instance-identifier <db-name> --query 'DBInstances[*].StorageEncrypted'
Expected Output (If encryption is enabled):
[
true
]
Step 3: Check Encryption for All RDS Instances in a Region
aws rds describe-db-instances --query 'DBInstances[*].[DBInstanceIdentifier,StorageEncrypted]'
This command will list all RDS instances along with their encryption status.
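As an added example, not part of the benchmark text itself, the following POSIX shell script automates Steps 1 to 3: it pulls the identifier and StorageEncrypted value of every instance in the region (same query as above, in text output mode) and marks each one COMPLIANT or NOT_COMPLIANT, returning a non-zero status if any unencrypted instance exists. The function names are assumptions, and the script only needs a configured AWS CLI when run with --live.

```sh
#!/bin/sh
# Added example: audit RDS storage encryption across a region.
# Assumes the AWS CLI is installed and configured for the target account.

# Step 1+3 combined: one "<identifier><TAB><True|False>" line per instance.
# --output text prints the StorageEncrypted boolean as True or False.
list_rds_encryption() {
    aws rds describe-db-instances \
        --query 'DBInstances[*].[DBInstanceIdentifier,StorageEncrypted]' \
        --output text
}

# Step 2 for every instance: read those lines on stdin, print
# "<identifier><TAB>COMPLIANT|NOT_COMPLIANT", and return 1 if any
# instance is not encrypted. Anything other than True (False, None,
# a blank field) is treated as not compliant, so the check fails closed.
audit_rds_encryption() {
    noncompliant=0
    while IFS="$(printf '\t')" read -r id encrypted; do
        [ -n "$id" ] || continue
        case "$encrypted" in
            True|true) printf '%s\tCOMPLIANT\n' "$id" ;;
            *)         printf '%s\tNOT_COMPLIANT\n' "$id"; noncompliant=1 ;;
        esac
    done
    return "$noncompliant"
}

# Live run against the account: ./audit.sh --live
if [ "${1:-}" = "--live" ]; then
    list_rds_encryption | audit_rds_encryption
fi
```

Run it with --live in each region you operate in; the exit status makes it usable as a gate in a scheduled compliance job.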
Implementation Steps:
Using AWS Console
Step 1: Create a Snapshot of the Unencrypted Database
Log in to the AWS Console → Open RDS Console
Click Databases → Select the unencrypted RDS instance
Click Actions → Select Take Snapshot
Enter a Snapshot Name → Click Take Snapshot
Step 2: Copy the Snapshot with Encryption Enabled
Open the RDS Console → Click Snapshots
Select the snapshot you just created
Click Actions → Select Copy Snapshot
In the New Snapshot Identifier, enter a name
Enable Encryption → Select AWS Default KMS Key (or a custom key)
Click Copy Snapshot
Step 3: Restore the Encrypted Snapshot to a New Database
Go to Snapshots → Select the encrypted snapshot
Click Actions → Select Restore Snapshot
Enter a new database identifier
Click Restore DB Instance
- Now, your new RDS instance is encrypted!
- Update application configurations to point to the new encrypted RDS instance.
Using AWS CLI
Step 1: Take a Snapshot of the Unencrypted Database
aws rds create-db-snapshot --db-instance-identifier <db-name> --db-snapshot-identifier <snapshot-name>
Creates a snapshot of the existing unencrypted RDS instance.
Step 2: Copy the Snapshot with Encryption
aws rds copy-db-snapshot --source-db-snapshot-identifier <snapshot-name> --target-db-snapshot-identifier <encrypted-snapshot-name> --kms-key-id <kms-id> --copy-tags
Copies the snapshot with encryption enabled using a KMS key.
Step 3: Restore the Encrypted Snapshot to a New Database
aws rds restore-db-instance-from-db-snapshot --db-instance-identifier <new-db-name> --db-snapshot-identifier <encrypted-snapshot-name>
Restores the encrypted snapshot to a new database instance.
Step 4: Verify That Encryption is Enabled
aws rds describe-db-instances --db-instance-identifier <new-db-name> --query 'DBInstances[*].StorageEncrypted'
Expected Output: [ true ]
Backout Plan:
If issues arise:
Revert to the original unencrypted RDS instance.
Ensure backups exist before making changes.
Rollback application changes to point back to the old database.