Profile Applicability:

  • Level 1

Description:

Amazon RDS can encrypt DB instances and clusters at rest using AWS KMS. When storage encryption is enabled at creation time, the underlying storage, automated backups, manual snapshots and read replicas in the same Region are all encrypted with the chosen KMS key. This protects the confidentiality of data if the storage media, a snapshot or a backup is accessed outside the RDS service; it does not by itself provide integrity, and it does not protect against a caller who holds valid database credentials or IAM permissions. This SOP checks that RDS clusters have storage encryption enabled in order to meet security and compliance requirements.

Rationale:

  • Security: Encryption at rest protects data if the underlying storage, a snapshot or a backup is obtained outside the database's own access controls, for example through a shared or exported snapshot. Without access to the KMS key the data cannot be read.

  • Compliance: Standards such as HIPAA, PCI DSS and SOC 2 commonly require, or expect as a compensating control, that sensitive data be encrypted at rest.

  • Key Control: Because the data key is wrapped by a KMS key, the key policy and IAM policies decide which principals (and which accounts, for shared snapshots) can make the stored data readable. Disabling or revoking access to the key renders every copy of the data unreadable. Note that encryption at rest does not detect or prevent modification of the data; integrity is provided by other controls.

Impact:

Pros:

  • Enhanced Security: Data on disk, in snapshots and in backups cannot be read by anyone who obtains the storage or a copy of a snapshot without being able to use the KMS key.

  • Regulatory Compliance: Meets requirements for regulatory standards that mandate data encryption for sensitive information.

  • Improved Data Privacy: Reduces the risk of exposure from lost or leaked storage media and snapshots, so that only principals with both database access and KMS key access can read the stored data.

Cons:

  • Performance Overhead: Encryption and decryption happen transparently in the storage layer. AWS documents the impact as minimal, but I/O-bound workloads should still be benchmarked before and after the migration.

  • Inflexibility: Encryption cannot be turned off once enabled, and an existing unencrypted instance or cluster cannot be encrypted in place. Encryption is fixed at creation time, which includes restoring from a snapshot, so moving to encrypted storage requires a snapshot/restore (or a newly created cluster) followed by a cutover. Encrypted snapshots can only be shared with accounts that are allowed to use the KMS key, and snapshots encrypted with the AWS managed key (aws/rds) cannot be shared with other accounts at all; use a customer managed key if cross-account snapshot sharing is needed.

Default Value:

When a cluster is created through the API or CLI, StorageEncrypted defaults to false unless --storage-encrypted is specified (the console may pre-select encryption for some engines, so confirm the setting before creating the cluster). Encryption cannot be enabled on an existing cluster; it is set when the cluster is created, including when it is restored from a snapshot. An unencrypted Aurora cluster snapshot can be restored as an encrypted cluster by specifying a KMS key on restore, which is the supported path for encrypting existing data.

Pre-requisite:

  • AWS IAM Permissions:

    • rds:DescribeDBClusters and rds:DescribeDBInstances (to check the current state)

    • rds:CreateDBClusterSnapshot and rds:DescribeDBClusterSnapshots (to snapshot the unencrypted cluster)

    • rds:RestoreDBClusterFromSnapshot, rds:CreateDBCluster and rds:CreateDBInstance (to create the encrypted replacement)

    • rds:DeleteDBInstance and rds:DeleteDBCluster (for the backout plan)

    • Permission to use the chosen KMS key, granted through the key policy or IAM (for example kms:DescribeKey and kms:CreateGrant, which RDS needs in order to use a customer managed key). Note that rds:ModifyDBCluster cannot change the encryption setting.

  • AWS CLI installed and configured with credentials for the target account and Region.

  • A change window and a tested application cutover procedure, since encrypting an existing cluster means switching applications to a new cluster endpoint.

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon RDS under Services.

  3. In the RDS Dashboard, go to Databases.

  4. Select the RDS cluster you want to check.

  5. In the Configuration tab, under the Storage section, check the Encryption status:

    • If encryption is enabled, it shows Enabled together with the AWS KMS key in use (the AWS managed key aws/rds or a customer managed key).

    • If encryption is disabled, it shows Not enabled.

  6. If encryption is disabled, the cluster fails this check. It cannot be fixed in place; see the Implementation Steps for creating an encrypted replacement from a snapshot.

Using AWS CLI:

  1. List clusters with their encryption status and KMS key. describe-db-clusters returns Aurora and Multi-AZ DB clusters only; standalone instances are covered in step 3. RDS resources are Regional, so repeat the check in every Region in use (--region):

    aws rds describe-db-clusters --query 'DBClusters[*].{DBClusterIdentifier:DBClusterIdentifier,StorageEncrypted:StorageEncrypted,KmsKeyId:KmsKeyId}' --output table

  2. Review the output:

  • If StorageEncrypted is true, the cluster is encrypted and KmsKeyId shows the ARN of the key in use.

  • If StorageEncrypted is false, the cluster is not encrypted. To list only the failing clusters:

    aws rds describe-db-clusters --query 'DBClusters[?StorageEncrypted==`false`].DBClusterIdentifier'

  3. Check standalone DB instances the same way. Instances that belong to a cluster inherit the cluster's setting, which the DBClusterIdentifier column makes visible:

    aws rds describe-db-instances --query 'DBInstances[*].{DBInstanceIdentifier:DBInstanceIdentifier,DBClusterIdentifier:DBClusterIdentifier,StorageEncrypted:StorageEncrypted}' --output table
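The same check as a script, for accounts with more clusters and instances than are comfortable to read in a table. This is an added example, not part of the original SOP: it works on the response dicts that describe-db-clusters and describe-db-instances return (the same shape boto3 gives), reports clusters and standalone instances once each, and skips instances that are members of a cluster because they inherit the cluster's setting. The sample responses are constructed, not captured from a real account; the boto3 calls in main() are only used for a live run.

```python
"""Audit Amazon RDS clusters and standalone instances for storage encryption."""
from typing import Dict, Iterable, List, Optional, Set


def audit_clusters(pages: Iterable[Dict]) -> List[Dict]:
    """One finding per DB cluster across paginated DescribeDBClusters pages."""
    findings = []
    for page in pages:
        for c in page.get("DBClusters", []):
            findings.append({
                "resource": c["DBClusterIdentifier"],
                "type": "cluster",
                "encrypted": bool(c.get("StorageEncrypted", False)),
                # KmsKeyId is the key ARN; it is absent when the cluster is unencrypted.
                "kms_key_id": c.get("KmsKeyId"),
            })
    return findings


def audit_instances(pages: Iterable[Dict], cluster_ids: Optional[Set[str]] = None) -> List[Dict]:
    """One finding per standalone DB instance. Instances that belong to a known
    cluster inherit its setting and are already covered by audit_clusters."""
    cluster_ids = cluster_ids or set()
    findings = []
    for page in pages:
        for i in page.get("DBInstances", []):
            if i.get("DBClusterIdentifier") in cluster_ids:
                continue
            findings.append({
                "resource": i["DBInstanceIdentifier"],
                "type": "instance",
                "encrypted": bool(i.get("StorageEncrypted", False)),
                "kms_key_id": i.get("KmsKeyId"),
            })
    return findings


def audit(cluster_pages: Iterable[Dict], instance_pages: Iterable[Dict]) -> List[Dict]:
    """Combine both audits; cluster identifiers are used to de-duplicate members."""
    clusters = audit_clusters(cluster_pages)
    instances = audit_instances(instance_pages, {c["resource"] for c in clusters})
    return clusters + instances


def unencrypted(findings: List[Dict]) -> List[str]:
    """Identifiers that fail the control, sorted for stable reporting."""
    return sorted(f["resource"] for f in findings if not f["encrypted"])


# Constructed sample API output (not captured from a real account).
SAMPLE_CLUSTER_PAGES = [{"DBClusters": [
    {"DBClusterIdentifier": "orders-prod", "StorageEncrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000"},
    {"DBClusterIdentifier": "reporting-legacy", "StorageEncrypted": False},
]}]
SAMPLE_INSTANCE_PAGES = [{"DBInstances": [
    {"DBInstanceIdentifier": "orders-prod-writer", "DBClusterIdentifier": "orders-prod",
     "StorageEncrypted": True},
    {"DBInstanceIdentifier": "inventory-mysql", "StorageEncrypted": False},
    {"DBInstanceIdentifier": "hr-postgres", "StorageEncrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/11111111-1111-1111-1111-111111111111"},
]}]


def main() -> None:
    """Live run against the current account/Region using the default credential chain."""
    import boto3  # only needed for a live run
    rds = boto3.client("rds")
    cluster_pages = rds.get_paginator("describe_db_clusters").paginate()
    instance_pages = rds.get_paginator("describe_db_instances").paginate()
    for resource in unencrypted(audit(cluster_pages, instance_pages)):
        print("FAIL: storage encryption disabled on", resource)


if __name__ == "__main__":
    main()
```

On the constructed sample, unencrypted(audit(...)) returns ["inventory-mysql", "reporting-legacy"]; orders-prod-writer is not reported separately because its cluster already is. Run the script once per Region, since RDS resources are Regional.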

Implementation Steps:

Using AWS Console:

  1. Log in to the AWS Management Console and navigate to Amazon RDS.

  2. In the RDS Dashboard, select Databases and choose the RDS cluster whose storage encryption you want to remediate.

  3. Verify under the Configuration tab, in the Storage section, whether Encryption is enabled.

  4. If encryption is not enabled, either create a new cluster with encryption enabled (select Enable encryption during creation and choose a KMS key, preferably a customer managed key if snapshots must be shared across accounts), or take a snapshot of the existing cluster and restore it with a KMS key selected, which produces an encrypted copy with the existing data. Then switch applications to the new cluster endpoint and keep the original cluster until the cutover has been validated.

Using AWS CLI:

  1. Confirm the current state of the cluster:

    aws rds describe-db-clusters --query 'DBClusters[*].{DBClusterIdentifier:DBClusterIdentifier,StorageEncrypted:StorageEncrypted}'

  2. If StorageEncrypted is false, create an encrypted replacement. For a cluster that already holds data, take a snapshot (create-db-cluster-snapshot), restore it with --kms-key-id (restore-db-cluster-from-snapshot), and add DB instances to the restored cluster (create-db-instance). For a new, empty cluster, create it with encryption enabled; use --manage-master-user-password so the master password is generated and stored in Secrets Manager instead of being passed on the command line, where it would land in shell history:

    aws rds create-db-cluster --db-cluster-identifier <cluster-id> --engine <engine> --master-username <username> --manage-master-user-password --storage-encrypted --kms-key-id <kms-key-id> --vpc-security-group-ids <security-group-ids>

  3. Verify the encryption status and key of the new cluster:

    aws rds describe-db-clusters --db-cluster-identifier <cluster-id> --query 'DBClusters[*].{DBClusterIdentifier:DBClusterIdentifier,StorageEncrypted:StorageEncrypted,KmsKeyId:KmsKeyId}'
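The snapshot-and-restore path from step 2, carried through as a script. This is an added example and not the SOP's own code: it assumes an Aurora cluster (for which supplying KmsKeyId on restore-db-cluster-from-snapshot is what makes the restored cluster encrypted), takes a boto3 RDS client as `rds`, polls the snapshot and cluster status instead of relying on waiters, leaves the source cluster untouched so the backout is a simple cutover, and refuses to exit successfully unless the new cluster reports StorageEncrypted with the requested key. FakeRDS is a constructed stand-in for the boto3 client so the flow runs without AWS access; the identifiers and key ARN in demo() are made up.

```python
"""Encrypt an unencrypted Aurora cluster: snapshot, restore with a KMS key, verify."""
import time
from typing import Callable, Dict


def wait_for(check: Callable[[], str], wanted: str, sleep=time.sleep, timeout_s: int = 3600) -> None:
    """Poll a status callable every 30 s until it returns `wanted` or the timeout expires."""
    deadline = time.monotonic() + timeout_s
    while (status := check()) != wanted:
        if time.monotonic() > deadline:
            raise TimeoutError(f"status still {status!r}, wanted {wanted!r}")
        sleep(30)


def encrypt_cluster_via_snapshot(rds, cluster_id: str, new_cluster_id: str, kms_key_id: str,
                                 instance_class: str, sleep=time.sleep) -> Dict:
    """Snapshot `cluster_id`, restore it as `new_cluster_id` encrypted with `kms_key_id`
    (pass the key ARN; RDS reports the ARN back), add a writer instance and verify.
    In a real run also pass DBSubnetGroupName / VpcSecurityGroupIds matching the source."""
    src = rds.describe_db_clusters(DBClusterIdentifier=cluster_id)["DBClusters"][0]
    if src.get("StorageEncrypted"):
        raise ValueError(f"{cluster_id} is already encrypted; nothing to do")

    snap_id = f"{cluster_id}-pre-encrypt"
    rds.create_db_cluster_snapshot(DBClusterIdentifier=cluster_id,
                                   DBClusterSnapshotIdentifier=snap_id)
    wait_for(lambda: rds.describe_db_cluster_snapshots(
        DBClusterSnapshotIdentifier=snap_id)["DBClusterSnapshots"][0]["Status"],
        "available", sleep)

    # KmsKeyId on restore is what turns the unencrypted snapshot into an encrypted cluster.
    rds.restore_db_cluster_from_snapshot(DBClusterIdentifier=new_cluster_id,
                                         SnapshotIdentifier=snap_id,
                                         Engine=src["Engine"], KmsKeyId=kms_key_id)
    wait_for(lambda: rds.describe_db_clusters(
        DBClusterIdentifier=new_cluster_id)["DBClusters"][0]["Status"], "available", sleep)

    # A restored Aurora cluster has no instances; add a writer so it can serve traffic.
    rds.create_db_instance(DBInstanceIdentifier=f"{new_cluster_id}-writer",
                           DBClusterIdentifier=new_cluster_id,
                           DBInstanceClass=instance_class, Engine=src["Engine"])

    new = rds.describe_db_clusters(DBClusterIdentifier=new_cluster_id)["DBClusters"][0]
    if not new.get("StorageEncrypted") or new.get("KmsKeyId") != kms_key_id:
        raise RuntimeError(f"{new_cluster_id} was not restored encrypted with {kms_key_id}")
    return new


class FakeRDS:
    """Constructed stand-in for boto3.client('rds'): records calls, everything is 'available'."""
    def __init__(self):
        self.calls = []
        self.clusters = {"reporting-legacy": {"DBClusterIdentifier": "reporting-legacy",
                                              "Engine": "aurora-postgresql",
                                              "StorageEncrypted": False, "Status": "available"}}
    def describe_db_clusters(self, DBClusterIdentifier):
        return {"DBClusters": [self.clusters[DBClusterIdentifier]]}
    def create_db_cluster_snapshot(self, **kw):
        self.calls.append(("create_db_cluster_snapshot", kw))
    def describe_db_cluster_snapshots(self, **kw):
        return {"DBClusterSnapshots": [{"Status": "available"}]}
    def restore_db_cluster_from_snapshot(self, **kw):
        self.calls.append(("restore_db_cluster_from_snapshot", kw))
        self.clusters[kw["DBClusterIdentifier"]] = {
            "DBClusterIdentifier": kw["DBClusterIdentifier"], "Engine": kw["Engine"],
            "StorageEncrypted": "KmsKeyId" in kw, "KmsKeyId": kw.get("KmsKeyId"),
            "Status": "available"}
    def create_db_instance(self, **kw):
        self.calls.append(("create_db_instance", kw))


def demo() -> Dict:
    """Run the flow against FakeRDS with made-up identifiers (no AWS calls)."""
    rds = FakeRDS()
    key = "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000"
    new = encrypt_cluster_via_snapshot(rds, "reporting-legacy", "reporting-encrypted",
                                       key, "db.r6g.large", sleep=lambda s: None)
    return {"cluster": new, "calls": [name for name, _ in rds.calls]}


if __name__ == "__main__":
    print(demo())
```

Against a real account, replace FakeRDS with boto3.client("rds") and keep the default sleep; the source cluster stays in place until applications have been repointed and validated, which is the backout path described below.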

Backout Plan:

Using AWS Console:

  1. If the migration fails or applications misbehave after the cutover, sign in to the AWS Management Console.

  2. Repoint applications at the original unencrypted cluster's endpoint, which was kept running during the migration. Confirm the application is healthy before touching the new cluster.

  3. Navigate to Amazon RDS, select the newly created encrypted cluster, delete its DB instances, then delete the cluster. Take a final snapshot unless the new cluster never received production writes, so that no data written during the cutover is lost.

Using AWS CLI:

  1. Delete the new encrypted cluster's instances first (Aurora will not delete a cluster that still has members), then the cluster. Take a final snapshot unless the cluster never received production writes; --skip-final-snapshot is only appropriate for an empty test cluster:

    aws rds delete-db-instance --db-instance-identifier <NEW_INSTANCE_ID>
    aws rds delete-db-cluster --db-cluster-identifier <NEW_CLUSTER_ID> --final-db-snapshot-identifier <NEW_CLUSTER_ID>-backout

  2. Repoint applications at the original unencrypted cluster, which was left in place during the migration. If it has already been deleted, restore it from its final snapshot with restore-db-cluster-from-snapshot and recreate its instances.

References:

  • Encrypting Amazon RDS resources: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html

  • Encrypting Amazon Aurora resources: https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/Overview.Encryption.html

CIS Controls Mapping:

  Version  Control ID  Control Description                              IG1  IG2  IG3
  v8       3.3         Configure Data Access Control Lists               x    x    x
  v8       3.11        Encrypt Sensitive Data at Rest                    x    x    x
  v8       6.8         Define and Maintain Role-Based Access Control          x    x