Profile Applicability

  • Level 1

Description:

Encryption-at-rest for Amazon RDS instances ensures that all data stored within the database, including automated backups and snapshots, is encrypted. This helps secure sensitive information from unauthorized access and meets compliance and security standards that require data encryption. Enabling encryption-at-rest for RDS instances protects the data even if the underlying storage or a backup copy is compromised.

By enabling encryption-at-rest for RDS instances, organizations can prevent unauthorized access to stored data, ensure compliance with data protection laws, and enhance the overall security of their cloud environment.

Rationale:

Enabling encryption-at-rest for RDS instances provides the following benefits:

  • Data protection: Encrypts sensitive data stored in RDS, ensuring that it cannot be accessed without proper decryption keys.

  • Compliance: Meets regulatory requirements for data protection such as HIPAA, PCI-DSS, GDPR, and SOC 2, which mandate encryption of data at rest.

  • Security best practices: Ensures that data remains encrypted even during storage, backup, and snapshot operations, minimizing the risk of data breaches.

Without encryption-at-rest, sensitive information in RDS instances could be exposed to unauthorized access if storage or backup data is compromised.

Impact:

Failure to enable encryption-at-rest for RDS instances can result in:

  • Exposure of sensitive data to unauthorized access.

  • Non-compliance with data protection regulations.

  • Increased risk of data breaches, especially if backup data is stored unencrypted.

Enabling encryption ensures that all data in RDS instances is protected, improving the overall security and compliance posture of the environment.

Default Value:

By default, encryption is not enabled for existing RDS instances, and it must be configured explicitly during the creation of the RDS instance. If encryption is not enabled at the time of creation, it cannot be enabled for existing RDS instances without creating a new encrypted instance and migrating the data.

Pre-Requisites:

  • AWS CLI installed and configured

  • IAM permissions:

    • rds:DescribeDBInstances

    • rds:ModifyDBInstance

    • rds:CreateDBInstance

  • The RDS instance must be created or available for encryption configuration

Remediation:

Test Plan:

Using AWS Console:

  1. Go to the RDS Console.

  2. Select the RDS instance to check if encryption is enabled.

  3. Under the Connectivity & Security section, ensure that Encryption is set to Enabled. If encryption is enabled, it will show the encryption key used.

Using AWS CLI:

# Single quotes keep the shell from treating the JMESPath literal `true` as command substitution
aws rds describe-db-instances --query 'DBInstances[?StorageEncrypted==`true`].{DBInstanceIdentifier:DBInstanceIdentifier, StorageEncrypted:StorageEncrypted}' --output table

Implementation Plan:

Using AWS Console:

  1. Enable encryption-at-rest for RDS instances during creation:

    • Go to the RDS Console.

    • When creating a new RDS instance, under the Settings section, ensure that Encryption is enabled and a KMS key is specified.

  2. Verify encryption status:

    • After creation, confirm that encryption is enabled in the Connectivity & Security section of the RDS instance settings.

Using AWS CLI:

  1. Enable encryption-at-rest for a new RDS instance:

aws rds create-db-instance --db-instance-identifier <db-instance-id> --allocated-storage 20 --db-instance-class db.t3.micro --engine mysql --master-username admin --master-user-password <password> --kms-key-id <kms-key-id> --storage-encrypted

  2. Verify encryption status for an existing RDS instance:

# Single quotes keep the shell from treating the JMESPath literal `true` as command substitution
aws rds describe-db-instances --query 'DBInstances[?StorageEncrypted==`true`].{DBInstanceIdentifier:DBInstanceIdentifier, StorageEncrypted:StorageEncrypted}' --output table
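The describe-db-instances query above lists only the instances that already pass. The following script, added here as an example and not part of this benchmark or of AWS tooling, reads the JSON output of `aws rds describe-db-instances --output json` and `aws rds describe-db-snapshots --output json` (saved to files or piped in) and reports the instances and snapshots that are NOT encrypted, treating a missing flag as a failure. The embedded sample documents are constructed for illustration; the account ID and key ID in them are placeholders.

```python
"""Audit RDS encryption-at-rest from saved describe-db-instances / describe-db-snapshots output."""
import json
import sys

# Constructed sample of `aws rds describe-db-instances --output json` (not real account data).
SAMPLE_INSTANCES = json.dumps({"DBInstances": [
    {"DBInstanceIdentifier": "orders-prod", "StorageEncrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000"},
    {"DBInstanceIdentifier": "legacy-reports", "StorageEncrypted": False},
    {"DBInstanceIdentifier": "scratch-dev"},  # flag absent: treated as a finding
]})

# Constructed sample of `aws rds describe-db-snapshots --output json`.
SAMPLE_SNAPSHOTS = json.dumps({"DBSnapshots": [
    {"DBSnapshotIdentifier": "orders-prod-2024-01-01",
     "DBInstanceIdentifier": "orders-prod", "Encrypted": True},
    {"DBSnapshotIdentifier": "legacy-reports-manual",
     "DBInstanceIdentifier": "legacy-reports", "Encrypted": False},
]})


def unencrypted_instances(describe_json: str) -> list:
    """Identifiers of DB instances whose StorageEncrypted flag is not exactly true."""
    data = json.loads(describe_json)
    return sorted(inst["DBInstanceIdentifier"]
                  for inst in data.get("DBInstances", [])
                  if inst.get("StorageEncrypted") is not True)


def unencrypted_snapshots(snapshot_json: str) -> list:
    """Identifiers of snapshots whose Encrypted flag is not exactly true.
    Snapshots taken from an unencrypted instance stay unencrypted, so they are audited too."""
    data = json.loads(snapshot_json)
    return sorted(snap["DBSnapshotIdentifier"]
                  for snap in data.get("DBSnapshots", [])
                  if snap.get("Encrypted") is not True)


def audit(describe_json: str, snapshot_json: str) -> dict:
    """Combined report; compliant only when neither list contains a finding."""
    inst = unencrypted_instances(describe_json)
    snaps = unencrypted_snapshots(snapshot_json)
    return {"unencrypted_instances": inst, "unencrypted_snapshots": snaps,
            "compliant": not inst and not snaps}


if __name__ == "__main__":
    # Usage: python audit_rds.py instances.json snapshots.json  (falls back to the samples)
    if len(sys.argv) == 3:
        inst_doc, snap_doc = (open(p, encoding="utf-8").read() for p in sys.argv[1:3])
    else:
        inst_doc, snap_doc = SAMPLE_INSTANCES, SAMPLE_SNAPSHOTS
    print(json.dumps(audit(inst_doc, snap_doc), indent=2))
```

Pipe real output in with `aws rds describe-db-instances --output json > instances.json` and `aws rds describe-db-snapshots --output json > snapshots.json`; a non-empty finding list is the remediation backlog for the Implementation Plan.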


Backout Plan:

Using AWS Console:

  1. If enabling encryption-at-rest causes application issues or overhead:

    • Go to the RDS Console.

    • If encryption was not enabled during instance creation, the only backout option is to create a new RDS instance with encryption enabled and migrate the data.

  2. Modify KMS key policies if there are permission or accessibility issues related to the KMS key used for encryption.

Using AWS CLI:

  1. Temporarily disable encryption:

    • Encryption-at-rest cannot be disabled for an existing RDS instance once it has been enabled. The only option is to create a new instance with encryption enabled and migrate data.

  2. Stop RDS instance modifications if data access issues occur:

aws rds stop-db-instance --db-instance-identifier <db-instance-id>

  3. Re-enable encryption by creating a new RDS instance:

aws rds create-db-instance --db-instance-identifier <db-instance-id> --allocated-storage 20 --db-instance-class db.t3.micro --engine mysql --master-username admin --master-user-password <password> --kms-key-id <kms-key-id> --storage-encrypted

References:

CIS Controls Mapping:

  CIS Control Version | Control ID | Control Description
  --------------------|------------|--------------------------------------------------------------
  CIS v8              | 4.9        | Perform Continuous Security Monitoring and Incident Detection
  CIS v7              | 6.3        | Monitor Security Configurations for Compliance
  CIS v7              | 5.2        | Securely Manage and Monitor Cloud Accounts and Services