Profile Applicability:

  • Level 1

Description:
 Ensure that encryption at rest is enabled to protect sensitive data stored in AWS-managed database services. AWS offers encryption using AWS managed keys or customer-managed keys (CMKs) through the AWS Key Management Service (KMS).

Rationale:
 Encryption at rest protects data stored on disk from unauthorized access. Even if physical security is compromised, encrypted data cannot be read without access to the decryption keys.

Impact:
 If an unauthorized user gains access to the storage medium, the data remains unreadable without the corresponding decryption keys, reducing the risk of data breaches.

Default Value:
 Encryption at rest is not enabled by default for all database services. The setting must be explicitly enabled during database creation or by restoring from an encrypted snapshot.

Pre-requisites:
  • Access to the AWS Management Console or AWS CLI
  • Permissions to create and manage KMS keys
  • Permissions to create or modify database instances or clusters

Remediation:

Test Plan

Using AWS Console:

  1. Sign in to the AWS Management Console

  2. Navigate to the respective service console (e.g., Amazon RDS, Neptune, DocumentDB, QLDB)

  3. Select the instance or cluster

  4. In the configuration or encryption section, verify if encryption at rest is enabled

Using AWS CLI:

  1. Run the appropriate describe command for your service (example for RDS):

    aws rds describe-db-instances


  2. Confirm that StorageEncrypted is true and that a KmsKeyId is present for every instance or cluster
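Added example (not part of the benchmark text): a small Python audit that applies step 2 to the JSON returned by the describe command above. It handles both the DBInstances shape of describe-db-instances and the DBClusters shape of describe-db-clusters (used by Aurora, Neptune and DocumentDB), and treats a missing StorageEncrypted field as a failure; the embedded sample output is constructed, with made-up identifiers and key ARN.

```python
"""Audit describe-db-instances / describe-db-clusters output for encryption at rest."""
import json
import sys

# Constructed sample (shape follows the RDS API; identifiers and ARN are made up).
SAMPLE_DESCRIBE_OUTPUT = {
    "DBInstances": [
        {"DBInstanceIdentifier": "orders-prod", "Engine": "mysql",
         "StorageEncrypted": True,
         "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
        {"DBInstanceIdentifier": "reports-legacy", "Engine": "postgres",
         "StorageEncrypted": False},
        {"DBInstanceIdentifier": "staging-docs", "Engine": "docdb"},  # field absent
    ]
}


def audit_storage_encryption(describe_output: dict) -> list[dict]:
    """Return one finding per instance or cluster.

    PASS: StorageEncrypted is true and a KmsKeyId is returned.
    WARN: StorageEncrypted is true but no key reference came back (verify by hand).
    FAIL: StorageEncrypted is false or missing; the control needs explicit evidence.
    """
    findings = []
    for kind, id_field in (("DBInstances", "DBInstanceIdentifier"),
                           ("DBClusters", "DBClusterIdentifier")):
        for db in describe_output.get(kind, []):
            encrypted = db.get("StorageEncrypted") is True
            key_id = db.get("KmsKeyId")
            status = "PASS" if encrypted and key_id else "WARN" if encrypted else "FAIL"
            findings.append({"id": db.get(id_field), "engine": db.get("Engine"),
                             "status": status, "kms_key_id": key_id})
    return findings


def failing_ids(findings: list[dict]) -> list[str]:
    """Identifiers that still need the snapshot / encrypted-copy / restore remediation."""
    return [f["id"] for f in findings if f["status"] != "PASS"]


if __name__ == "__main__":
    # Real data: aws rds describe-db-instances --output json | python3 audit.py -
    data = json.loads(sys.stdin.read()) if sys.argv[1:] == ["-"] else SAMPLE_DESCRIBE_OUTPUT
    for f in audit_storage_encryption(data):
        print(f"{f['status']:4} {f['id']} ({f['engine']}) key={f['kms_key_id']}")
```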

Implementation Plan

Using AWS Console:

  1. Navigate to the AWS Management Console

  2. Open the service (e.g., RDS, Neptune, DocumentDB, etc.)

  3. Select or create a database instance

  4. In the encryption settings, enable encryption at rest

  5. Choose either an AWS-managed KMS key or a customer-managed KMS key

  6. Save or launch the instance

Using AWS CLI:

  1. Create a new DB instance with encryption:

    aws rds create-db-instance --db-instance-identifier mydb --allocated-storage 20 --db-instance-class db.t3.micro --engine mysql --master-username <admin-user> --master-user-password <strong-password> --storage-encrypted --kms-key-id <your-kms-key-id>


  2. If modifying an existing instance:

    • Create a snapshot

    • Copy the snapshot with encryption enabled:

      aws rds copy-db-snapshot --source-db-snapshot-identifier mydb-snapshot --target-db-snapshot-identifier mydb-snapshot-encrypted --kms-key-id <your-kms-key-id>


    • Restore a new DB instance from the encrypted snapshot

Backout Plan

Using AWS Console:

  1. If a new encrypted instance was created, delete it and re-create the original unencrypted instance from the unencrypted snapshot

  2. Remove associated KMS keys if no longer required

Using AWS CLI:

  1. Delete the encrypted instance:

    aws rds delete-db-instance --db-instance-identifier encrypted-db --final-db-snapshot-identifier encrypted-db-final


  2. Restore from the original unencrypted snapshot:

    aws rds restore-db-instance-from-db-snapshot --db-instance-identifier original-db --db-snapshot-identifier unencrypted-snapshot


References:
  • AWS Cloud Databases
  • CIS AWS Database Services Benchmark v1.0.0