Profile Applicability:
- Level 1
Description:
Encryption at rest ensures that data stored in AWS-managed database services is protected using cryptographic keys. It prevents unauthorized access to data on underlying storage, even if physical disks are compromised.
Rationale:
Data at rest encryption provides strong protection for stored data and helps meet regulatory, compliance, and internal security requirements. It ensures that sensitive information is safeguarded from unauthorized access.
Impact:
Pros:
Secures data on disk using encryption keys
Helps meet compliance requirements (e.g., SOC 2, HIPAA, ISO 27001)
Compatible with AWS-managed and customer-managed KMS keys
Cons:
Cannot enable encryption on an existing unencrypted database; must recreate or restore from an encrypted snapshot
Adds key management overhead if using customer-managed keys
Default Value:
Encryption is not enabled by default for some database services. Others, like DynamoDB, may enable it automatically.
Pre-requisites:
AWS KMS key (AWS-managed or customer-managed)
IAM permissions to create or manage encrypted resources
Existing unencrypted resources must be recreated to apply encryption
Remediation:
Test Plan
Using AWS Console:
Sign in to the AWS Console
Navigate to the target database service (e.g., RDS, DocumentDB, DynamoDB)
Select the database instance or cluster
Under the Configuration section, verify whether encryption is enabled
Ensure a valid KMS key is in use
Using AWS CLI:
Describe the database instance and check encryption:
aws rds describe-db-instances --db-instance-identifier <your-db-instance-id> --query "DBInstances[*].StorageEncrypted"
(Optional) Verify the KMS key used:
aws rds describe-db-instances --db-instance-identifier <your-db-instance-id> --query "DBInstances[*].KmsKeyId"
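The two CLI queries above check one instance at a time. The following added example (not part of the benchmark text) runs the same test across every instance in an account: it parses the JSON that `aws rds describe-db-instances --output json` returns, flags any instance whose StorageEncrypted is false, and optionally flags encrypted instances whose KmsKeyId is not on an approved list, which covers the "ensure a valid KMS key is in use" step. The sample response, the instance names and the key ARNs are constructed for the example.

```python
"""Audit RDS instances for encryption at rest.

Added example (not from the benchmark). Works on the response shape that
`aws rds describe-db-instances` returns; the same dict comes back from
boto3's describe_db_instances(), so either source can feed it.
"""
import json
import sys
from typing import Dict, Iterable, List

# Constructed sample in the shape of `aws rds describe-db-instances --output json`.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "DBInstances": [
        {"DBInstanceIdentifier": "orders-prod", "Engine": "postgres",
         "StorageEncrypted": True,
         "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/11111111-2222-3333-4444-555555555555"},
        {"DBInstanceIdentifier": "legacy-reporting", "Engine": "mysql",
         "StorageEncrypted": False},
        {"DBInstanceIdentifier": "analytics-stage", "Engine": "postgres",
         "StorageEncrypted": True,
         "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"},
    ]
})


def audit_encryption(describe_output: Dict, approved_keys: Iterable[str] = ()) -> List[Dict]:
    """Return one finding per instance that fails the check.

    A finding is raised when StorageEncrypted is false, or when approved_keys
    is non-empty and the instance's KmsKeyId is not one of them. Unencrypted
    instances carry no KmsKeyId, so the key check only applies to encrypted ones.
    """
    approved = set(approved_keys)
    findings = []
    for db in describe_output.get("DBInstances", []):
        ident = db.get("DBInstanceIdentifier", "<unknown>")
        if not db.get("StorageEncrypted", False):
            findings.append({"instance": ident, "reason": "storage not encrypted"})
        elif approved and db.get("KmsKeyId") not in approved:
            findings.append({"instance": ident, "reason": "unapproved KMS key",
                             "key": db.get("KmsKeyId")})
    return findings


def audit_from_cli_json(raw_json: str, approved_keys: Iterable[str] = ()) -> List[Dict]:
    """Convenience wrapper for JSON captured from the AWS CLI."""
    return audit_encryption(json.loads(raw_json), approved_keys)


if __name__ == "__main__":
    # Usage: aws rds describe-db-instances --output json | python audit_rds_encryption.py -
    # Without the "-" argument the constructed sample above is audited instead.
    raw = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE_DESCRIBE_OUTPUT
    approved = sys.argv[2:]  # optional list of approved KMS key ARNs
    for finding in audit_from_cli_json(raw, approved):
        print(f"FAIL {finding['instance']}: {finding['reason']}")
```

Run against the sample, the script reports legacy-reporting as unencrypted; passing an approved-key list additionally reports analytics-stage because its key is not on the list. A clean run prints nothing, which makes the script easy to drop into a scheduled compliance job.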
Implementation Plan
Using AWS Console:
Navigate to the AWS Console
Go to Amazon RDS > Snapshots, and create a snapshot of the unencrypted DB
In Snapshots, choose the snapshot and select Copy snapshot
Enable Encryption and choose a KMS key
Create a new DB instance from the encrypted snapshot
Update applications to use the new encrypted instance
Using AWS CLI:
Create a snapshot of the unencrypted DB:
aws rds create-db-snapshot --db-instance-identifier <db-instance-id> --db-snapshot-identifier unencrypted-snap
Copy snapshot with encryption:
aws rds copy-db-snapshot --source-db-snapshot-identifier unencrypted-snap --target-db-snapshot-identifier encrypted-snap --kms-key-id <your-kms-key-id> --source-region <region>
Restore encrypted snapshot to a new DB instance:
aws rds restore-db-instance-from-db-snapshot --db-instance-identifier encrypted-db --db-snapshot-identifier encrypted-snap
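The three CLI commands above are asynchronous: the snapshot and the copy each take minutes, and issuing the next command before the previous one is "available" fails. The added example below (not part of the benchmark) chains the same three steps through boto3, waits on each resource before proceeding, and finishes by confirming that the restored instance actually reports StorageEncrypted with the requested key. The boto3 client is passed in as a parameter so the flow can be exercised offline with a small recording stub; the instance and snapshot names, the stub and the key ARN placeholder are constructed for the example. The copy is a same-region copy, so the page's --source-region argument is not needed here.

```python
"""Re-create an unencrypted RDS instance as an encrypted one.

Added example (not from the benchmark). Implements the snapshot -> encrypted
copy -> restore sequence with boto3 calls and waiters. The client is injected
so the sequence can be checked offline with the _RecordingRDS stub below.
"""
from typing import Dict, List


def encrypt_rds_instance(rds, source_db: str, kms_key_id: str, new_db: str) -> Dict:
    """Snapshot source_db, copy the snapshot encrypted with kms_key_id, restore it as new_db.

    `rds` is a boto3 RDS client (boto3.client("rds")). Each step blocks on the
    matching waiter so no call races a snapshot that is still being created.
    Returns the restored instance's description after verifying its encryption.
    """
    snap = f"{source_db}-unencrypted-snap"
    enc_snap = f"{source_db}-encrypted-snap"

    rds.create_db_snapshot(DBInstanceIdentifier=source_db, DBSnapshotIdentifier=snap)
    rds.get_waiter("db_snapshot_available").wait(DBSnapshotIdentifier=snap)

    # Same-region copy: supplying KmsKeyId is what makes the copy encrypted.
    rds.copy_db_snapshot(SourceDBSnapshotIdentifier=snap,
                         TargetDBSnapshotIdentifier=enc_snap,
                         KmsKeyId=kms_key_id)
    rds.get_waiter("db_snapshot_available").wait(DBSnapshotIdentifier=enc_snap)

    rds.restore_db_instance_from_db_snapshot(DBInstanceIdentifier=new_db,
                                             DBSnapshotIdentifier=enc_snap)
    rds.get_waiter("db_instance_available").wait(DBInstanceIdentifier=new_db)

    # Verification step: do not report success until the new instance proves it.
    desc = rds.describe_db_instances(DBInstanceIdentifier=new_db)["DBInstances"][0]
    if not desc.get("StorageEncrypted") or desc.get("KmsKeyId") != kms_key_id:
        raise RuntimeError(f"{new_db} restored but not encrypted with {kms_key_id}")
    return desc


class _RecordingRDS:
    """Offline stand-in for a boto3 RDS client: records calls, answers describe."""

    def __init__(self, kms_key_id: str):
        self.calls: List[str] = []
        self._kms = kms_key_id  # key the stub pretends the restored instance uses

    def __getattr__(self, name):
        def _call(**kwargs):
            self.calls.append(name)
            if name == "describe_db_instances":
                return {"DBInstances": [{"DBInstanceIdentifier": kwargs["DBInstanceIdentifier"],
                                         "StorageEncrypted": True, "KmsKeyId": self._kms}]}
            return {}
        return _call

    def get_waiter(self, name):
        self.calls.append(f"wait:{name}")
        return type("Waiter", (), {"wait": lambda self, **kw: None})()


def run_offline(kms_key_id: str = "arn:aws:kms:us-east-1:111122223333:key/PLACEHOLDER") -> List[str]:
    """Exercise the flow against the stub and return the recorded call sequence."""
    stub = _RecordingRDS(kms_key_id)
    encrypt_rds_instance(stub, "orders-prod", kms_key_id, "orders-prod-encrypted")
    return stub.calls


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 4:
        # Real run: python encrypt_rds.py <source-db-id> <kms-key-id> <new-db-id>
        # Needs AWS credentials with rds:* on the instances and kms:* grants on the key.
        import boto3
        src, key, new = sys.argv[1:]
        print(encrypt_rds_instance(boto3.client("rds"), src, key, new)["DBInstanceIdentifier"])
    else:
        print("\n".join(run_offline()))
```

The final describe call is deliberate: a restore that silently lands on the wrong key (for example when a cross-account key grant is missing) is caught here rather than discovered later by an audit. Cutting applications over to the new instance, as the console plan's last step says, remains a manual follow-up.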
Backout Plan
Using AWS Console:
Navigate to Amazon RDS > Databases
Delete the encrypted DB instance
Recreate the original unencrypted DB from a previous unencrypted snapshot (if available)
Using AWS CLI:
Delete the encrypted DB instance:
aws rds delete-db-instance --db-instance-identifier encrypted-db --skip-final-snapshot
Restore from unencrypted snapshot:
aws rds restore-db-instance-from-db-snapshot --db-instance-identifier original-db --db-snapshot-identifier unencrypted-snap
References: