Profile Applicability:

  • Level 1

Description:
 Encryption at rest and in transit is a fundamental security measure to ensure that sensitive data is protected while stored and during transmission. Enabling encryption ensures that unauthorized users cannot access data, even if they gain access to the physical storage or intercept data in transit.

Rationale:
 By enabling encryption at rest, the database’s physical files are protected, preventing unauthorized access even if storage is compromised. Encryption in transit ensures that data transferred between users and the database, or between databases, cannot be read or tampered with while in motion.

Impact:
 If encryption is not enabled, sensitive data could be exposed during storage or transmission, leading to security breaches or data leakage. Configuring encryption reduces the risk of unauthorized access and is a requirement for many regulatory frameworks such as GDPR, HIPAA, and PCI DSS.

Default Value:
 By default, Amazon Aurora supports encryption at rest for new databases, but it may not be enabled on existing databases. Aurora endpoints accept SSL/TLS connections by default, so encryption in transit is available to any client that connects with SSL/TLS.

Pre-requisites:

  • An AWS account with Aurora database instances.

  • Understanding of Amazon RDS encryption options and SSL/TLS protocols.

  • AWS Key Management Service (KMS) keys for encryption at rest.

Remediation:

Test Plan:

Using AWS Console:

  1. Navigate to RDS Dashboard and select an Aurora instance.

  2. Under Configuration, verify that Encryption is enabled for the Aurora instance.

  3. For encryption in transit, ensure that SSL/TLS is enabled by reviewing the instance's connection settings.

  4. Verify the database's Encryption Key in KMS and ensure it's securely managed.

  5. Test a connection using SSL to confirm encryption in transit.

Using AWS CLI:

  1. Run the following command to check if encryption at rest is enabled (for Aurora, encryption is a property of the DB cluster and is reported on each of its instances):

     aws rds describe-db-instances --query "DBInstances[].[DBInstanceIdentifier,StorageEncrypted]"

  2. To list the endpoint and port each instance exposes for connections in transit (this shows where clients connect; whether TLS is required on the server side is governed by the DB cluster parameter group):

     aws rds describe-db-instances --query "DBInstances[].{Instance:DBInstanceIdentifier,Endpoint:Endpoint.Address,Port:Endpoint.Port}"

  3. Verify the KMS encryption key by running:

     aws rds describe-db-instances --query "DBInstances[].[DBInstanceIdentifier,KmsKeyId]"

Implementation Plan:

Using AWS Console:

  1. In the RDS Console, navigate to the Aurora instance and click Modify.

  2. For encryption at rest, ensure that Encryption is checked and select a KMS key (or use the default).

  3. For encryption in transit, enable SSL/TLS under Connectivity & Security.

  4. Apply changes and restart the database if necessary for encryption at rest to take effect.

Using AWS CLI:

  1. Enable encryption at rest when creating a new Aurora cluster (for Aurora, encryption is set on the DB cluster, and instances added to the cluster inherit it; use --engine aurora-postgresql for the PostgreSQL-compatible edition):

     aws rds create-db-cluster --db-cluster-identifier <db-cluster-id> --engine aurora-mysql --master-username <master-username> --manage-master-user-password --storage-encrypted --kms-key-id <kms-key-id>

  2. An existing unencrypted cluster cannot be switched to encrypted in place (modify-db-instance has no --storage-encrypted option). Instead, take a cluster snapshot, copy it with a KMS key, which produces an encrypted copy, and restore a new cluster from that copy:

     aws rds copy-db-cluster-snapshot --source-db-cluster-snapshot-identifier <unencrypted-snapshot-id> --target-db-cluster-snapshot-identifier <encrypted-snapshot-id> --kms-key-id <kms-key-id>
     aws rds restore-db-cluster-from-snapshot --db-cluster-identifier <new-db-cluster-id> --snapshot-identifier <encrypted-snapshot-id> --engine aurora-mysql --kms-key-id <kms-key-id>

  3. For encryption in transit, ensure clients connect with SSL by specifying ssl=true in the database connection string. To reject unencrypted connections on the server side, set require_secure_transport=ON (Aurora MySQL) or rds.force_ssl=1 (Aurora PostgreSQL) in the DB cluster parameter group. Use the following command to retrieve the endpoint to connect to:

     aws rds describe-db-instances --db-instance-identifier <db-instance-id> --query "DBInstances[].Endpoint"

  4. Test the SSL connection with the following command:

     mysql -h <db-endpoint> -u <username> -p --ssl-ca=<path-to-ca-cert> --ssl-verify-server-cert

Backout Plan:

Using AWS Console:

  1. If the encryption at rest or in transit is misconfigured, go to RDS Dashboard and modify the database instance to remove the encryption settings.

  2. For encryption at rest, disable the Encryption setting and re-apply the changes.

  3. For SSL/TLS, disable SSL under Connectivity & Security in the Aurora instance settings.

Using AWS CLI:

  1. For encryption at rest, encryption cannot be removed from a cluster in place. Restore a cluster from the unencrypted snapshot taken before the change (restoring an unencrypted snapshot without a KMS key yields an unencrypted cluster) and point clients back to it:

     aws rds restore-db-cluster-from-snapshot --db-cluster-identifier <db-cluster-id> --snapshot-identifier <pre-change-snapshot-id> --engine aurora-mysql

  2. For SSL/TLS, stop enforcing encrypted connections by resetting the cluster parameter (use rds.force_ssl=0 for Aurora PostgreSQL):

     aws rds modify-db-cluster-parameter-group --db-cluster-parameter-group-name <cluster-param-group> --parameters "ParameterName=require_secure_transport,ParameterValue=OFF,ApplyMethod=immediate"
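
The script below is an added example covering both the Implementation Plan and the Backout Plan above; it is not part of the benchmark text. It wraps the AWS CLI calls for the snapshot, encrypted copy and restore path, the cluster-parameter-group change that forces TLS, and the corresponding rollback. Cluster, key, engine and parameter group names are placeholders passed as arguments, and the `DRY_RUN` switch and the `-encrypted` naming suffix are conventions of this example only.

```shell
#!/bin/sh
# Added example (not part of the benchmark text): the AWS CLI sequence to
# encrypt an existing, unencrypted Aurora cluster and to enforce TLS, plus a
# matching backout. All identifiers are placeholders passed as arguments.
# With DRY_RUN=1 each AWS call is printed instead of executed.

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Encryption at rest cannot be enabled in place. Supported path: snapshot the
# cluster, copy the snapshot with a KMS key (the copy is encrypted), restore a
# new cluster from the copy, then add an instance to it. The original cluster
# is left untouched until clients have been cut over and validated.
encrypt_cluster_at_rest() {
    cluster="$1"; kms_key="$2"; engine="$3"; instance_class="$4"
    stamp="$(date +%Y%m%d%H%M%S)"
    plain_snap="$cluster-pre-encrypt-$stamp"
    enc_snap="$cluster-encrypted-$stamp"
    run aws rds create-db-cluster-snapshot \
        --db-cluster-identifier "$cluster" \
        --db-cluster-snapshot-identifier "$plain_snap"
    run aws rds wait db-cluster-snapshot-available \
        --db-cluster-snapshot-identifier "$plain_snap"
    run aws rds copy-db-cluster-snapshot \
        --source-db-cluster-snapshot-identifier "$plain_snap" \
        --target-db-cluster-snapshot-identifier "$enc_snap" \
        --kms-key-id "$kms_key"
    run aws rds wait db-cluster-snapshot-available \
        --db-cluster-snapshot-identifier "$enc_snap"
    run aws rds restore-db-cluster-from-snapshot \
        --db-cluster-identifier "$cluster-encrypted" \
        --snapshot-identifier "$enc_snap" \
        --engine "$engine" \
        --kms-key-id "$kms_key"
    run aws rds create-db-instance \
        --db-instance-identifier "$cluster-encrypted-1" \
        --db-cluster-identifier "$cluster-encrypted" \
        --db-instance-class "$instance_class" \
        --engine "$engine"
}

# Map the engine to the cluster parameter that rejects unencrypted sessions.
tls_parameter() {
    case "$1" in
        aurora-postgresql) echo "rds.force_ssl" ;;
        *)                 echo "require_secure_transport" ;;
    esac
}

# Server-side TLS enforcement (the client-side ssl=true setting is voluntary).
# $1 = DB cluster parameter group, $2 = engine, $3 = "on" or "off".
set_tls_enforcement() {
    group="$1"; engine="$2"; state="$3"
    param="$(tls_parameter "$engine")"
    if [ "$param" = "rds.force_ssl" ]; then
        [ "$state" = "on" ] && value=1 || value=0
    else
        [ "$state" = "on" ] && value=ON || value=OFF
    fi
    run aws rds modify-db-cluster-parameter-group \
        --db-cluster-parameter-group-name "$group" \
        --parameters "ParameterName=$param,ParameterValue=$value,ApplyMethod=immediate"
}

enforce_tls() { set_tls_enforcement "$1" "$2" on; }
relax_tls()   { set_tls_enforcement "$1" "$2" off; }   # backout

# Backout for encryption at rest: remove the encrypted copy and keep serving
# from the original unencrypted cluster (the pre-change snapshot is retained).
backout_at_rest() {
    cluster="$1"
    run aws rds delete-db-instance \
        --db-instance-identifier "$cluster-encrypted-1" \
        --skip-final-snapshot
    run aws rds wait db-instance-deleted \
        --db-instance-identifier "$cluster-encrypted-1"
    run aws rds delete-db-cluster \
        --db-cluster-identifier "$cluster-encrypted" \
        --skip-final-snapshot
}
```

Example invocation: `DRY_RUN=1 sh -c '. ./aurora-encrypt.sh; encrypt_cluster_at_rest legacy-aurora <kms-key-id> aurora-mysql db.r5.large; enforce_tls <cluster-param-group> aurora-mysql'` prints the calls for review before running them for real. Because `modify-db-cluster-parameter-group` with `ApplyMethod=immediate` takes effect on the next connection, verify existing clients already use `ssl=true` before enforcing, or they will be refused.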

References: