Profile Applicability 

  • Level 1

Description

Ensure that all data exchanged between database services, clients, and internal systems is encrypted during transit using protocols such as SSL/TLS. This ensures the confidentiality and integrity of the data as it travels over the network.

Rationale

Encrypting data in transit helps prevent unauthorized access and tampering during transmission. It is critical for defeating man-in-the-middle attacks and eavesdropping, and for keeping sensitive data secure while it crosses networks.

Impact

Pros:

  • Secures data during transmission.

  • Helps comply with regulatory standards (e.g., HIPAA, GDPR).

  • Ensures confidentiality and integrity of data exchanged.

Cons:

  • Slight performance impact due to encryption/decryption operations.

  • Requires appropriate configuration on both client and server sides to work effectively.

Default Value

Encryption in transit is not enabled by default for all AWS database services. It needs to be configured during setup or after deployment.

Pre-Requisites

  • AWS Key Management Service (KMS) for managing encryption keys.

  • IAM permissions to configure security settings and enable encryption protocols.

Remediation

Test Plan

Using AWS Console

  1. Sign in to the AWS Management Console.

  2. Open the relevant database service (e.g., RDS, DynamoDB, etc.).

  3. Select the database instance or cluster.

  4. Navigate to the Connectivity & Security tab.

  5. Ensure Encryption in Transit (e.g., SSL/TLS) is enabled and configured.

  6. Verify that the database endpoint supports SSL connections.

Using AWS CLI

Identify the engine and the parameter group attached to an RDS instance (the endpoint itself accepts TLS; whether TLS is required is controlled by the parameter group):

aws rds describe-db-instances --db-instance-identifier <db-instance-id> --query "DBInstances[*].[Endpoint.Address,Engine,DBParameterGroups[*].DBParameterGroupName]"

Verify that TLS is enforced in that parameter group (rds.force_ssl for PostgreSQL and SQL Server, require_secure_transport for MySQL and MariaDB; a value of 1 or ON means clients must use TLS):

aws rds describe-db-parameters --db-parameter-group-name <parameter-group-name> --query "Parameters[?ParameterName=='rds.force_ssl' || ParameterName=='require_secure_transport'].[ParameterName,ParameterValue]"

For an Aurora cluster, check the cluster parameter group instead:

aws rds describe-db-clusters --db-cluster-identifier <db-cluster-id> --query "DBClusters[*].[Endpoint,Engine,DBClusterParameterGroup]"

aws rds describe-db-cluster-parameters --db-cluster-parameter-group-name <cluster-parameter-group-name> --query "Parameters[?ParameterName=='rds.force_ssl' || ParameterName=='require_secure_transport'].[ParameterName,ParameterValue]"
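As an added example (not part of this benchmark text or of any AWS tooling), the following Python script evaluates the JSON that `aws rds describe-db-parameters` returns and reports whether TLS is actually required, handling the engine differences that make a single query insufficient (rds.force_ssl for PostgreSQL and SQL Server, require_secure_transport for MySQL-family engines). The instance records and parameter lists embedded in it are constructed samples; the file-based usage in the docstring is an assumed workflow, not an AWS feature.

```python
"""Offline audit of RDS TLS enforcement from describe-db-parameters output.

Added example, not part of the benchmark text. Assumed workflow against a
real account:
    aws rds describe-db-parameters --db-parameter-group-name mygroup > params.json
    python rds_tls_audit.py postgres params.json
"""
from __future__ import annotations
import json
import sys

# Engine family -> (enforcement parameter, values that mean "TLS required").
# rds.force_ssl covers PostgreSQL and SQL Server; MySQL-family engines use
# require_secure_transport instead.
ENFORCEMENT_PARAMS = {
    "postgres": ("rds.force_ssl", {"1"}),
    "aurora-postgresql": ("rds.force_ssl", {"1"}),
    "sqlserver": ("rds.force_ssl", {"1"}),
    "mysql": ("require_secure_transport", {"ON", "1"}),
    "mariadb": ("require_secure_transport", {"ON", "1"}),
    "aurora-mysql": ("require_secure_transport", {"ON", "1"}),
}


def engine_family(engine: str) -> str:
    """Map an RDS Engine string such as 'sqlserver-ex' to its family key."""
    engine = engine.lower()
    for family in ENFORCEMENT_PARAMS:
        if engine == family or engine.startswith(family + "-"):
            return family
    raise ValueError(f"no TLS enforcement parameter known for engine {engine!r}")


def tls_enforced(engine: str, describe_output: dict) -> tuple[bool, str]:
    """Return (enforced, reason) for one describe-db-parameters result.

    A parameter that is absent from the output is reported as not enforced:
    the requirement cannot be confirmed (re-run without --source user so that
    engine defaults are included)."""
    name, required_values = ENFORCEMENT_PARAMS[engine_family(engine)]
    for param in describe_output.get("Parameters", []):
        if param.get("ParameterName") != name:
            continue
        value = str(param.get("ParameterValue", "")).upper()
        if value in required_values:
            return True, f"{name}={value}"
        return False, f"{name}={value or '<unset>'}"
    return False, f"{name} absent from parameter group"


def audit(instances: list[dict]) -> list[dict]:
    """Evaluate several instances; each item carries its id, engine and the
    parameter-group JSON already fetched for it."""
    findings = []
    for inst in instances:
        ok, why = tls_enforced(inst["engine"], inst["parameters"])
        findings.append({"id": inst["id"], "enforced": ok, "reason": why})
    return findings


# Constructed samples shaped like real describe-db-parameters responses.
SAMPLE_PG = {"Parameters": [
    {"ParameterName": "log_connections", "ParameterValue": "1", "Source": "user"},
    {"ParameterName": "rds.force_ssl", "ParameterValue": "0", "Source": "engine-default"},
]}
SAMPLE_MYSQL = {"Parameters": [
    {"ParameterName": "require_secure_transport", "ParameterValue": "ON", "Source": "user"},
]}
SAMPLE_INSTANCES = [  # constructed instance identifiers
    {"id": "orders-pg", "engine": "postgres", "parameters": SAMPLE_PG},
    {"id": "billing-aurora", "engine": "aurora-mysql", "parameters": SAMPLE_MYSQL},
]

if __name__ == "__main__":
    if len(sys.argv) == 3:  # <engine> <saved describe-db-parameters JSON>
        with open(sys.argv[2]) as fh:
            ok, why = tls_enforced(sys.argv[1], json.load(fh))
        print(f"{'PASS' if ok else 'FAIL'}: {why}")
        sys.exit(0 if ok else 1)
    for finding in audit(SAMPLE_INSTANCES):
        status = "PASS" if finding["enforced"] else "FAIL"
        print(f"{status}: {finding['id']} ({finding['reason']})")
```

Run without arguments to see the two constructed samples evaluated (the PostgreSQL instance fails because rds.force_ssl is 0); the exit code in file mode makes the check usable from a CI or compliance job.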

Implementation Plan

Using AWS Console

  1. Sign in to the AWS Management Console.

  2. Navigate to RDS > Databases or DynamoDB > Tables.

  3. Select the database and click Modify.

  4. In the Encryption section, enable SSL or TLS.

  5. Set the SSL certificate if using a customer-managed certificate.

  6. Save changes and apply immediately or schedule for the next maintenance window.

Using AWS CLI

Require TLS in the parameter group used by the RDS instance (rds.force_ssl=1 for PostgreSQL and SQL Server; use ParameterName=require_secure_transport,ParameterValue=ON for MySQL and MariaDB). Default parameter groups cannot be modified, so attach a custom group first if the instance still uses a default one. Where the parameter is static (for example rds.force_ssl on SQL Server), use ApplyMethod=pending-reboot and reboot the instance:

aws rds modify-db-parameter-group --db-parameter-group-name <parameter-group-name> --parameters "ParameterName=rds.force_ssl,ParameterValue=1,ApplyMethod=immediate"

aws rds modify-db-instance --db-instance-identifier <db-instance-id> --db-parameter-group-name <parameter-group-name> --apply-immediately

To update the CA certificate the RDS instance presents to clients:

aws rds modify-db-instance --db-instance-identifier <db-instance-id> --ca-certificate-identifier <ca-certificate-identifier> --apply-immediately

  • For DynamoDB or other services, ensure encryption in transit settings are explicitly set in their respective configurations.
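DynamoDB has no server-side parameter comparable to rds.force_ssl; the explicit setting that enforces encryption in transit is a policy statement denying requests whose aws:SecureTransport condition key is false. As an added example (not part of this benchmark text), the Python below audits a parsed IAM, VPC endpoint or resource policy document for such a Deny and shows a permissive policy beside its hardened form. Both policy documents, the table ARN and the account number are constructed samples.

```python
"""Check that a policy document forces TLS for DynamoDB calls.

Added example, not part of the benchmark text. Audits parsed policy JSON
for an explicit Deny on dynamodb:* (or *) conditioned on
aws:SecureTransport being false, and can append that statement.
"""
import copy

# IAM condition keys are case-insensitive, so compare in lower case.
SECURE_TRANSPORT_KEY = "aws:securetransport"


def _as_list(value):
    """IAM allows a single string or a list for Statement, Action and
    condition values; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _covers_dynamodb(actions) -> bool:
    """Only a wildcard over the whole service counts as blanket enforcement."""
    return any(action in ("*", "dynamodb:*") for action in actions)


def denies_insecure_transport(policy: dict) -> bool:
    """True if some Deny statement blocks every DynamoDB action when the
    request was not made over TLS (Condition Bool aws:SecureTransport=false)."""
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Deny":
            continue
        if not _covers_dynamodb(_as_list(stmt.get("Action"))):
            continue
        bool_cond = stmt.get("Condition", {}).get("Bool", {})
        for key, values in bool_cond.items():
            if key.lower() != SECURE_TRANSPORT_KEY:
                continue
            if any(str(v).lower() == "false" for v in _as_list(values)):
                return True
    return False


DENY_PLAINTEXT = {
    "Sid": "DenyNonTLS",
    "Effect": "Deny",
    "Action": "dynamodb:*",
    "Resource": "*",
    "Condition": {"Bool": {"aws:SecureTransport": "false"}},
}


def harden(policy: dict) -> dict:
    """Return a copy of the policy with the TLS-only Deny added if missing."""
    if denies_insecure_transport(policy):
        return copy.deepcopy(policy)
    hardened = copy.deepcopy(policy)
    hardened["Statement"] = _as_list(hardened.get("Statement")) + [copy.deepcopy(DENY_PLAINTEXT)]
    return hardened


# Constructed samples (account id and table name are placeholders).
TABLE_ARN = "arn:aws:dynamodb:us-east-1:111122223333:table/Orders"

WEAK_POLICY = {  # grants access but says nothing about transport
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "dynamodb:*", "Resource": TABLE_ARN}],
}

HARDENED_POLICY = {  # same grant plus the explicit Deny for plaintext requests
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "dynamodb:*", "Resource": TABLE_ARN},
        DENY_PLAINTEXT,
    ],
}

if __name__ == "__main__":
    for name, doc in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"{name}: TLS enforced = {denies_insecure_transport(doc)}")
```

SDK clients default to HTTPS, so the Deny statement is what closes the gap for a client that has been pointed at a plain-http endpoint or a misconfigured proxy; the same statement shape works in an identity policy, a VPC endpoint policy or a DynamoDB resource-based policy.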

Backout Plan

Using AWS Console

  1. Sign in to AWS Management Console.

  2. Open the relevant database service and select the instance or cluster.

  3. Navigate to Modify and disable SSL/TLS encryption.

  4. Apply changes and test to ensure functionality is reverted.

Using AWS CLI

Stop requiring TLS in the parameter group used by the database (this removes the requirement only; clients that already negotiate TLS keep doing so). Use ParameterName=require_secure_transport,ParameterValue=OFF for MySQL and MariaDB:

aws rds modify-db-parameter-group --db-parameter-group-name <parameter-group-name> --parameters "ParameterName=rds.force_ssl,ParameterValue=0,ApplyMethod=immediate"

References

CIS Controls Mapping

Controls Version   Control ID   IG1   IG2   IG3
v8                 13.4               ✔️    ✔️
v7                 4.4                ✔️    ✔️