Profile Applicability:
Level 1
Description:
This check ensures that data is protected both while stored in the database (data at rest) and while transmitted over the network (data in transit). In AWS, encryption of data at rest is enabled through AWS-managed keys or custom KMS keys, while encryption of data in transit is ensured using SSL/TLS protocols for communication between clients and database instances.
Rationale:
Encrypting both data at rest and in transit ensures that sensitive data remains protected from unauthorized access, both when it is stored on disk and during transmission. This is critical for meeting security and privacy requirements such as GDPR, HIPAA, and SOC 2, as well as preventing data breaches and unauthorized access.
Impact:
Without proper encryption, data could be exposed to unauthorized parties during storage or transmission, leading to potential data breaches or attacks. Encryption prevents eavesdropping and unauthorized access, thereby reducing the risk of data loss or theft.
Default Value:
By default, Amazon Aurora does not require encrypted connections; data in transit is protected only when SSL/TLS is used. Data at rest is encrypted only if encryption was explicitly enabled when the database was created, using an AWS KMS key.
Pre-requisites:
An AWS account with administrative privileges.
Amazon Aurora instances created.
Basic knowledge of encryption in AWS, including the use of KMS for data at rest and SSL/TLS for data in transit.
Test Plan:
Using AWS Console:
Navigate to RDS > Databases and select your Aurora instance.
Under Connectivity & Security, verify that Encryption is enabled for data at rest.
Ensure SSL/TLS is enabled for data in transit under the Modify section and confirm the correct SSL certificate is in use.
In CloudWatch Logs, ensure that logs are being forwarded securely and are encrypted.
Using AWS CLI:
Run the following command to check if data at rest is encrypted:
aws rds describe-db-instances --query "DBInstances[].{DBInstanceIdentifier:DBInstanceIdentifier, StorageEncrypted:StorageEncrypted}"
Check which CA certificate each instance presents for SSL/TLS connections:
aws rds describe-db-instances --query "DBInstances[].{DBInstanceIdentifier:DBInstanceIdentifier, CACertificateIdentifier:CACertificateIdentifier}"
Verify if the appropriate KMS key is used for data at rest:
aws rds describe-db-instances --query "DBInstances[].{DBInstanceIdentifier:DBInstanceIdentifier, KmsKeyId:KmsKeyId}"
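The three CLI queries above can be folded into one audit. The following script is an added example, not part of this benchmark or of any AWS tooling; it evaluates every Aurora cluster for storage encryption and, going one step further than the certificate check above, for server-side TLS enforcement through the cluster parameter group (require_secure_transport for Aurora MySQL, rds.force_ssl for Aurora PostgreSQL). The cluster names, parameter group names and parameter values in the sample are constructed.

```python
"""Audit Aurora clusters for encryption at rest and server-side TLS enforcement.
evaluate_cluster() takes the plain dicts the RDS API returns, so it runs offline on
the constructed sample below; collect_findings() performs the live API calls."""
# Cluster parameter that forces TLS per Aurora engine, with its "enforced" values.
TLS_PARAM = {"aurora-mysql": ("require_secure_transport", {"ON", "1"}),
             "aurora-postgresql": ("rds.force_ssl", {"1"})}

def evaluate_cluster(cluster, parameters):
    """Return finding strings for one cluster; an empty list means compliant."""
    findings = []
    cid = cluster["DBClusterIdentifier"]
    if not cluster.get("StorageEncrypted"):
        findings.append(f"{cid}: storage not encrypted (cannot be enabled in place; "
                        "a new encrypted cluster is required)")
    spec = TLS_PARAM.get(cluster.get("Engine", ""))
    if spec is None:  # unsupported engine string: report rather than silently pass
        findings.append(f"{cid}: engine {cluster.get('Engine')!r} not evaluated for TLS")
        return findings
    name, enforced = spec
    value = next((p.get("ParameterValue") for p in parameters
                  if p.get("ParameterName") == name), None)
    if value is None or value.upper() not in enforced:  # None: parameter left at default
        findings.append(f"{cid}: {name}={value!r} does not force TLS on connections")
    return findings

def collect_findings(region_name=None):
    """Live audit of every cluster in the region (needs boto3 and rds:Describe*)."""
    import boto3  # imported lazily so the evaluation logic stays usable offline
    rds = boto3.client("rds", region_name=region_name)
    findings = []
    for page in rds.get_paginator("describe_db_clusters").paginate():
        for cluster in page["DBClusters"]:
            params = []
            for ppage in rds.get_paginator("describe_db_cluster_parameters").paginate(
                    DBClusterParameterGroupName=cluster["DBClusterParameterGroup"]):
                params.extend(ppage["Parameters"])
            findings.extend(evaluate_cluster(cluster, params))
    return findings

# Constructed sample (not real resources): one compliant cluster, one non-compliant.
SAMPLE_CLUSTERS = [
    {"DBClusterIdentifier": "orders-prod", "Engine": "aurora-mysql",
     "StorageEncrypted": True, "DBClusterParameterGroup": "orders-prod-params"},
    {"DBClusterIdentifier": "legacy-reporting", "Engine": "aurora-postgresql",
     "StorageEncrypted": False, "DBClusterParameterGroup": "default.aurora-postgresql15"}]
SAMPLE_PARAMETERS = {
    "orders-prod-params": [{"ParameterName": "require_secure_transport", "ParameterValue": "ON"}],
    "default.aurora-postgresql15": [{"ParameterName": "rds.force_ssl", "ParameterValue": "0"}]}

def audit_sample():
    return [f for c in SAMPLE_CLUSTERS
            for f in evaluate_cluster(c, SAMPLE_PARAMETERS[c["DBClusterParameterGroup"]])]
```

Running audit_sample() on the constructed data reports two findings for legacy-reporting (unencrypted storage and rds.force_ssl left at 0) and none for orders-prod.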
Implementation Plan:
Using AWS Console:
In the RDS Console, go to Databases, select the Aurora instance, and click Modify.
Under Encryption, select Enable Encryption and choose a KMS key (either the default AWS-managed key or a custom key).
Under Connectivity & Security, enable SSL/TLS for the instance and choose the appropriate SSL certificate for encryption.
Apply the changes to enable encryption for both data at rest and in transit.
Using AWS CLI:
To enable encryption for data at rest, it must be set when the Aurora cluster is created (encryption cannot be added to an existing cluster in place); run the following command:
aws rds create-db-cluster --db-cluster-identifier <db-cluster-id> --engine aurora-mysql --master-username <master-user> --master-user-password <master-password> --storage-encrypted --kms-key-id <kms-key-id>
Instances added to that cluster with aws rds create-db-instance --db-cluster-identifier <db-cluster-id> --engine aurora-mysql --db-instance-class <db-instance-class> inherit the cluster's encryption setting.
Assign the CA certificate the instance presents for SSL/TLS connections:
aws rds modify-db-instance --db-instance-identifier <db-instance-id> --ca-certificate-identifier rds-ca-2019 --apply-immediately
Update your application connection string to use SSL/TLS for communication with the Aurora instance.
Backout Plan:
Using AWS Console:
In RDS > Databases, select the Aurora instance, click Modify, and uncheck Enable Encryption to disable data encryption at rest.
In Connectivity & Security, disable SSL/TLS.
Apply the changes, keeping in mind that disabling encryption requires migrating data to a new unencrypted instance.
Using AWS CLI:
Disable data encryption at rest (encryption cannot be removed from an existing cluster, and modify-db-instance has no storage-encryption option; create a new unencrypted cluster and migrate the data into it):
aws rds create-db-cluster --db-cluster-identifier <new-db-cluster-id> --engine aurora-mysql --master-username <master-user> --master-user-password <master-password> --no-storage-encrypted
Disable SSL/TLS enforcement for data in transit (set in the cluster parameter group; shown for Aurora MySQL, for Aurora PostgreSQL use ParameterName=rds.force_ssl,ParameterValue=0):
aws rds modify-db-cluster-parameter-group --db-cluster-parameter-group-name <cluster-parameter-group> --parameters "ParameterName=require_secure_transport,ParameterValue=OFF,ApplyMethod=immediate"
Modify the application to stop using SSL/TLS for connections.
References:
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html