Profile Applicability:
 Level 1

Description:
 Encryption at rest protects data stored in Amazon Aurora databases by ensuring that the database files are encrypted when they are saved to disk. This encryption applies to both data and backups and ensures that unauthorized users or services cannot access the sensitive information stored in the database.

Rationale:
 Encryption at rest is a crucial security measure for protecting sensitive data from unauthorized access. It ensures that data is protected even if the underlying storage is compromised, helping organizations meet compliance requirements like HIPAA, PCI-DSS, and GDPR. Encryption at rest ensures that stored data, including backups, remains confidential and secure.

Impact:
 Without encryption at rest, data stored in the database could be exposed if the underlying storage is compromised, resulting in potential data breaches or loss of sensitive information. Enabling encryption ensures that data is protected and encrypted both during storage and in transit.

Default Value:
 By default, Amazon Aurora supports encryption at rest using AWS Key Management Service (KMS) for encryption. However, this feature must be enabled during the creation of the database instance. Encryption cannot be enabled on an existing database instance, but a new encrypted instance can be created and data can be migrated.

Pre-requisites:

  • An AWS account with the appropriate administrative privileges to configure Aurora database encryption.

  • An AWS Key Management Service (KMS) key created for use with Aurora.

  • The Aurora instance must be created with encryption enabled, or data migration to a new encrypted instance may be required.

Remediation:

Test Plan:

Using AWS Console:

  1. Navigate to RDS > Databases, and select your Aurora instance.

  2. In the Configuration section, verify that Encryption at Rest is enabled for the database instance.

  3. Check the KMS Key ID associated with the Aurora instance to ensure that it is properly configured.

  4. Ensure that automatic backups are also encrypted and that snapshots of the database are encrypted.

  5. Review CloudWatch Logs and ensure that any exported logs or backups are also encrypted.

Using AWS CLI:

  1. Run the following command to check if Encryption at Rest is enabled for the Aurora instance (each Aurora instance reports the encryption state of its cluster):

    aws rds describe-db-instances --query "DBInstances[].{DBInstanceIdentifier:DBInstanceIdentifier, StorageEncrypted:StorageEncrypted, KmsKeyId:KmsKeyId}"

  2. Verify that automatic backups are encrypted (automated backups are encrypted with the same key as the storage, so confirm that a retention period is set and that storage is encrypted):

    aws rds describe-db-instances --query "DBInstances[].{DBInstanceIdentifier:DBInstanceIdentifier, BackupRetentionPeriod:BackupRetentionPeriod, StorageEncrypted:StorageEncrypted, KmsKeyId:KmsKeyId}"

  3. Check that snapshots are encrypted (Aurora snapshots are taken at the cluster level):

    aws rds describe-db-cluster-snapshots --db-cluster-identifier <db-cluster-id> --query "DBClusterSnapshots[].{DBClusterSnapshotIdentifier:DBClusterSnapshotIdentifier, StorageEncrypted:StorageEncrypted, KmsKeyId:KmsKeyId}"
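The CLI checks above, combined into one audit pass over every Aurora cluster and cluster snapshot in a region, as an added example that is not part of the original benchmark text. The sample records, identifiers and key ARN are constructed; evaluate() works on plain dicts shaped like the RDS API responses so it runs offline, while collect_live() (a hypothetical helper name) needs boto3 and AWS credentials.

```python
"""Audit Amazon Aurora clusters and cluster snapshots for encryption at rest.
evaluate() takes plain dicts shaped like the describe-db-clusters and
describe-db-cluster-snapshots responses so it runs offline; collect_live()
fetches the same shapes with boto3 and needs AWS credentials."""

# Constructed sample records; the identifiers and key ARN are not real.
SAMPLE_KEY = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
SAMPLE_CLUSTERS = [
    {"DBClusterIdentifier": "orders-prod", "StorageEncrypted": True,
     "KmsKeyId": SAMPLE_KEY, "BackupRetentionPeriod": 7},
    {"DBClusterIdentifier": "legacy-reports", "StorageEncrypted": False,
     "BackupRetentionPeriod": 1},
]
SAMPLE_SNAPSHOTS = [
    {"DBClusterSnapshotIdentifier": "orders-prod-2024-01-01", "DBClusterIdentifier": "orders-prod",
     "StorageEncrypted": True, "KmsKeyId": SAMPLE_KEY},
    {"DBClusterSnapshotIdentifier": "orders-prod-pre-migration", "DBClusterIdentifier": "orders-prod",
     "StorageEncrypted": False},
]


def evaluate(clusters: list[dict], snapshots: list[dict]) -> dict[str, list[str]]:
    """Return {cluster id: [findings]} for every cluster or snapshot that fails the check."""
    findings: dict[str, list[str]] = {}
    for c in clusters:
        issues = findings.setdefault(c["DBClusterIdentifier"], [])
        if not c.get("StorageEncrypted"):
            # Cannot be fixed in place: restore a new cluster from an encrypted snapshot copy.
            issues.append("cluster storage is not encrypted")
        elif not c.get("KmsKeyId"):
            issues.append("cluster reports encryption but no KMS key ID")
    for s in snapshots:
        # Snapshots taken before a cluster was migrated to encrypted storage stay unencrypted.
        if not s.get("StorageEncrypted"):
            owner = s.get("DBClusterIdentifier", "<unknown-cluster>")
            findings.setdefault(owner, []).append(
                f"snapshot {s['DBClusterSnapshotIdentifier']} is unencrypted")
    return {cid: issues for cid, issues in findings.items() if issues}


def collect_live(region: str) -> tuple[list[dict], list[dict]]:
    """Fetch all clusters and cluster snapshots in one region via boto3."""
    import boto3  # imported here so evaluate() works without boto3 installed
    rds = boto3.client("rds", region_name=region)
    clusters = [c for page in rds.get_paginator("describe_db_clusters").paginate()
                for c in page["DBClusters"]]
    snapshots = [s for page in rds.get_paginator("describe_db_cluster_snapshots").paginate()
                 for s in page["DBClusterSnapshots"]]
    return clusters, snapshots
```

Run it as `evaluate(*collect_live("us-east-1"))` against a real account; an empty result means every cluster and snapshot in that region is encrypted.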

Implementation Plan:

Using AWS Console:

  1. Navigate to RDS > Databases, select the Aurora instance, and click Modify.

  2. Under the Storage section, enable Encryption at Rest.

  3. Choose an appropriate KMS Key for the encryption process.

  4. Enable encrypted backups and ensure that automatic backups are configured.

  5. Apply the changes to the Aurora instance to enable encryption at rest.

Using AWS CLI:

  1. Enable Encryption at Rest by creating a new Aurora cluster with encryption enabled (encryption is set on the cluster, and every instance added to it inherits that setting):

    aws rds create-db-cluster --db-cluster-identifier <db-cluster-id> --engine aurora-mysql --master-username <admin-user> --master-user-password <password> --storage-encrypted --kms-key-id <kms-key-id>

    aws rds create-db-instance --db-instance-identifier <db-instance-id> --db-cluster-identifier <db-cluster-id> --db-instance-class <db-instance-class> --engine aurora-mysql

  2. Verify automatic backup encryption by setting the retention period on the cluster and confirming that its storage (and therefore its automated backups) is encrypted:

    aws rds modify-db-cluster --db-cluster-identifier <db-cluster-id> --backup-retention-period <retention-period> --apply-immediately

    aws rds describe-db-clusters --db-cluster-identifier <db-cluster-id> --query "DBClusters[].{BackupRetentionPeriod:BackupRetentionPeriod, StorageEncrypted:StorageEncrypted, KmsKeyId:KmsKeyId}"

  3. Check the snapshots encryption status (snapshots of an encrypted cluster are encrypted with the cluster's key):

    aws rds describe-db-cluster-snapshots --db-cluster-identifier <db-cluster-id> --query "DBClusterSnapshots[].{DBClusterSnapshotIdentifier:DBClusterSnapshotIdentifier, StorageEncrypted:StorageEncrypted, KmsKeyId:KmsKeyId}"

Backout Plan:

Using AWS Console:

  1. Navigate to RDS > Databases, select the Aurora instance, and click Modify.

  2. Disable Encryption at Rest by disabling the Storage Encrypted setting.

  3. If the database is encrypted, create a new database instance without encryption, and migrate the data.

  4. Apply the changes to revert the encryption configuration.

Using AWS CLI:

  1. Disable Encryption at Rest (a new Aurora cluster must be created, as encryption cannot be disabled on an existing cluster or instance):

    aws rds create-db-cluster --db-cluster-identifier <new-db-cluster-id> --engine aurora-mysql --master-username <admin-user> --master-user-password <password> --no-storage-encrypted

    aws rds create-db-instance --db-instance-identifier <new-db-instance-id> --db-cluster-identifier <new-db-cluster-id> --db-instance-class <db-instance-class> --engine aurora-mysql

  2. If automatic backups need to be reverted, confirm that the new cluster's backups are unencrypted (automated backups always follow the encryption setting of their cluster, which cannot be changed in place):

    aws rds describe-db-clusters --db-cluster-identifier <new-db-cluster-id> --query "DBClusters[].{BackupRetentionPeriod:BackupRetentionPeriod, StorageEncrypted:StorageEncrypted}"

  3. Remove encryption from snapshots (an existing encrypted snapshot cannot be made unencrypted; take new snapshots from the unencrypted cluster instead):

    aws rds create-db-cluster-snapshot --db-cluster-identifier <new-db-cluster-id> --db-cluster-snapshot-identifier <new-snapshot-id>

References: