Profile Applicability:

  • Level 1

Description:

This control ensures that all Amazon RDS DB snapshots and Amazon Aurora DB cluster snapshots are encrypted at rest with an AWS Key Management Service (KMS) key, either the AWS managed key for RDS (aws/rds) or a customer managed key. A snapshot inherits the encryption state of the DB instance or cluster it was taken from, so in practice this control verifies that storage encryption was enabled on the source. Encryption at rest protects the snapshot's contents if the underlying storage is ever accessed outside the RDS API, and any instance or cluster restored from an encrypted snapshot is itself encrypted.

Rationale:

RDS snapshots and Aurora cluster snapshots often contain sensitive database content, including application data, credentials, or PII (Personally Identifiable Information). An unencrypted snapshot can be shared with another AWS account or made public with a single API call, and any copy of it carries no protection at rest. An encrypted snapshot cannot be made public and can only be copied or restored by a principal that is allowed to use its KMS key, which also gives you a single place (the key policy) to audit who can reach the backup data. Enforcing encryption keeps that data protected, aligns with the CIS AWS Foundations Benchmark, and supports compliance with frameworks such as SOC 2, ISO 27001, and HIPAA.

Impact:

  • Positive Impact: Ensures the confidentiality of backup data by enforcing encryption at rest for all RDS and Aurora snapshots and for everything restored from them.

  • Negative Impact: Adds KMS key management overhead. Snapshots encrypted with the AWS managed key (aws/rds) cannot be shared with other accounts, so cross-account sharing requires a customer managed key whose policy grants the other account access; cross-Region copies need a key in the destination Region; and if the key is disabled or deleted the snapshot can no longer be restored. Existing unencrypted snapshots cannot be encrypted in place and must be copied, which takes time and storage.

Default Value:

A DB instance or Aurora cluster created through the API or CLI is unencrypted unless storage encryption is requested at creation, and the encryption setting cannot be changed afterwards. Every automated and manual snapshot inherits the encryption state of its source, so an unencrypted instance or cluster produces unencrypted snapshots, and existing unencrypted snapshots are never encrypted retroactively.

Pre-Requisite:

  • IAM permissions required: rds:DescribeDBSnapshots and rds:DescribeDBClusterSnapshots to audit; rds:CopyDBSnapshot, rds:CopyDBClusterSnapshot, rds:CreateDBSnapshot, rds:CreateDBClusterSnapshot, rds:RestoreDBInstanceFromDBSnapshot, rds:RestoreDBClusterFromSnapshot, rds:DeleteDBSnapshot, and rds:DeleteDBClusterSnapshot to remediate.
  • A KMS key to encrypt with: the AWS managed key aws/rds, or a customer managed key (required if snapshots must be shared with other accounts). For a customer managed key, the caller also needs permissions on that key such as kms:DescribeKey and kms:CreateGrant, granted through IAM or the key policy.

Remediation:

Test Plan 

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to RDS → Snapshots. Both DB instance snapshots and Aurora DB cluster snapshots are listed here.

  3. Select a snapshot and check whether it is marked as encrypted (the Encryption column, or the encryption setting on the snapshot's detail page).

  4. If the snapshot is not encrypted, it is non-compliant.

  5. Repeat this process for both automated (system) snapshots and manual snapshots, in every Region the account uses.

Implementation Plan 

Using AWS Console:

  1. Navigate to RDS → Snapshots or Aurora → Snapshots.

  2. Identify any unencrypted snapshots.

  3. For RDS DB instance snapshots (an unencrypted snapshot cannot be encrypted in place, and cannot be restored directly to an encrypted instance):

    • Copy the snapshot (Actions → Copy snapshot), enable encryption on the copy, and choose the KMS key.

    • Restore the encrypted copy to a new DB instance, cut the application over to it, and delete the unencrypted original snapshot and instance once the cutover is verified.

  4. For Aurora cluster snapshots:

    • Restore the unencrypted snapshot to a new cluster with encryption enabled (Aurora lets you choose the KMS key at restore time), or copy the snapshot with encryption enabled and restore from the copy.

    • Cut the application over to the encrypted cluster, then delete the unencrypted original snapshot and cluster.

  5. Verify that every snapshot taken from the new instance or cluster is listed as encrypted under the Encryption column.

  6. To ensure that all future snapshots are encrypted, enable storage encryption when creating every new instance or cluster; encryption cannot be chosen per snapshot, because snapshots inherit it from the source. A detective guardrail such as the AWS Config managed rule rds-snapshot-encrypted flags any unencrypted snapshot that appears later.
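The Test Plan and Implementation Plan above can be scripted with the same Describe and Copy APIs the console uses. The following is an added example, not part of the original control text: it lists instance and cluster snapshots, reports the unencrypted ones, and builds the encrypted-copy requests for them. The `FakeRds` class and its snapshot records are constructed stand-ins for a boto3 `rds` client so the script runs offline; the key alias `alias/rds-backups` is an assumed customer managed key.

```python
"""Audit RDS and Aurora snapshots for encryption and build encrypted copies.
Added example; the FakeRds client and its snapshot data are constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Snapshot:
    identifier: str
    kind: str              # "instance" (RDS) or "cluster" (Aurora)
    snapshot_type: str     # "manual" or "automated"
    encrypted: bool
    kms_key_id: Optional[str]


def _paginate(call, list_key):
    """Follow the Marker token returned by the RDS Describe* APIs."""
    marker = None
    while True:
        resp = call(Marker=marker) if marker else call()
        yield from resp.get(list_key, [])
        marker = resp.get("Marker")
        if not marker:
            return


def list_snapshots(rds):
    """rds is a boto3 'rds' client (or anything with the same two methods).
    Without SnapshotType the APIs return this account's manual and automated
    snapshots; shared and public ones need IncludeShared / IncludePublic."""
    found = []
    for s in _paginate(rds.describe_db_snapshots, "DBSnapshots"):
        found.append(Snapshot(s["DBSnapshotIdentifier"], "instance",
                              s["SnapshotType"], bool(s.get("Encrypted")),
                              s.get("KmsKeyId")))
    for s in _paginate(rds.describe_db_cluster_snapshots, "DBClusterSnapshots"):
        # Cluster snapshots report StorageEncrypted, not Encrypted.
        found.append(Snapshot(s["DBClusterSnapshotIdentifier"], "cluster",
                              s["SnapshotType"], bool(s.get("StorageEncrypted")),
                              s.get("KmsKeyId")))
    return found


def find_unencrypted(rds):
    """The Test Plan: every snapshot without encryption is non-compliant."""
    return [s for s in list_snapshots(rds) if not s.encrypted]


def target_identifier(source):
    """Automated snapshot IDs start with 'rds:', which a copy target may not use."""
    base = source[4:] if source.startswith("rds:") else source
    return base.replace(":", "-") + "-encrypted"


def plan_encrypted_copies(unencrypted, kms_key_id):
    """The Implementation Plan: one Copy*Snapshot call per unencrypted snapshot.
    Returns (client method name, kwargs) pairs so the plan can be reviewed first."""
    plan = []
    for s in unencrypted:
        if s.kind == "instance":
            plan.append(("copy_db_snapshot", {
                "SourceDBSnapshotIdentifier": s.identifier,
                "TargetDBSnapshotIdentifier": target_identifier(s.identifier),
                "KmsKeyId": kms_key_id, "CopyTags": True}))
        else:
            plan.append(("copy_db_cluster_snapshot", {
                "SourceDBClusterSnapshotIdentifier": s.identifier,
                "TargetDBClusterSnapshotIdentifier": target_identifier(s.identifier),
                "KmsKeyId": kms_key_id, "CopyTags": True}))
    return plan


def apply_plan(rds, plan):
    """Issue the copy requests; the unencrypted originals are left for the
    operator to delete after the encrypted copies have been restore-tested."""
    return [getattr(rds, method)(**kwargs) for method, kwargs in plan]


class FakeRds:
    """Constructed stand-in for boto3.client('rds'): two pages of instance
    snapshots and one cluster snapshot, with one compliant entry."""
    def __init__(self):
        self.calls = []

    def describe_db_snapshots(self, Marker=None):
        if Marker is None:
            return {"DBSnapshots": [
                {"DBSnapshotIdentifier": "orders-manual-1", "SnapshotType": "manual",
                 "Encrypted": True, "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/example"},
                {"DBSnapshotIdentifier": "rds:orders-2024-01-01-03-05",
                 "SnapshotType": "automated", "Encrypted": False}],
                "Marker": "page2"}
        return {"DBSnapshots": [{"DBSnapshotIdentifier": "legacy-before-upgrade",
                                 "SnapshotType": "manual", "Encrypted": False}]}

    def describe_db_cluster_snapshots(self, Marker=None):
        return {"DBClusterSnapshots": [{"DBClusterSnapshotIdentifier": "aurora-prod-final",
                                        "SnapshotType": "manual", "StorageEncrypted": False}]}

    def copy_db_snapshot(self, **kw):
        self.calls.append(("copy_db_snapshot", kw))
        return {"DBSnapshot": {"Encrypted": True}}

    def copy_db_cluster_snapshot(self, **kw):
        self.calls.append(("copy_db_cluster_snapshot", kw))
        return {"DBClusterSnapshot": {"StorageEncrypted": True}}


if __name__ == "__main__":
    rds = FakeRds()  # against a real account: boto3.client("rds", region_name=...)
    bad = find_unencrypted(rds)
    for s in bad:
        print(f"NON-COMPLIANT {s.kind:8} {s.snapshot_type:9} {s.identifier}")
    plan = plan_encrypted_copies(bad, "alias/rds-backups")  # assumed key alias
    apply_plan(rds, plan)
    print(f"{len(plan)} encrypted copies requested")
```

Run it once per Region, since snapshots are Regional. Reviewing the returned plan before calling `apply_plan` is deliberate: the copy targets cannot start with `rds:`, automated snapshots can only be copied (never modified), and the originals should stay until an encrypted copy has been restored and verified.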

Backout Plan:

Using AWS Console:

  1. Keep the unencrypted original snapshot and source instance or cluster until the encrypted copy has been restored and verified. If the cutover disrupts the application (for example, a consumer that cannot use the KMS key), point the application back at the original and continue taking its snapshots in the meantime.
  2. Reassess the KMS key policy and encryption configuration, then plan a secure migration to encrypted instances or clusters and retire the unencrypted snapshots once it succeeds.

References: