
Rule: RDS DB Snapshots Should Be Encrypted at Rest

This rule checks that RDS DB snapshots are encrypted at rest, so that snapshot data cannot be read if the underlying storage is exposed.

Rule: RDS DB snapshots should be encrypted at rest
Framework: AWS Audit Manager Control Tower Guardrails
Severity: Medium

RDS DB Snapshots Encryption at Rest for AWS Audit Manager Control Tower Guardrails

AWS Audit Manager simplifies the process of assessing your AWS environment against certain compliance standards and industry best practices. Control Tower Guardrails are high-level rules that provide ongoing governance for your AWS environment. One of the security best practices and a frequently required compliance control is ensuring that your Amazon RDS (Relational Database Service) DB snapshots are encrypted at rest.

Importance of Encrypting RDS DB Snapshots

Encrypting RDS DB snapshots at rest adds an additional layer of security by protecting your data from unauthorized access if the underlying storage is compromised. AWS uses the industry-standard AES-256 encryption algorithm to encrypt RDS snapshots.

Identifying Unencrypted RDS DB Snapshots

Step 1: List all RDS snapshots

You can check the encryption status of all RDS DB snapshots by using the AWS Management Console or AWS CLI.

To list snapshots in the AWS Management Console:

  1. Open the Amazon RDS console.
  2. In the navigation pane, click on "Snapshots".
  3. Look for the "Encryption" column in the snapshots list, which indicates whether each snapshot is encrypted.

To list snapshots using AWS CLI:

Run the following command to list all snapshots and their encryption status:

aws rds describe-db-snapshots --query 'DBSnapshots[*].[DBSnapshotIdentifier,Encrypted]' --output table

Step 2: Identify unencrypted snapshots

From the list, identify any snapshots whose Encrypted value is false.

Encrypting Unencrypted RDS DB Snapshots

An existing snapshot cannot be encrypted in place. If you find any RDS DB snapshots that are not encrypted, you must copy each one to a new encrypted snapshot.

Step 1: Copy the unencrypted snapshot to a new encrypted snapshot

Use the following AWS CLI command to copy an unencrypted RDS snapshot to a new encrypted snapshot:

aws rds copy-db-snapshot \
    --source-db-snapshot-identifier my-unencrypted-snapshot \
    --target-db-snapshot-identifier my-encrypted-snapshot \
    --kms-key-id arn:aws:kms:REGION:ACCOUNT-ID:key/KMS-KEY-ID \
    --region YOUR-REGION

Replace my-unencrypted-snapshot with the identifier of your unencrypted snapshot, my-encrypted-snapshot with the target snapshot identifier, REGION with your AWS region, ACCOUNT-ID with your account ID, and KMS-KEY-ID with the ID of your KMS key.

Step 2: Verify the encryption status

After copying the snapshot, verify that the new snapshot is encrypted:

aws rds describe-db-snapshots --db-snapshot-identifier my-encrypted-snapshot --query 'DBSnapshots[*].[DBSnapshotIdentifier,Encrypted]'
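The identify, copy and verify steps above, as an added example that is not part of the original page: a Python script that reads the JSON which `aws rds describe-db-snapshots --output json` writes, lists the unencrypted snapshots, builds the copy-db-snapshot invocation for each one that can be copied, and checks a copied snapshot against the expected KMS key. The JSON below is a constructed sample of that CLI output, and the account ID and key ID are placeholders.

```python
"""Audit RDS snapshot encryption and plan the copy-to-encrypted remediation.
Added example (not from the original page); it needs no AWS access because
the input is a constructed sample of `aws rds describe-db-snapshots` output."""
import json

# Constructed sample of the CLI's JSON output, abridged to the fields used here.
SAMPLE_OUTPUT = json.dumps({"DBSnapshots": [
    {"DBSnapshotIdentifier": "orders-manual-2024-01",
     "DBInstanceIdentifier": "orders-db", "SnapshotType": "manual",
     "Status": "available", "Encrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
    {"DBSnapshotIdentifier": "rds:orders-db-2024-01-15-03-00",
     "DBInstanceIdentifier": "orders-db", "SnapshotType": "automated",
     "Status": "available", "Encrypted": False},
    {"DBSnapshotIdentifier": "legacy-export",
     "DBInstanceIdentifier": "legacy-db", "SnapshotType": "manual",
     "Status": "creating", "Encrypted": False},
]})

def unencrypted_snapshots(describe_json):
    """Return the snapshots whose Encrypted flag is false (the identify step)."""
    snaps = json.loads(describe_json)["DBSnapshots"]
    return [s for s in snaps if not s.get("Encrypted", False)]

def target_identifier(source_id):
    """Derive a valid target name: automated snapshots carry an 'rds:' prefix
    and target identifiers may not contain colons, so strip it and tag the copy."""
    return source_id.removeprefix("rds:") + "-encrypted"

def plan_copy(snapshot, kms_key_arn, region):
    """Build the copy-db-snapshot arguments for one unencrypted snapshot.
    Only snapshots in the 'available' state can be copied; others return None."""
    if snapshot["Status"] != "available":
        return None
    src = snapshot["DBSnapshotIdentifier"]
    return ["aws", "rds", "copy-db-snapshot",
            "--source-db-snapshot-identifier", src,
            "--target-db-snapshot-identifier", target_identifier(src),
            "--kms-key-id", kms_key_arn, "--region", region]

def verify_encrypted(describe_json, snapshot_id, kms_key_arn):
    """Verify step: the named snapshot must be encrypted with the expected key."""
    for s in json.loads(describe_json)["DBSnapshots"]:
        if s["DBSnapshotIdentifier"] == snapshot_id:
            return bool(s.get("Encrypted")) and s.get("KmsKeyId") == kms_key_arn
    return False

if __name__ == "__main__":
    key = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"  # placeholder
    for snap in unencrypted_snapshots(SAMPLE_OUTPUT):
        cmd = plan_copy(snap, key, "us-east-1")
        print(snap["DBSnapshotIdentifier"], "->", " ".join(cmd) if cmd else "skipped")
```

Run it against real output by replacing SAMPLE_OUTPUT with the contents of `aws rds describe-db-snapshots --output json`; the printed commands are the remediation plan, to be reviewed before execution.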

Setting up Future Snapshots to be Encrypted by Default

To ensure that all future snapshots are encrypted, you can either:

  • Enable encryption on the RDS instance itself so that all subsequent snapshots inherit the encryption. Storage encryption can only be enabled when the instance is created; an existing unencrypted instance must be snapshotted, copied with a KMS key and restored.
  • Use the AWS RDS API or CLI to create snapshots from an encrypted instance directly.

Enable encryption on an RDS instance

When creating a new DB instance, enable encryption by passing the --storage-encrypted option and specifying the KMS key:

aws rds create-db-instance \
  --db-instance-identifier mydbinstance \
  --storage-encrypted \
  --kms-key-id arn:aws:kms:REGION:ACCOUNT-ID:key/KMS-KEY-ID \
  ...

Create encrypted snapshots directly

When creating snapshots manually, there is no separate encryption option: create-db-snapshot does not accept a KMS key, and the snapshot inherits the encryption state and KMS key of the DB instance. A snapshot of an encrypted instance is therefore always encrypted:

aws rds create-db-snapshot \
  --db-snapshot-identifier my-new-encrypted-snapshot \
  --db-instance-identifier mydbinstance \
  --region YOUR-REGION

Automating Compliance with AWS Config

To automate the process of ensuring that all RDS DB snapshots are encrypted, you can use AWS Config to monitor and enforce the rule.

Creating an AWS Config rule to enforce encryption:

aws configservice put-config-rule \
  --config-rule '{
      "ConfigRuleName": "encrypted-rds-snapshots",
      "Scope": {
          "ComplianceResourceTypes": ["AWS::RDS::DBSnapshot"]
      },
      "Source": {
          "Owner": "AWS",
          "SourceIdentifier": "RDS_SNAPSHOT_ENCRYPTED"
      }
  }'

RDS_SNAPSHOT_ENCRYPTED is the identifier of the AWS Config managed rule rds-snapshot-encrypted, which checks whether RDS DB snapshots are encrypted. This rule takes no input parameters, so no KMS key is passed; any snapshot with Encrypted set to false is reported as NON_COMPLIANT.

By following the steps outlined above, you can ensure that your AWS environment is compliant with security best practices and potential regulatory requirements for encrypted RDS DB snapshots. This not only fortifies your data protection efforts but also aligns with AWS Audit Manager Control Tower Guardrails, supporting your overall compliance posture.
