Check if RDS DB instance encryption at rest is enabled to ensure data security.
Rule | RDS DB instance encryption at rest should be enabled
Framework | CISA-cyber-essentials
Severity | Low
RDS DB Instance Encryption at Rest Rule Description
This rule enforces the requirement to enable encryption at rest for RDS (Relational Database Service) DB instances, specifically for compliance with CISA (Cybersecurity and Infrastructure Security Agency) Cyber Essentials framework.
Enabling encryption at rest provides an added layer of security by encrypting the data stored on the RDS DB instance's underlying storage volume. This ensures that data remains protected, even if the physical storage media is compromised.
Troubleshooting Steps (if applicable)
If encryption at rest is not enabled for RDS DB instances, follow these troubleshooting steps:
Verify Encryption Status: Check the encryption status of the RDS DB instance. This can be done by accessing the AWS Management Console, navigating to the RDS service, and selecting the target DB instance. In the "Configuration" tab, verify if the "Encryption" setting is enabled.
Verify Encryption Key: Check if a valid encryption key is attached to the RDS DB instance. If no key is attached, create a new key or select an existing key from the AWS Key Management Service (KMS).
Check IAM Permissions: Ensure that the IAM (Identity and Access Management) user/role associated with the DB instance has the necessary permissions to access and use the encryption key. Verify that the IAM policy includes the required permissions for key usage.
Restarting the DB Instance: In some cases, enabling encryption at rest may require the DB instance to be restarted. Make sure to plan the restart during a maintenance window or a suitable time for minimal disruption.
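The "Verify Encryption Status" step above can also be done programmatically. The following is an added example, not code from the original rule page: it evaluates the control offline against a constructed `aws rds describe-db-instances` style response (the instance identifiers and the KMS key ARN are made up), flags every instance whose `StorageEncrypted` field is not true, and, through `evaluate_account`, runs the same logic over a live region when given a real boto3 RDS client.

```python
"""Added example (not part of the original rule page): evaluate the
"RDS DB instance encryption at rest should be enabled" control offline
against the shape of an `aws rds describe-db-instances` response, and
optionally against a live account through boto3."""

# Constructed sample response; identifiers and the key ARN are made up.
SAMPLE_RESPONSE = {
    "DBInstances": [
        {
            "DBInstanceIdentifier": "orders-prod",
            "StorageEncrypted": True,
            "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
        },
        {
            "DBInstanceIdentifier": "reporting-dev",
            "StorageEncrypted": False,
        },
        {
            # Field absent: treat as unencrypted rather than silently passing it.
            "DBInstanceIdentifier": "legacy-test",
        },
    ]
}


def evaluate_instances(response):
    """Return {identifier: (status, reason)} where status is 'ok' or 'alarm'.

    The control passes only when StorageEncrypted is exactly True; a
    missing or false field is an alarm.
    """
    results = {}
    for inst in response.get("DBInstances", []):
        ident = inst["DBInstanceIdentifier"]
        if inst.get("StorageEncrypted") is True:
            key = inst.get("KmsKeyId", "<unknown key>")
            results[ident] = ("ok", f"storage encrypted with {key}")
        else:
            results[ident] = ("alarm", "storage is not encrypted at rest")
    return results


def noncompliant_instances(response):
    """Identifiers that fail the control, sorted for stable reporting."""
    return sorted(
        ident for ident, (status, _) in evaluate_instances(response).items()
        if status == "alarm"
    )


def evaluate_account(rds_client):
    """Evaluate every instance visible to `rds_client` (a boto3 RDS client).

    Uses the describe_db_instances paginator; each page has the same shape
    as SAMPLE_RESPONSE, so the offline logic above is reused unchanged.
    """
    merged = {"DBInstances": []}
    for page in rds_client.get_paginator("describe_db_instances").paginate():
        merged["DBInstances"].extend(page["DBInstances"])
    return evaluate_instances(merged)


if __name__ == "__main__":
    for ident, (status, reason) in evaluate_instances(SAMPLE_RESPONSE).items():
        print(f"{status:5} {ident}: {reason}")
```

Running the module prints one line per instance; with boto3 installed and credentials configured, `evaluate_account(boto3.client("rds"))` produces the same dictionary for the configured region.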
Necessary Codes (if applicable)
If encryption at rest is not enabled, you may need to execute the following commands. Note that aws rds modify-db-instance has no --storage-encrypted option: RDS only lets encryption be chosen when an instance is created, so an existing unencrypted instance is re-created from an encrypted copy of its snapshot:
aws rds create-db-snapshot --db-instance-identifier [DB_INSTANCE_IDENTIFIER] --db-snapshot-identifier [DB_INSTANCE_IDENTIFIER]-plain
aws rds copy-db-snapshot --source-db-snapshot-identifier [DB_INSTANCE_IDENTIFIER]-plain --target-db-snapshot-identifier [DB_INSTANCE_IDENTIFIER]-encrypted --kms-key-id [KMS_KEY_ID]
aws rds restore-db-instance-from-db-snapshot --db-instance-identifier [NEW_DB_INSTANCE_IDENTIFIER] --db-snapshot-identifier [DB_INSTANCE_IDENTIFIER]-encrypted
Replace [DB_INSTANCE_IDENTIFIER] with the actual identifier of the target RDS DB instance, [KMS_KEY_ID] with the KMS key to encrypt with, and [NEW_DB_INSTANCE_IDENTIFIER] with the identifier for the encrypted replacement. Wait for each snapshot to become available (for example with aws rds wait db-snapshot-available) before running the next command; the original instance remains in place until you cut over to the new one.
Step-by-Step Guide for Remediation
To enable encryption at rest for an RDS DB instance, follow these step-by-step instructions:
Access the AWS Management Console: Open any web browser, navigate to the AWS Management Console (https://console.aws.amazon.com/), and sign in to your AWS account.
Go to RDS Service: Click on the "Services" dropdown and select "RDS" from the list of available services.
Choose the Target DB Instance: In the RDS dashboard, click on the DB instance that needs encryption at rest enabled. Make sure you have the necessary permissions to perform configuration changes.
Navigate to "Configuration": Select the "Configuration" tab in the details section of the DB instance.
Verify Encryption Status: Scroll down to the "Encryption" section to check the current encryption status. If encryption is already enabled, there is no further action required. If not, proceed to the next step.
Modify DB Instance: Click on the "Modify" button at the top of the page to modify the DB instance's configuration.
Enable Encryption at Rest: In the "Storage" section, enable the "Enable Encryption" checkbox. If you have an existing encryption key, select it from the drop-down menu. Otherwise, create a new key or use the default AWS-managed key.
Apply Changes: Scroll down to the bottom of the page and click on the "Continue" button to proceed with the modification.
Review and Apply Changes: On the next page, review the changes summary to ensure that encryption at rest is enabled. If everything looks correct, click on the "Modify DB Instance" button to apply the changes.
Monitor the Update: Wait for the modification process to complete. Depending on the DB instance size, it may take a few minutes to finish.
Verify Encryption Enabled: Once the modification is completed successfully, revisit the DB instance configuration tab and verify that the encryption at rest status is now enabled.
By following these steps, you can enable encryption at rest for an RDS DB instance, ensuring compliance with CISA Cyber Essentials guidelines.
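The following is an added example, not code from the original page, showing the snapshot-based remediation as a single checked procedure: take a snapshot, copy it with a KMS key so the copy is encrypted, restore a new instance from the encrypted copy, and verify that the result actually reports `StorageEncrypted` before declaring success. The RDS client is injected so the flow can be exercised offline with the `RecordingRDS` stub defined here; with boto3 installed, pass `boto3.client("rds")` instead. The instance names, snapshot suffixes and KMS key ARN are assumptions for the example.

```python
"""Added example (not from the original page): re-create an unencrypted RDS
instance as an encrypted one via snapshot -> encrypted snapshot copy ->
restore. Encryption cannot be switched on for an existing instance, so this
is the path to take. The client is injected: boto3.client("rds") in real
use, RecordingRDS below for offline exercise."""


def encrypt_via_snapshot_copy(rds, instance_id, kms_key_id, wait=True):
    """Return the identifier of the new encrypted instance.

    Mirrors the CLI sequence create-db-snapshot, copy-db-snapshot
    --kms-key-id, restore-db-instance-from-db-snapshot. The source instance
    is left untouched; cut-over and deletion are separate, deliberate steps.
    """
    plain_snap = f"{instance_id}-plain"          # assumed naming convention
    enc_snap = f"{instance_id}-encrypted"
    new_instance = f"{instance_id}-enc"

    rds.create_db_snapshot(DBInstanceIdentifier=instance_id,
                           DBSnapshotIdentifier=plain_snap)
    if wait:
        rds.get_waiter("db_snapshot_completed").wait(DBSnapshotIdentifier=plain_snap)

    # The copy is where encryption happens: KmsKeyId makes the target encrypted.
    rds.copy_db_snapshot(SourceDBSnapshotIdentifier=plain_snap,
                         TargetDBSnapshotIdentifier=enc_snap,
                         KmsKeyId=kms_key_id)
    if wait:
        rds.get_waiter("db_snapshot_available").wait(DBSnapshotIdentifier=enc_snap)

    # Restoring from an encrypted snapshot yields an encrypted instance.
    rds.restore_db_instance_from_db_snapshot(DBInstanceIdentifier=new_instance,
                                             DBSnapshotIdentifier=enc_snap)
    if wait:
        rds.get_waiter("db_instance_available").wait(DBInstanceIdentifier=new_instance)

    # Verify rather than assume: the restored instance must report encryption.
    desc = rds.describe_db_instances(DBInstanceIdentifier=new_instance)["DBInstances"][0]
    if not desc.get("StorageEncrypted"):
        raise RuntimeError(f"{new_instance} restored without StorageEncrypted=True")
    return new_instance


class RecordingRDS:
    """Offline stand-in for a boto3 RDS client: records calls, fakes responses.

    restored_encrypted controls what describe_db_instances reports, so the
    verification failure path can be exercised too.
    """

    def __init__(self, restored_encrypted=True):
        self.calls = []
        self.restored_encrypted = restored_encrypted

    def __getattr__(self, name):
        def method(**kwargs):
            self.calls.append((name, kwargs))
            if name == "describe_db_instances":
                return {"DBInstances": [{
                    "DBInstanceIdentifier": kwargs["DBInstanceIdentifier"],
                    "StorageEncrypted": self.restored_encrypted}]}
            return {}
        return method


if __name__ == "__main__":
    # Constructed dry run; the key ARN is made up.
    stub = RecordingRDS()
    new_id = encrypt_via_snapshot_copy(
        stub, "reporting-dev",
        "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID", wait=False)
    for call, params in stub.calls:
        print(call, params)
    print("new instance:", new_id)
```

Against a real client leave `wait=True` so each step blocks on the corresponding RDS waiter; the final `describe_db_instances` check is what turns "the commands ran" into "the control is now satisfied".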