This rule ensures that RDS DB snapshots are encrypted at rest to maintain data security.
| Attribute | Value |
|---|---|
| Rule | RDS DB snapshots should be encrypted at rest |
| Framework | CISA-cyber-essentials |
| Severity | Medium |
Rule Description
The RDS DB snapshots in your environment must be encrypted at rest to comply with the CISA Cyber Essentials policy. Encrypting DB snapshots adds an additional layer of security to protect sensitive data stored in your Amazon RDS database.
Remediation Steps
To ensure compliance with the rule, follow the steps below:
1. Enable Encryption for RDS Instance
To enable encryption for your RDS instance, you can modify the instance settings using the AWS Management Console, AWS CLI, or AWS SDKs. The following steps explain the process using the AWS Management Console:
2. Enable Encryption for Existing DB Snapshots
Enabling encryption for existing DB snapshots can be achieved by copying the snapshots and enabling encryption during the copy process. Here's how you can do it:
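The audit-and-copy workflow described in steps 1 and 2 (find the snapshots that are not encrypted, then produce an encrypted copy of each with a KMS key), as an added example that is not part of the original rule page. It is written in Python against the field names returned by the RDS DescribeDBSnapshots API (Encrypted, DBSnapshotIdentifier, SnapshotType, KmsKeyId) and the parameters accepted by CopyDBSnapshot; the snapshot records, the account number and the KMS key ARN are constructed placeholders, and the function names are this example's own. The same check doubles as the periodic review suggested in the notes below.

```python
"""Audit RDS DB snapshots for encryption at rest and plan encrypted copies.

Added example for this rule page (not the rule's own code). The dict shapes
follow the AWS API: DescribeDBSnapshots -> DBSnapshots[] and the parameters
of CopyDBSnapshot. All sample data below is constructed.
"""
from typing import Dict, List

# Constructed sample in the shape of describe_db_snapshots()["DBSnapshots"].
SAMPLE_SNAPSHOTS: List[Dict] = [
    {"DBSnapshotIdentifier": "orders-db-2024-01-01", "DBInstanceIdentifier": "orders-db",
     "SnapshotType": "manual", "Encrypted": False, "Status": "available"},
    {"DBSnapshotIdentifier": "rds:orders-db-2024-01-02-03-04", "DBInstanceIdentifier": "orders-db",
     "SnapshotType": "automated", "Encrypted": False, "Status": "available"},
    {"DBSnapshotIdentifier": "billing-db-2024-01-01", "DBInstanceIdentifier": "billing-db",
     "SnapshotType": "manual", "Encrypted": True, "Status": "available",
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},  # placeholder ARN
]


def find_unencrypted_snapshots(snapshots):
    """Return identifiers of snapshots that fail the rule (Encrypted is false/missing)."""
    return [s["DBSnapshotIdentifier"] for s in snapshots if not s.get("Encrypted", False)]


def plan_encrypted_copy(snapshot, kms_key_id):
    """Build the CopyDBSnapshot parameters that yield an encrypted copy.

    Supplying KmsKeyId to CopyDBSnapshot is what turns encryption on for the
    target; the source snapshot is left untouched, since encryption cannot be
    added to it in place. Automated snapshots carry an "rds:" prefix that is not
    a valid character sequence for a target identifier, so it is stripped.
    """
    source_id = snapshot["DBSnapshotIdentifier"]
    target_id = source_id.removeprefix("rds:") + "-encrypted"
    return {
        "SourceDBSnapshotIdentifier": source_id,
        "TargetDBSnapshotIdentifier": target_id,
        "KmsKeyId": kms_key_id,
        "CopyTags": True,  # keep ownership/cost-allocation tags on the copy
    }


def remediation_plan(snapshots, kms_key_id):
    """Map every non-compliant snapshot id to the CopyDBSnapshot call that fixes it."""
    by_id = {s["DBSnapshotIdentifier"]: s for s in snapshots}
    return {sid: plan_encrypted_copy(by_id[sid], kms_key_id)
            for sid in find_unencrypted_snapshots(snapshots)}


def as_cli(params):
    """Render the same parameters as an AWS CLI command line for a runbook."""
    parts = [
        "aws rds copy-db-snapshot",
        f"--source-db-snapshot-identifier {params['SourceDBSnapshotIdentifier']}",
        f"--target-db-snapshot-identifier {params['TargetDBSnapshotIdentifier']}",
        f"--kms-key-id {params['KmsKeyId']}",
    ]
    if params.get("CopyTags"):
        parts.append("--copy-tags")
    return " \\\n    ".join(parts)


def live_snapshots(region):
    """Fetch all snapshots in one region with boto3 (needs AWS credentials; not run offline)."""
    import boto3  # imported lazily so the sample run does not require it
    paginator = boto3.client("rds", region_name=region).get_paginator("describe_db_snapshots")
    return [s for page in paginator.paginate() for s in page["DBSnapshots"]]


if __name__ == "__main__":
    key_arn = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"  # placeholder
    for sid, params in remediation_plan(SAMPLE_SNAPSHOTS, key_arn).items():
        print(f"# {sid} is not encrypted; create an encrypted copy with:\n{as_cli(params)}\n")
```

In a real account, replace SAMPLE_SNAPSHOTS with the output of live_snapshots(region) and the placeholder ARN with the key you intend to use; once the encrypted copy reaches the available state it can be restored to a new, encrypted DB instance, and the original unencrypted snapshot can then be deleted so the finding does not reappear on the next review.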
Troubleshooting
1. KMS Key Permissions
If you encounter permission errors while enabling encryption for RDS instances or DB snapshots, ensure that your AWS Identity and Access Management (IAM) user has the necessary permissions to access the AWS KMS key. Make sure the user has the kms:Encrypt and kms:Decrypt permissions for the specified key.
2. KMS Key Configuration
If you are unable to find an appropriate AWS KMS key for encryption during the modification or copy process, you might need to create a new key or verify that the existing key has the correct permissions and settings. For more details on KMS key configuration, refer to the AWS Key Management Service documentation.
Additional Notes
Enabling encryption for RDS instances and DB snapshots may have a performance impact because of the additional encryption/decryption overhead. Ensure that your RDS instance has sufficient resources to handle the increased load.
Once encryption is enabled for an RDS instance or DB snapshot, it cannot be disabled. Make sure to carefully choose the appropriate settings and KMS key.
Regularly monitor and review your DB snapshot encryption status to ensure compliance with the policy.