Rule: RDS DB Instance Encryption at Rest Enabled

Ensure RDS DB instance encryption at rest is enabled for improved security

Rule: RDS DB instance encryption at rest should be enabled
Framework: GxP 21 CFR Part 11
Severity: Low

RDS DB Instance Encryption at Rest for GxP 21 CFR Part 11

Description

RDS DB Instance Encryption at Rest is a security feature provided by Amazon Web Services (AWS) that allows for the encryption of data stored in Amazon RDS (Relational Database Service) instances. This is particularly important for organizations operating within the GxP (Good Practice) regulations of 21 CFR Part 11, which is an FDA (Food and Drug Administration) regulation that governs electronic records and signatures.

Enabling RDS DB instance encryption ensures that data stored in the database is protected from unauthorized access and helps organizations meet compliance requirements associated with GxP 21 CFR Part 11.

Troubleshooting Steps

If you encounter any issues while enabling RDS DB instance encryption at rest, follow these troubleshooting steps:

  1. Check IAM (Identity and Access Management) Permissions: Ensure that the IAM user or role you are using has the necessary permissions to enable encryption for the RDS instance. Make sure the IAM user or role has the `rds:ModifyDBInstance` permission.

  2. Verify AWS KMS (Key Management Service) Permissions: If you are using AWS KMS for encryption, confirm that the IAM user or role has the required permissions to access and manage KMS keys. The IAM user or role should have the `kms:CreateKey`, `kms:Encrypt`, and `kms:DescribeKey` permissions.

  3. Review RDS Instance Availability: Check if the RDS instance is available and running. You cannot modify encryption settings for a stopped or inaccessible instance.

  4. Review VPC (Virtual Private Cloud) Configuration: Ensure that the RDS instance is launched within a VPC that has the necessary subnets, security groups, and routing configurations to support encryption at rest.

  5. Check RDS Instance Compatibility: Verify that the RDS database engine and version you are using support encryption at rest. Some older versions may not have this capability.

  6. Review AWS KMS Key Policies: If you are using KMS for encryption, double-check the key policy associated with the KMS key being used. Ensure that the IAM user or role has appropriate key usage permissions.

  7. Review RDS DB Instance Configuration: Validate the configuration of the RDS instance to ensure compatibility with encryption at rest. Check that the instance type, storage type, and other parameters comply with the encryption requirements.

Necessary Codes

No specific code is required to enable RDS DB instance encryption at rest. Encryption can be enabled through the AWS Management Console, the AWS CLI (Command Line Interface), or the AWS SDKs (Software Development Kits).
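As an added example (not code from the original page), the rule itself can be checked offline against the JSON returned by `aws rds describe-db-instances --output json`. The sample response, instance names, account ID and key ARN below are constructed placeholders; the check reads the `StorageEncrypted`, `KmsKeyId` and `DBInstanceStatus` fields and fails closed when `StorageEncrypted` is missing.

```python
import json
import sys
from pathlib import Path

# Constructed sample shaped like `aws rds describe-db-instances --output json`.
# Instance names, account ID and key ARN are placeholders, not real resources.
SAMPLE = json.loads("""
{"DBInstances": [
  {"DBInstanceIdentifier": "batch-records-db", "Engine": "postgres",
   "DBInstanceStatus": "available", "StorageEncrypted": true,
   "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
  {"DBInstanceIdentifier": "legacy-lims-db", "Engine": "mysql",
   "DBInstanceStatus": "available", "StorageEncrypted": false},
  {"DBInstanceIdentifier": "audit-trail-db", "Engine": "mariadb",
   "DBInstanceStatus": "stopped"}
]}
""")


def evaluate(response):
    """Return one finding per DB instance; a missing field fails closed."""
    findings = []
    for db in response.get("DBInstances", []):
        encrypted = db.get("StorageEncrypted") is True
        notes = []
        if not encrypted:
            notes.append("StorageEncrypted is not true")
        elif not db.get("KmsKeyId"):
            notes.append("encrypted but no KmsKeyId reported")
        if db.get("DBInstanceStatus") != "available":
            notes.append("instance is not in the 'available' state")
        findings.append({
            "instance": db.get("DBInstanceIdentifier", "<unknown>"),
            "compliant": encrypted,
            "kms_key": db.get("KmsKeyId") if encrypted else None,
            "notes": notes,
        })
    return findings


def non_compliant(response):
    """Identifiers of the instances that fail the rule."""
    return [f["instance"] for f in evaluate(response) if not f["compliant"]]


if __name__ == "__main__":
    # Optional argument: a file holding real describe-db-instances JSON.
    data = json.loads(Path(sys.argv[1]).read_text()) if len(sys.argv) > 1 else SAMPLE
    for f in evaluate(data):
        print("PASS" if f["compliant"] else "FAIL", f["instance"], "; ".join(f["notes"]))
```
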

Step-by-Step Guide for Enablement

Follow these steps to enable RDS DB instance encryption at rest for GxP 21 CFR Part 11:

  1. Sign in to the AWS Management Console: Go to the AWS Management Console (https://console.aws.amazon.com/) and sign in using your credentials.

  2. Navigate to the RDS Service: Open the AWS Management Console and search for the "RDS" service. Click on it to open the Amazon RDS dashboard.

  3. Select the RDS DB Instance: Choose the desired RDS DB instance for which you want to enable encryption at rest.

  4. Click on "Modify": In the RDS instance details page, click on the "Modify" button to edit the instance settings.

  5. Scroll down to the "Storage" section: Within the modification page, scroll down to the "Storage" section.

  6. Enable Encryption: Under the "Storage" section, find the "Encryption" option and select the desired encryption option. You can choose either "AWS Key Management Service" or "Amazon S3 Key Management Service" based on your preference and requirements.

  7. Configure Encryption Key: If you selected "AWS Key Management Service" as the encryption option, choose the appropriate KMS key from the dropdown list. If you selected "Amazon S3 Key Management Service," enter the Amazon S3 bucket ARN (Amazon Resource Name) and Amazon S3 object ARN in the respective fields.

  8. Save the Changes: After configuring the encryption settings, scroll down to the bottom of the page and click on the "Next" button.

  9. Review and Apply Changes: Review the modifications you made and ensure everything is correct. Once confirmed, click on the "Modify DB Instance" button to apply the changes.

  10. Monitor Encryption Progress: Monitor the progress of the modification to ensure encryption at rest is successfully enabled for the RDS DB instance.

By following these steps, you should be able to enable RDS DB instance encryption at rest for GxP 21 CFR Part 11 compliance.
