This rule ensures that RDS database snapshots are encrypted at rest for enhanced security.
Rule | RDS DB snapshots should be encrypted at rest
Framework | GxP 21 CFR Part 11
Severity | Medium
Rule Description
RDS (Relational Database Service) is a managed database service provided by AWS (Amazon Web Services). In order to comply with GxP (Good Practices) and 21 CFR Part 11 regulations, it is necessary to ensure that all DB snapshots in the RDS environment are encrypted at rest. This ensures the confidentiality and integrity of sensitive data stored in these snapshots.
Rule Policy
To enforce the rule, the following policy should be implemented:
Troubleshooting Steps
If any issues arise related to the encryption of RDS DB snapshots, the following troubleshooting steps can be followed:
Verify RDS Encryption Status: Ensure that the RDS instances associated with the DB snapshots have encryption enabled. This can be checked through the AWS Management Console or by using the AWS Command Line Interface (CLI).
Check Snapshot Encryption Status: Review the encryption status of each DB snapshot. Identify any unencrypted snapshots that need encryption.
Enable Encryption for Unencrypted Snapshots: Take a backup of any unencrypted snapshots and then encrypt them by creating an encrypted copy under a KMS key (RDS does not encrypt an existing snapshot in place). This can be done using the AWS Management Console or the AWS CLI.
Monitor Encryption Compliance: Regularly review the RDS environment to ensure that all newly created snapshots are automatically encrypted and that there are no unencrypted snapshots present.
Necessary Codes
No specific codes are required for this rule. However, the following AWS CLI commands can be used for monitoring and enforcing the encryption compliance:
aws rds describe-db-snapshots
aws rds copy-db-snapshot --source-db-snapshot-identifier <snapshot-id> --target-db-snapshot-identifier <new-snapshot-id> --kms-key-id <kms-key-id>
Remediation Steps
The following step-by-step guide provides instructions on how to remediate the issue of non-encrypted RDS DB snapshots:
Identify Unencrypted DB Snapshots: List all the RDS DB snapshots in your environment using the AWS Management Console or the AWS CLI command:
aws rds describe-db-snapshots
Enable Encryption for an Unencrypted Snapshot: Select an unencrypted DB snapshot that needs remediation and make a backup of it if necessary, as encrypting the snapshot involves creating a new, encrypted copy of it under a KMS key. Then, use the AWS CLI command to create the encrypted copy:
aws rds copy-db-snapshot --source-db-snapshot-identifier <snapshot-id> --target-db-snapshot-identifier <new-snapshot-id> --kms-key-id <kms-key-id>
Monitor Encryption Compliance: Regularly review the RDS environment to ensure that all newly created DB snapshots are automatically encrypted and no unencrypted snapshots remain.
Repeat for All Unencrypted Snapshots: Repeat the above steps for each unencrypted DB snapshot until all snapshots are encrypted.
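As an added example (not part of this rule page), the script below carries out the "identify" and "enable encryption" steps against the JSON that `aws rds describe-db-snapshots` returns: it flags every snapshot whose Encrypted field is false and builds the corresponding `copy-db-snapshot` remediation command. The sample describe output, snapshot names and KMS key ARN are constructed; the field names follow the real API response shape.

```python
import json
import shlex

# Constructed sample of `aws rds describe-db-snapshots` output (not real data).
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "DBSnapshots": [
        {"DBSnapshotIdentifier": "orders-manual-1", "DBInstanceIdentifier": "orders-db",
         "SnapshotType": "manual", "Status": "available", "Encrypted": False},
        {"DBSnapshotIdentifier": "rds:orders-db-2024-01-01-03-00",
         "DBInstanceIdentifier": "orders-db", "SnapshotType": "automated",
         "Status": "available", "Encrypted": False},
        {"DBSnapshotIdentifier": "orders-manual-2", "DBInstanceIdentifier": "orders-db",
         "SnapshotType": "manual", "Status": "available", "Encrypted": True,
         "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
    ]
})


def find_unencrypted_snapshots(describe_output: str) -> list[dict]:
    """Return every snapshot whose Encrypted flag is false or absent."""
    data = json.loads(describe_output)
    return [s for s in data.get("DBSnapshots", []) if not s.get("Encrypted", False)]


def remediation_plan(describe_output: str, kms_key_id: str) -> list[str]:
    """Build one `copy-db-snapshot` command per unencrypted snapshot.

    RDS cannot encrypt a snapshot in place, so the remediation is an encrypted
    copy under the given KMS key. Automated snapshot names carry the reserved
    'rds:' prefix, which is stripped to form a valid manual target identifier.
    """
    commands = []
    for snap in find_unencrypted_snapshots(describe_output):
        source = snap["DBSnapshotIdentifier"]
        target = source.replace("rds:", "", 1) + "-encrypted"
        commands.append(" ".join([
            "aws rds copy-db-snapshot",
            "--source-db-snapshot-identifier", shlex.quote(source),
            "--target-db-snapshot-identifier", shlex.quote(target),
            "--kms-key-id", shlex.quote(kms_key_id),
        ]))
    return commands


if __name__ == "__main__":
    key = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
    for cmd in remediation_plan(SAMPLE_DESCRIBE_OUTPUT, key):
        print(cmd)
```

The copy leaves the unencrypted original in place, so the monitoring step should confirm the encrypted copy is available and then delete the original, otherwise the rule keeps reporting it.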
By following these steps, you will ensure that all RDS DB snapshots in your environment are encrypted at rest, thus complying with GxP 21 CFR Part 11 regulations.