Products

Solutions

Company

Book A Live Demo

Rule: RDS DB Instance Encryption at Rest Enabled

This rule ensures that RDS DB instance encryption at rest is enabled for enhanced security measures.

Rule	RDS DB instance encryption at rest should be enabled
Framework	GxP EU Annex 11
Severity	✔ Low

Rule Description

RDS DB instance encryption at rest should be enabled for GxP EU Annex 11 compliance. This rule ensures that all data stored in the RDS database instances is encrypted to meet the security requirements outlined in GxP EU Annex 11 regulations. By enabling encryption at rest, the sensitive data stored in the RDS DB instance is protected from unauthorized access and enhances the overall security posture of the system.

Remediation Steps

1. Check if Encryption at Rest is Enabled

First, you need to verify whether encryption at rest is already enabled for the RDS DB instance. Here's how you can do it:

1.
Open the AWS Management Console and navigate to the Amazon RDS service.

2.
Choose the appropriate region where the RDS DB instance is located.

3.
Select the RDS DB instance in question from the list of instances.

4.
In the Overview tab, check the Storage section.

5.
If the Storage encryption field shows "Enabled," then encryption at rest is already enabled. Proceed to the next step only if it is disabled.

2. Modify DB Instance to Enable Encryption at Rest

To enable encryption at rest for the RDS DB instance, follow these steps:

1.
Open the AWS Management Console and navigate to the Amazon RDS service.

2.
Choose the appropriate region where the RDS DB instance is located.

3.
Select the RDS DB instance that needs encryption at rest enabled.

4.
Click on the Actions button and select Modify from the dropdown menu.

5.
Scroll down to the Storage section.

6.
In the Storage section, enable the Enable encryption at rest checkbox.

7.
Optionally, you can also choose the type of key to use for encryption by selecting a customer-managed key (CMK) from the Master Key dropdown. If you don't select a CMK, RDS will use the default AWS managed key (AWS KMS key).

8.
Review the changes and click on Modify DB Instance to apply the encryption at rest settings.

3. Monitor Encryption Status

Once the modification is complete, monitor the status of encryption at rest for the RDS DB instance:

1.
Go back to the list of RDS DB instances in the AWS Management Console.

2.
Select the modified RDS DB instance.

3.
In the Overview tab, verify that the Storage encryption field now displays "Enabled."

4.
Additionally, you can also use the AWS CLI or SDKs to check the encryption status programmatically.

Troubleshooting

Issue: Encryption at Rest Failed to Enable

If enabling encryption at rest encounters an error or fails, follow these steps to troubleshoot the issue:

1.
Go to the AWS Management Console and navigate to the Amazon RDS service.

2.
Select the appropriate region where the RDS DB instance is located.

3.
Choose the RDS DB instance that failed to enable encryption at rest.

4.
Check the Events & Logs section for any error messages related to the encryption process.

5.
Ensure that the necessary IAM permissions are assigned to the IAM user/role making the modification request.

6.
Check if the AWS Key Management Service (KMS) endpoint is accessible and functioning correctly.

7.
Verify if the selected customer-managed key (CMK) exists and has the required permissions.

8.
If the issue persists, consider contacting AWS Support for further assistance.

Additional Information

Enabling encryption at rest for RDS DB instances provides an extra layer of security and ensures compliance with GxP EU Annex 11 regulations.
Encryption at rest protects data stored on disk, snapshots, automated backups, and read replicas.
AWS Key Management Service (KMS) is used to manage encryption keys and can be integrated with RDS for encryption at rest.
Encryption at rest does not impact the performance of the RDS DB instance but offers significant security benefits.

Conclusion

Enabling encryption at rest for RDS DB instances as per GxP EU Annex 11 compliance is crucial to protect sensitive data and ensure the integrity and confidentiality of information. By following the provided remediation steps, you can seamlessly enable encryption at rest and meet the required security standards. Remember to regularly monitor the encryption status and troubleshoot any encountered issues promptly.

Rule: RDS DB Instance Encryption at Rest Enabled

.css-doq6ia{margin:0;font-family:Inter;font-weight:400;font-size:1.2857142857142858rem;line-height:1.5;color:#161857;text-align:left;font-size:26px;font-weight:700;margin-top:1rem;}1. Check if Encryption at Rest is Enabled

.css-doq6ia{margin:0;font-family:Inter;font-weight:400;font-size:1.2857142857142858rem;line-height:1.5;color:#161857;text-align:left;font-size:26px;font-weight:700;margin-top:1rem;}2. Modify DB Instance to Enable Encryption at Rest

.css-doq6ia{margin:0;font-family:Inter;font-weight:400;font-size:1.2857142857142858rem;line-height:1.5;color:#161857;text-align:left;font-size:26px;font-weight:700;margin-top:1rem;}3. Monitor Encryption Status

.css-doq6ia{margin:0;font-family:Inter;font-weight:400;font-size:1.2857142857142858rem;line-height:1.5;color:#161857;text-align:left;font-size:26px;font-weight:700;margin-top:1rem;}Issue: Encryption at Rest Failed to Enable

Is your System Free of Underlying Vulnerabilities? Find Out Now

1. Check if Encryption at Rest is Enabled

2. Modify DB Instance to Enable Encryption at Rest

3. Monitor Encryption Status

Issue: Encryption at Rest Failed to Enable

Is your System Free of Underlying Vulnerabilities?
Find Out Now