
Rule: RDS DB Snapshots Should Be Encrypted at Rest

This rule ensures that RDS DB snapshots are encrypted to maintain data security.

Rule: RDS DB snapshots should be encrypted at rest
Framework: NIST 800-53 Revision 5
Severity: Medium

Rule Description:

RDS DB snapshots should be encrypted at rest to comply with the security requirement outlined in NIST 800-53 Revision 5. Encrypting DB snapshots adds an additional layer of protection to the data stored in the RDS database.

Troubleshooting Steps:

  1. Verify that the RDS instance is using the appropriate encryption setting.
  2. Check whether automated DB snapshots (automated backups) are enabled.
  3. Ensure that the proper permissions are granted to the IAM role associated with the RDS instance.

Necessary Codes:

There are no specific codes required for this rule. However, you can use the AWS Command Line Interface (CLI) to configure the encryption for RDS DB snapshots.

Step-by-Step Guide for Remediation:

1. Verify Encryption Setting:

  1. Open the AWS Management Console and navigate to the Amazon RDS service.
  2. Select the RDS DB instance whose encryption setting you want to verify.

2. Check Automatic DB Snapshot Feature:

  1. In the RDS console, select the RDS instance.
  2. Go to the "Configuration" tab.
  3. Check that a "Backup retention period" greater than zero is set, which means automated backups (and therefore automated snapshots) are configured.
  4. If automated backups are not enabled, enable them.

3. Grant Necessary Permissions:

  1. Identify the IAM role associated with the RDS instance.
  2. Ensure that the IAM role has the necessary permissions to access and manage encrypted snapshots.
     • Specifically, it should have permissions such as "rds:CreateDBSnapshot", "rds:DeleteDBSnapshot" and "rds:CopyDBSnapshot".

CLI Command for Encryption:

You can use the AWS CLI to create an encrypted copy of an existing RDS DB snapshot. Note that an existing unencrypted snapshot cannot be encrypted in place, and modify-db-instance has no option for turning on storage encryption on a running instance; the supported path is copy-db-snapshot with a KMS key. Here's an example command:

aws rds copy-db-snapshot \
    --source-db-snapshot-identifier <snapshot-id> \
    --target-db-snapshot-identifier <snapshot-id>-encrypted \
    --kms-key-id <kms-key-id>

Make sure to replace <snapshot-id> with the identifier of the snapshot you want an encrypted copy of, and <kms-key-id> with the ID, ARN or alias of the KMS key to encrypt it with. To make future automated snapshots encrypted as well, restore a new DB instance from the encrypted copy and retire the unencrypted instance, since automated snapshots inherit the encryption state of their source instance.
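The check and remediation described above, as an added example that is not part of the original rule page or Cloud Defense's own tooling: a small Python script that runs over the JSON shape returned by "aws rds describe-db-instances" and "aws rds describe-db-snapshots", reports every snapshot whose Encrypted flag is not true, flags instances that will keep producing non-compliant snapshots (unencrypted storage or backups disabled), and emits one copy-db-snapshot command per unencrypted snapshot. The sample records, account ID, key identifiers and snapshot names are constructed placeholders; in a real account you would feed it the output of those two CLI calls instead.

```python
import json

# Constructed sample output (not real account data) in the shape returned by
# `aws rds describe-db-instances` and `aws rds describe-db-snapshots`, trimmed
# to the fields this check reads. Account ID and key IDs are placeholders.
SAMPLE_INSTANCES = json.loads("""
{"DBInstances": [
  {"DBInstanceIdentifier": "orders-db", "StorageEncrypted": true,
   "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/PLACEHOLDER-KEY-ID",
   "BackupRetentionPeriod": 7},
  {"DBInstanceIdentifier": "legacy-db", "StorageEncrypted": false,
   "BackupRetentionPeriod": 0}
]}
""")

SAMPLE_SNAPSHOTS = json.loads("""
{"DBSnapshots": [
  {"DBSnapshotIdentifier": "rds:orders-db-2024-01-01-03-00",
   "DBInstanceIdentifier": "orders-db", "SnapshotType": "automated",
   "Encrypted": true,
   "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/PLACEHOLDER-KEY-ID"},
  {"DBSnapshotIdentifier": "legacy-db-manual-1",
   "DBInstanceIdentifier": "legacy-db", "SnapshotType": "manual",
   "Encrypted": false},
  {"DBSnapshotIdentifier": "rds:legacy-db-2024-01-01-03-00",
   "DBInstanceIdentifier": "legacy-db", "SnapshotType": "automated",
   "Encrypted": false}
]}
""")


def unencrypted_snapshots(snapshots_output):
    """Return the identifiers of snapshots whose Encrypted flag is not true.

    A missing flag is treated as unencrypted so a truncated record is never
    silently counted as compliant.
    """
    return [
        snap["DBSnapshotIdentifier"]
        for snap in snapshots_output["DBSnapshots"]
        if not snap.get("Encrypted", False)
    ]


def instance_findings(instances_output):
    """Map instance id -> problems that will keep producing non-compliant
    snapshots: unencrypted storage (automated snapshots inherit the instance's
    encryption state) and automated backups switched off (retention 0).
    """
    findings = {}
    for inst in instances_output["DBInstances"]:
        problems = []
        if not inst.get("StorageEncrypted", False):
            problems.append("storage not encrypted; automated snapshots will be unencrypted")
        if inst.get("BackupRetentionPeriod", 0) == 0:
            problems.append("automated backups disabled (BackupRetentionPeriod is 0)")
        if problems:
            findings[inst["DBInstanceIdentifier"]] = problems
    return findings


def remediation_commands(snapshots_output, kms_key_id):
    """Build one `aws rds copy-db-snapshot` command per unencrypted snapshot.

    RDS cannot encrypt a snapshot in place; the fix is an encrypted copy made
    with --kms-key-id. Automated snapshot names carry an "rds:" prefix that is
    valid as a source identifier but not as a target identifier, so strip it.
    """
    commands = []
    for snap in snapshots_output["DBSnapshots"]:
        if snap.get("Encrypted", False):
            continue
        source = snap["DBSnapshotIdentifier"]
        base = source[len("rds:"):] if source.startswith("rds:") else source
        target = base + "-encrypted"
        commands.append(
            "aws rds copy-db-snapshot"
            f" --source-db-snapshot-identifier {source}"
            f" --target-db-snapshot-identifier {target}"
            f" --kms-key-id {kms_key_id}"
        )
    return commands


if __name__ == "__main__":
    for snapshot_id in unencrypted_snapshots(SAMPLE_SNAPSHOTS):
        print(f"NON-COMPLIANT snapshot: {snapshot_id}")
    for instance_id, problems in instance_findings(SAMPLE_INSTANCES).items():
        print(f"instance {instance_id}: " + "; ".join(problems))
    # Placeholder key alias; substitute the real KMS key for the account.
    for cmd in remediation_commands(SAMPLE_SNAPSHOTS, "alias/PLACEHOLDER-KEY-ALIAS"):
        print(cmd)
```

The copy commands only close the gap for snapshots that already exist; the instance findings are what stop it reopening, because an unencrypted instance will produce an unencrypted automated snapshot at the next backup window. Once the encrypted copies are verified, the unencrypted manual originals can be deleted, while unencrypted automated snapshots age out with the retention period.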

Summary:

By following the provided steps, you can comply with the NIST 800-53 Revision 5 requirement and ensure that RDS DB snapshots are encrypted at rest. Regularly verify the encryption settings and ensure that automated backups are enabled to maintain a secure environment for your RDS databases.
