
Rule: RDS DB Instance Encryption at Rest Enabled

Ensure RDS DB instance encryption at rest is enabled to maintain data security.

Rule: RDS DB instance encryption at rest should be enabled
Framework: NIST 800-53 Revision 5
Severity: Low

Rule Description

"RDS DB instance encryption at rest should be enabled" is a check that flags Amazon RDS (Relational Database Service) DB instances whose underlying storage is not encrypted. It maps to NIST (National Institute of Standards and Technology) Special Publication 800-53 Revision 5, whose control SC-28 (Protection of Information at Rest) requires the confidentiality of stored information to be protected; encryption is the usual mechanism. RDS encryption at rest uses an AWS KMS key and covers the instance's storage volume, automated backups, read replicas and snapshots, so data cannot be read from the storage layer, or from a copied snapshot, without access to that key. By enforcing this rule, organizations protect the data on the storage layer and can demonstrate compliance with the control.

Troubleshooting Steps

If the RDS DB instance encryption at rest is not enabled, follow these troubleshooting steps to rectify the issue. Note that Amazon RDS only sets encryption when a DB instance is created: there is no modify operation that turns it on for an existing instance. The fix is to take a snapshot, copy the snapshot with encryption enabled, and restore a new instance from the encrypted copy.

  1. Verify the current encryption status: Check the StorageEncrypted attribute of the DB instance through the AWS Management Console, AWS CLI, or SDKs. If it is already true, the finding is stale and no change is needed.

  2. Choose a KMS key: RDS encryption uses AWS Key Management Service (KMS). Use an existing customer managed key, create a new one, or use the AWS managed key for RDS (alias/aws/rds). The key must be in the same region as the DB instance, and the identity performing the snapshot copy needs permission to use it.

  3. Snapshot the unencrypted instance: Take a manual DB snapshot. Plan a change window, because writes made after the snapshot is taken are not carried over to the restored instance.

  4. Copy the snapshot with encryption: Copy the snapshot and specify the KMS key in the copy request; the copy is encrypted even though the source snapshot was not.

  5. Restore a new DB instance from the encrypted snapshot: The restored instance inherits the encryption. Specify the parameter group, option group, VPC security groups, subnet group and Multi-AZ setting the original used, because the restore falls back to defaults for anything you do not set.

  6. Cut over and verify: Point applications at the new endpoint, or rename the instances so the original identifier resolves to the encrypted one, confirm StorageEncrypted is true on the new instance, and test that the application reads and writes normally. Read replicas of the old instance cannot be attached to the encrypted one and must be recreated from it. Delete the unencrypted instance and its snapshot once the cutover is confirmed, keeping a final snapshot if your retention policy requires it.

Necessary Codes

If you prefer to perform the remediation with the AWS CLI, the sequence below takes a snapshot of the unencrypted instance, copies it with encryption, and restores a new encrypted instance. Note that aws rds modify-db-instance has no option to enable encryption on an existing instance; the snapshot-copy-restore path is the only route.

  1. Create a KMS key (skip this if you will use an existing customer managed key or the AWS managed key alias/aws/rds):

    aws kms create-key --region <region-name> --description "RDS encryption at rest" \
      --query "KeyMetadata.Arn" --output text

  2. Take a manual snapshot of the unencrypted instance and wait for it to become available:

    aws rds create-db-snapshot --region <region-name> \
      --db-instance-identifier <db-instance-identifier> \
      --db-snapshot-identifier <snapshot-identifier>

    aws rds wait db-snapshot-available --region <region-name> \
      --db-snapshot-identifier <snapshot-identifier>

  3. Copy the snapshot with encryption enabled:

    aws rds copy-db-snapshot --region <region-name> \
      --source-db-snapshot-identifier <snapshot-identifier> \
      --target-db-snapshot-identifier <snapshot-identifier>-encrypted \
      --kms-key-id <kms-key-id>

    aws rds wait db-snapshot-available --region <region-name> \
      --db-snapshot-identifier <snapshot-identifier>-encrypted

  4. Restore a new DB instance from the encrypted snapshot:

    aws rds restore-db-instance-from-db-snapshot --region <region-name> \
      --db-instance-identifier <new-db-instance-identifier> \
      --db-snapshot-identifier <snapshot-identifier>-encrypted

    aws rds wait db-instance-available --region <region-name> \
      --db-instance-identifier <new-db-instance-identifier>

    Replace <db-instance-identifier> with the identifier of the unencrypted instance, <new-db-instance-identifier> with the identifier for its encrypted replacement, <snapshot-identifier> with a name for the manual snapshot, <region-name> with the AWS region, and <kms-key-id> with the key ID, ARN or alias (for example alias/aws/rds) of a KMS key in that region. Add the parameter group, option group, VPC security group, subnet group and Multi-AZ options the original instance used to the restore command; the restore uses defaults for anything you leave out.

  5. Verify encryption status on the new instance:

    aws rds describe-db-instances --region <region-name> \
      --db-instance-identifier <new-db-instance-identifier> \
      --query "DBInstances[*].[DBInstanceIdentifier,StorageEncrypted,KmsKeyId]" --output table

    StorageEncrypted should be True and KmsKeyId should show the ARN of the key you chose. Repoint applications to the new endpoint (or rename the instances with aws rds modify-db-instance --new-db-instance-identifier), recreate any read replicas from the encrypted instance, and delete the unencrypted instance and its snapshot once the cutover is confirmed.
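The CLI check above reports one instance at a time. The Python script below, added here as an example and not part of the Cloud Defense rule implementation, runs the same check over an entire describe-db-instances response and reports each non-compliant instance with a reason; it treats a missing or malformed StorageEncrypted field as non-compliant instead of silently passing it. The sample response embedded in the script is constructed for illustration (identifiers and key ARN are made up), and the --live flag, which shells out to the real AWS CLI, is this example's own option and needs valid credentials.

```python
"""Evaluate RDS DB instances for encryption at rest.

Added example: reads the JSON that `aws rds describe-db-instances` emits and
flags every instance whose storage is not encrypted with a KMS key.
"""
import json
import subprocess
import sys

# Constructed sample in the shape of `aws rds describe-db-instances` output
# (identifiers and key ARN are made up for this example).
SAMPLE_DESCRIBE_OUTPUT = {
    "DBInstances": [
        {
            "DBInstanceIdentifier": "orders-prod",
            "Engine": "postgres",
            "StorageEncrypted": True,
            "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
        },
        {
            "DBInstanceIdentifier": "legacy-reports",
            "Engine": "mysql",
            "StorageEncrypted": False,
        },
        {
            # Field absent entirely: must not pass by accident.
            "DBInstanceIdentifier": "unknown-state",
            "Engine": "mariadb",
        },
    ]
}


def evaluate_instances(db_instances):
    """Return one finding per instance: status 'ok' or 'alarm', a reason, and the key."""
    findings = []
    for db in db_instances:
        ident = db.get("DBInstanceIdentifier", "<unknown>")
        encrypted = db.get("StorageEncrypted")
        if encrypted is True:
            findings.append({"id": ident, "status": "ok",
                             "reason": "StorageEncrypted is true",
                             "kms_key_id": db.get("KmsKeyId")})
        elif encrypted is False:
            findings.append({"id": ident, "status": "alarm",
                             "reason": "StorageEncrypted is false", "kms_key_id": None})
        else:
            # Missing or non-boolean (e.g. the string "true"): fail closed.
            findings.append({"id": ident, "status": "alarm",
                             "reason": "StorageEncrypted missing or not a boolean",
                             "kms_key_id": None})
    return findings


def noncompliant_ids(db_instances):
    """Identifiers of instances that fail the rule, in input order."""
    return [f["id"] for f in evaluate_instances(db_instances) if f["status"] == "alarm"]


def load_live(region):
    """Fetch real data with the AWS CLI (needs credentials; not used by the sample run)."""
    out = subprocess.run(
        ["aws", "rds", "describe-db-instances", "--region", region, "--output", "json"],
        check=True, capture_output=True, text=True,
    ).stdout
    return json.loads(out)["DBInstances"]


def main(argv):
    if len(argv) >= 3 and argv[1] == "--live":
        instances = load_live(argv[2])
    else:
        instances = SAMPLE_DESCRIBE_OUTPUT["DBInstances"]
    for f in evaluate_instances(instances):
        key = f" key={f['kms_key_id']}" if f["kms_key_id"] else ""
        print(f"{f['status']:5} {f['id']}: {f['reason']}{key}")
    # Non-zero exit so a pipeline fails when any instance is unencrypted.
    return 1 if noncompliant_ids(instances) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no arguments to see the verdict on the constructed sample (two alarms), or with `--live <region>` to evaluate the account the CLI is configured for. The exit code makes it usable as a gate in CI or a scheduled job.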

Step-by-Step Guide for Remediation

Follow these step-by-step instructions to replace an unencrypted RDS DB instance with an encrypted one using the AWS Management Console. The Modify page for an existing instance has no encryption option, so the path is snapshot, encrypted copy, restore:

  1. Sign in to the AWS Management Console.
  2. Open the Amazon RDS service.
  3. Choose the region where your target RDS DB instance resides.
  4. In the left navigation pane, select "Databases."
  5. Select the unencrypted DB instance, open the "Actions" menu and choose "Take snapshot." Name the snapshot and wait for its status to become available.
  6. In the left navigation pane, select "Snapshots" and select the snapshot you just created.
  7. From the "Actions" menu, choose "Copy snapshot."
  8. In the encryption section of the copy dialog, enable encryption.
  9. Choose the KMS key to use from the key dropdown. You can pick the AWS managed key for RDS or a customer managed key in the same region; if you need a new customer managed key, create it in the AWS KMS console first.
  10. Start the copy and wait for the encrypted snapshot to become available.
  11. Select the encrypted snapshot and choose "Restore snapshot" from the "Actions" menu.
  12. Enter a new DB instance identifier and set the instance class, VPC, subnet group, security groups, parameter group, option group and Multi-AZ option to match the original instance.
  13. Review the settings and start the restore.
  14. Wait for the new DB instance to become available.
  15. Verify the encryption status by checking that the encryption attribute in the new instance's configuration shows it as enabled with the KMS key you chose.
  16. Test the new DB instance to ensure the application can read and write through the new endpoint, then cut over, recreate any read replicas from the encrypted instance, and delete the unencrypted instance and snapshot once you are satisfied.

By following these steps, you replace the unencrypted DB instance with an encrypted one and satisfy the NIST 800-53 Revision 5 requirement for protection of information at rest.
