
Rule: RDS DB Snapshots Should Be Encrypted at Rest

This rule ensures that RDS DB snapshots are encrypted to maintain data security.

Rule: RDS DB snapshots should be encrypted at rest
Framework: NIST 800-53 Revision 5
Severity: Medium

Rule Description:

RDS DB snapshots should be encrypted at rest to satisfy the NIST 800-53 Revision 5 control for protection of information at rest (SC-28). A snapshot is a full copy of the database's storage: an unencrypted snapshot can be copied, shared with another AWS account, or exported in cleartext, so anyone who gains rights over the snapshot gains the data. An encrypted snapshot is unreadable without decrypt access to the KMS key it was encrypted with, which puts a second, independently auditable control (the KMS key policy) in front of the data. Note that a snapshot inherits the encryption state of the DB instance it was taken from: snapshots of an unencrypted instance are always unencrypted, and snapshots of an encrypted instance are always encrypted.

Troubleshooting Steps:

  1. Check whether the snapshot is already encrypted. In the output of aws rds describe-db-snapshots the Encrypted field is a boolean (true/false) and, for encrypted snapshots, KmsKeyId names the key; there is no "Encrypted" value in the Status field.
  2. Check whether the source DB instance itself has storage encryption enabled (StorageEncrypted in aws rds describe-db-instances). If it does not, every future automated snapshot of that instance will also be unencrypted, so copying individual snapshots only treats the symptom.
  3. Confirm that the identity used for remediation is allowed to call rds:CopyDBSnapshot (and rds:DeleteDBSnapshot / rds:RestoreDBInstanceFromDBSnapshot if you follow the full procedure below) and is allowed by the KMS key policy to use the chosen key; the copy fails if the key policy does not grant the caller access.
  4. Use a current version of the AWS CLI (or SDK); older versions may lack newer RDS parameters.

Necessary Codes:

RDS cannot encrypt an existing snapshot in place: aws rds modify-db-snapshot only changes the engine version or option group of a snapshot and has no encryption parameters. The supported path is to create an encrypted copy of the snapshot with a KMS key, then retire the unencrypted original:

aws rds copy-db-snapshot --source-db-snapshot-identifier <snapshot-identifier> --target-db-snapshot-identifier <encrypted-snapshot-identifier> --kms-key-id <kms-key-id>

Passing --kms-key-id when the source is unencrypted produces an encrypted copy. The key must be in the same region as the target snapshot. If the snapshot ever needs to be shared with another account, encrypt it with a customer managed key: snapshots encrypted with the AWS managed key (aws/rds) cannot be shared.

Step-by-Step Guide for Remediation:

  1. Identify the unencrypted snapshots in the region. The following query lists each snapshot whose Encrypted flag is false together with its source instance:

aws rds describe-db-snapshots --query 'DBSnapshots[?Encrypted==`false`].[DBSnapshotIdentifier,DBInstanceIdentifier,SnapshotType,Status]' --output table

  2. Ensure that you have the permissions listed under Troubleshooting Steps and that the KMS key policy allows your identity to use the target key.

  3. Open the AWS CLI (or any tool built on an AWS SDK) with credentials for the account that owns the snapshots.

  4. Create an encrypted copy of each snapshot. The source must be in the available state before it can be copied:

aws rds copy-db-snapshot --source-db-snapshot-identifier <snapshot-identifier> --target-db-snapshot-identifier <encrypted-snapshot-identifier> --kms-key-id <kms-key-id>

Replace
<snapshot-identifier>
with the identifier of the unencrypted snapshot (automated snapshots carry an rds: prefix in their identifier),
<encrypted-snapshot-identifier>
with a new name for the copy (letters, digits and hyphens only, so the rds: prefix cannot be reused), and
<kms-key-id>
with the ID, ARN or alias of the KMS key to encrypt with.

  5. Wait for the copy to finish. The copy is asynchronous; check its state with:

aws rds describe-db-snapshots --db-snapshot-identifier <encrypted-snapshot-identifier>

Replace
<encrypted-snapshot-identifier>
with the name you gave the copy. The copy is ready when Status is "available".

  6. Verify in the same output that Encrypted is true and that KmsKeyId is the key you intended. A copy made without --kms-key-id from an unencrypted source is itself unencrypted, so do not skip this check.

  7. Delete the unencrypted original once the copy is verified, otherwise the finding remains and the cleartext data is still stored:

aws rds delete-db-snapshot --db-snapshot-identifier <snapshot-identifier>

Automated snapshots cannot be deleted manually; they expire according to the instance's backup retention period.

  8. Fix the root cause. Storage encryption cannot be enabled on an existing DB instance, so if the source instance is unencrypted, restore a new instance from the encrypted copy, cut applications over to it, and retire the old instance; every snapshot of the new instance will then be encrypted automatically:

aws rds restore-db-instance-from-db-snapshot --db-instance-identifier <new-instance-identifier> --db-snapshot-identifier <encrypted-snapshot-identifier>

  9. Repeat the above steps for any other unencrypted snapshots, in every region in use.

By following these steps, you can ensure that your RDS DB snapshots comply with the NIST 800-53 Revision 5 security control for encryption at rest.
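The audit and copy steps above are easy to get wrong at scale: the Encrypted field must be read as a boolean, automated snapshot names need their rds: prefix stripped before they can be used as a copy target, and snapshots that are not yet available cannot be copied. The following Python script is an added example, not code from Cloud Defense or from AWS; it reads the JSON that aws rds describe-db-snapshots produces (a constructed sample is embedded so it runs offline), lists the unencrypted snapshots, emits the copy-db-snapshot commands for them, and reports which DB instances still need to be migrated to encrypted storage. The KMS key alias, account ID, snapshot names and region are assumed values.

```python
"""Audit RDS snapshots for encryption at rest and build a remediation plan.

SAMPLE_DESCRIBE_OUTPUT is a constructed stand-in for the JSON returned by
`aws rds describe-db-snapshots --output json`. To run against a real account:
    aws rds describe-db-snapshots --output json > snapshots.json
and pass the file's contents to the functions below. (Added example; the
identifiers, account ID and key alias are assumptions, not real resources.)
"""
import json
import shlex

SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "DBSnapshots": [
        {"DBSnapshotIdentifier": "orders-prod-2024-03-01",
         "DBInstanceIdentifier": "orders-prod", "SnapshotType": "manual",
         "Status": "available", "Encrypted": False},
        # Automated snapshots carry an "rds:" prefix in their identifier.
        {"DBSnapshotIdentifier": "rds:orders-prod-2024-03-02-03-00",
         "DBInstanceIdentifier": "orders-prod", "SnapshotType": "automated",
         "Status": "available", "Encrypted": False},
        {"DBSnapshotIdentifier": "billing-prod-2024-03-01",
         "DBInstanceIdentifier": "billing-prod", "SnapshotType": "manual",
         "Status": "available", "Encrypted": True,
         "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555"},
        # Still being created: cannot be copied yet.
        {"DBSnapshotIdentifier": "reports-prod-2024-03-01",
         "DBInstanceIdentifier": "reports-prod", "SnapshotType": "manual",
         "Status": "creating", "Encrypted": False},
    ]
})


def find_unencrypted_snapshots(describe_json: str) -> list[dict]:
    """Return the snapshots whose Encrypted flag is false.

    Encrypted is a boolean in the API response; Status never says
    "Encrypted", so the check must look at the boolean, not at Status.
    """
    data = json.loads(describe_json)
    return [s for s in data.get("DBSnapshots", []) if not s.get("Encrypted", False)]


def remediation_plan(describe_json: str, kms_key_id: str, region: str) -> list[str]:
    """Build one `aws rds copy-db-snapshot` command per unencrypted snapshot.

    RDS cannot encrypt a snapshot in place; copying with --kms-key-id yields
    a new, encrypted snapshot. Target identifiers may contain only letters,
    digits and hyphens, so the "rds:" prefix of automated snapshots is
    stripped. Snapshots that are not yet available are reported, not copied.
    """
    commands = []
    for snap in find_unencrypted_snapshots(describe_json):
        src = snap["DBSnapshotIdentifier"]
        if snap.get("Status") != "available":
            commands.append(f"# skip {src}: status is {snap.get('Status')}, retry when available")
            continue
        target = src.removeprefix("rds:") + "-encrypted"
        commands.append(
            "aws rds copy-db-snapshot "
            f"--region {region} "
            f"--source-db-snapshot-identifier {shlex.quote(src)} "
            f"--target-db-snapshot-identifier {shlex.quote(target)} "
            f"--kms-key-id {shlex.quote(kms_key_id)}"
        )
    return commands


def instances_needing_encryption(describe_json: str) -> list[str]:
    """DB instances that are still producing unencrypted snapshots.

    Copying snapshots fixes the symptom only: every future automated snapshot
    of an unencrypted instance is unencrypted again. The durable fix is to
    restore the instance from an encrypted copy, because storage encryption
    cannot be switched on for an existing instance.
    """
    return sorted({s["DBInstanceIdentifier"] for s in find_unencrypted_snapshots(describe_json)})


if __name__ == "__main__":
    key = "alias/rds-snapshots"  # assumed customer managed key alias
    for line in remediation_plan(SAMPLE_DESCRIBE_OUTPUT, key, "us-east-1"):
        print(line)
    print("instances to migrate to encrypted storage:",
          instances_needing_encryption(SAMPLE_DESCRIBE_OUTPUT))
```

The script only prints commands; review them, run them, then confirm each copy with describe-db-snapshots (Encrypted true, expected KmsKeyId, Status available) before deleting the unencrypted originals. A customer managed key alias is used rather than aws/rds so that the encrypted copies can later be shared across accounts if required.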
