Rule for RDS DB Instance Encryption at Rest
Ensure encryption at rest is enabled for RDS DB instances to protect sensitive data.
| Rule | RDS DB instance encryption at rest should be enabled |
| Framework | NIST Cybersecurity Framework (CSF) v1.1 |
| Severity | ✔ Low |
Rule Description:
RDS DB instance encryption at rest should be enabled to comply with the NIST Cybersecurity Framework (CSF) v1. Encryption at rest provides an extra layer of security by encrypting the data stored in the database instance volumes. This helps protect sensitive information against unauthorized access in case of breaches or physical theft.
Troubleshooting Steps:
If encryption at rest is not enabled for an RDS DB instance, follow these troubleshooting steps:
- 1.Ensure that you have appropriate privileges to enable encryption for the RDS DB instance.
- 2.Verify if the AWS Key Management Service (KMS) key required for encryption is properly configured and accessible.
- 3.Check if the RDS DB instance is in a supported region. Not all regions may support encryption at rest for RDS instances.
- 4.Confirm that the RDS DB instance volume type supports encryption. Some older instance types may not be compatible.
- 5.Check the AWS Management Console, Command Line Interface (CLI), or SDKs to see if encryption at rest is already enabled but not functioning as expected.
- 6.Review the AWS CloudTrail logs for any errors related to encryption at rest.
Necessary Codes:
There are no specific codes required for this rule as it involves enabling encryption at rest for an RDS DB instance. However, you may need to use AWS CLI commands for remediation or verification purposes.
Step-by-step Guide:
Follow these steps to enable encryption at rest for an RDS DB instance:
- 1.Log in to the AWS Management Console.
- 2.Navigate to the Amazon RDS service dashboard.
- 3.Select the appropriate region from the region selector.
- 4.Click on "Databases" in the left-hand menu.
- 5.Choose the RDS DB instance for which you want to enable encryption at rest.
- 6.Click on "Modify" from the "Actions" dropdown menu.
- 7.In the "Modify DB Instance" page, scroll down to the "Storage" section.
- 8.Check the "Enable encryption" option.
- 9.Select the AWS KMS key to be used for encryption. If no key exists, create one using AWS Key Management Service (KMS).
- 10.Review the other modified settings and provide any necessary changes.
- 11.Click on "Continue" and then "Modify DB Instance" to apply the changes.
- 12.Monitor the modification progress in the RDS console.
- 13.Once the modification is completed, encryption at rest will be enabled for the RDS DB instance.
Note: It may take some time for the changes to propagate and encryption to be fully established.