Logo of Trend Micro

RDS Encryption Enabled

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: High (not acceptable risk)
Rule ID: RDS-004

Ensure that your RDS database instances are encrypted to fulfill compliance requirements for data-at-rest encryption. The RDS data encryption and decryption is handled transparently and does not require any additional action from you or your application.

This rule can help you with the following compliance standards:

This rule can help you work with the AWS Well-Architected Framework

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Security

When dealing with production databases that hold sensitive and critical data, it is highly recommended to implement encryption in order to protect your data from unauthorized access. With RDS encryption enabled, the data stored on the instance underlying storage, the automated backups, Read Replicas, and snapshots, become all encrypted. The RDS encryption keys implement AES-256 algorithm and are entirely managed and protected by the AWS key management infrastructure through AWS Key Management Service (AWS KMS).

Note: AWS RDS encryption is not available for all database instance types. The instance types that are currently supporting encryption are: db.t2.large, db.m3.medium to db.m3.2xlarge, db.m4.large to db.m4.10xlarge, db.r3.large to db.r3.8xlarge and db.cr1.8xlarge.

Audit

To determine if your RDS database instances are encrypted, perform the following:

Using AWS Console

01 Login to the AWS Management Console.

02 Navigate to RDS dashboard at https://console.aws.amazon.com/rds/.

03 In the navigation panel, under RDS Dashboard, click Instances.

04 Select the RDS instance that you want to examine.

05 Click Instance Actions button from the dashboard top menu and select See Details.

06 Under Encryption Details section, search for the Encryption Enabled status:

If the current status is set to No, data-at-rest encryption is not enabled for the selected RDS database instance

If the current status is set to No, data-at-rest encryption is not enabled for the selected RDS database instance.

07 Repeat steps no. 4 – 6 for each RDS instance provisioned in the current region. Change the AWS region from the navigation bar to repeat the process for other regions.

Using AWS CLI

01 Run describe-db-instances command (OSX/Linux/UNIX) to list all RDS database names, available in the selected AWS region (US East region in this case): 

aws rds describe-db-instances
	--region us-east-1
	--query 'DBInstances[*].DBInstanceIdentifier'

02 The command output should return each database instance identifier (name): 

[
    "prod-mysql-db"
]

03 Run again describe-db-instances command (OSX/Linux/UNIX) using the RDS instance identifier returned earlier, to determine if the selected database instance is currently encrypted: 

aws rds describe-db-instances
	--region us-east-1
	--db-instance-identifier prod-mysql-db
	--query 'DBInstances[*].StorageEncrypted'

04 The command output should return the encryption status (as the StorageEncrypted parameter value) for the selected instance (true for enabled, false for disabled): 

aws rds describe-db-instances
	--region [
    	false
	]

05 If the StorageEncrypted parameter value is set to false, data-at-rest encryption is not enabled for the selected RDS database instance. 

aws rds describe-db-instances
	--region [
	    false
	]

06 Repeat steps no. 1 – 4 for each RDS instance provisioned in the current region. Change the AWS region by using the --region filter to repeat the process for other regions.

Remediation / Resolution

To enable data encryption for your existing RDS instances you need to re-create (back up and restore) them with encryption flag enabled, by performing the following steps:

Using AWS Console

01 Login to the AWS Management Console.

02 Navigate to RDS dashboard at https://console.aws.amazon.com/rds/.

03 In the navigation panel, under RDS Dashboard, click Instances.

04 Select the RDS database instance that you want to encrypt.

05 Click Instance Actions button from the dashboard top menu and select Take Snapshot.

06 On the Take DB Snapshot page, enter a name for the instance snapshot in the Snapshot Name field and click Take Snapshot (the backup process may take few minutes and depends on your instance storage size).

07 Select the new created snapshot and click the Copy Snapshot button from the dashboard top menu.

08 On the Make Copy of DB Snapshot page, perform the following:

  1. In the New DB Snapshot Identifier field, enter a name for the new snapshot (copy).
  2. Check Copy Tags so the new snapshot can have the same tags as the source snapshot.
  3. Select Yes from the Enable Encryption dropdown list to enable encryption. You can choose to use the AWS default encryption key or your custom key (key ARN required) by selecting it from the Master Key dropdown list.

09 Click Copy Snapshot to create an encrypted copy of the selected instance snapshot.

10 Select the new snapshot copy (encrypted) and click Restore Snapshot button from the dashboard top menu. This will restore the encrypted snapshot to a new database instance.

11 On the Restore DB Instance page, enter a unique name for the new database instance in the DB Instance Identifier* field.

12 Review the instance configuration details and click Restore DB Instance.

13 As soon as the new instance provisioning process is completed (its status becomes available), you can update your application configuration to refer to the endpoint:

you can update your application configuration to refer to the endpoint

of the new (encrypted) database instance. Once the database endpoint is changed at your application level, you can remove the unecrypted instance.

14 Repeat steps no. 4 – 13 for each RDS instance that you want to encrypt, available in the current region. Change the AWS region from the navigation bar to repeat the process for other regions.

Using AWS CLI

01 Run describe-db-instances command (OSX/Linux/UNIX) to list all RDS database names (identifiers), available in the selected AWS region: 

aws rds describe-db-instances
	--region us-east-1
	--query 'DBInstances[*].DBInstanceIdentifier'

02 The command output should return each database instance identifier: 

[
    "prod-mysql-db"
]

03 Run create-db-snapshot command (OSX/Linux/UNIX) to create a snapshot for the selected database instance. The following command example creates a snapshot named prod-mysql-db-snapshot from an RDS instance named prod-mysql-db: 

aws rds create-db-snapshot
	--region us-east-1
	--db-snapshot-identifier prod-mysql-db-snapshot
	--db-instance-identifier prod-mysql-db

04 The command output should return the new snapshot metadata: 

{
    "DBSnapshot": {
        "Engine": "mysql",
        "Status": "creating",
        "AvailabilityZone": "us-east-1b",
        "PercentProgress": 0,
        "MasterUsername": "webappdb",
        "Encrypted": false,
        "LicenseModel": "general-public-license",
        "StorageType": "gp2",
        "VpcId": "vpc-f7ac5792",
        "DBSnapshotIdentifier": "prod-mysql-db-snapshot",
        "InstanceCreateTime": "2016-04-30T15:44:26.042Z",
        "OptionGroupName": "default:mysql-5-6",
        "AllocatedStorage": 5,
        "EngineVersion": "5.6.27",
        "SnapshotType": "manual",
        "Port": 3306,
        "DBInstanceIdentifier": "prod-mysql-db"
    }
}

05 Now run list-aliases command (OSX/Linux/UNIX) to list the KMS keys aliases (names) available in specified region: 

aws kms list-aliases
	--region us-east-1

06 The command output should return each key alias currently available. For our RDS encryption activation process, locate the ID (highlighted) of the AWS default KMS key provided for database encryption (alias/aws/rds) 

{
    "Aliases": [
        {
            "AliasArn": "arn:aws:kms:us-east-1:123456789012:alias/aws/ebs",
            "AliasName": "alias/aws/ebs",
            "TargetKeyId": "d6c03026-b0bd-451e-a864-a68355f4f035"
        },
        {
            "AliasArn": "arn:aws:kms:us-east-1:123456789012:alias/aws/rds",
            "AliasName": "alias/aws/rds",
            "TargetKeyId": "8d8d3ab9-db2a-428f-b82e-d38cb05ce1a4"
        },
        {
            "AliasArn": "arn:aws:kms:us-east-1:123456789012:alias/aws/s3",
            "AliasName": "alias/aws/s3"
        }
    ]
}

07 Run copy-db-snapshot command (OSX/Linux/UNIX) using the default KMS key ID for RDS instances returned earlier to create an encrypted copy of the database instance snapshot: 

aws rds copy-db-snapshot
	--region us-east-1
	--source-db-snapshot-identifier prod-mysql-db-snapshot
	--target-db-snapshot-identifier prod-mysql-db-snapshot-encrypted
	--copy-tags
	--kms-key-id 8d8d4bg8-db2a-4268f-b52e-3dbab05ce9a5

08 The command output should return the encrypted instance snapshot (copy) metadata: 

{
    "DBSnapshot": {
        "Engine": "mysql",
        "Status": "creating",
        "AvailabilityZone": "us-east-1b",
        "SourceRegion": "us-east-1",
        "PercentProgress": 0,
        "MasterUsername": "webappdb",
        "Encrypted": true,
        "LicenseModel": "general-public-license",
        "StorageType": "gp2",
        "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:
                     key/8d8d3ab9-db2a-428f-b82e-d38cb05ce1a4",
        "VpcId": "vpc-f7ac5792",
        "SourceDBSnapshotIdentifier": "arn:aws:rds:us-east-1:123456789012:
                                       snapshot:prod-mysql-db-snapshot",
        "DBSnapshotIdentifier": "prod-mysql-db-snapshot-encrypted",
        "InstanceCreateTime": "2016-04-30T15:44:26.042Z",
        "OptionGroupName": "default:mysql-5-6",
        "AllocatedStorage": 5,
        "EngineVersion": "5.6.27",
        "SnapshotType": "manual",
        "Port": 3306,
        "DBInstanceIdentifier": "prod-mysql-db"
    }
}

09 Run restore-db-instance-from-db-snapshot command (OSX/Linux/UNIX) to restore the encrypted snapshot created at the previous step to a new database instance: 

aws rds restore-db-instance-from-db-snapshot
	--region us-east-1
	--db-instance-identifier prod-mysql-db-encrypted
	--db-snapshot-identifier prod-mysql-db-snapshot-encrypted

10 If successful, the command output should return the new encrypted database instance metadata: 

{
    "DBInstance": {
        "PubliclyAccessible": true,
        "MasterUsername": "webappdb",
        "MonitoringInterval": 0,
        "LicenseModel": "general-public-license",
        ...
        "DbiResourceId": "db-GPXVANNOGAXV5BMSEF2U2JEW5A",
        "CACertificateIdentifier": "rds-ca-2015",
        "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:
                     key/8d8d3ab9-db2a-428f-b82e-d38cb05ce1a4",
        "StorageEncrypted": true,
        "DBInstanceClass": "db.m3.medium",
        "DbInstancePort": 0,
        "DBInstanceIdentifier": "prod-mysql-db-encrypted"
    }
}

11 Run describe-db-instances command (OSX/Linux/UNIX) to make sure the new database instance is encrypted: 

aws rds describe-db-instances
	--region us-east-1
	--db-instance-identifier prod-mysql-db-encrypted
	--query 'DBInstances[*].StorageEncrypted'

12 The command output should return the encryption status (as the StorageEncrypted parameter value) for the selected instance (true for enabled, false for disabled): 

[
    true
]

13 Repeat steps no. 1 – 12 for each RDS instance provisioned in the current region. Change the AWS region by using the --region filter to repeat the process for other regions.

References

Publication date May 1, 2016

Related RDS rules

Unlock the Remediation Steps

Gain free unlimited access
to our full Knowledge Base

Over 750 rules & best practices
for AWS and Azure

You are auditing:

RDS Encryption Enabled

Risk level: High