Ensure that your Amazon Relational Database Service (RDS) snapshots are encrypted in order to achieve compliance for data-at-rest encryption within your organization. The RDS snapshot encryption and decryption process is handled transparently and does not require any additional action from you or your application. The keys used for AWS RDS database snapshot encryption can be entirely managed and protected by the Amazon Web Services key management infrastructure or fully managed by the AWS customer through Customer Master Keys (CMKs).
This rule can help you with the following compliance standards:
- APRA
- MAS
For further details on compliance standards supported by Conformity, see here.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
When working with production databases that hold sensitive and critical data, it is strongly recommended to implement encryption at rest to protect your data from attackers or unauthorized personnel.
Audit
To determine if there are any unencrypted RDS database snapshots available in your AWS account, perform the following actions:
Remediation / Resolution
To encrypt existing Amazon RDS database snapshots available within your AWS account, perform the following actions:
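The audit and remediation described above, sketched with the AWS CLI commands named in the references (`describe-db-snapshots`, `copy-db-snapshot`, `delete-db-snapshot`). This is an added example, not Conformity's own procedure; the region default, the KMS key default, the restriction to manual snapshots and the `-encrypted` target naming are assumptions.

```shell
#!/bin/sh
# Added example (not Conformity's procedure). Assumes AWS CLI v2 with RDS permissions.
REGION="${REGION:-us-east-1}"              # placeholder region
KMS_KEY_ID="${KMS_KEY_ID:-alias/aws/rds}"  # AWS managed key; set a customer managed
                                           # key here if the copy will be shared

# Audit: print the identifier of every unencrypted manual snapshot, one per line.
list_unencrypted_snapshots() {
  aws rds describe-db-snapshots --region "$REGION" --snapshot-type manual \
    --query 'DBSnapshots[?Encrypted==`false`].DBSnapshotIdentifier' \
    --output text | tr '\t' '\n' | sed '/^$/d'
}

# Remediate one snapshot: copy it with a KMS key, wait, confirm Encrypted is true.
# Prints the new identifier; "<source>-encrypted" is a hypothetical naming scheme.
encrypt_snapshot() {
  src="$1"; dst="${src}-encrypted"
  aws rds copy-db-snapshot --region "$REGION" \
    --source-db-snapshot-identifier "$src" \
    --target-db-snapshot-identifier "$dst" \
    --kms-key-id "$KMS_KEY_ID" >/dev/null || return 1
  aws rds wait db-snapshot-available --region "$REGION" \
    --db-snapshot-identifier "$dst" || return 1
  enc="$(aws rds describe-db-snapshots --region "$REGION" \
    --db-snapshot-identifier "$dst" \
    --query 'DBSnapshots[0].Encrypted' --output text)"
  case "$enc" in True|true) printf '%s\n' "$dst" ;; *) return 1 ;; esac
}

# "audit" only reports; "remediate" also creates encrypted copies. The unencrypted
# original is never deleted here: the delete-db-snapshot command is printed for review.
main() {
  mode="$1"
  list_unencrypted_snapshots | while read -r id; do
    echo "UNENCRYPTED $id"
    [ "$mode" = "remediate" ] || continue
    if new="$(encrypt_snapshot "$id" </dev/null)"; then
      echo "  encrypted copy: $new"
      echo "  then: aws rds delete-db-snapshot --region $REGION --db-snapshot-identifier $id"
    else
      echo "  copy failed for $id" >&2
    fi
  done
}

case "${1:-}" in audit|remediate) main "$1" ;; esac
```

Run it as `sh script.sh audit` to report only, or `sh script.sh remediate` to create the encrypted copies.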
References
- AWS Documentation
  - Encrypting Amazon RDS Resources
  - Copying a Snapshot
  - Sharing a DB Snapshot
- AWS Command Line Interface (CLI) Documentation
  - rds
  - describe-db-snapshots
  - copy-db-snapshot
  - delete-db-snapshot
You are auditing:
Enable RDS Snapshot Encryption
Risk level: Medium