AWS-RDS-RDS-Snapshot-Encryption

Severity: Medium

Description: This control checks that RDS database snapshots are encrypted. Snapshots inherit the encryption setting of the DB instance they are taken from, so encryption should be enabled on the DB instance itself to ensure data-at-rest is encrypted in both the instance and its backups. When permissions on the AWS KMS key are configured correctly, snapshot encryption also acts as a secondary control on who can restore the snapshot: a principal without access to the key cannot restore it.

Remediation Steps:

Perform the following to update RDS snapshot encryption:

  1. Sign in to the AWS Management Console at https://console.aws.amazon.com with an IAM identity that has the required RDS and KMS permissions (do not use the root user for routine operations).

  2. Navigate to the RDS console.

  3. Step 1 - Create an encrypted copy of an unencrypted snapshot

    1. In the navigation pane on the left, click Snapshots.

    2. Select the snapshot to encrypt.

    3. For automated snapshots, sort the list by DB instance or cluster and select the most recent snapshot for the DB instance.

    4. Click Snapshot Actions, then choose Copy Snapshot.

    5. Choose the desired Destination Region and enter a New DB Snapshot Identifier.

    6. Select Copy Tags if needed.

    7. Set Enable Encryption to Yes.

    8. For Master Key, select either the (default) aws/rds AWS managed key or a customer managed key. A customer managed key is preferable where restore permissions need to be restricted through the key policy.

    9. Click Copy Snapshot.

    10. Once the snapshot status is available, the Encrypted field shows True, indicating the copy is encrypted.

  4. Step 2 - Delete the manually created unencrypted snapshot

    1. In the navigation pane on the left, click Snapshots.

    2. Select the unencrypted snapshot to delete (only after the encrypted copy from Step 1 shows as available).

    3. Click Actions, then choose Delete.

    4. Click Delete.

  5. Step 3 - Remove unencrypted automated backups. Deleting a DB instance deletes all automated backups associated with it; to disable automated backups immediately without deleting the instance:

    1. In the navigation pane on the left, click Snapshots.

    2. For an unencrypted automated snapshot, identify the associated DB instance from the DB instance or Cluster column.

    3. In the navigation pane, click Instances to modify the automatic backup settings for that DB instance.

    4. Select the DB instance.

    5. Choose Instance Actions, then Modify. The Modify DB Instance page appears.

    6. For Backup Retention Period, choose 0.

    7. Select Apply Immediately; otherwise the associated automated backups are not deleted until the next maintenance window.

    8. Choose Continue.

    9. On the confirmation page, choose Modify DB Instance to save the change and disable automated backups. Note that a retention period of 0 also disables point-in-time recovery for the instance, so treat this as an interim step until the instance has been migrated to an encrypted one (next section).

  6. To create an encrypted DB instance from an unencrypted one, so that all future automated snapshots are encrypted, follow these steps:

    1. Create an encrypted copy of an unencrypted snapshot (Step 1 above).

    2. Restore a new (encrypted) DB instance from the encrypted DB snapshot.

    3. Ensure dependent applications connect to the new (encrypted) DB instance.

    4. Delete the old (unencrypted) DB instance.

    5. Delete any remaining snapshots of the old DB instance.
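The audit-and-remediate loop described in Steps 1 and 2 can be scripted against the RDS API. The following is an added example written for this page (it is not tooling from the control's author): it lists manual and automated snapshots, flags those whose Encrypted field is False, creates an encrypted copy by supplying a KMS key to CopyDBSnapshot, verifies the copy is encrypted before deleting the unencrypted source, and marks automated snapshots for instance migration instead of deletion. The boto3 call names and parameters are the real ones; the FakeRds class, SAMPLE_SNAPSHOTS and the KMS key ARN are constructed stand-ins so the logic runs offline.

```python
"""Audit and remediate unencrypted RDS DB snapshots (added example).

Uses boto3 call shapes (describe_db_snapshots, copy_db_snapshot,
delete_db_snapshot). FakeRds and SAMPLE_SNAPSHOTS are constructed
stand-ins so the logic can be exercised without AWS credentials.
"""
from typing import Iterable


def list_snapshots(rds, snapshot_types=("manual", "automated")):
    """Page through DescribeDBSnapshots once per SnapshotType."""
    found = []
    paginator = rds.get_paginator("describe_db_snapshots")
    for snapshot_type in snapshot_types:
        for page in paginator.paginate(SnapshotType=snapshot_type):
            found.extend(page["DBSnapshots"])
    return found


def find_unencrypted(snapshots: Iterable[dict]) -> list:
    """Flag available snapshots whose Encrypted flag is False.

    Snapshots still 'creating' are skipped (Encrypted is not final yet).
    Automated snapshots cannot be deleted individually, so they are marked
    for instance migration rather than copy-and-delete.
    """
    findings = []
    for snap in snapshots:
        if snap.get("Status") != "available" or snap.get("Encrypted", False):
            continue
        findings.append({
            "snapshot": snap["DBSnapshotIdentifier"],
            "instance": snap["DBInstanceIdentifier"],
            "type": snap.get("SnapshotType", "manual"),
            "needs_instance_migration": snap.get("SnapshotType") == "automated",
        })
    return findings


def encrypted_copy_name(snapshot_id: str) -> str:
    """Automated ids carry an 'rds:' prefix that a target id may not contain."""
    base = snapshot_id[4:] if snapshot_id.startswith("rds:") else snapshot_id
    return f"{base}-encrypted"


def copy_with_encryption(rds, snapshot_id: str, kms_key_id: str) -> str:
    """Step 1: supplying KmsKeyId to CopyDBSnapshot makes the copy encrypted."""
    target = encrypted_copy_name(snapshot_id)
    rds.copy_db_snapshot(SourceDBSnapshotIdentifier=snapshot_id,
                         TargetDBSnapshotIdentifier=target,
                         KmsKeyId=kms_key_id, CopyTags=True)
    rds.get_waiter("db_snapshot_available").wait(DBSnapshotIdentifier=target)
    copy = rds.describe_db_snapshots(DBSnapshotIdentifier=target)["DBSnapshots"][0]
    if not copy.get("Encrypted"):  # never delete the source on an unverified copy
        raise RuntimeError(f"{target} is not encrypted; keeping the source snapshot")
    return target


def remediate_manual(rds, snapshot_id: str, kms_key_id: str) -> str:
    """Steps 1 and 2 for a manual snapshot: delete the source only after verification."""
    target = copy_with_encryption(rds, snapshot_id, kms_key_id)
    rds.delete_db_snapshot(DBSnapshotIdentifier=snapshot_id)
    return target


# Constructed sample in the shape returned by describe_db_snapshots (not real data).
SAMPLE_KEY = "arn:aws:kms:us-east-1:111122223333:key/example-key-id"
SAMPLE_SNAPSHOTS = [
    {"DBSnapshotIdentifier": "orders-db-final", "DBInstanceIdentifier": "orders-db",
     "SnapshotType": "manual", "Status": "available", "Encrypted": False},
    {"DBSnapshotIdentifier": "rds:orders-db-2024-05-01-03-00", "DBInstanceIdentifier": "orders-db",
     "SnapshotType": "automated", "Status": "available", "Encrypted": False},
    {"DBSnapshotIdentifier": "billing-db-final", "DBInstanceIdentifier": "billing-db",
     "SnapshotType": "manual", "Status": "available", "Encrypted": True, "KmsKeyId": SAMPLE_KEY},
    {"DBSnapshotIdentifier": "inflight-copy", "DBInstanceIdentifier": "billing-db",
     "SnapshotType": "manual", "Status": "creating", "Encrypted": False},
]


class FakeRds:
    """Offline stand-in for the boto3 RDS client; mimics only the calls used above."""

    def __init__(self, snapshots):
        self.snapshots = {s["DBSnapshotIdentifier"]: dict(s) for s in snapshots}

    def get_paginator(self, name):
        store = self.snapshots

        class Paginator:
            def paginate(self, SnapshotType=None, **_):
                yield {"DBSnapshots": [s for s in store.values()
                                       if SnapshotType in (None, s["SnapshotType"])]}
        return Paginator()

    def get_waiter(self, name):
        return type("Waiter", (), {"wait": lambda self, **_: None})()

    def describe_db_snapshots(self, DBSnapshotIdentifier, **_):
        return {"DBSnapshots": [self.snapshots[DBSnapshotIdentifier]]}

    def copy_db_snapshot(self, SourceDBSnapshotIdentifier, TargetDBSnapshotIdentifier,
                         KmsKeyId=None, CopyTags=False, **_):
        copy = dict(self.snapshots[SourceDBSnapshotIdentifier],
                    DBSnapshotIdentifier=TargetDBSnapshotIdentifier, SnapshotType="manual",
                    Status="available", Encrypted=bool(KmsKeyId), KmsKeyId=KmsKeyId)
        self.snapshots[TargetDBSnapshotIdentifier] = copy
        return {"DBSnapshot": copy}

    def delete_db_snapshot(self, DBSnapshotIdentifier, **_):
        return {"DBSnapshot": self.snapshots.pop(DBSnapshotIdentifier)}


if __name__ == "__main__":
    import boto3  # real run: needs rds:Describe*/CopyDBSnapshot/DeleteDBSnapshot and KMS key access
    for finding in find_unencrypted(list_snapshots(boto3.client("rds"))):
        print(finding)
```

Against a real account, replace FakeRds with boto3.client("rds") and pass the ARN of the KMS key you want the copies encrypted under; the identity running the script needs kms:CreateGrant and kms:DescribeKey on that key in addition to the RDS permissions, since RDS uses a grant on the key to encrypt the copy. Automated snapshots are reported with needs_instance_migration set, because the only way to stop producing them unencrypted is to move the workload to an encrypted instance (Step 3 and the migration procedure above).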

Important:

  • To restore an encrypted snapshot, the user also needs explicit permission to use the KMS key that encrypts it.

  • For DB instances with encryption enabled, automated backups and snapshots are encrypted by default.

  • For DB instances with encryption disabled, automated backups and snapshots are not encrypted. To meet the encryption-at-rest requirement, avoid running DB instances with encryption disabled.

  • When copying a snapshot, the user can enable encryption on the copy of an unencrypted snapshot; an encrypted snapshot cannot be copied to an unencrypted one.

  • When restoring an RDS DB instance from a snapshot, the new instance inherits the snapshot's encryption state: an unencrypted snapshot cannot be restored as an encrypted DB instance, which is why the encrypted copy must be created first. Aurora clusters are the exception, where an unencrypted cluster snapshot can be restored as an encrypted cluster.

Reference:

Blue Hexagon Proprietary