AWS-RDS-RDS-Encryption-Enabled

Severity: Medium

Description: This control ensures that encryption on the database. Encryption for database instances should be enabled to ensure encryption of data-at-rest. When snapshot is made public, Any AWS account user can copy it impacting confidentiality of the data stored in database. It is recommended that DB snapshot visibility should be private.

Remediation Steps:

Perform following to update RDS instance encryption :

1. Login to the AWS Management Console at https://console.aws.amazon.com as root user.

2. Navigate to RDS console.

3. Step1 - Take recent manual snapshot for the DB instance (Optional as recent automated snapshot can be used).

   1. On Navigation pane on left side, click Instances.

   2. Select a DB instance that is not encrypted.

   3. Click on Instance Actions and choose Take Snapshot.

   4. Configure Snapshot Name.

   5. Click Take Snapshot.

   6. It will create unencrypted snapshot for unencrypted DB instance.

4. Step 2 - create an encrypted copy of an unencrypted snapshot

   1. On Navigation pane on left side, click Snapshots.

   2. Select the most recent snapshot to encrypt.

   3. In case of automated snapshots, Order snapshots by DB instance or Cluster and select the most recent snapshot for the DB instance from the ordered list.

   4. Click Snapshot Actions, choose Copy Snapshot.

   5. Choose desired Destination Region and enter New DB Snapshot Identifier.

   6. Select Copy Tags id needed.

   7. set Enable Encryption to Yes.

   8. While selecting Master Key to encrypt snapshot copy, select either (Default) aws/rds for AWS managed Key or Customer Managed key.

   9. Click Copy Snapshot.

   10. After the snapshot status is available, the Encrypted field will be True to indicate the snapshot is encrypted.

5. Step3 - restore a new encrypted DB instance from an encrypted DB snapshot

   1. On Navigation pane on left side, click Snapshots.

   2. Select the encrypted DB snapshot.

   3. Click Actions, choose Restore Snapshot to open Restore DB Instance.

   4. On the Restore DB Instance, in the DB Instance Identifier field, type the name for restored DB instance.

   5. Select Copy Tags id needed.

   6. Set Enable Encryption to Yes.

   7. Configure remain setting on Restore DB Instance to match with the concerned unencrypted DB instance.

   8. While selecting Master Key to encrypt DB instance select either (Default) aws/rds for Customer Managed key.

   9. Choose Restore DB Instance.

Important:

• Encrypting existing DB instance involves creating an encrypted copy from unencrypted DB snapshot and restoring encrypted copy of a snapshot the as new DB instance. New DB instance will require different connection parameters and hence dependent applications will require change in connection string to communicate with newly created DB instance.

• Additionally, to restore the functionality of the DB instance to that of the older DB instance associated security groups (applications as well as newly created DB instance) may need modifications.

• After required connection string modifications and security group updates, ensure all applications are successfully connecting and querying to the new (encrypted) DB instance.

• Now Older (Unencrypted) DB instance can be deleted.

Reference :

• https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html#Overview.Encryption.Availability

• Encrypting Amazon RDS resources - Amazon Relational Database Service

• https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_RestoreFromSnapshot.html#USER_RestoreFromSnapshot.CON

• Deleting a DB instance - Amazon Relational Database Service