AWS-RDS-RDS-CMK-Encryption

Severity: Medium

Description: This control ensures that RDS instance data is encrypted at rest using a customer managed KMS key (CMK). Instances should be encrypted with a CMK so that you retain full key management capabilities while encrypting data at rest. For an encrypted DB Instance, all logs, backups, and snapshots are encrypted automatically with the same CMK. No changes to database client applications are needed to use encryption.

Remediation Steps:

Perform the following steps to move an RDS instance to CMK encryption:

  1. Login to the AWS Management Console at https://console.aws.amazon.com.

  2. Navigate to RDS console.

  3. Step 1 - Take a manual snapshot of the DB Instance (optional if a recent snapshot is available)

    1. In the Navigation pane, choose Databases.

    2. Click on the Database instance.

    3. Click on Actions and choose Take Snapshot.

    4. Configure Snapshot Name and click Take Snapshot.

  4. Step 2 - Create an encrypted copy of the DB snapshot from the unencrypted DB snapshot

    1. In the Navigation pane, choose Snapshots.

    2. Select the snapshot to encrypt.

    3. Click Actions, choose Copy Snapshot.

    4. Choose the desired Destination Region and enter a DB Snapshot Identifier.

    5. Select Copy Tags.

    6. Under Encryption, select Enable Encryption.

    7. Under Master key, choose the appropriate CMK.

    8. Click Copy Snapshot.

  5. Step 3 - Restore a DB Instance from a DB Instance snapshot

    1. In the Navigation pane, choose Snapshots.

    2. Select the CMK-encrypted DB Instance snapshot and click the "Actions" button.

    3. Choose Restore Snapshot.

    4. Under Settings, locate the DB Instance Identifier field.

    5. Enter the name of the new DB Instance.

    6. Select the appropriate DB Instance Class.

    7. Click Restore DB Instance.

  6. Step 4 - Delete older DB Instance

    1. In the Navigation pane, choose Databases.

    2. Select the older (unencrypted) DB Instance to delete.

    3. Click on Actions, choose Delete.

    4. For "Create final snapshot?", choose Yes or No. For "Final snapshot name", type the name of your final DB snapshot.

    5. Type "delete me" in the confirmation box.

    6. Choose Delete.
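As an added example (not part of this control page or any Blue Hexagon tooling), the check below audits `aws rds describe-db-instances` output for this control and returns the AWS CLI equivalent of Steps 1-4 without executing it. The instance records, key ARNs and snapshot names are constructed; the `KeyManager` values ("AWS" vs "CUSTOMER") are what `aws kms describe-key` reports for each `KmsKeyId`, and this example assumes they have already been fetched into a dict.

```python
"""Audit RDS instances for CMK encryption at rest and build the CLI
equivalent of the console steps above. Added example; inputs are constructed."""
from typing import Dict, List

# Constructed records shaped like DBInstances[] from `aws rds describe-db-instances`.
SAMPLE_INSTANCES = [
    {"DBInstanceIdentifier": "orders-db", "StorageEncrypted": False},
    {"DBInstanceIdentifier": "billing-db", "StorageEncrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/aws-managed-example"},
    {"DBInstanceIdentifier": "hr-db", "StorageEncrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/cmk-example"},
]
# Constructed map of key ARN -> KeyMetadata.KeyManager from `aws kms describe-key`.
# "AWS" is the AWS-managed aws/rds key; "CUSTOMER" is a customer managed key (CMK).
SAMPLE_KEY_MANAGERS = {
    "arn:aws:kms:us-east-1:111122223333:key/aws-managed-example": "AWS",
    "arn:aws:kms:us-east-1:111122223333:key/cmk-example": "CUSTOMER",
}

def audit_instances(instances, key_managers) -> Dict[str, str]:
    """Return {instance id: reason} for every instance that fails the control."""
    findings = {}
    for inst in instances:
        name = inst["DBInstanceIdentifier"]
        if not inst.get("StorageEncrypted"):
            findings[name] = "not encrypted at rest"
        # An unknown key is treated as non-CMK (fail closed) rather than passed.
        elif key_managers.get(inst.get("KmsKeyId")) != "CUSTOMER":
            findings[name] = "encrypted with an AWS-managed key, not a CMK"
    return findings

def remediation_plan(instance_id, cmk_arn, new_id=None) -> List[List[str]]:
    """CLI equivalent of Steps 1-4; commands are returned for review, not run."""
    new_id = new_id or f"{instance_id}-cmk"          # hypothetical naming scheme
    snap, enc_snap = f"{instance_id}-pre-cmk", f"{instance_id}-pre-cmk-encrypted"
    return [
        ["aws", "rds", "create-db-snapshot", "--db-instance-identifier", instance_id,
         "--db-snapshot-identifier", snap],
        ["aws", "rds", "copy-db-snapshot", "--source-db-snapshot-identifier", snap,
         "--target-db-snapshot-identifier", enc_snap, "--kms-key-id", cmk_arn, "--copy-tags"],
        ["aws", "rds", "restore-db-instance-from-db-snapshot", "--db-instance-identifier",
         new_id, "--db-snapshot-identifier", enc_snap],
        ["aws", "rds", "delete-db-instance", "--db-instance-identifier", instance_id,
         "--final-db-snapshot-identifier", f"{instance_id}-final"],
    ]

if __name__ == "__main__":
    for name, why in audit_instances(SAMPLE_INSTANCES, SAMPLE_KEY_MANAGERS).items():
        print(f"{name}: {why}")
    for cmd in remediation_plan("orders-db", "arn:aws:kms:us-east-1:111122223333:key/cmk-example"):
        print(" ".join(cmd))
```

The restore step accepts `--db-instance-class` if the new instance needs a different class (Step 3.6), and applications must be repointed at the new endpoint before the delete step runs.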

Important:

  • Amazon RDS encryption is not available for every Instance Class.

  • The encryption status and the key used to encrypt an RDS DB Instance are specified at creation time and cannot be changed later; a new, similarly configured instance needs to be created.

  • Encrypting an existing DB Instance or changing its encryption key involves creating a snapshot of the DB Instance and restoring it as a new, encrypted DB Instance. The new DB Instance will have different connection parameters, so dependent applications will need their connection strings updated to communicate with the newly created DB Instance.

Reference:

Blue Hexagon Proprietary