
Unencrypted AWS RDS Instances


    Ensure that your RDS database instances are encrypted so that they meet data-at-rest encryption compliance requirements. RDS encrypts and decrypts the data transparently, so no additional action is required from you or your application.

    This rule can help you with the following compliance standards:

    This rule can help you work with the AWS Well-Architected Framework

    When dealing with production databases that hold sensitive and critical data, it is highly recommended to implement encryption in order to protect your data from unauthorised access. When RDS encryption is enabled, the data stored on the instance, its underlying storage, automated backups, Read Replicas, and snapshots are all encrypted. RDS encryption keys use the AES-256 algorithm and are entirely managed and protected by the AWS key management infrastructure through AWS Key Management Service (AWS KMS).

    Audit

    To determine if your RDS database instances are encrypted, perform the following:

    1. Login to the AWS Management Console.

    2. Navigate to RDS dashboard at https://console.aws.amazon.com/rds/.

    3. In the navigation panel, under Dashboard, click DB Instances.

    4. Click on the DB Identifier that you want to examine.

    5. Click on Configuration Tab.

    6. Under the Encryption section, check the Encryption Enabled status:

    If the current status is set to No, data-at-rest encryption is not enabled for the selected RDS database instance.
     
    7. Repeat steps no. 4 – 6 for each RDS instance provisioned in the current region. Change the AWS region from the navigation bar to repeat the process for other regions.

    1. Using the AWS CLI, run the describe-db-instances command (OSX/Linux/UNIX) to list the identifiers of all RDS database instances available in the selected AWS region (the US East region in this case):

    aws rds describe-db-instances \
        --region us-east-1 \
        --query 'DBInstances[*].DBInstanceIdentifier'

    2. The command output should return each database instance identifier (name):

    [
        "database-2-instance-1",
        "database-wordpress",
        "exampledb",
        "test"
    ]

    3. Run the describe-db-instances command (OSX/Linux/UNIX) again, using an RDS instance identifier returned at the previous step, to determine whether the selected database instance is currently encrypted:

    aws rds describe-db-instances \
        --region us-east-1 \
        --db-instance-identifier exampledb \
        --query 'DBInstances[*].StorageEncrypted'

    4. The command output should return the encryption status (as the StorageEncrypted parameter value) for the selected instance (true for enabled, false for disabled):

    [
        false
    ]

    5. If the StorageEncrypted parameter value is set to false, data-at-rest encryption is not enabled for the selected RDS database instance.
     
    6. Repeat steps no. 1 – 4 for each RDS instance provisioned in the current region. Change the AWS region by using the --region filter to repeat the process for other regions.
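The CLI audit above, scripted in Python as an added example (not nOps' own tooling): find_unencrypted() applies the StorageEncrypted check to describe-db-instances output, and audit_region()/audit_all_regions() run it live with boto3 across regions, which assumes configured AWS credentials. The sample listing is constructed to mirror the instance names on this page.

```python
"""Audit helper: list RDS DB instances without storage encryption.

Added example, not nOps code. The live scan assumes boto3 and AWS
credentials; find_unencrypted() is pure and runs offline on the
constructed sample below.
"""
from typing import Dict, Iterable, List


def find_unencrypted(db_instances: Iterable[Dict]) -> List[str]:
    """Return identifiers of instances whose StorageEncrypted flag is not true.

    A missing StorageEncrypted key is treated as unencrypted (fail closed).
    """
    return [
        db["DBInstanceIdentifier"]
        for db in db_instances
        if not db.get("StorageEncrypted", False)
    ]


def audit_region(region: str) -> List[str]:
    """Live scan of one region, paginating describe-db-instances."""
    import boto3  # imported lazily so the pure helper works without it

    rds = boto3.client("rds", region_name=region)
    unencrypted: List[str] = []
    for page in rds.get_paginator("describe_db_instances").paginate():
        unencrypted.extend(find_unencrypted(page["DBInstances"]))
    return unencrypted


def audit_all_regions() -> Dict[str, List[str]]:
    """Repeat the scan for every region with an RDS endpoint (the CLI
    procedure's 'change the --region filter' step). Opt-in regions that
    are not enabled for the account will raise a ClientError."""
    import boto3

    regions = boto3.session.Session().get_available_regions("rds")
    return {r: audit_region(r) for r in regions}


# Constructed sample mirroring the describe-db-instances listing on this page.
SAMPLE_DB_INSTANCES = [
    {"DBInstanceIdentifier": "database-2-instance-1", "StorageEncrypted": True},
    {"DBInstanceIdentifier": "database-wordpress", "StorageEncrypted": False},
    {"DBInstanceIdentifier": "exampledb", "StorageEncrypted": False},
    {"DBInstanceIdentifier": "test"},  # flag absent: counts as unencrypted
]

if __name__ == "__main__":
    print(find_unencrypted(SAMPLE_DB_INSTANCES))
```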

    Remediation / Resolution

    To enable data encryption for your existing RDS instances you need to re-create them (back up and restore) with the encryption flag enabled, by performing the following steps:

    1. Login to the AWS Management Console.

    2. Navigate to RDS dashboard at https://console.aws.amazon.com/rds/.

    3. In the navigation panel, under Dashboard, click DB Instances.

    4. Click on the DB Identifier that you want to examine.

    5. Click the Instance Actions dropdown in the top right corner and select Take Snapshot.

    6. On the Take DB Snapshot page, enter a name for the instance snapshot in the Snapshot Name field and click Take Snapshot (the backup process may take a few minutes, depending on your instance storage size).

    7. Monitor the progress of the snapshot in the Snapshots menu until Progress = completed and Status = available.

    8. Once the snapshot is completed, select the newly created snapshot and choose the Copy Snapshot option from the Actions dropdown menu in the right corner.

    9. On the Make Copy of DB Snapshot page, perform the following:

    a. In the New DB Snapshot Identifier field, enter a name for the new snapshot (copy).

    b. Check Copy Tags so the new snapshot can have the same tags as the source snapshot.

    c. Select Yes from the Enable Encryption dropdown list to enable encryption. You can choose to use the AWS default encryption key or your custom key (key ARN required) by selecting it from the Master Key dropdown list.

    10. Click Copy Snapshot to create an encrypted copy of the selected instance snapshot.
     
    11. Monitor the progress of the snapshot in the Snapshots menu until Progress = completed and Status = available.
     
    12. Once the snapshot is completed, select the newly created snapshot and choose the Restore Snapshot option from the Actions dropdown menu in the right corner.

    This will restore the encrypted snapshot to a new database instance.
     
    13. On the Restore DB Instance page, enter a unique name for the new database instance in the DB Instance Identifier* field.

    14. Review the instance configuration details and click Restore DB Instance.
     
    15. As soon as the new instance provisioning process is completed (its status becomes available), you can update your application configuration to refer to the endpoint of the new (encrypted) database instance. Once the database endpoint is changed at your application level, you can remove the unencrypted instance.
     
    16. Repeat steps no. 4 – 15 for each RDS instance that you want to encrypt, available in the current region.
     
    17. Change the AWS region from the navigation bar to repeat the process for other regions.

    1. Using the AWS CLI, run the describe-db-instances command (OSX/Linux/UNIX) to list all RDS database instance identifiers available in the selected AWS region:

    aws rds describe-db-instances \
        --region us-east-1 \
        --query 'DBInstances[*].DBInstanceIdentifier'

    2. The command output should return each database instance identifier:

    [
        "database-2-instance-1",
        "database-wordpress",
        "exampledb",
        "test"
    ]

    3. Run create-db-snapshot command (OSX/Linux/UNIX) to create a snapshot for the selected database instance. The following command example creates a snapshot named exampledb-snapshot from an RDS instance named exampledb:

    aws rds create-db-snapshot \
        --region us-east-1 \
        --db-snapshot-identifier exampledb-snapshot \
        --db-instance-identifier exampledb

    4. The command output should return the new snapshot metadata:

    {
        "DBSnapshot": {
            "DBSnapshotIdentifier": "exampledb-snapshot",
            "DBInstanceIdentifier": "exampledb",
            "Engine": "mysql",
            "AllocatedStorage": 20,
            "Status": "creating",
            "Port": 3306,
            "AvailabilityZone": "us-east-1a",
            "VpcId": "vpc-09c2603aa4f2062ea",
            "InstanceCreateTime": "2020-11-19T04:33:39.434000+00:00",
            "MasterUsername": "exampleuser",
            "EngineVersion": "8.0.20",
            "LicenseModel": "general-public-license",
            "SnapshotType": "manual",
            "OptionGroupName": "default:mysql-8-0",
            "PercentProgress": 0,
            "StorageType": "gp2",
            "Encrypted": false,
            "DBSnapshotArn": "arn:aws:rds:us-east-1:695292474035:snapshot:exampledb-snapshot",
            "IAMDatabaseAuthenticationEnabled": false,
            "ProcessorFeatures": [],
            "DbiResourceId": "db-3XQY4F5WCMQLWKGBFI6NWQZU5M",
            "TagList": []
        }
    }

    5. Run the describe-db-snapshots command to track the progress of the snapshot:

    aws rds describe-db-snapshots \
        --region us-east-1 \
        --db-snapshot-identifier exampledb-snapshot

    6. The command output should return the new snapshot metadata. Check the **Status** and PercentProgress fields, and keep running this command until **Status = available** and PercentProgress = 100:

    {
        "DBSnapshots": [
            {
                "DBSnapshotIdentifier": "exampledb-snapshot",
                "DBInstanceIdentifier": "exampledb",
                "SnapshotCreateTime": "2021-09-08T21:37:48.452000+00:00",
                "Engine": "mysql",
                "AllocatedStorage": 20,
                **"Status": "available",**
                "Port": 3306,
                "AvailabilityZone": "us-east-1a",
                "VpcId": "vpc-09c2603aa4f2062ea",
                "InstanceCreateTime": "2020-11-19T04:33:39.434000+00:00",
                "MasterUsername": "exampleuser",
                "EngineVersion": "8.0.20",
                "LicenseModel": "general-public-license",
                "SnapshotType": "manual",
                "OptionGroupName": "default:mysql-8-0",
                **"PercentProgress": 100,**
                "StorageType": "gp2",
                "Encrypted": false,
                "DBSnapshotArn": "arn:aws:rds:us-east-1:695292474035:snapshot:exampledb-snapshot",
                "IAMDatabaseAuthenticationEnabled": false,
                "ProcessorFeatures": [],
                "DbiResourceId": "db-3XQY4F5WCMQLWKGBFI6NWQZU5M",
                "TagList": [],
                "OriginalSnapshotCreateTime": "2021-09-08T21:37:48.452000+00:00"
            }
        ]
    }

    7. Run copy-db-snapshot command (OSX/Linux/UNIX) using the default KMS key ID for RDS instances to create an encrypted copy of the database instance snapshot:

    aws rds copy-db-snapshot \
        --region us-east-1 \
        --source-db-snapshot-identifier exampledb-snapshot \
        --target-db-snapshot-identifier exampledb-snapshot-encrypted \
        --copy-tags \
        --kms-key-id alias/aws/rds

    8. The command output should return the encrypted instance snapshot (copy) metadata:

    {
        "DBSnapshot": {
            "DBSnapshotIdentifier": "exampledb-snapshot-encrypted",
            "DBInstanceIdentifier": "exampledb",
            "Engine": "mysql",
            "AllocatedStorage": 20,
            "Status": "creating",
            "Port": 3306,
            "AvailabilityZone": "us-east-1a",
            "VpcId": "vpc-09c2603aa4f2062ea",
            "InstanceCreateTime": "2020-11-19T04:33:39.434000+00:00",
            "MasterUsername": "exampleuser",
            "EngineVersion": "8.0.20",
            "LicenseModel": "general-public-license",
            "SnapshotType": "manual",
            "OptionGroupName": "default:mysql-8-0",
            "PercentProgress": 0,
            "SourceRegion": "us-east-1",
            "SourceDBSnapshotIdentifier": "arn:aws:rds:us-east-1:695292474035:snapshot:exampledb-snapshot",
            "StorageType": "gp2",
            "Encrypted": true,
            "KmsKeyId": "arn:aws:kms:us-east-1:695292474035:key/41448b8a-765b-4444-88ed-678cef198a5a",
            "DBSnapshotArn": "arn:aws:rds:us-east-1:695292474035:snapshot:exampledb-snapshot-encrypted",
            "IAMDatabaseAuthenticationEnabled": false,
            "ProcessorFeatures": [],
            "DbiResourceId": "db-3XQY4F5WCMQLWKGBFI6NWQZU5M",
            "TagList": [],
            "OriginalSnapshotCreateTime": "2021-09-08T22:00:18.733000+00:00"
        }
    }

    9. Run the describe-db-snapshots command to track the progress of the encrypted snapshot copy:

    aws rds describe-db-snapshots \
        --region us-east-1 \
        --db-snapshot-identifier exampledb-snapshot-encrypted

    10. The command output should return the encrypted snapshot metadata. Check the **Status** and PercentProgress fields, and keep running this command until **Status = available** and PercentProgress = 100:

    {
        "DBSnapshots": [
            {
                "DBSnapshotIdentifier": "exampledb-snapshot-encrypted",
                "DBInstanceIdentifier": "exampledb",
                "SnapshotCreateTime": "2021-09-08T21:50:17.929000+00:00",
                "Engine": "mysql",
                "AllocatedStorage": 20,
                **"Status": "available",**
                "Port": 3306,
                "AvailabilityZone": "us-east-1a",
                "VpcId": "vpc-09c2603aa4f2062ea",
                "InstanceCreateTime": "2020-11-19T04:33:39.434000+00:00",
                "MasterUsername": "exampleuser",
                "EngineVersion": "8.0.20",
                "LicenseModel": "general-public-license",
                "SnapshotType": "manual",
                "OptionGroupName": "default:mysql-8-0",
                **"PercentProgress": 100,**
                "SourceRegion": "us-east-1",
                "SourceDBSnapshotIdentifier": "arn:aws:rds:us-east-1:695292474035:snapshot:exampledb-snapshot",
                "StorageType": "gp2",
                "Encrypted": true,
                "KmsKeyId": "arn:aws:kms:us-east-1:695292474035:key/41448b8a-765b-4444-88ed-678cef198a5a",
                "DBSnapshotArn": "arn:aws:rds:us-east-1:695292474035:snapshot:exampledb-snapshot-encrypted",
                "IAMDatabaseAuthenticationEnabled": false,
                "ProcessorFeatures": [],
                "DbiResourceId": "db-3XQY4F5WCMQLWKGBFI6NWQZU5M",
                "TagList": [],
                "OriginalSnapshotCreateTime": "2021-09-08T21:37:48.452000+00:00"
            }
        ]
    }

    11. Run restore-db-instance-from-db-snapshot command (OSX/Linux/UNIX) to restore the encrypted snapshot created at the previous step to a new database instance:

    aws rds restore-db-instance-from-db-snapshot \
        --region us-east-1 \
        --db-instance-identifier exampledb2 \
        --db-snapshot-identifier exampledb-snapshot-encrypted

    12. If successful, the command output should return the new encrypted database instance metadata:

    {
        "DBInstances": [
            {
                "DBInstanceIdentifier": "exampledb2",
                "DBInstanceClass": "db.t3.small",
                "Engine": "mysql",
                "DBInstanceStatus": "available",
                "MasterUsername": "exampleuser",
                "DBName": "exampledb",
                "Endpoint": {
                    "Address": "exampledb3.clm9f5vkzm5i.us-east-1.rds.amazonaws.com",
                    "Port": 3306,
                    "HostedZoneId": "Z2R2ITUGPM61AM"
                },
                "AllocatedStorage": 20,
    						...
                **"StorageEncrypted": true,**
                "KmsKeyId": "arn:aws:kms:us-east-1:695292474035:key/41448b8a-765b-4444-88ed-678cef198a5a",
                "DbiResourceId": "db-RS6LCPHBENJOIIZ4UVA7LJN3P4",
                "CACertificateIdentifier": "rds-ca-2019",
                "DomainMemberships": [],
                "CopyTagsToSnapshot": false,
                "MonitoringInterval": 0,
                "DBInstanceArn": "arn:aws:rds:us-east-1:695292474035:db:exampledb3",
                "IAMDatabaseAuthenticationEnabled": false,
                "PerformanceInsightsEnabled": false,
                "DeletionProtection": false,
                "AssociatedRoles": [],
                "TagList": [],
                "CustomerOwnedIpEnabled": false,
                "ActivityStreamStatus": "stopped"
            }
        ]
    }

    13. Run describe-db-instances command (OSX/Linux/UNIX) to make sure the new database instance is encrypted:

    aws rds describe-db-instances \
        --region us-east-1 \
        --db-instance-identifier exampledb2 \
        --query 'DBInstances[*].StorageEncrypted'

    14. The command output should return the encryption status (as the StorageEncrypted parameter value) for the selected instance (true for enabled, false for disabled):

    [
        true
    ]

    15. Repeat steps no. 1 – 14 for each RDS instance provisioned in the current region.
     
    16. Change the AWS region by using the --region filter to repeat the process for other regions.
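The CLI remediation above (snapshot, encrypted copy under a KMS key, restore, verify) as an added Python example, not nOps' own tooling: wait_for_snapshot() polls with the same Status/PercentProgress criterion the steps use, the copy is checked for Encrypted=true before anything is restored from it, and the function name encrypt_by_recreation and the default key alias/aws/rds are assumptions of this example. The live flow assumes boto3 and AWS credentials; snapshot_ready() and is_encrypted() are pure and run offline.

```python
# Added example (not nOps code): re-create an unencrypted RDS instance with
# encryption via boto3, following the CLI procedure above. The live flow needs
# AWS credentials; snapshot_ready() and is_encrypted() are pure and run offline.
import time
from typing import Dict


def snapshot_ready(describe_output: Dict) -> bool:
    """True when describe-db-snapshots shows Status=available and PercentProgress=100."""
    snaps = describe_output.get("DBSnapshots", [])
    if len(snaps) != 1:
        return False
    return snaps[0].get("Status") == "available" and snaps[0].get("PercentProgress") == 100


def is_encrypted(describe_output: Dict) -> bool:
    """True when every instance in a describe-db-instances response has StorageEncrypted=true."""
    dbs = describe_output.get("DBInstances", [])
    return bool(dbs) and all(db.get("StorageEncrypted") is True for db in dbs)


def wait_for_snapshot(rds, snapshot_id: str, poll_seconds: int = 15) -> Dict:
    """Poll describe-db-snapshots until snapshot_ready(); returns the snapshot record."""
    while True:
        out = rds.describe_db_snapshots(DBSnapshotIdentifier=snapshot_id)
        if snapshot_ready(out):
            return out["DBSnapshots"][0]
        time.sleep(poll_seconds)


def encrypt_by_recreation(region: str, source_id: str, target_id: str,
                          kms_key_id: str = "alias/aws/rds") -> bool:
    """Snapshot -> encrypted copy -> restore; returns the new instance's encryption state."""
    import boto3  # lazy import so the pure checks above work without boto3 installed
    rds = boto3.client("rds", region_name=region)
    snap, enc_snap = f"{source_id}-snapshot", f"{source_id}-snapshot-encrypted"
    rds.create_db_snapshot(DBSnapshotIdentifier=snap, DBInstanceIdentifier=source_id)
    wait_for_snapshot(rds, snap)
    rds.copy_db_snapshot(SourceDBSnapshotIdentifier=snap, TargetDBSnapshotIdentifier=enc_snap,
                         KmsKeyId=kms_key_id, CopyTags=True)
    copied = wait_for_snapshot(rds, enc_snap)
    if not copied.get("Encrypted"):  # never restore from a copy that is still plaintext
        raise RuntimeError(f"{enc_snap} is not encrypted; check the KMS key id")
    rds.restore_db_instance_from_db_snapshot(DBInstanceIdentifier=target_id,
                                             DBSnapshotIdentifier=enc_snap)
    rds.get_waiter("db_instance_available").wait(DBInstanceIdentifier=target_id)
    # Final check is the same describe-db-instances query the CLI procedure ends with.
    return is_encrypted(rds.describe_db_instances(DBInstanceIdentifier=target_id))
```

The source instance is deliberately left in place: as the console steps note, cut the application over to the new endpoint first and only then remove the unencrypted instance.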
