🛡️ AWS RDS Cluster Encryption is not enabled🟢

• Contextual name: 🛡️ Cluster Encryption is not enabled🟢
• ID: /ce/ca/aws/rds/cluster-encryption
• Tags:
  • 🟢 Policy with categories
  • 🟢 Policy with type
  • 🟢 Production policy
• Policy Type: COMPLIANCE_POLICY
• Policy Categories: SECURITY

Logic

• 🧠 prod.logic.yaml🟢
  • 📗 AWS RDS Cluster
  • 🔌 AWS RDS Cluster - object.extracts.yaml
  • 🧪 test-data.json

Similar Policies

• AWS Security Hub: [RDS.27] RDS DB clusters should be encrypted at rest
• AWS Security Hub: [DocumentDB.1] Amazon DocumentDB clusters should be encrypted at rest
• AWS Security Hub: [Neptune.1] Neptune DB clusters should be encrypted at rest

Description

Open File

Description

This policy identifies AWS RDS Clusters that are not configured with encryption at rest. Amazon RDS uses AWS Key Management Service (KMS) to manage encryption keys. When encryption at rest is enabled, it protects the underlying storage for DB clusters, as well as automated backups, read replicas, and snapshots.

Rationale

Since databases often contain sensitive and business-critical information, enabling encryption at rest is strongly recommended to safeguard data against unauthorized access or disclosure. When RDS encryption is enabled, all associated data, including the cluster storage, automated backups, read replicas, and snapshots, is securely encrypted.

Audit

This policy flags an AWS RDS Cluster as INCOMPLIANT if the Storage Encrypted checkbox is not set to true.

Remediation

Open File

Remediation

Encrypt the Cluster

From Command Line

To encrypt an existing unencrypted RDS cluster, follow these steps:

1. Create a snapshot of the unencrypted cluster:

   aws rds create-db-cluster-snapshot \
       --db-cluster-identifier {{unencrypted-cluster-id}} \
       --db-cluster-snapshot-identifier {{snapshot-id}}

2. Copy the snapshot with encryption enabled:

   aws rds copy-db-cluster-snapshot \
   --source-db-cluster-snapshot-identifier {{snapshot-id}} \
       --target-db-cluster-snapshot-identifier {{encrypted-snapshot-id}} \
       --kms-key-id {{your-kms-key-id}}

3. Restore the encrypted snapshot to a new cluster:

   aws rds restore-db-cluster-from-snapshot \
       --db-cluster-identifier {{new-encrypted-cluster-id}} \
       --snapshot-identifier {{encrypted-snapshot-id}} \
       --engine {{engine-name}}

4. Update application connection strings to point to the new encrypted cluster.

5. Delete the old unencrypted cluster after confirming successful migration:

... see more

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [DocumentDB.1] Amazon DocumentDB clusters should be encrypted at rest			1		no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [Neptune.1] Neptune DB clusters should be encrypted at rest			1		no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [RDS.27] RDS DB clusters should be encrypted at rest			1		no data
💼 AWS Well-Architected → 💼 SEC08-BP02 Enforce encryption at rest			20		no data
💼 Cloudaware Framework → 💼 Data Encryption			70		no data
💼 FedRAMP High Security Controls → 💼 CM-3(6) Cryptography Management (H)			17		no data
💼 FedRAMP High Security Controls → 💼 SC-7(10) Prevent Exfiltration (H)			18		no data
💼 FedRAMP High Security Controls → 💼 SC-13 Cryptographic Protection (L)(M)(H)		16	43		no data
💼 FedRAMP High Security Controls → 💼 SC-28 Protection of Information at Rest (L)(M)(H)	1	7	36		no data
💼 FedRAMP High Security Controls → 💼 SC-28(1) Cryptographic Protection (L)(M)(H)		5	25		no data
💼 FedRAMP Low Security Controls → 💼 SC-13 Cryptographic Protection (L)(M)(H)			43		no data
💼 FedRAMP Low Security Controls → 💼 SC-28 Protection of Information at Rest (L)(M)(H)	1		36		no data
💼 FedRAMP Low Security Controls → 💼 SC-28(1) Cryptographic Protection (L)(M)(H)			25		no data
💼 FedRAMP Moderate Security Controls → 💼 SC-13 Cryptographic Protection (L)(M)(H)			43		no data
💼 FedRAMP Moderate Security Controls → 💼 SC-28 Protection of Information at Rest (L)(M)(H)	1		36		no data
💼 FedRAMP Moderate Security Controls → 💼 SC-28(1) Cryptographic Protection (L)(M)(H)			25		no data
💼 NIST CSF v2.0 → 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected			187		no data
💼 NIST CSF v2.0 → 💼 PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected			160		no data
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected			184		no data
💼 NIST SP 800-53 Revision 5 → 💼 CA-9(1) Internal System Connections _ Compliance Checks			54		no data
💼 NIST SP 800-53 Revision 5 → 💼 CM-3(6) Configuration Change Control _ Cryptography Management			17		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(10) Boundary Protection _ Prevent Exfiltration			18		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-13 Cryptographic Protection	4		32		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-28 Protection of Information at Rest	3	17	37		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-28(1) Protection of Information at Rest _ Cryptographic Protection		10	25		no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-7(6) Software, Firmware, and Information Integrity _ Cryptographic Protection			27		no data