
🛡️ AWS RDS Instance Encryption is not enabled 🟢

Similar Internal Rules

Rule | Policies | Flags
✉️ dec-x-6ba5ecd21 | |

Description

Amazon RDS encrypted DB instances use the industry-standard AES-256 algorithm to encrypt your data on the server that hosts the DB instance, with the key managed in AWS KMS. Once the data is encrypted, Amazon RDS handles authentication of access and decryption transparently, with minimal impact on performance.

Rationale

Databases are likely to hold sensitive and critical data, so encryption at rest is strongly recommended to protect that data from unauthorized access or disclosure if the underlying storage, a backup or a snapshot is ever exposed. With RDS encryption enabled, the data on the instance's underlying storage, its automated backups, read replicas and snapshots are all encrypted with the same KMS key (a cross-region replica or snapshot copy is re-encrypted with a key in the destination region). Two caveats matter in practice: encryption can only be chosen when an instance is created, so an existing unencrypted instance has to be migrated through an encrypted snapshot copy (see Remediation); and encryption at rest does not protect data from anyone holding valid database credentials or IAM permissions to snapshot and restore the instance, so it complements access control rather than replacing it.

Audit

From Console
  1. Log in to the AWS Management Console and open the RDS dashboard at https://console.aws.amazon.com/rds/.
  2. In the navigation pane, click Databases.
  3. Select the RDS instance that you want to examine.
  4. Click the instance name to open its details, then open the Configuration tab.
  5. In the Storage pane of the Configuration tab, check the Encryption status. Anything other than Enabled means data at rest is not encrypted and the instance fails this rule.
  6. Repeat for every instance in each region in use; the check is per instance, and a read replica reports the encryption state of its source.

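The same check, scripted: the following is an added example (not Cloudaware's rule logic and not AWS code) that evaluates the JSON returned by `aws rds describe-db-instances --output json` (or boto3's `describe_db_instances`), so it runs against a saved export or in a pipeline without console access. The `DBInstances` sample embedded in it is constructed, not real account data; the field names (`StorageEncrypted`, `KmsKeyId`, `ReadReplicaSourceDBInstanceIdentifier`) are the ones the RDS API returns.

```python
"""Offline check of `aws rds describe-db-instances` output for this rule.

Usage: aws rds describe-db-instances --output json | python rds_audit.py
Run with no piped input to evaluate the constructed sample below.
"""
import io
import json
import sys

# Constructed sample output (not from a real account): one compliant
# instance, an unencrypted primary with an unencrypted replica, and one
# instance where the StorageEncrypted field is missing entirely.
SAMPLE_DESCRIBE_OUTPUT = {
    "DBInstances": [
        {
            "DBInstanceIdentifier": "orders-prod",
            "Engine": "postgres",
            "StorageEncrypted": True,
            "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
        },
        {"DBInstanceIdentifier": "legacy-reporting", "Engine": "mysql", "StorageEncrypted": False},
        {
            "DBInstanceIdentifier": "legacy-reporting-replica",
            "Engine": "mysql",
            "StorageEncrypted": False,
            "ReadReplicaSourceDBInstanceIdentifier": "legacy-reporting",
        },
        {"DBInstanceIdentifier": "scratch-db", "Engine": "mariadb"},
    ]
}


def audit_instances(describe_output):
    """Return {"failing": [...], "passing": [...]} for this rule.

    Fail-closed: an instance whose StorageEncrypted field is absent is
    treated as unencrypted. A read replica cannot be encrypted on its own
    (its state follows the source), so its finding names the source
    instance as the place to remediate.
    """
    failing, passing = [], []
    for db in describe_output.get("DBInstances", []):
        ident = db["DBInstanceIdentifier"]
        if db.get("StorageEncrypted") is True:
            passing.append({"id": ident, "kms_key_id": db.get("KmsKeyId")})
            continue
        source = db.get("ReadReplicaSourceDBInstanceIdentifier")
        failing.append({
            "id": ident,
            "engine": db.get("Engine"),
            "field_present": "StorageEncrypted" in db,
            "remediate_on": source if source else ident,
        })
    return {"failing": failing, "passing": passing}


def main(stream):
    """Print one line per instance; exit status 1 if anything fails."""
    report = audit_instances(json.load(stream))
    for f in report["failing"]:
        note = ""
        if f["remediate_on"] != f["id"]:
            note = f" (replica; re-encrypt source {f['remediate_on']} first)"
        print(f"FAIL {f['id']} engine={f['engine']}{note}")
    for p in report["passing"]:
        print(f"PASS {p['id']} key={p['kms_key_id']}")
    return 1 if report["failing"] else 0


if __name__ == "__main__":
    if sys.stdin.isatty():  # nothing piped in: evaluate the constructed sample
        sys.exit(main(io.StringIO(json.dumps(SAMPLE_DESCRIBE_OUTPUT))))
    sys.exit(main(sys.stdin))
```

The non-zero exit status makes the script usable as a CI or scheduled gate; run it once per region, since `describe-db-instances` is regional.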

Remediation

From Console

  1. Log in to the AWS Management Console and open the RDS dashboard at https://console.aws.amazon.com/rds/.

  2. In the left navigation panel, click Databases.

  3. Select the database instance that needs to be encrypted.

  4. Click the Actions button at the top right and select Take Snapshot.

  5. On the Take Snapshot page, enter a name for the snapshot in the Snapshot Name field and click Take Snapshot. This snapshot is unencrypted, like its source, so delete it once the migration has been verified.

  6. Select the newly created snapshot, click the Actions button at the top right and select Copy Snapshot.

  7. On the Make Copy of DB Snapshot page:

    • In the New DB Snapshot Identifier field, enter a name for the new snapshot.
    • Check Copy Tags so the copy carries the same tags as the source snapshot.
    • Set Enable Encryption to Yes and pick the key from the Master Key list: either the AWS managed key (aws/rds) or a customer managed key. Use a customer managed key if the snapshot may ever need to be shared with another account, because snapshots encrypted with the AWS managed key cannot be shared.

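The console procedure above, driven through the RDS API instead, as an added example that is neither the page's nor AWS's own tooling. It carries the procedure on to the restore step, which is the standard AWS route for an instance that cannot be encrypted in place, and then verifies the result. It assumes the boto3 RDS client methods `create_db_snapshot`, `copy_db_snapshot`, `restore_db_instance_from_db_snapshot`, `describe_db_instances` and `get_waiter`; the instance identifier and KMS key are placeholders, and `RecordingRdsClient` is an offline stand-in written for the dry run, not part of boto3.

```python
"""Encrypt an existing RDS DB instance by the snapshot-copy route.

Dry run by default against an offline stand-in client; swap in
boto3.client("rds") for a real run (same method names and arguments).
"""
import time


class RecordingRdsClient:
    """Offline stand-in for boto3.client("rds") that records each call."""

    def __init__(self, encrypted=None):
        self.calls = []
        self.encrypted = dict(encrypted or {})  # instance id -> StorageEncrypted

    def describe_db_instances(self, DBInstanceIdentifier):
        return {"DBInstances": [{
            "DBInstanceIdentifier": DBInstanceIdentifier,
            "StorageEncrypted": self.encrypted.get(DBInstanceIdentifier, False),
        }]}

    def create_db_snapshot(self, **kw):
        self.calls.append(("create_db_snapshot", kw))
        return {}

    def copy_db_snapshot(self, **kw):
        self.calls.append(("copy_db_snapshot", kw))
        return {}

    def restore_db_instance_from_db_snapshot(self, **kw):
        self.calls.append(("restore_db_instance_from_db_snapshot", kw))
        # Models RDS behaviour: an instance restored from an encrypted
        # snapshot is encrypted with the snapshot's key.
        self.encrypted[kw["DBInstanceIdentifier"]] = True
        return {}

    def get_waiter(self, name):
        self.calls.append(("wait", name))

        class _NoWait:
            def wait(self, **kw):
                return None

        return _NoWait()


def encrypt_via_snapshot(rds, instance_id, kms_key_id, suffix=None):
    """Snapshot -> encrypted copy -> restore -> verify. Returns the new id.

    Refuses to run on an already-encrypted instance and fails if the
    restored instance does not report StorageEncrypted. Cut-over (endpoint
    swap or rename, deleting the old instance and the plain snapshot) is
    left to the operator because it needs a write freeze on the application.
    """
    src = rds.describe_db_instances(DBInstanceIdentifier=instance_id)["DBInstances"][0]
    if src.get("StorageEncrypted"):
        raise ValueError(f"{instance_id} is already encrypted; nothing to do")

    suffix = suffix or time.strftime("%Y%m%d%H%M%S")
    plain_snapshot = f"{instance_id}-plain-{suffix}"
    encrypted_snapshot = f"{instance_id}-encrypted-{suffix}"
    new_instance = f"{instance_id}-encrypted"

    # Step 1: snapshot the unencrypted instance (the snapshot is unencrypted too).
    rds.create_db_snapshot(DBInstanceIdentifier=instance_id, DBSnapshotIdentifier=plain_snapshot)
    rds.get_waiter("db_snapshot_available").wait(DBSnapshotIdentifier=plain_snapshot)

    # Step 2: copy it with encryption. KmsKeyId is where the key is chosen;
    # use a customer managed key if the snapshot may be shared cross-account.
    rds.copy_db_snapshot(
        SourceDBSnapshotIdentifier=plain_snapshot,
        TargetDBSnapshotIdentifier=encrypted_snapshot,
        KmsKeyId=kms_key_id,
        CopyTags=True,
    )
    rds.get_waiter("db_snapshot_available").wait(DBSnapshotIdentifier=encrypted_snapshot)

    # Step 3: restore. No KmsKeyId here: a DB instance restored from an
    # encrypted snapshot is encrypted with the snapshot's key.
    rds.restore_db_instance_from_db_snapshot(
        DBInstanceIdentifier=new_instance, DBSnapshotIdentifier=encrypted_snapshot
    )
    rds.get_waiter("db_instance_available").wait(DBInstanceIdentifier=new_instance)

    # Step 4: verify the outcome rather than trusting the sequence of calls.
    new = rds.describe_db_instances(DBInstanceIdentifier=new_instance)["DBInstances"][0]
    if not new.get("StorageEncrypted"):
        raise RuntimeError(f"{new_instance} was restored but does not report StorageEncrypted")
    return new_instance


if __name__ == "__main__":
    # Dry run. For a real run: import boto3; rds = boto3.client("rds", region_name="us-east-1")
    rds = RecordingRdsClient()
    created = encrypt_via_snapshot(rds, "legacy-reporting", "alias/aws/rds", suffix="20240101")
    for name, args in rds.calls:
        print(name, args)
    print("restored encrypted instance:", created)
```

In a real run, pass the source's network and parameter settings (`DBSubnetGroupName`, `VpcSecurityGroupIds`, `DBParameterGroupName`, `MultiAZ`) to `restore_db_instance_from_db_snapshot`, since a restore otherwise falls back to defaults; and re-create any read replicas from the new encrypted instance, because a replica cannot have a different encryption state from its source.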


Linked Framework Sections

Section | Sub Sections / Internal Rules / Policies / Flags | Compliance
💼 APRA CPG 234 → 💼 52c appropriate encryption, cleansing and auditing of devices; | 99 | no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [RDS.3] RDS DB instances should have encryption at-rest enabled | 11 | no data
💼 CIS AWS v1.4.0 → 💼 2.3.1 Ensure that encryption is enabled for RDS Instances | 11 | no data
💼 CIS AWS v1.5.0 → 💼 2.3.1 Ensure that encryption is enabled for RDS Instances - Level 1 (Automated) | 11 | no data
💼 CIS AWS v2.0.0 → 💼 2.3.1 Ensure that encryption-at-rest is enabled for RDS Instances - Level 1 (Automated) | 11 | no data
💼 CIS AWS v3.0.0 → 💼 2.3.1 Ensure that encryption-at-rest is enabled for RDS Instances - Level 1 (Automated) | 11 | no data
💼 CIS AWS v4.0.0 → 💼 2.2.1 Ensure that encryption-at-rest is enabled for RDS instances (Automated) | 1 | no data
💼 CIS AWS v4.0.1 → 💼 2.2.1 Ensure that encryption-at-rest is enabled for RDS instances (Automated) | 1 | no data
💼 CIS AWS v5.0.0 → 💼 2.2.1 Ensure that encryption-at-rest is enabled for RDS instances (Automated) | 1 | no data
💼 CIS AWS v6.0.0 → 💼 3.2.1 Ensure that encryption-at-rest is enabled for RDS instances (Automated) | 1 | no data
💼 Cloudaware Framework → 💼 Data Encryption | 44 | no data
💼 FedRAMP High Security Controls → 💼 AC-4(4) Flow Control of Encrypted Information (H) | 2526 | no data
💼 FedRAMP High Security Controls → 💼 CM-3(6) Cryptography Management (H) | 6 | no data
💼 FedRAMP High Security Controls → 💼 SC-7(10) Prevent Exfiltration (H) | 6 | no data
💼 FedRAMP High Security Controls → 💼 SC-13 Cryptographic Protection (L)(M)(H) | 1624 | no data
💼 FedRAMP High Security Controls → 💼 SC-28 Protection of Information at Rest (L)(M)(H) | 1724 | no data
💼 FedRAMP High Security Controls → 💼 SC-28(1) Cryptographic Protection (L)(M)(H) | 514 | no data
💼 FedRAMP Low Security Controls → 💼 SC-13 Cryptographic Protection (L)(M)(H) | 24 | no data
💼 FedRAMP Low Security Controls → 💼 SC-28 Protection of Information at Rest (L)(M)(H) | 124 | no data
💼 FedRAMP Low Security Controls → 💼 SC-28(1) Cryptographic Protection (L)(M)(H) | 14 | no data
💼 FedRAMP Moderate Security Controls → 💼 SC-13 Cryptographic Protection (L)(M)(H) | 24 | no data
💼 FedRAMP Moderate Security Controls → 💼 SC-28 Protection of Information at Rest (L)(M)(H) | 124 | no data
💼 FedRAMP Moderate Security Controls → 💼 SC-28(1) Cryptographic Protection (L)(M)(H) | 14 | no data
💼 GDPR → 💼 Art. 25 Data protection by design and by default | 1010 | no data
💼 GDPR → 💼 Art. 32 Security of processing | 55 | no data
💼 ISO/IEC 27001:2013 → 💼 A.10.1.1 Policy on the use of cryptographic controls | 1819 | no data
💼 ISO/IEC 27001:2022 → 💼 5.33 Protection of records | 1015 | no data
💼 NIST CSF v1.1 → 💼 PR.DS-1: Data-at-rest is protected | 1530 | no data
💼 NIST CSF v1.1 → 💼 PR.DS-5: Protections against data leaks are implemented | 4791 | no data
💼 NIST CSF v2.0 → 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected | 148 | no data
💼 NIST CSF v2.0 → 💼 PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected | 125 | no data
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected | 142 | no data
💼 NIST SP 800-53 Revision 4 → 💼 SC-28 PROTECTION OF INFORMATION AT REST | 233 | no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-4(2) Information Flow Enforcement _ Processing Domains | 3032 | no data
💼 NIST SP 800-53 Revision 5 → 💼 CA-9(1) Internal System Connections _ Compliance Checks | 25 | no data
💼 NIST SP 800-53 Revision 5 → 💼 CM-3(6) Configuration Change Control _ Cryptography Management | 6 | no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(10) Boundary Protection _ Prevent Exfiltration | 6 | no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-13 Cryptographic Protection | 413 | no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-28 Protection of Information at Rest | 31625 | no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-28(1) Protection of Information at Rest _ Cryptographic Protection | 1014 | no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-7(6) Software, Firmware, and Information Integrity _ Cryptographic Protection | 12 | no data
💼 PCI DSS v3.2.1 → 💼 3.4.1 If disk encryption is used, logical access must be managed separately and independently of native operating system authentication and access control mechanisms. | 712 | no data
💼 PCI DSS v4.0.1 → 💼 3.3.2 SAD that is stored electronically prior to completion of authorization is encrypted using strong cryptography. | 13 | no data
💼 PCI DSS v4.0.1 → 💼 3.5.1.3 If disk-level or partition-level encryption is used (rather than file-, column-, or field-level database encryption) to render PAN unreadable. | 12 | no data
💼 PCI DSS v4.0 → 💼 3.3.2 SAD that is stored electronically prior to completion of authorization is encrypted using strong cryptography. | 813 | no data
💼 PCI DSS v4.0 → 💼 3.5.1.3 If disk-level or partition-level encryption is used (rather than file-, column-, or field-level database encryption) to render PAN unreadable. | 12 | no data
💼 SOC 2 → 💼 CC6.1-10 Uses Encryption to Protect Data | 611 | no data