🛡️ AWS RDS Instance Encryption is not enabled🟢

• Contextual name: 🛡️ Instance Encryption is not enabled🟢
• ID: /ce/ca/aws/rds/instance-encryption
• Tags:
  • 🟢 Policy with categories
  • 🟢 Policy with type
  • 🟢 Production policy
• Policy Type: COMPLIANCE_POLICY
• Policy Categories: SECURITY

Logic

• 🧠 prod.logic.yaml🟢
  • 📗 AWS RDS Instance
  • 🔌 AWS RDS Instance - object.extracts.yaml
  • 🧪 test-data.json

Similar Policies

• Cloud Conformity: RDS Encryption Enabled
• Internal: dec-x-6ba5ecd2

Similar Internal Rules

Rule	Policies	Flags
✉️ dec-x-6ba5ecd2	1

Description

Open File

Description

Amazon RDS encrypted DB instances use the industry standard AES-256 encryption algorithm to encrypt data on the server that hosts your Amazon RDS DB instances. After your data is encrypted, Amazon RDS handles access authentication and data decryption transparently with minimal impact on performance.

Rationale

Databases often hold sensitive and critical data, so it is highly recommended to implement encryption to protect your data from unauthorized access or disclosure. With RDS encryption enabled, data stored on the instance's underlying storage, automated backups, read replicas, and snapshots are all encrypted.

Audit

From Console

1. Log in to the AWS Management Console and open the RDS dashboard at https://console.aws.amazon.com/rds/.
2. In the navigation pane, click Databases.
3. Select the RDS instance that you want to examine.
4. Click the instance name to see details, then click the Configuration tab.
5. Under the Configuration Details section, in the Storage pane, find the Encryption Enabled status.

... see more

Remediation

Open File

Remediation

From Console

1. Log in to the AWS Management Console and open the RDS dashboard at https://console.aws.amazon.com/rds/.

2. In the left navigation panel, click Databases.

3. Select the database instance that needs to be encrypted.

4. Click the Actions button at the top right and select Take Snapshot.

5. On the Take Snapshot page, enter a name for the snapshot in the Snapshot Name field and click Take Snapshot.

6. Select the newly created snapshot, click the Actions button at the top right, and select Copy snapshot from the menu.

7. On the Make Copy of DB Snapshot page, perform the following:

   • In the New DB Snapshot Identifier field, enter a name for the new snapshot.
   • Check Copy Tags. The new snapshot must have the same tags as the source snapshot.
   • Select Yes from the Enable Encryption dropdown list to enable encryption. You can choose the AWS default encryption key or a custom key from the Master Key dropdown list.

8. Click Copy Snapshot to create an encrypted copy of the selected instance snapshot.

... see more

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 APRA CPG 234 → 💼 52c appropriate encryption, cleansing and auditing of devices;		10	10		no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [RDS.3] RDS DB instances should have encryption at-rest enabled		1	1		no data
💼 AWS Well-Architected → 💼 SEC08-BP02 Enforce encryption at rest			20		no data
💼 CIS AWS v1.4.0 → 💼 2.3.1 Ensure that encryption is enabled for RDS Instances		1	1		no data
💼 CIS AWS v1.5.0 → 💼 2.3.1 Ensure that encryption is enabled for RDS Instances - Level 1 (Automated)		1	1		no data
💼 CIS AWS v2.0.0 → 💼 2.3.1 Ensure that encryption-at-rest is enabled for RDS Instances - Level 1 (Automated)		1	1		no data
💼 CIS AWS v3.0.0 → 💼 2.3.1 Ensure that encryption-at-rest is enabled for RDS Instances - Level 1 (Automated)		1	1		no data
💼 CIS AWS v4.0.0 → 💼 2.2.1 Ensure that encryption-at-rest is enabled for RDS instances (Automated)			1		no data
💼 CIS AWS v4.0.1 → 💼 2.2.1 Ensure that encryption-at-rest is enabled for RDS instances (Automated)			1		no data
💼 CIS AWS v5.0.0 → 💼 2.2.1 Ensure that encryption-at-rest is enabled for RDS instances (Automated)			1		no data
💼 CIS AWS v6.0.0 → 💼 3.2.1 Ensure that encryption-at-rest is enabled for RDS instances (Automated)			1		no data
💼 Cloudaware Framework → 💼 Data Encryption			70		no data
💼 FedRAMP High Security Controls → 💼 AC-4(4) Flow Control of Encrypted Information (H)		26	27		no data
💼 FedRAMP High Security Controls → 💼 CM-3(6) Cryptography Management (H)			17		no data
💼 FedRAMP High Security Controls → 💼 SC-7(10) Prevent Exfiltration (H)			18		no data
💼 FedRAMP High Security Controls → 💼 SC-13 Cryptographic Protection (L)(M)(H)		16	43		no data
💼 FedRAMP High Security Controls → 💼 SC-28 Protection of Information at Rest (L)(M)(H)	1	7	36		no data
💼 FedRAMP High Security Controls → 💼 SC-28(1) Cryptographic Protection (L)(M)(H)		5	25		no data
💼 FedRAMP Low Security Controls → 💼 SC-13 Cryptographic Protection (L)(M)(H)			43		no data
💼 FedRAMP Low Security Controls → 💼 SC-28 Protection of Information at Rest (L)(M)(H)	1		36		no data
💼 FedRAMP Low Security Controls → 💼 SC-28(1) Cryptographic Protection (L)(M)(H)			25		no data
💼 FedRAMP Moderate Security Controls → 💼 SC-13 Cryptographic Protection (L)(M)(H)			43		no data
💼 FedRAMP Moderate Security Controls → 💼 SC-28 Protection of Information at Rest (L)(M)(H)	1		36		no data
💼 FedRAMP Moderate Security Controls → 💼 SC-28(1) Cryptographic Protection (L)(M)(H)			25		no data
💼 GDPR → 💼 Art. 25 Data protection by design and by default		10	10		no data
💼 GDPR → 💼 Art. 32 Security of processing		5	5		no data
💼 ISO/IEC 27001:2013 → 💼 A.10.1.1 Policy on the use of cryptographic controls		18	19		no data
💼 ISO/IEC 27001:2022 → 💼 5.33 Protection of records		10	15		no data
💼 NIST CSF v1.1 → 💼 PR.DS-1: Data-at-rest is protected		15	30		no data
💼 NIST CSF v1.1 → 💼 PR.DS-5: Protections against data leaks are implemented		47	91		no data
💼 NIST CSF v2.0 → 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected			187		no data
💼 NIST CSF v2.0 → 💼 PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected			160		no data
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected			184		no data
💼 NIST SP 800-53 Revision 4 → 💼 SC-28 PROTECTION OF INFORMATION AT REST	2	3	3		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-4(2) Information Flow Enforcement _ Processing Domains		31	33		no data
💼 NIST SP 800-53 Revision 5 → 💼 CA-9(1) Internal System Connections _ Compliance Checks			54		no data
💼 NIST SP 800-53 Revision 5 → 💼 CM-3(6) Configuration Change Control _ Cryptography Management			17		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(10) Boundary Protection _ Prevent Exfiltration			18		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-13 Cryptographic Protection	4		32		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-28 Protection of Information at Rest	3	17	37		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-28(1) Protection of Information at Rest _ Cryptographic Protection		10	25		no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-7(6) Software, Firmware, and Information Integrity _ Cryptographic Protection			27		no data
💼 PCI DSS v3.2.1 → 💼 3.4.1 If disk encryption is used, logical access must be managed separately and independently of native operating system authentication and access control mechanisms.		7	12		no data
💼 PCI DSS v4.0.1 → 💼 3.3.2 SAD that is stored electronically prior to completion of authorization is encrypted using strong cryptography.			13		no data
💼 PCI DSS v4.0.1 → 💼 3.5.1.3 If disk-level or partition-level encryption is used (rather than file-, column-, or field--level database encryption) to render PAN unreadable.			12		no data
💼 PCI DSS v4.0 → 💼 3.3.2 SAD that is stored electronically prior to completion of authorization is encrypted using strong cryptography.		8	13		no data
💼 PCI DSS v4.0 → 💼 3.5.1.3 If disk-level or partition-level encryption is used (rather than file-, column-, or field--level database encryption) to render PAN unreadable.			12		no data
💼 SOC 2 → 💼 CC6.1-10 Uses Encryption to Protect Data		6	11		no data