AWS RDS Snapshot is not encrypted
- Contextual name: Snapshot is not encrypted
- ID: /ce/ca/aws/rds/snapshot-encryption
- Tags:
  - Policy with categories
  - Policy with type
  - Production policy
- Policy Type: COMPLIANCE_POLICY
- Policy Categories: SECURITY
Logic
- prod.logic.yaml
Similar Policies
- AWS Security Hub: [RDS.4] RDS cluster snapshots and database snapshots should be encrypted at rest
- AWS Security Hub: [Neptune.6] Neptune DB cluster snapshots should be encrypted at rest
Description
This policy identifies AWS RDS cluster and database Snapshots that are not encrypted.
Rationale
RDS snapshots contain full backups of databases, including potentially sensitive data. If an unencrypted snapshot is inadvertently shared or if its underlying storage is compromised, the data may be exposed to unauthorized access. Enforcing encryption helps ensure that backup data remains protected, maintaining the confidentiality and integrity of stored information.
Audit
This policy marks an AWS RDS Snapshot as INCOMPLIANT if the snapshot's Encrypted checkbox is set to false. The Snapshot is marked as INAPPLICABLE if its Status is not available.
Remediation
Encrypt a Snapshot
To encrypt an unencrypted AWS RDS snapshot, create an encrypted copy of the existing snapshot using a KMS key, then remove the original unencrypted version.
From Command Line
Create an encrypted copy of the snapshot:
aws rds copy-db-snapshot \
--source-db-snapshot-identifier {{source-snapshot-id}} \
--target-db-snapshot-identifier {{new-snapshot-id}} \
--kms-key-id {{kms-key-id}} \
--copy-option-group \
--copy-tags \
--region {{region}}
Delete the original unencrypted snapshot (optional):
Once you have confirmed that the encrypted snapshot is available, delete the original unencrypted snapshot.
aws rds delete-db-snapshot \
--db-snapshot-identifier {{source-snapshot-id}} \
--region {{region}}
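The audit rule and the copy-then-delete remediation above, as an added Python example that is not part of this policy page or its tooling. It assumes boto3's RDS client method names (copy_db_snapshot, the db_snapshot_available waiter, delete_db_snapshot); the FakeRds class and the SAMPLE records are constructed so it runs offline, and the KMS key alias and the "-encrypted" naming convention are placeholders.

```python
# Added example: evaluate describe-db-snapshots records and remediate safely.
COMPLIANT, INCOMPLIANT, INAPPLICABLE = "COMPLIANT", "INCOMPLIANT", "INAPPLICABLE"

def evaluate(snapshot: dict) -> str:
    """Policy logic: only 'available' snapshots are judged; Encrypted=false fails."""
    if snapshot.get("Status") != "available":
        return INAPPLICABLE
    return COMPLIANT if snapshot.get("Encrypted") else INCOMPLIANT

def audit(snapshots: list) -> dict:
    """Map each snapshot identifier to its compliance state."""
    return {s["DBSnapshotIdentifier"]: evaluate(s) for s in snapshots}

def remediate(rds, snapshot: dict, kms_key_id: str, delete_original: bool = False) -> str:
    """Create an encrypted copy; delete the source only after the copy is available."""
    src = snapshot["DBSnapshotIdentifier"]
    dst = f"{src}-encrypted"  # assumed naming convention for the new snapshot
    rds.copy_db_snapshot(
        SourceDBSnapshotIdentifier=src,
        TargetDBSnapshotIdentifier=dst,
        KmsKeyId=kms_key_id,
        CopyOptionGroup=True,
        CopyTags=True,
    )
    # Deleting the source before the copy finishes would lose the backup entirely.
    rds.get_waiter("db_snapshot_available").wait(DBSnapshotIdentifier=dst)
    if delete_original:
        rds.delete_db_snapshot(DBSnapshotIdentifier=src)
    return dst

class FakeRds:
    """Constructed stand-in for boto3's RDS client that records the calls made."""
    def __init__(self):
        self.calls = []
    def copy_db_snapshot(self, **kw):
        self.calls.append(("copy", kw))
    def get_waiter(self, name):
        self.calls.append(("wait", name))
        return self
    def wait(self, **kw):
        pass  # a real waiter polls until the snapshot status is 'available'
    def delete_db_snapshot(self, **kw):
        self.calls.append(("delete", kw))

SAMPLE = [  # constructed describe-db-snapshots records, not real account data
    {"DBSnapshotIdentifier": "orders-2024-05-01", "Status": "available", "Encrypted": False},
    {"DBSnapshotIdentifier": "orders-2024-05-02", "Status": "available", "Encrypted": True},
    {"DBSnapshotIdentifier": "orders-2024-05-03", "Status": "creating", "Encrypted": False},
]
```

Passing a real boto3 RDS client (boto3.client("rds")) in place of FakeRds runs the same copy, wait and delete sequence against the account.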