🛡️ AWS RDS Snapshot is not encrypted🟢

• Contextual name: 🛡️ Snapshot is not encrypted🟢
• ID: /ce/ca/aws/rds/snapshot-encryption
• Tags:
  • 🟢 Policy with categories
  • 🟢 Policy with type
  • 🟢 Production policy
• Policy Type: COMPLIANCE_POLICY
• Policy Categories: SECURITY

Logic

• 🧠 prod.logic.yaml🟢
  • 📗 AWS RDS Snapshot
  • 🔌 AWS RDS Snapshot - object.extracts.yaml
  • 🧪 test-data.json

Similar Policies

• AWS Security Hub: [RDS.4] RDS cluster snapshots and database snapshots should be encrypted at rest
• AWS Security Hub: [Neptune.6] Neptune DB cluster snapshots should be encrypted at rest

Description

Open File

Description

This policy identifies AWS RDS cluster and database Snapshots that are not encrypted.

Rationale

RDS snapshots contain full backups of databases, including potentially sensitive data. If an unencrypted snapshot is inadvertently shared or if its underlying storage is compromised, the data may be exposed to unauthorized access. Enforcing encryption helps ensure that backup data remains protected, maintaining the confidentiality and integrity of stored information.

Audit

This policy marks an AWS RDS Snapshot as INCOMPLIANT if the snapshot's Encrypted checkbox is set to false.

The Snapshot is marked as INAPPLICABLE if its Status is not available.

Remediation

Open File

Remediation

Encrypt a Snapshot

To encrypt an unencrypted AWS RDS snapshot, create an encrypted copy of the existing snapshot using a KMS key, then remove the original unencrypted version.

From Command Line

1. Create an encrypted copy of the snapshot:

   aws rds copy-db-snapshot \
       --source-db-snapshot-identifier {{source-snapshot-id}} \
       --target-db-snapshot-identifier {{new-snapshot-id}} \
       --kms-key-id {{kms-key-id}} \
       --copy-option-group \
       --copy-tags \
       --region {{region}}
        

2. Delete the original unencrypted snapshot (optional):

   Once you have confirmed that the encrypted snapshot is available, delete the original unencrypted snapshot.

   aws rds delete-db-snapshot \
       --db-snapshot-identifier {{source-snapshot-id}} \
       --region {{region}}

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [Neptune.6] Neptune DB cluster snapshots should be encrypted at rest			1		no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [RDS.4] RDS cluster snapshots and database snapshots should be encrypted at rest			1		no data
💼 AWS Well-Architected → 💼 SEC08-BP02 Enforce encryption at rest			20		no data
💼 Cloudaware Framework → 💼 Data Encryption			70		no data
💼 FedRAMP High Security Controls → 💼 CM-3(6) Cryptography Management (H)			17		no data
💼 FedRAMP High Security Controls → 💼 SC-7(10) Prevent Exfiltration (H)			18		no data
💼 FedRAMP High Security Controls → 💼 SC-7(18) Fail Secure (M)(H)			1		no data
💼 FedRAMP High Security Controls → 💼 SC-13 Cryptographic Protection (L)(M)(H)		16	43		no data
💼 FedRAMP High Security Controls → 💼 SC-28 Protection of Information at Rest (L)(M)(H)	1	7	36		no data
💼 FedRAMP High Security Controls → 💼 SC-28(1) Cryptographic Protection (L)(M)(H)		5	25		no data
💼 FedRAMP Low Security Controls → 💼 SC-13 Cryptographic Protection (L)(M)(H)			43		no data
💼 FedRAMP Low Security Controls → 💼 SC-28 Protection of Information at Rest (L)(M)(H)	1		36		no data
💼 FedRAMP Low Security Controls → 💼 SC-28(1) Cryptographic Protection (L)(M)(H)			25		no data
💼 FedRAMP Moderate Security Controls → 💼 SC-7(18) Fail Secure (M)(H)			1		no data
💼 FedRAMP Moderate Security Controls → 💼 SC-13 Cryptographic Protection (L)(M)(H)			43		no data
💼 FedRAMP Moderate Security Controls → 💼 SC-28 Protection of Information at Rest (L)(M)(H)	1		36		no data
💼 FedRAMP Moderate Security Controls → 💼 SC-28(1) Cryptographic Protection (L)(M)(H)			25		no data
💼 NIST CSF v2.0 → 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected			187		no data
💼 NIST CSF v2.0 → 💼 PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected			160		no data
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected			184		no data
💼 NIST SP 800-53 Revision 5 → 💼 CA-9(1) Internal System Connections _ Compliance Checks			54		no data
💼 NIST SP 800-53 Revision 5 → 💼 CM-3(6) Configuration Change Control _ Cryptography Management			17		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(10) Boundary Protection _ Prevent Exfiltration			18		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(18) Boundary Protection _ Fail Secure			1		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-13 Cryptographic Protection	4		32		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-28 Protection of Information at Rest	3	17	37		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-28(1) Protection of Information at Rest _ Cryptographic Protection		10	25		no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-7(6) Software, Firmware, and Information Integrity _ Cryptographic Protection			27		no data