lacework-global-52
2.3.1 Enable encryption for Relational Database Service (RDS) Instances (Automated)
Profile Applicability
• Level 1
Description
Amazon RDS encrypted DB instances use the industry standard AES-256 encryption algorithm to encrypt your data on the server that hosts your Amazon RDS DB instances. After encrypting your data, Amazon RDS handles authentication of access and decryption of your data transparently with a minimal impact on performance.
Rationale
Databases are likely to hold sensitive and critical data, so it is highly recommended to implement encryption in order to protect your data from unauthorized access or disclosure. With RDS encryption enabled, the data stored on the instance's underlying storage, the automated backups, read replicas, and snapshots are all encrypted.
Audit
From Console
- Login to the AWS Management Console and open the RDS dashboard at https://console.aws.amazon.com/rds/
- In the navigation pane, under RDS dashboard, click Databases.
- Select the RDS Instance that you want to examine.
- Click the Instance Name to see its details, then click the Configuration tab.
- Under the Configuration Details section, in the Storage pane, look for the Encryption Enabled status.
- If the current status is set to Disabled, encryption is not enabled for the selected RDS database instance.
- Repeat steps 3 to 7 to verify the encryption status of the other RDS Instances in the same region.
- Change region from the top of the navigation bar and repeat the audit for other regions.
From Command Line
- Run the describe-db-instances command to list all RDS database instances available in the selected AWS region. The output returns each database instance identifier.
aws rds describe-db-instances --region <region-name> --query 'DBInstances[*].DBInstanceIdentifier'
- Run describe-db-instances again, using an RDS Instance identifier returned earlier, to determine whether the selected database instance is encrypted. The command output returns the encryption status as True or False.
aws rds describe-db-instances --region <region-name> --db-instance-identifier <DB-Name> --query 'DBInstances[*].StorageEncrypted'
- If the StorageEncrypted parameter value is False, encryption is not enabled for the selected RDS database instance.
- Repeat steps 1 to 3 to audit each RDS Instance, and change the region to verify the other regions.
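The command-line audit above, automated across every region with the same StorageEncrypted check. This is an added example, not part of the benchmark text; it assumes boto3 for a live run, and the functions accept any client or session object that exposes the same method names, so the logic can be exercised without AWS access.

```python
"""Multi-region audit of RDS storage encryption, automating the
describe-db-instances / StorageEncrypted check above (added example,
not part of the benchmark text; assumes boto3 for the live run)."""


def unencrypted_db_instances(rds):
    """Return the identifiers of DB instances whose StorageEncrypted is
    not True. rds is a boto3 RDS client or any object with the same
    describe_db_instances() method.

    describe-db-instances pages its results with a Marker token, which
    the one-shot CLI call above does not follow; this loop does, so
    instances beyond the first page are not missed.
    """
    findings = []
    kwargs = {}
    while True:
        page = rds.describe_db_instances(**kwargs)
        for db in page.get("DBInstances", []):
            # Only an explicit True counts as encrypted; a missing key
            # is reported as a finding rather than silently passed.
            if db.get("StorageEncrypted") is not True:
                findings.append(db["DBInstanceIdentifier"])
        marker = page.get("Marker")
        if not marker:
            return findings
        kwargs = {"Marker": marker}


def audit_all_regions(session):
    """Map region name -> unencrypted instance identifiers for every
    region where RDS is offered (session is a boto3.Session or a
    look-alike exposing get_available_regions() and client())."""
    report = {}
    for region in session.get_available_regions("rds"):
        bad = unencrypted_db_instances(session.client("rds", region_name=region))
        if bad:
            report[region] = bad
    return report


if __name__ == "__main__":
    import boto3  # live run only; the functions above need no network

    for region, names in audit_all_regions(boto3.Session()).items():
        for name in names:
            print(f"{region}: {name} StorageEncrypted=False")
```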
Remediation
From Console
- Login to the AWS Management Console and open the RDS dashboard at https://console.aws.amazon.com/rds/.
- In the left navigation panel, click Databases.
- Select the database instance to encrypt.
- Click the Actions button placed at the top right and select Take Snapshot.
- On the Take Snapshot page, enter a name for the snapshot of the database in the Snapshot Name field and click Take Snapshot.
- Select the newly created snapshot, click the Action button placed at the top right and select Copy snapshot from the Action menu.
- On the Make Copy of DB Snapshot page, perform the following:
  - In the New DB Snapshot Identifier field, enter a name for the new snapshot.
  - Check Copy Tags; the new snapshot must have the same tags as the source snapshot.
  - Select Yes from the Enable Encryption dropdown list to enable encryption. You can choose to use the AWS default encryption key or a custom key from the Master Key dropdown list.
- Click Copy Snapshot to create an encrypted copy of the selected instance snapshot.
- Select the new encrypted snapshot copy, click the Action button placed at the top right and select Restore Snapshot from the Action menu; this restores the encrypted snapshot to a new database instance.
- On the Restore DB Instance page, enter a unique name for the new database instance in the DB Instance Identifier field.
- Review the instance configuration details and click Restore DB Instance.
- After the new instance has finished provisioning, update the application configuration to refer to the endpoint of the new encrypted database instance. After changing the database endpoint at the application level, you can remove the unencrypted instance.
From Command Line
- Run the describe-db-instances command to list all RDS database names available in the selected AWS region. The command output returns the database instance identifiers.
aws rds describe-db-instances --region <region-name> --query 'DBInstances[*].DBInstanceIdentifier'
- Run the create-db-snapshot command to create a snapshot for the selected database instance. The command output returns the new snapshot with the name DB-Snapshot-Name.
aws rds create-db-snapshot --region <region-name> --db-snapshot-identifier <DB-Snapshot-Name> --db-instance-identifier <DB-Name>
- Now run the list-aliases command to list the Key Management Service (KMS) key aliases available in the specified region. The command output returns each key alias currently available. For the RDS encryption activation process, locate the ID of the AWS default KMS key.
aws kms list-aliases --region <region-name>
- Run the copy-db-snapshot command using the default KMS key ID for RDS instances returned earlier to create an encrypted copy of the database instance snapshot. The command output returns the encrypted instance snapshot configuration.
aws rds copy-db-snapshot --region <region-name> --source-db-snapshot-identifier <DB-Snapshot-Name> --target-db-snapshot-identifier <DB-Snapshot-Name-Encrypted> --copy-tags --kms-key-id <KMS-ID-For-RDS>
- Run the restore-db-instance-from-db-snapshot command to restore the encrypted snapshot created in the previous step to a new database instance. If successful, the command output returns the new encrypted database instance configuration.
aws rds restore-db-instance-from-db-snapshot --region <region-name> --db-instance-identifier <DB-Name-Encrypted> --db-snapshot-identifier <DB-Snapshot-Name-Encrypted>
- Run the describe-db-instances command to list all RDS database names available in the selected AWS region. The output returns the database instance identifier names; select the encrypted database that was just created, DB-Name-Encrypted.
aws rds describe-db-instances --region <region-name> --query 'DBInstances[*].DBInstanceIdentifier'
- Run describe-db-instances again, using the RDS instance identifier returned earlier, to determine the encryption status of the selected database instance. The command output should return the encryption status True.
aws rds describe-db-instances --region <region-name> --db-instance-identifier <DB-Name-Encrypted> --query 'DBInstances[*].StorageEncrypted'
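The command-line remediation above (snapshot, encrypted copy, restore, verify) as one function. This is an added example, not the benchmark's own tooling; it assumes boto3 and its RDS client method names, skips instances that are already encrypted, and the identifiers in the main block are placeholders to be replaced.

```python
"""Replace an unencrypted RDS instance with an encrypted one via the
snapshot -> encrypted copy -> restore sequence above (added example, not
the benchmark's own tooling). rds is a boto3 RDS client or any object
with the same method names; the identifiers used are placeholders."""


def encrypt_via_snapshot(rds, db_id, kms_key_id, suffix="encrypted"):
    """Return the identifier of a new encrypted instance restored from an
    encrypted copy of a fresh snapshot of db_id, or db_id itself when it is
    already encrypted. The original instance is left running so the
    application can be cut over before it is deleted."""
    desc = rds.describe_db_instances(DBInstanceIdentifier=db_id)
    if desc["DBInstances"][0].get("StorageEncrypted") is True:
        return db_id

    snap = f"{db_id}-snapshot"
    snap_enc = f"{snap}-{suffix}"
    new_db = f"{db_id}-{suffix}"

    # Step 1: snapshot the unencrypted instance and wait until it is usable.
    rds.create_db_snapshot(DBSnapshotIdentifier=snap, DBInstanceIdentifier=db_id)
    rds.get_waiter("db_snapshot_available").wait(DBSnapshotIdentifier=snap)

    # Step 2: copy it under a KMS key; supplying KmsKeyId is what makes the
    # copy encrypted. CopyTags mirrors the console's Copy Tags checkbox.
    rds.copy_db_snapshot(
        SourceDBSnapshotIdentifier=snap,
        TargetDBSnapshotIdentifier=snap_enc,
        KmsKeyId=kms_key_id,
        CopyTags=True,
    )
    rds.get_waiter("db_snapshot_available").wait(DBSnapshotIdentifier=snap_enc)

    # Step 3: restore the encrypted snapshot into a new instance.
    rds.restore_db_instance_from_db_snapshot(
        DBInstanceIdentifier=new_db, DBSnapshotIdentifier=snap_enc
    )
    rds.get_waiter("db_instance_available").wait(DBInstanceIdentifier=new_db)

    # Step 4: verify with the same StorageEncrypted check the audit uses.
    check = rds.describe_db_instances(DBInstanceIdentifier=new_db)
    if check["DBInstances"][0].get("StorageEncrypted") is not True:
        raise RuntimeError(f"{new_db} restored but StorageEncrypted is not True")
    return new_db


if __name__ == "__main__":
    import boto3  # live run only; replace the placeholders first

    client = boto3.client("rds", region_name="<region-name>")
    print(encrypt_via_snapshot(client, "<DB-Name>", "<KMS-ID-For-RDS>"))
```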
References
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html
https://aws.amazon.com/blogs/database/selecting-the-right-encryption-options-for-amazon-rds-and-amazon-aurora-database-engines/
https://aws.amazon.com/rds/features/security/