RDS DB Instance – Encryption of Storage
This check ensures that encryption is enabled for Amazon RDS DB instance storage. Encrypting RDS storage protects sensitive data at rest and helps meet security and compliance requirements.
Check Details
- Resource: RDS DB Instance
- Check: Enable encryption of RDS instance storage
- Risk: Unencrypted database storage may expose sensitive data
Remediation via AWS Console
- Log in to the AWS Management Console and open the Amazon RDS console.
- In the left navigation panel, click Databases and select the affected RDS DB instance.
- Choose Actions → Take snapshot. Provide a snapshot name and create the snapshot.
- Once the snapshot is available, open the Snapshots section, select the snapshot, and choose Actions → Copy snapshot.
- Enable Encryption and select a KMS key.
- Select the encrypted snapshot and choose Restore snapshot.
- Create a new RDS DB instance from the encrypted snapshot.
- Update application connections to point to the new encrypted DB instance.
Remediation via AWS CLI
- Log in to the AWS Management Console and click the CloudShell icon (>_) in the top-right corner.
- Create a snapshot of the unencrypted DB instance:
    aws rds create-db-snapshot \
      --db-instance-identifier <db-instance-id> \
      --db-snapshot-identifier <snapshot-id>
- Copy and encrypt the snapshot:
    aws rds copy-db-snapshot \
      --source-db-snapshot-identifier <snapshot-arn> \
      --target-db-snapshot-identifier <encrypted-snapshot-id> \
      --kms-key-id <kms-key-id>
- Restore a new encrypted DB instance from the snapshot:
    aws rds restore-db-instance-from-db-snapshot \
      --db-instance-identifier <new-db-instance-id> \
      --db-snapshot-identifier <encrypted-snapshot-id>
After restoration, update the application configuration to use the new encrypted RDS DB instance endpoint.
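The following is an added example, not code from the original article or from AWS. It shows the check itself (which instances in `aws rds describe-db-instances --output json` output lack `StorageEncrypted`) and the snapshot → encrypted copy → restore sequence from the CLI steps above as an ordered command plan, including the `aws rds wait` steps needed between them (a snapshot cannot be copied until it is available, and the restored instance is not usable until it is available) and a final verification query. The `StorageEncrypted`, `DBInstanceIdentifier` and `KmsKeyId` fields are the real ones from the describe output; the sample records, the derived snapshot and instance names, and the KMS key value are constructed placeholders. Same-region copies accept the snapshot identifier as the source, which is what the plan uses; a cross-region copy must pass the snapshot ARN as the article's `<snapshot-arn>` placeholder does.

```python
"""Audit RDS instances for storage encryption and build a remediation plan.

Added example (not the article's or AWS's code). Parses the JSON shape of
`aws rds describe-db-instances` and emits the CLI commands from the article
as argv lists, with wait and verification steps added.
"""
from __future__ import annotations

import json
import shlex

# Constructed sample resembling `aws rds describe-db-instances --output json`.
# Only the fields this example reads are included; values are made up.
SAMPLE_DESCRIBE_DB_INSTANCES = json.dumps({
    "DBInstances": [
        {"DBInstanceIdentifier": "orders-db", "Engine": "postgres",
         "DBInstanceStatus": "available", "StorageEncrypted": False},
        {"DBInstanceIdentifier": "reports-db", "Engine": "mysql",
         "DBInstanceStatus": "available", "StorageEncrypted": True,
         "KmsKeyId": "arn:aws:kms:REGION:ACCOUNT:key/KMS-KEY-ID-PLACEHOLDER"},
        {"DBInstanceIdentifier": "legacy-db", "Engine": "mysql",
         "DBInstanceStatus": "stopped", "StorageEncrypted": False},
    ]
})


def find_unencrypted_instances(describe_output: str) -> list[str]:
    """The check: return identifiers of instances whose storage is not encrypted.

    A missing StorageEncrypted field is treated as unencrypted (fail closed).
    """
    data = json.loads(describe_output)
    return sorted(
        db["DBInstanceIdentifier"]
        for db in data.get("DBInstances", [])
        if not db.get("StorageEncrypted", False)
    )


def verify_encrypted(describe_output: str, db_id: str) -> bool:
    """Post-remediation verification: is the named instance reported as encrypted?"""
    data = json.loads(describe_output)
    for db in data.get("DBInstances", []):
        if db["DBInstanceIdentifier"] == db_id:
            return bool(db.get("StorageEncrypted", False))
    return False  # unknown instance: do not claim it is encrypted


def remediation_plan(db_id: str, kms_key_id: str) -> list[list[str]]:
    """Ordered aws CLI commands for the snapshot -> encrypted copy -> restore procedure.

    Names derived from db_id are a constructed convention, not an AWS one.
    The wait commands are real `aws rds wait` waiters that block until the
    snapshot or instance reaches the 'available' state.
    """
    snapshot = f"{db_id}-pre-encrypt"
    encrypted_snapshot = f"{db_id}-pre-encrypt-encrypted"
    new_db = f"{db_id}-encrypted"
    return [
        ["aws", "rds", "create-db-snapshot",
         "--db-instance-identifier", db_id,
         "--db-snapshot-identifier", snapshot],
        ["aws", "rds", "wait", "db-snapshot-available",
         "--db-snapshot-identifier", snapshot],
        # Same-region copy: the snapshot identifier is accepted as the source.
        # Cross-region copies need the source snapshot ARN instead.
        ["aws", "rds", "copy-db-snapshot",
         "--source-db-snapshot-identifier", snapshot,
         "--target-db-snapshot-identifier", encrypted_snapshot,
         "--kms-key-id", kms_key_id],
        ["aws", "rds", "wait", "db-snapshot-available",
         "--db-snapshot-identifier", encrypted_snapshot],
        ["aws", "rds", "restore-db-instance-from-db-snapshot",
         "--db-instance-identifier", new_db,
         "--db-snapshot-identifier", encrypted_snapshot],
        ["aws", "rds", "wait", "db-instance-available",
         "--db-instance-identifier", new_db],
        # Verification: should print `true` before applications are repointed.
        ["aws", "rds", "describe-db-instances",
         "--db-instance-identifier", new_db,
         "--query", "DBInstances[0].StorageEncrypted"],
    ]


def render_plan(plan: list[list[str]]) -> str:
    """Render the plan as shell lines, quoting arguments safely."""
    return "\n".join(shlex.join(cmd) for cmd in plan)


if __name__ == "__main__":
    failing = find_unencrypted_instances(SAMPLE_DESCRIBE_DB_INSTANCES)
    print("Unencrypted RDS instances:", failing)
    for db_id in failing:
        print(f"\n# Remediation plan for {db_id}")
        print(render_plan(remediation_plan(db_id, "KMS-KEY-ID-PLACEHOLDER")))
```

Running the script prints the failing instances from the constructed sample and one command plan per instance; nothing is executed against AWS. In practice the plan is reviewed, then run line by line (or piped to a shell) with credentials that have only the RDS snapshot, copy and restore permissions needed, and the original instance is retired only after the final describe call reports `true` and applications have been moved to the new endpoint.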