Enable Transparent Data Encryption

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: AlibabaCloud-RDS-007

Ensure that Transparent Data Encryption (TDE) is enabled for the supported Alibaba Cloud RDS database instances in order to meet regulatory requirements and prevent unauthorized users from accessing sensitive information.

Security

Transparent Data Encryption (TDE) helps protect sensitive data from unauthorized access by seamlessly encrypting and decrypting database content, backups, and log files during storage operations. The data encryption and decryption process is handled transparently and does not require any additional action from you or your application.

This Knowledge Base (KB) article uses PostgreSQL as an example to show how to verify and enable Transparent Data Encryption (TDE) for RDS database instances. In Alibaba Cloud RDS, TDE is also supported by MySQL and SQL Server instances.

Audit

To determine if Transparent Data Encryption is enabled for supported RDS database instances, perform the following operations:

Using Alibaba Cloud Console

01 Sign in to your Alibaba Cloud account.

02 Navigate to Relational Database Services (RDS) console at https://rdsnext.console.aliyun.com/dashboard.

03 In the left navigation panel, under ApsaraDB RDS, choose Instances.

04 Click on the ID (link) of the SQL database instance that you want to examine, listed in the Instance ID/Name column.

05 In the RDS resource navigation panel, choose Data Security to access the data security configuration information available for the selected database instance.

06 Select the TDE tab and check the TDE Status setting in the TDE Settings section. If TDE Status is set to Disabled, the Transparent Data Encryption (TDE) feature is not enabled for the selected RDS database instance (note that once TDE has been enabled, it cannot be disabled again). If the TDE tab is not available on the Data Security page, Transparent Data Encryption (TDE) is not supported by the selected RDS database instance. Check the Prerequisites section for the list of supported RDS databases.

07 Repeat steps no. 4 – 6 for each database instance provisioned in your Alibaba Cloud account.

Using Alibaba Cloud CLI

01 Run the DescribeDBInstances command (OSX/Linux/UNIX) with custom output filters to list the ID of each RDS database instance available within your Alibaba Cloud account:

aliyun rds DescribeDBInstances \
  --output cols=Items.DBInstance[].DBInstanceId

02 The command output should return a list with the requested database instance identifiers:

Items.DBInstance[].DBInstanceId
-------------------------------
[pgm-abcd1234abcd1234]
[pgm-1234abcd1234abcd]

03 Run the DescribeDBInstanceTDE command (OSX/Linux/UNIX) with the ID of the RDS database instance that you want to examine as the value of the DBInstanceId parameter, to describe the Transparent Data Encryption (TDE) configuration of the selected RDS instance:

aliyun rds DescribeDBInstanceTDE \
  --DBInstanceId pgm-abcd1234abcd1234

04 The command output should return the requested TDE configuration information:

{
	"TDEStatus": "Disabled",
	"TDEMode": "Unknown",
	"Databases": {
		"Database": []
	},
	"RequestId": "ABCDABCD-1234-ABCD-1234-ABCD1234ABCD"
}

Check the "TDEStatus" attribute value to determine the encryption feature status. If the "TDEStatus" value is set to Disabled, as shown in the example above, Transparent Data Encryption (TDE) is not enabled for the selected RDS database instance.

05 Repeat steps no. 3 and 4 for each database instance provisioned within your Alibaba Cloud account.

Remediation / Resolution

To enable Transparent Data Encryption (TDE) for supported Alibaba Cloud RDS database instances, perform the following operations:

Using Alibaba Cloud Console

01 Sign in to your Alibaba Cloud account.

02 Navigate to Relational Database Services (RDS) console at https://rdsnext.console.aliyun.com/dashboard.

03 In the left navigation panel, under ApsaraDB RDS, choose Instances.

04 Click on the ID (link) of the SQL database instance that you want to examine, listed in the Instance ID/Name column.

05 In the RDS resource navigation panel, choose Data Security to access the data security configuration information available for the selected database instance.

06 Select the TDE tab and turn on the TDE Status configuration setting to enable Transparent Data Encryption (TDE) for the selected RDS database instance. In the TDE Settings configuration box, select Use Automatically Generated Key to use the default key provided by the KMS service, then choose OK for confirmation. If the TDE tab is not available on the Data Security page, Transparent Data Encryption (TDE) is not supported by the selected RDS database instance. Check the Prerequisites section for the list of supported RDS databases.

07 Repeat steps no. 4 – 6 for each database instance provisioned in your Alibaba Cloud account.

Using Alibaba Cloud CLI

01 Run the ModifyDBInstanceTDE command (OSX/Linux/UNIX) to enable the Transparent Data Encryption (TDE) feature for the selected RDS database instance. If no KMS key is specified in the command request, Transparent Data Encryption (TDE) uses an automatically generated encryption key provided by Alibaba Cloud KMS:

aliyun rds ModifyDBInstanceTDE \
  --DBInstanceId pgm-abcd1234abcd1234 \
  --TDEStatus Enabled

02 If successful, the output should return the command request ID:

{"RequestId":"ABCDABCD-1234-ABCD-1234-ABCD1234ABCD"}

03 Repeat steps no. 1 and 2 for each RDS database instance available within your Alibaba Cloud account.
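The CLI audit loop (DescribeDBInstances, then DescribeDBInstanceTDE per instance) and the CLI remediation step (ModifyDBInstanceTDE) above, combined into one shell script. This is an added example, not part of the Conformity article and not Alibaba Cloud's own tooling. It assumes the Alibaba Cloud CLI is installed and configured as `aliyun` and prints JSON, its default output format. The `RDS_CLI` and `APPLY` variables, the `--PageSize 100` argument, the `json_field` helper and the assumption that DescribeDBInstanceTDE fails for engines without TDE support are this example's own choices, not taken from the page.

```shell
#!/bin/sh
# Added example (not from the Conformity KB or Alibaba Cloud): audit every RDS
# instance for TDE and optionally enable it. Assumes the `aliyun` CLI is
# configured and prints JSON; RDS_CLI lets a test substitute a fake command.
RDS_CLI="${RDS_CLI:-aliyun}"

# Extract the first string-valued field "Key": "value" from JSON on stdin
# (plain sed, so the script does not need jq).
json_field() {
    sed -n "s/.*\"$1\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# List every DBInstanceId in the account. DescribeDBInstances pages its output;
# an account with more than PageSize instances also needs a PageNumber loop.
list_instances() {
    "$RDS_CLI" rds DescribeDBInstances --PageSize 100 \
        | grep -o '"DBInstanceId"[[:space:]]*:[[:space:]]*"[^"]*"' \
        | sed 's/.*"\([^"]*\)"$/\1/'
}

# Print the TDEStatus of one instance: Enabled, Disabled, Unknown (no such field
# in the response) or Unsupported (the API call failed; assumed here to be the
# behaviour for engines that do not support TDE).
tde_status() {
    out=$("$RDS_CLI" rds DescribeDBInstanceTDE --DBInstanceId "$1" 2>/dev/null) \
        || { echo "Unsupported"; return 0; }
    status=$(printf '%s\n' "$out" | json_field TDEStatus)
    echo "${status:-Unknown}"
}

# Enable TDE with the automatically generated KMS key (no key specified).
# Succeeds only if the response carries a RequestId, as in the KB example output.
enable_tde() {
    out=$("$RDS_CLI" rds ModifyDBInstanceTDE --DBInstanceId "$1" --TDEStatus Enabled) || return 1
    [ -n "$(printf '%s\n' "$out" | json_field RequestId)" ]
}

# Audit: print "<id> <status>" per instance and return 1 when any instance
# still reports Disabled, so the function doubles as a compliance gate.
audit_tde() {
    failed=0
    for id in $(list_instances); do
        s=$(tde_status "$id")
        echo "$id $s"
        [ "$s" = "Disabled" ] && failed=1
    done
    return $failed
}

# Remediate: enable TDE on every Disabled instance. Because TDE cannot be turned
# off again once enabled, nothing is changed unless APPLY=1; otherwise the plan
# is only printed.
remediate_tde() {
    for id in $(list_instances); do
        [ "$(tde_status "$id")" = "Disabled" ] || continue
        if [ "${APPLY:-0}" = "1" ]; then
            enable_tde "$id" && echo "$id enabling" || echo "$id FAILED"
        else
            echo "$id would enable (set APPLY=1)"
        fi
    done
}
```

Source the file and call `audit_tde` to get one line per instance and a non-zero exit status when any instance is still Disabled (usable as a CI or scheduled compliance gate); `remediate_tde` prints what it would change, and `APPLY=1 remediate_tde` actually enables TDE, the two-step form being deliberate since the change is irreversible.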


Publication date Feb 27, 2024