Enable Transparent Data Encryption with Customer Managed Keys

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: AlibabaCloud-RDS-010

Ensure that Transparent Data Encryption (TDE) is using custom keys instead of automatically generated keys for the TDE protector. TDE with custom keys (also known as Customer Managed Keys) enables you to have full control over the encryption and decryption process and meet strict compliance requirements.

Security

Transparent Data Encryption (TDE) with Customer Managed Keys (CMKs) gives you access control over the TDE protector keys, i.e. you decide who can access the TDE encryption keys and when. Customer Managed Keys (CMKs) are managed by Alibaba Cloud Key Management Service (KMS). KMS is a highly secure and scalable key management service that allows you to easily encrypt, store, and manage your cryptographic keys. It helps you protect your sensitive data from unauthorized access and theft.

This Knowledge Base (KB) article uses PostgreSQL as an example to show how to verify and enable Transparent Data Encryption (TDE) with Customer Managed Keys for RDS database instances. In Alibaba Cloud RDS, TDE with CMKs is also supported by MySQL and SQL Server instances.


Audit

To determine if Transparent Data Encryption (TDE) with Customer Managed Keys (CMKs) is enabled for your RDS database instances, perform the following operations:

If TDE is not available on the Data Security page, Transparent Data Encryption (TDE) is not supported by the selected RDS database instance. Check the Prerequisites section for the list of supported RDS databases.

Using Alibaba Cloud Console

01 Sign in to your Alibaba Cloud account.

02 Navigate to Relational Database Services (RDS) console at https://rdsnext.console.aliyun.com/dashboard.

03 In the left navigation panel, under ApsaraDB RDS, choose Instances.

04 Click on the ID (link) of the SQL database instance that you want to examine, listed in the Instance ID/Name column.

05 In the RDS resource navigation panel, choose Data Security to access the data security configuration information available for the selected database instance.

06 Select the TDE tab and check the TDE Status setting from the TDE Settings section. If the TDE Status setting is set to Disabled (You cannot disable this feature after it is enabled), the Transparent Data Encryption (TDE) feature is not enabled for the selected RDS instance. You can follow the steps outlined on this page to enable the feature. If TDE Status is set to Enabled (You cannot disable this feature after it is enabled), check the Key Type attribute value. If Key Type is set to System Key, Transparent Data Encryption (TDE) uses an auto-generated key (default key) instead of a Customer Managed Key (CMK) to encrypt the selected RDS database instance.

07 Repeat steps no. 4 – 6 for each database instance provisioned in your Alibaba Cloud account.

Using Alibaba Cloud CLI

01 Run DescribeDBInstances command (OSX/Linux/UNIX) with custom output filters to list the ID of each RDS database instance available within your Alibaba Cloud account:

aliyun rds DescribeDBInstances \
  --output cols=Items.DBInstance[].DBInstanceId

02 The command output should return a list with the requested database instance identifiers:

Items.DBInstance[].DBInstanceId
-------------------------------
[pgm-abcd1234abcd1234]
[pgm-1234abcd1234abcd]

03 Run DescribeDBInstanceTDE command (OSX/Linux/UNIX) with the ID of the RDS database instance that you want to examine as the identifier parameter, to describe the Transparent Data Encryption (TDE) feature information available for the selected RDS instance:

aliyun rds DescribeDBInstanceTDE \
  --DBInstanceId pgm-abcd1234abcd1234

04 The command output should return the requested TDE configuration information:

{
	"TDEStatus": "Enabled",
	"TDEMode": "Aliyun_Generated_Key",
	"Databases": {
		"Database": []
	},
	"RequestId": "ABCDABCD-1234-ABCD-1234-ABCD1234ABCD"
}

If the "TDEStatus" attribute value is set to Disabled, the Transparent Data Encryption (TDE) feature is not enabled for the selected RDS instance. You can follow the steps outlined on this page to enable the feature. If "TDEStatus" is set to Enabled, check the "TDEMode" attribute value. If "TDEMode" is set to Aliyun_Generated_Key, as shown in the example above, Transparent Data Encryption (TDE) uses an auto-generated key (default key) instead of a Customer Managed Key (CMK) to encrypt the selected RDS database instance.

05 Repeat steps no. 3 and 4 for each database instance provisioned within your Alibaba Cloud account.
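A script that automates CLI audit steps 1 to 5 above, as an added example that is not Conformity's or Alibaba Cloud's own code: it lists instances page by page, runs DescribeDBInstanceTDE for each, and classifies the result so that instances with TDE disabled or with the auto-generated key are flagged. It assumes a configured aliyun CLI, that DescribeDBInstances accepts --PageSize/--PageNumber, and that any TDEMode other than Aliyun_Generated_Key indicates a customer key.

```python
"""Audit Alibaba Cloud RDS instances for TDE with a Customer Managed Key.
Added example, not Conformity's or Alibaba Cloud's own code. Assumes a
configured aliyun CLI; the JSON shapes follow the responses shown above."""
import json
import subprocess

AUTO_KEY_MODE = "Aliyun_Generated_Key"  # TDEMode for an auto-generated key
PAGE_SIZE = 100  # assumption: DescribeDBInstances pages via PageSize/PageNumber

def classify_tde(tde_response):
    """Classify one parsed DescribeDBInstanceTDE response.
    TDE_DISABLED: TDE off (fails); SYSTEM_KEY: auto-generated key (fails);
    CUSTOMER_KEY: KMS Customer Managed Key (passes)."""
    if tde_response.get("TDEStatus") != "Enabled":
        return "TDE_DISABLED"
    if tde_response.get("TDEMode") == AUTO_KEY_MODE:
        return "SYSTEM_KEY"
    return "CUSTOMER_KEY"

def instance_ids(instances_response):
    """DBInstanceId values from one DescribeDBInstances response page."""
    items = instances_response.get("Items", {}).get("DBInstance", [])
    return [item["DBInstanceId"] for item in items]

def aliyun_json(*args):
    """Run an aliyun CLI command (JSON output by default) and parse it."""
    proc = subprocess.run(["aliyun", *args], check=True,
                          capture_output=True, text=True)
    return json.loads(proc.stdout)

def audit_account():
    """Steps 1-5 above for every instance; returns {instance_id: finding}."""
    findings, page = {}, 1
    while True:  # walk all result pages until an empty one comes back
        ids = instance_ids(aliyun_json("rds", "DescribeDBInstances",
                                       "--PageSize", str(PAGE_SIZE),
                                       "--PageNumber", str(page)))
        if not ids:
            return findings
        for db_id in ids:
            tde = aliyun_json("rds", "DescribeDBInstanceTDE",
                              "--DBInstanceId", db_id)
            findings[db_id] = classify_tde(tde)
        page += 1

if __name__ == "__main__":
    for db_id, finding in sorted(audit_account().items()):
        print(f"{db_id}: {finding}")  # TDE_DISABLED / SYSTEM_KEY need action
```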

Remediation / Resolution

To enable Transparent Data Encryption (TDE) with Customer Managed Keys (CMKs) for supported Alibaba Cloud RDS database instances, perform the following operations:

Using Alibaba Cloud Console

01 Sign in to your Alibaba Cloud account.

02 Navigate to Relational Database Services (RDS) console at https://rdsnext.console.aliyun.com/dashboard.

03 In the left navigation panel, under ApsaraDB RDS, choose Instances.

04 Because you cannot change the TDE protector key after you enable Transparent Data Encryption (TDE) for your database instance, you must re-create the instance. Choose Create Instance and follow the setup wizard to provision your new RDS database instance.

05 Click on the ID (link) of the newly created SQL database instance, listed in the Instance ID/Name column.

06 In the RDS resource navigation panel, choose Data Security to access the data security configuration information available for the selected database instance.

07 Select the TDE tab and turn on the TDE Status configuration setting to enable Transparent Data Encryption (TDE) with Customer Managed Keys (CMKs). In the TDE Settings configuration box, select Use Existing Custom Key, choose your own KMS Customer Managed Key (CMK), and select OK for confirmation. If Use Existing Custom Key option is not active, choose To use a different custom key, click here to authorize, and select Authorize to enable ApsaraDB RDS to access your KMS resources. On the Cloud Resource Access Authorization confirmation page, choose Confirm Authorization Policy.

08 Repeat steps no. 4 – 7 for each database instance provisioned in your Alibaba Cloud account.

Using Alibaba Cloud CLI

01 Run ModifyDBInstanceTDE command (OSX/Linux/UNIX) to enable Transparent Data Encryption (TDE) with Customer Managed Keys (CMKs) for the selected RDS database instance. Use the --EncryptionKey command parameter to specify the ID of your own KMS Customer Managed Key (CMK):

aliyun rds ModifyDBInstanceTDE \
  --DBInstanceId pgm-abcd1234abcd1234 \
  --TDEStatus Enabled \
  --EncryptionKey abcd1234-abcd-1234-abcd-1234abcd1234

02 If successful, the output should return the command request ID:

{"RequestId":"ABCDABCD-1234-ABCD-1234-ABCD1234ABCD"}

03 Repeat steps no. 1 and 2 for each RDS database instance available within your Alibaba Cloud account.

Publication date Feb 27, 2024