Logo of Trend Micro
Use the Conformity Knowledge Base AI to help improve your Cloud Posture

Enable RDS Snapshot Encryption

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: RDS-040

Ensure that your manual Amazon RDS database snapshots are encrypted in order to achieve compliance for data-at-rest encryption within your organization. The Amazon RDS snapshot encryption and decryption process is handled transparently and does not require any additional action from you or your application. The keys used for database snapshot encryption can be entirely managed and protected by the AWS key management infrastructure or fully managed by the AWS customer through Amazon KMS Customer Master Keys (CMKs).

This rule can help you with the following compliance standards:

  • APRA
  • MAS

For further details on compliance standards supported by Conformity, see here.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

When working with production databases that hold sensitive and critical data, it is strongly recommended to implement encryption at rest and protect your data from attackers or unauthorized personnel.

Audit

To determine if there are any unencrypted Amazon RDS database snapshots available in your AWS cloud account, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon RDS console at https://console.aws.amazon.com/rds/.

03 In the navigation panel, under Amazon RDS, choose Snapshots.

04 Select the Manual tab to access the manual database snapshots taken and owned by your AWS account.

05 Click on the name (link) of the database snapshot that you want to examine.

06 In the Details section, check the KMS key ID attribute value to determine the identifier of the KMS key used to encrypt the selected snapshot. If the KMS key ID attribute value is set to None, the selected Amazon RDS database snapshot is not encrypted at rest.

07 Repeat steps no. 4 – 6 for each manual Amazon RDS database snapshot available within the current AWS region.

08 Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run describe-db-snapshots command (OSX/Linux/UNIX) with custom query filters to list the names of all the manual database snapshots owned by your AWS account, available in the selected AWS region: 

aws rds describe-db-snapshots
  --region us-east-1
  --snapshot-type manual
  --query 'DBSnapshots[*].DBSnapshotIdentifier'

02 The command output should return the requested database snapshot identifiers (names): 

[

	"cc-project5-mysql-database-feb-2021",
	"cc-project5-mysql-database-mar-2021",
	"cc-project5-mysql-database-apr-2021",
	"cc-project5-mysql-database-may-2021"

]

03 Execute describe-db-snapshots command (OSX/Linux/UNIX) using the name of the Amazon RDS snapshot that you want to examine as the identifier parameter and custom filtering to determine whether the selected database snapshot is encrypted or not: 

aws rds describe-db-snapshots
  --region us-east-1
  --db-snapshot-identifier cc-project5-mysql-database-feb-2021
  --query 'DBSnapshots[*].Encrypted'

04 The command output should return the database snapshot encryption status (true for encrypted and false for unencrypted): 

[
	false
]

If the value returned by the describe-db-snapshots command output is false, as shown in the output example above, the selected Amazon RDS database snapshot is not encrypted at rest.

05 Repeat steps no. 3 and 4 for each manual Amazon RDS database snapshot available in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.

Remediation / Resolution

To encrypt existing Amazon RDS database snapshots available within your AWS account, perform the following actions:

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf): 

terraform {
	required_providers {
		aws = {
			source  = "hashicorp/aws"
			version = "~> 4.0"
		}
	}
	required_version = ">= 0.14.9"
}

provider "aws" {
	profile = "default"
	region  = "us-east-1"
}

resource "aws_kms_key" "kms-key" {
	is_enabled  = true
	key_usage   = "ENCRYPT_DECRYPT"
	description = "Amazon KMS Customer Managed Key"
}

resource "aws_db_instance" "rds-database-instance" {
	allocated_storage     = 50
	engine                = "mysql"
	engine_version        = "8.0"
	instance_class        = "db.m5d.large"
	name                  = "[database-name]"
	username              = "[master-username]"
	password              = "[master-password]"
	parameter_group_name  = "default.mysql8.0"
}

resource "aws_db_snapshot" "rds-db-instance-snapshot" {
	db_instance_identifier = aws_db_instance.rds-database-instance.id
	db_snapshot_identifier = "cc-db-instance-snapshot"
	encrypted              = true
	kms_key_id             = "aws_kms_key.kms-key.arn"
}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon RDS console at https://console.aws.amazon.com/rds/.

03 In the navigation panel, under Amazon RDS, choose Snapshots.

04 Select the Manual tab to access the manual database snapshots taken and owned by your AWS account.

05 Select the RDS database snapshot that you want to encrypt, choose Actions, and select Copy snapshot to create a new copy of the selected snapshot.

06 On the Copy snapshot setup page, perform the following operations:

  1. From the Destination Region dropdown list, select the region where you want to save the copy of the selected snapshot.
  2. In the New DB Snapshot Identifier box, type a unique name for the new database snapshot.
  3. (Optional) From Target Option Group (Optional) dropdown list, select an option group to associate with your target database snapshot.
  4. (Optional) Select the Copy Tags checkbox if you want your new database snapshot to have the same tags as the source snapshot.
  5. In the Encryptionsection, select the Enable Encryption checkbox to turn on encryption at rest for the new database snapshot. Select (default) aws/rds from the Master key dropdown list to use the AWS-managed master key (a predefined key that protects your data when no other key is created for this purpose) or choose Enter a key ARN and provide the Amazon Resource Name (ARN) of your customer-managed key in the ARN configuration box.
  6. Choose Copy snapshot to confirm the action. The process will take a couple of minutes to complete. Once created, you should see the encrypted Amazon RDS database snapshot (copy) in the Manual snapshots list.

07 (Optional) You can safely delete the source (unencrypted) database snapshot to stop incurring charges for the RDS resource. To remove the source snapshot from your AWS cloud account, perform the following actions:

  1. Select the unencrypted RDS database snapshot that you want to delete, choose Actions, and select Delete snapshot.
  2. In the Delete <snapshot-name>? confirmation box, choose Delete to confirm your action.

08 Repeat steps no. 5 – 7 for each unencrypted Amazon RDS database snapshot available within the current AWS region.

09 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 Run copy-db-snapshot command (OSX/Linux/UNIX) using the name of the unencrypted RDS database snapshot as the identifier parameter, to copy the selected snapshot and encrypt its data using the default master key (i.e. AWS-managed key). Replace <aws-region> and <aws-account-id> with your own AWS cloud environment details: 

aws rds copy-db-snapshot
  --region us-east-1
  --source-db-snapshot-identifier cc-project5-mysql-database-feb-2021
  --target-db-snapshot-identifier cc-encrypted-project5-mysql-database-feb-2021
  --kms-key-id arn:aws:kms:<aws-region>:<aws-account-id>:alias/aws/rds

02 The command output should return the metadata of the new Amazon RDS database snapshot: 

{
	"DBSnapshot": {
		"MasterUsername": "ccadmin",
		"LicenseModel": "general-public-license",
		"InstanceCreateTime": "2021-05-18T15:31:20.677Z",
		"Engine": "mysql",
		"VpcId": "vpc-abcdabcd",
		"SourceRegion": "us-east-1",
		"AllocatedStorage": 50,
		"Status": "creating",
		"PercentProgress": 0,
		"SourceDBSnapshotIdentifier": "arn:aws:rds:us-east-1:123456789012:snapshot:cc-project5-mysql-database-feb-2021",
		"DBSnapshotIdentifier": "cc-encrypted-project5-mysql-database-feb-2021",
		"DBSnapshotArn": "arn:aws:rds:us-east-1:123456789012:snapshot:cc-encrypted-project5-mysql-database-feb-2021",
		"EngineVersion": "8.0.20",
		"ProcessorFeatures": [],
		"OptionGroupName": "default:mysql-8-0",
		"AvailabilityZone": "us-east-1a",
		"StorageType": "gp2",
		"Encrypted": true,
		"IAMDatabaseAuthenticationEnabled": false,
		"KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/abcdabcd-1234-abcd-1234-abcd1234abcd",
		"DbiResourceId": "db-ABCDABCDABCDABCDABCD",
		"SnapshotType": "manual",
		"Port": 3306,
		"DBInstanceIdentifier": "cc-project5-mysql-database"
	}
}

03 (Optional) You can choose to delete the source (unencrypted) database snapshot. Run delete-db-snapshot command (OSX/Linux/UNIX) using the name of the unencrypted database snapshot as the identifier command parameter, to remove specified snapshot from your AWS cloud account: 

aws rds delete-db-snapshot
  --region us-east-1
  --db-snapshot-identifier cc-project5-mysql-database-feb-2021

04 The command output should return the delete-db-snapshot command request metadata: 

{
	"DBSnapshot": {
		"MasterUsername": "ccadmin",
		"LicenseModel": "general-public-license",
		"InstanceCreateTime": "2021-05-18T15:31:20.677Z",
		"Engine": "mysql",
		"VpcId": "vpc-abcdabcd",
		"DBSnapshotIdentifier": "cc-project5-mysql-database-feb-2021",
		"AllocatedStorage": 20,
		"Status": "deleted",
		"PercentProgress": 100,
		"DBSnapshotArn": "arn:aws:rds:us-east-1:123456789012:snapshot:cc-project5-mysql-database-feb-2021",
		"EngineVersion": "8.0.20",
		"ProcessorFeatures": [],
		"OptionGroupName": "default:mysql-8-0",
		"SnapshotCreateTime": "2021-05-18T16:15:44.585Z",
		"AvailabilityZone": "us-east-1a",
		"StorageType": "gp2",
		"Encrypted": false,
		"IAMDatabaseAuthenticationEnabled": false,
		"DbiResourceId": "db-ABCDABCDABCDABCDABCD",
		"SnapshotType": "manual",
		"Port": 3306,
		"DBInstanceIdentifier": "cc-project5-mysql-database"
	}
}

05 Repeat steps no. 1 – 4 for each unencrypted Amazon RDS database snapshot available in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.

References

Publication date Jan 9, 2018

Related RDS rules