RDS instance is not using encrypted storage
Affecting RDS service in AWS


Severity: medium
Severity Framework: Snyk CCSS
Rule category: Data / Encryption at Rest

Frameworks: AWS-Well-Architected, CIS-AWS, CIS-Controls, CSA-CCM, GDPR, HIPAA, ISO-27001, NIST-800-53, SOC-2
Snyk ID: SNYK-CC-00002
Credit: Snyk Research Team

Description

Encrypting your DB instance data at rest provides an extra layer of protection against unauthorized access. You can supply your own customer managed KMS key to use for encryption, or RDS can use an AWS managed key which is created automatically. RDS instances can only be encrypted at the time of creation.

How to fix?

Set the aws_db_instance storage_encrypted field to true.

If encrypting with a customer managed KMS key, kms_key_id should be set to the KMS key ARN.

The storage_encrypted setting can only be enabled at the time the instance is created. If you have an existing instance that is not encrypted, you will need to recreate it from scratch or from an encrypted copy of an instance snapshot.

Example Configuration

resource "aws_db_instance" "default" {
  storage_encrypted = true
  # Optional: ARN of a customer managed KMS key; omit it to let RDS use the AWS managed key.
  # kms_key_id = "arn:aws:kms:REGION:ACCOUNT_ID:key/KEY_ID"   # placeholder values
  # other required fields here (engine, instance_class, allocated_storage, ...)
}
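As an added example that is not part of the Snyk rule page, the following Python check applies this rule to the JSON output of `terraform show -json` (the `planned_values` tree), flagging every `aws_db_instance` whose `storage_encrypted` is false or unset and any `kms_key_id` that is not a key ARN; the embedded plan fragment is constructed for the demonstration.

```python
import json

# Constructed sample of `terraform show -json tfplan` output, trimmed to the
# fields this check reads; it is not taken from the Snyk rule page.
SAMPLE_PLAN = json.loads("""{"planned_values": {"root_module": {
  "resources": [
    {"address": "aws_db_instance.default", "type": "aws_db_instance",
     "values": {"storage_encrypted": true, "kms_key_id": null}},
    {"address": "aws_db_instance.legacy", "type": "aws_db_instance",
     "values": {"storage_encrypted": false}},
    {"address": "aws_db_instance.badkey", "type": "aws_db_instance",
     "values": {"storage_encrypted": true, "kms_key_id": "alias/rds"}}],
  "child_modules": [{"address": "module.reporting", "resources": [
    {"address": "module.reporting.aws_db_instance.db",
     "type": "aws_db_instance", "values": {"engine": "postgres"}}]}]}}}""")


def iter_resources(module):
    """Yield every resource in a plan module, descending into child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def check_rds_encryption(plan):
    """Return (address, reason) for each aws_db_instance that would violate
    SNYK-CC-00002: storage_encrypted must be true, and kms_key_id, when
    given, must be a key ARN rather than an alias or bare key id."""
    findings = []
    for res in iter_resources(plan["planned_values"]["root_module"]):
        if res.get("type") != "aws_db_instance":
            continue
        values = res.get("values", {})
        encrypted = values.get("storage_encrypted")
        if encrypted is None:
            findings.append((res["address"], "storage_encrypted not set (defaults to false)"))
        elif encrypted is not True:
            findings.append((res["address"], "storage_encrypted is false"))
        kms = values.get("kms_key_id")
        if kms and not kms.startswith("arn:"):
            findings.append((res["address"], f"kms_key_id {kms!r} is not a KMS key ARN"))
    return findings


if __name__ == "__main__":
    for address, reason in check_rds_encryption(SAMPLE_PLAN):
        print(f"SNYK-CC-00002 {address}: {reason}")
```

Run it against a real plan with `terraform show -json tfplan > plan.json` and `json.load(open("plan.json"))` in place of the sample; because storage encryption cannot be changed after creation, catching it at plan time avoids a rebuild later.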