Ensure that your Amazon Relational Database Service (RDS) snapshots are encrypted in order to meet your organization's requirements for data-at-rest encryption. RDS snapshot encryption and decryption is handled transparently and requires no additional action from you or your application. The keys used to encrypt RDS database snapshots can be managed and protected entirely by the AWS key management infrastructure, or fully managed by you as the AWS customer through Customer Master Keys (CMKs).
This rule can help you with the following compliance standards:
- APRA
- MAS
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS.
When working with production databases that hold sensitive and critical data, it is strongly recommended to implement encryption at rest to protect your data from attackers or unauthorized personnel.
Audit
To determine if there are any unencrypted RDS database snapshots available in your AWS account, perform the following actions:
Remediation / Resolution
To encrypt existing Amazon RDS database snapshots available within your AWS account, perform the following actions:
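A self-contained audit-and-remediation sketch for this rule, added here as an example (it is not Cloud Conformity's own check or the page's remediation steps): it reads the JSON shape returned by `aws rds describe-db-snapshots`, lists snapshots whose `Encrypted` flag is false, and builds the `copy-db-snapshot` / `delete-db-snapshot` calls that replace each with an encrypted copy. The sample response and the `KMS_KEY` value are constructed placeholders; a real CMK ARN is assumed in practice.

```python
import json
import subprocess
import sys

# Placeholder for the CMK that encrypted copies should use (not from the page).
KMS_KEY = "arn:aws:kms:REGION:ACCOUNT_ID:key/KEY_ID"

# Constructed sample in the shape of `aws rds describe-db-snapshots --output json`.
SAMPLE_RESPONSE = {"DBSnapshots": [
    {"DBSnapshotIdentifier": "orders-manual-01", "SnapshotType": "manual",
     "Status": "available", "Encrypted": False},
    {"DBSnapshotIdentifier": "orders-manual-02", "SnapshotType": "manual",
     "Status": "available", "Encrypted": True, "KmsKeyId": KMS_KEY},
    {"DBSnapshotIdentifier": "rds:orders-2024-03-01", "SnapshotType": "automated",
     "Status": "available", "Encrypted": False},
    {"DBSnapshotIdentifier": "billing-copy", "SnapshotType": "manual",
     "Status": "creating", "Encrypted": False},
]}

def unencrypted_snapshots(response):
    """Audit: identifiers of every snapshot whose Encrypted flag is false."""
    return [s["DBSnapshotIdentifier"] for s in response["DBSnapshots"]
            if not s.get("Encrypted", False)]

def remediation_commands(snapshot, kms_key_id):
    """Remediation: replace one plaintext snapshot with an encrypted copy.
    RDS cannot encrypt a snapshot in place: copy it under a KMS key, wait for
    the copy, then delete the original. Automated snapshots are expired by RDS
    rather than deleted by the user, so only the copy is planned for them.
    """
    if snapshot["Status"] != "available":   # not ready to copy yet; skip this run
        return []
    src = snapshot["DBSnapshotIdentifier"]
    dst = (src[4:] if src.startswith("rds:") else src) + "-encrypted"  # manual ids may not start with "rds:"
    cmds = [["aws", "rds", "copy-db-snapshot", "--source-db-snapshot-identifier", src,
             "--target-db-snapshot-identifier", dst, "--kms-key-id", kms_key_id, "--copy-tags"],
            ["aws", "rds", "wait", "db-snapshot-available", "--db-snapshot-identifier", dst]]
    if snapshot["SnapshotType"] == "manual":
        cmds.append(["aws", "rds", "delete-db-snapshot", "--db-snapshot-identifier", src])
    return cmds

if __name__ == "__main__":
    # Prints the plan for the sample data; pass --live to audit the real account.
    response = SAMPLE_RESPONSE if "--live" not in sys.argv else json.loads(
        subprocess.check_output(["aws", "rds", "describe-db-snapshots", "--output", "json"]))
    by_id = {s["DBSnapshotIdentifier"]: s for s in response["DBSnapshots"]}
    for snap_id in unencrypted_snapshots(response):
        for cmd in remediation_commands(by_id[snap_id], KMS_KEY):
            print(" ".join(cmd))
```

The delete is only planned after the `wait` call so that the plaintext original is never removed before its encrypted replacement exists.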
References
- AWS Documentation
  - Encrypting Amazon RDS Resources
  - Copying a Snapshot
  - Sharing a DB Snapshot
- AWS Command Line Interface (CLI) Documentation
  - rds
    - describe-db-snapshots
    - copy-db-snapshot
    - delete-db-snapshot
Enable RDS Snapshot Encryption
Risk level: Medium