Enable RDS Snapshot Encryption

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Medium (should be achieved)
Rule ID: RDS-040

Ensure that your Amazon Relational Database Service (RDS) snapshots are encrypted in order to achieve compliance for data-at-rest encryption within your organization. The RDS snapshot encryption and decryption process is handled transparently and does not require any additional action from you or your application. The keys used for AWS RDS database snapshot encryption can be entirely managed and protected by the Amazon Web Services key management infrastructure or fully managed by the AWS customer through Customer Master Keys (CMKs).

This rule can help you with the following compliance standards:

  • APRA
  • MAS

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Security

When working with production databases that hold sensitive and critical data, it is strongly recommended to implement encryption at rest to protect your data from attackers or unauthorized personnel.


Audit

To determine if there are any unencrypted RDS database snapshots available in your AWS account, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to Amazon RDS dashboard at https://console.aws.amazon.com/rds/.

03 In the left navigation panel, under Amazon RDS, click Snapshots.

04 Select a snapshot tab from the snapshot category tabs to list all related RDS snapshots owned by your AWS account.

05 Click the Preferences button from the top-right menu, enable the Encrypted column so that it is displayed, then click Continue to save the changes.

06 Choose the RDS snapshot that you want to examine and check the configuration value available in the Encrypted column. If the Encrypted configuration value is set to No, the selected Amazon RDS database snapshot is not encrypted at rest.

07 Repeat step no. 6 to identify any other unencrypted AWS RDS snapshots available in the current region.

08 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run the describe-db-snapshots command (OSX/Linux/UNIX) with a custom query filter to list the identifiers of all the RDS snapshots owned by your AWS account in the selected region:

        aws rds describe-db-snapshots \
        --region us-east-1 \
        --query 'DBSnapshots[*].DBSnapshotIdentifier'

02 The command output should return the requested RDS database snapshot identifiers (IDs):

        [
            "cc-web-production-database-july-2019",
            "cc-web-production-database-august-2019",
            ...
            "cc-web-production-database-november-2019",
            "cc-web-production-database-december-2019"
        ]

03 Run the describe-db-snapshots command again (OSX/Linux/UNIX), passing the ID of the RDS snapshot that you want to examine as the identifier parameter and a custom query filter, to check whether the selected database snapshot is encrypted:

        aws rds describe-db-snapshots \
        --region us-east-1 \
        --db-snapshot-identifier cc-web-production-database-july-2019 \
        --query 'DBSnapshots[*].Encrypted'

04 The command output should return the RDS snapshot encryption status (true for encrypted and false for unencrypted):

        [
            false
        ]

If the value returned by the describe-db-snapshots command output is false (as shown in the example above), the selected Amazon RDS database snapshot is not encrypted at rest.

05 Repeat steps no. 3 and 4 to find other unencrypted AWS RDS database snapshots created in the selected region.

06 Repeat steps no. 1 – 5 to run the entire audit process for other AWS regions.

Remediation / Resolution

To encrypt existing Amazon RDS database snapshots available within your AWS account, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to Amazon RDS dashboard at https://console.aws.amazon.com/rds/.

03 In the left navigation panel, under Amazon RDS, click Snapshots.

04 Select a snapshot tab from the snapshot category tabs to list all related RDS snapshots owned by your AWS account.

05 Select the unencrypted RDS snapshot that you want to encrypt (see Audit section part I to identify the right resource).

06 Click the Actions dropdown button from the dashboard top menu and select Copy Snapshot.

07 On the Copy Snapshot page, perform the following actions:

  1. From the Destination Region dropdown list, select the region where you want to write the copy of the selected snapshot.
  2. In the New DB Snapshot Identifier box, type a unique name/identifier for the new RDS snapshot (copy).
  3. (Optional) From Target Option Group dropdown list, select an option group to associate with your target database snapshot.
  4. (Optional) Select Copy Tags checkbox if you want your new snapshot to have the same tags as the source snapshot.
  5. In the Encryption section, select Enable encryption to turn on encryption at rest for the new RDS snapshot. Select (default) aws/rds from the Master Key dropdown list to use the default master key (also known as AWS Managed Key), a predefined key that protects your RDS database snapshot when no other key is defined for this purpose.
  6. Click Copy Snapshot to confirm the action. The process will take a couple of minutes to complete. Once created, you should see the encrypted RDS snapshot (copy) with the Status set to available, listed on the Snapshots page.

08 Now that your Amazon RDS database snapshot is encrypted, you can safely delete the source (unencrypted) snapshot. To remove the source RDS snapshot from your AWS account, perform the following actions:

  1. Select the source AWS RDS snapshot that you want to delete.
  2. Click the Actions dropdown button from the dashboard top menu and select Delete Snapshot.
  3. Inside Delete <snapshot-name> Snapshot dialog box, click Delete to confirm your action.

09 Repeat steps no. 5 – 8 to encrypt other unencrypted RDS database snapshots, available in the current region.

10 Change the AWS region from the navigation bar and repeat the process for other regions.

Using AWS CLI

01 Run the copy-db-snapshot command (OSX/Linux/UNIX), passing the ID of the unencrypted RDS snapshot as the source identifier parameter (see Audit section part II to identify the right resource), to copy the selected database snapshot and encrypt its data using the default master key (i.e. the AWS Managed Key). Replace the <aws-region> and <aws-account-id> placeholders with your own environment details:

        aws rds copy-db-snapshot \
        --region us-east-1 \
        --source-db-snapshot-identifier cc-web-production-database-july-2019 \
        --target-db-snapshot-identifier cc-encrypted-production-database-july-2019 \
        --kms-key-id arn:aws:kms:<aws-region>:<aws-account-id>:alias/aws/rds

02 The command output should return the metadata of the new AWS RDS snapshot:

        {
            "DBSnapshot": {
                "LicenseModel": "general-public-license",
                "InstanceCreateTime": "2017-05-16T20:11:20.053Z",
                "Engine": "mysql",
                "VpcId": "vpc-abcdabcd",
                "SourceRegion": "us-east-1",
                "AllocatedStorage": 50,
                "Status": "creating",
                "PercentProgress": 0,
                "SourceDBSnapshotIdentifier": "arn:aws:rds:us-west-2:123456789012:snapshot:cc-web-production-database-july-2019",
                "DBSnapshotIdentifier": "cc-encrypted-production-database-july-2019",
                "DBSnapshotArn": "arn:aws:rds:us-west-2:123456789012:snapshot:cc-encrypted-production-database-july-2019",
                "EngineVersion": "5.6.40",
                "ProcessorFeatures": [],
                "OptionGroupName": "default:mysql-5-6",
                "AvailabilityZone": "us-east-1a",
                "StorageType": "gp2",
                "Encrypted": true,
                "IAMDatabaseAuthenticationEnabled": false,
                "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/abcdabcd-1234-1234-1234-abcdabcdabcd",
                "SnapshotType": "manual",
                "Port": 3306,
                "DBInstanceIdentifier": "cc-web-production-database"
            }
        }

03 Once the new snapshot's Status is available and your RDS database snapshot copy is encrypted, it is safe to delete the source snapshot. Run the delete-db-snapshot command (OSX/Linux/UNIX), passing the ID of the unencrypted snapshot as the identifier parameter, to remove the specified RDS database snapshot from your AWS account:

        aws rds delete-db-snapshot \
        --region us-east-1 \
        --db-snapshot-identifier cc-web-production-database-july-2019

04 The command output should return the delete-db-snapshot command request metadata:

        {
            "DBSnapshot": {
                "LicenseModel": "general-public-license",
                "InstanceCreateTime": "2017-05-16T11:25:20.053Z",
                "Engine": "mysql",
                "VpcId": "vpc-abcdabcd",
                "SourceRegion": "us-east-1",
                "AllocatedStorage": 50,
                "Status": "deleted",
                "PercentProgress": 100,
                "SourceDBSnapshotIdentifier": "arn:aws:rds:us-east-1:123456789012:snapshot:cc-web-production-database",
                "DBSnapshotIdentifier": "cc-web-production-database-july-2019",
                "DBSnapshotArn": "arn:aws:rds:us-east-1:123456789012:snapshot:cc-web-production-database-july-2019",
                "EngineVersion": "5.6.40",
                "ProcessorFeatures": [],
                "OptionGroupName": "default:mysql-5-6",
                "SnapshotCreateTime": "2019-11-29T13:28:04.806Z",
                "AvailabilityZone": "us-east-1a",
                "StorageType": "gp2",
                "Encrypted": true,
                "IAMDatabaseAuthenticationEnabled": false,
                "SnapshotType": "manual",
                "Port": 3306,
                "DBInstanceIdentifier": "cc-web-production-database"
            }
        }

05 Repeat steps no. 1 – 4 to encrypt other unencrypted RDS database snapshots available in the selected region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 5 for other regions.
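The CLI audit (part II) and remediation above are repeated by hand per snapshot and per region. The following added example, which is not Conformity's own code, automates both with boto3: the pure helpers take describe-db-snapshots / copy-db-snapshot response dicts (so they run offline on constructed input), and the two live functions walk every region, copy each unencrypted snapshot under the AWS managed key alias/aws/rds, and delete the source only after the copy is verified as available and encrypted (copy-db-snapshot itself answers with Status "creating", as the sample output shows). The target identifier suffix "-encrypted" is an assumption.

```python
# Added example (not Conformity's own code): offline-testable helpers for the RDS-040
# audit and remediation. boto3 and AWS credentials are needed only for the two live
# functions; the key alias below is the AWS managed key the page uses.

DEFAULT_RDS_KEY = "alias/aws/rds"


def unencrypted_ids(response: dict) -> list[str]:
    """IDs of snapshots in a describe-db-snapshots response with Encrypted == false."""
    return [s["DBSnapshotIdentifier"] for s in response.get("DBSnapshots", [])
            if not s.get("Encrypted", False)]


def copy_request(snapshot_id: str, kms_key_id: str = DEFAULT_RDS_KEY) -> dict:
    """copy_db_snapshot parameters that produce an encrypted, tag-preserving copy."""
    return {"SourceDBSnapshotIdentifier": snapshot_id,
            "TargetDBSnapshotIdentifier": f"{snapshot_id}-encrypted",  # assumed naming
            "KmsKeyId": kms_key_id, "CopyTags": True}


def safe_to_delete_source(copy_description: dict) -> bool:
    """True only once the copy is both 'available' and encrypted; copy-db-snapshot
    itself answers with Status 'creating', so never delete on that first response."""
    snap = copy_description["DBSnapshot"]
    return snap.get("Status") == "available" and snap.get("Encrypted") is True


def audit_all_regions() -> list[tuple[str, str]]:
    """Live: (region, snapshot id) for every unencrypted snapshot the account owns."""
    import boto3  # lazy import so the pure helpers above run without it
    findings = []
    for region in boto3.session.Session().get_available_regions("rds"):
        rds = boto3.client("rds", region_name=region)
        for page in rds.get_paginator("describe_db_snapshots").paginate():
            findings += [(region, sid) for sid in unencrypted_ids(page)]
    return findings


def encrypt_and_replace(region: str, snapshot_id: str, kms_key_id: str = DEFAULT_RDS_KEY) -> str:
    """Live: copy with encryption, wait for the copy, verify it, then delete the source."""
    import boto3
    rds = boto3.client("rds", region_name=region)
    params = copy_request(snapshot_id, kms_key_id)
    target = params["TargetDBSnapshotIdentifier"]
    rds.copy_db_snapshot(**params)
    rds.get_waiter("db_snapshot_available").wait(DBSnapshotIdentifier=target)
    copy = rds.describe_db_snapshots(DBSnapshotIdentifier=target)["DBSnapshots"][0]
    if not safe_to_delete_source({"DBSnapshot": copy}):
        raise RuntimeError(f"{target} is not an available encrypted copy; source kept")
    rds.delete_db_snapshot(DBSnapshotIdentifier=snapshot_id)
    return target
```

Run audit_all_regions() first and review the findings before calling encrypt_and_replace() on each one; the live functions need rds:DescribeDBSnapshots, rds:CopyDBSnapshot and rds:DeleteDBSnapshot permissions plus kms:CreateGrant on the key.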

Publication date Jan 9, 2018
