
Triage AWS RDS DB Instances should use encrypted storage ENCRYPTION_NOT_ENABLED

Danger: Simply updating the storage encryption setting for RDS through IaC (e.g. CloudFormation, Terraform) will, in general, cause your data to be deleted. This setting is difficult to change and requires a database migration.

There are a number of approaches, but the general process to enable encryption is: create a snapshot of your RDS instance, create an encrypted copy of that snapshot, then create a new instance from the encrypted snapshot. This causes downtime unless you use AWS Database Migration Service (DMS). A more detailed guide to the process is given in Encrypt an existing Amazon RDS for PostgreSQL DB instance.

Why should I care about fixing this issue?

To understand how to evaluate the correct database encryption policy for your use-case, read our use-case page.

What is the data source for this policy?

This policy relies on a call to rds:DescribeDBInstances. If the StorageEncrypted property in the response is absent or false, the policy opens a violation.
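To show what that check amounts to in practice, here is an added example (not part of this guide or its product) that applies the same absent-or-false rule to one page of DescribeDBInstances output; the instance identifiers and KMS key ARN in the sample are constructed.

```python
"""Flag RDS instances whose StorageEncrypted property is absent or false,
mirroring the ENCRYPTION_NOT_ENABLED check described above."""
import json

# Constructed sample in the shape returned by
# `aws rds describe-db-instances` (or boto3 describe_db_instances()).
# Identifiers and the KMS key ARN are made up for this example.
SAMPLE_RESPONSE = json.loads("""
{
  "DBInstances": [
    {"DBInstanceIdentifier": "orders-prod", "Engine": "postgres",
     "StorageEncrypted": true,
     "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/example-key-id"},
    {"DBInstanceIdentifier": "reports-legacy", "Engine": "mysql",
     "StorageEncrypted": false},
    {"DBInstanceIdentifier": "scratch-dev", "Engine": "postgres"}
  ]
}
""")


def find_unencrypted_instances(response):
    """Return identifiers of instances that would trigger the violation.

    `response` is one page of DescribeDBInstances output (a dict holding a
    "DBInstances" list); the caller is responsible for paginating.
    """
    violations = []
    for db in response.get("DBInstances", []):
        # .get() treats a missing property the same as an explicit false,
        # which is exactly the policy's "absent or false" rule.
        if not db.get("StorageEncrypted", False):
            violations.append(db["DBInstanceIdentifier"])
    return violations


def summarize(response):
    """Map each instance identifier to its encryption state for a triage report."""
    return {db["DBInstanceIdentifier"]: bool(db.get("StorageEncrypted", False))
            for db in response.get("DBInstances", [])}


if __name__ == "__main__":
    import sys
    # Pipe real output in (aws rds describe-db-instances | python this_script.py)
    # or fall back to the constructed sample when run interactively.
    data = SAMPLE_RESPONSE if sys.stdin.isatty() else json.load(sys.stdin)
    for ident in find_unencrypted_instances(data):
        print(f"ENCRYPTION_NOT_ENABLED: {ident}")
```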

Does this policy scan on a schedule? If so, when?

No, it's triggered when changes to matching resources are detected.

How do I enable storage encryption using the AWS Console?

The process is documented in this guide: Encrypt an existing Amazon RDS for PostgreSQL DB instance.

How do I enable storage encryption using CloudFormation?

AWS::RDS::DBInstance

Note that the field is not required and its default value is false. Updating this property requires Replacement, which means your old instance, along with its data, will be deleted and a new, empty encrypted instance will be created. You probably do not want to do this.

 Type: AWS::RDS::DBInstance
Properties:
+ StorageEncrypted: true

How do I enable storage encryption using Terraform?

aws_db_instance

Note that the field is not required, may not be present, and its default value is false. Changing this field to true will force a replacement, which means your old instance, along with its data, will be deleted and a new, empty encrypted instance will be created. You probably do not want to do this.

 resource "aws_db_instance" "example" {
- storage_encrypted = false
+ storage_encrypted = true
}

How do I enable storage encryption using the AWS CLI?

This requires multiple API calls:

  1. aws rds create-db-snapshot
  2. aws rds delete-db-instance
  3. aws rds copy-db-snapshot
  4. aws rds restore-db-instance-from-db-snapshot

For more detailed instructions, see Encrypt an existing Amazon RDS for PostgreSQL DB instance.

When is it appropriate to mark this violation as "by design"?

To understand how to evaluate the correct database encryption policy for your use-case, read our use-case page.