Triage AWS RDS DB Instances should use encrypted storage ENCRYPTION_NOT_ENABLED
Quick Links
- Configure AWS RDS DB Instances should use encrypted storage
- Use Case for AWS RDS DB Instances should use encrypted storage
- Triage Guides by Violation Type
In general, simply updating the storage encryption for RDS via IaC (e.g. CloudFormation, Terraform) will cause your data to be deleted. This setting is difficult to change and requires a database migration.
There are a number of approaches, but the general process to enable encryption is outlined here: create a Snapshot from your RDS Instance, create an encrypted copy of that Snapshot, then create a new instance from the encrypted Snapshot. This will cause downtime unless you use AWS Database Migration Service (DMS). A more detailed guide of the process is captured in Encrypt an existing Amazon RDS for PostgreSQL DB instance.
Why should I care about fixing this issue?
To understand how to evaluate the correct database encryption policy for your use-case, read our use-case page.
What is the data source for this policy?
This policy relies on a call to rds:DescribeDbInstances
. If the response does not contain the property StorageEncrypted
or is false, then a violation is opened by the policy.
Does this policy scan on a schedule? If so, when?
No, it's triggered when changes to matching resources are detected.
How do I set a retention policy using AWS Console?
The process is documented in this guide, Encrypt an existing Amazon RDS for PostgreSQL DB instance
How do I set a retention policy using CloudFormation?
Note that the field is not required and the default value is false. Updating this property requires Replacement, which means your old instance, along with its data will be deleted. A new, empty encrypted instance will be created. You probably do not want to do this.
Type: AWS::RDS::DBInstance
Properties:
+ StorageEncrypted: true
How do I set a retention policy using Terraform?
Note that the field is not required, may not be present, and the default value is false. Changing this field to true will result in a forced replacement, which means your old instance, along with its data will be deleted. A new, empty encrypted instance will be created. You probably do not want to do this.
resource "aws_db_instance" "example" {
- storage_encrypted = false
+ storage_encrypted = true
}
How do I set a retention policy using AWS CLI?
This is multiple api calls.
aws rds create-db-snapshot
aws rds delete-db-instance
aws rds copy-db-snapshot
aws rds restore-db-instance-from-db-snapshot
For more detailed instructions, see Encrypt an existing Amazon RDS for PostgreSQL DB instance.
When is it appropriate to mark this violation as "by design"?
To understand how to evaluate the correct log retention for your use-case, read our use-case page.