When enabling Performance Insights on an RDS cluster or RDS DB instance, an encryption key should be provided.
The encryption key specified in performance_insights_kms_key_id references a KMS ARN.
Impact
Performance Insights data can be read if the store holding it is compromised.
Recommended Actions
Follow the appropriate remediation steps below to resolve the issue.
Enable encryption for RDS clusters and instances (CloudFormation)

---
AWSTemplateFormatVersion: "2010-09-09"
Description: Good example
Resources:
  Queue:
    Type: AWS::RDS::DBInstance
    Properties:
      EnablePerformanceInsights: true
      PerformanceInsightsKMSKeyId: "something"

Enable encryption for RDS clusters and instances (Terraform)

resource "aws_rds_cluster_instance" "good_example" {
  name                            = "bar"
  performance_insights_enabled    = true
  performance_insights_kms_key_id = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
}

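The check described above, written as an added example (not the scanner's own code): it walks a CloudFormation template parsed as JSON and flags any RDS instance or cluster that enables Performance Insights without a KMS key, and additionally reports a key value that is not a KMS key ARN. The DBInstance property names are the ones shown on this page; the DBCluster property names are assumed from the CloudFormation resource schema, and the sample template is constructed.

```python
import json
import re

# A full KMS key ARN, the form this page shows. A dict value is a CloudFormation
# intrinsic such as {"Ref": ...} or {"Fn::GetAtt": ...}, i.e. a key defined
# elsewhere in the template, and is accepted without further checking.
KMS_KEY_ARN = re.compile(r"^arn:aws[a-z-]*:kms:[a-z0-9-]+:\d{12}:key/[0-9a-f-]+$")

# (enable flag, key property) per resource type. DBInstance names are from the
# page; DBCluster names are assumed from the AWS::RDS::DBCluster schema.
PI_PROPERTIES = {
    "AWS::RDS::DBInstance": ("EnablePerformanceInsights", "PerformanceInsightsKMSKeyId"),
    "AWS::RDS::DBCluster": ("PerformanceInsightsEnabled", "PerformanceInsightsKmsKeyId"),
}


def check_performance_insights(template: dict) -> list[str]:
    """Return one finding per RDS resource that enables Performance Insights
    without a KMS key, or with a key value that is not a KMS key ARN."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        props = PI_PROPERTIES.get(res.get("Type"))
        if props is None:
            continue  # not an RDS instance or cluster
        enabled_key, kms_key = props
        p = res.get("Properties", {})
        if p.get(enabled_key) not in (True, "true"):
            continue  # Performance Insights is off: nothing to encrypt
        key = p.get(kms_key)
        if key in (None, ""):
            findings.append(f"{name}: Performance Insights enabled without {kms_key}")
        elif isinstance(key, str) and not KMS_KEY_ARN.match(key):
            findings.append(f"{name}: {kms_key} is not a KMS key ARN: {key!r}")
    return findings


# Constructed sample: one resource with no key, one with a placeholder string,
# one with the ARN from this page, and one cluster referencing a key by Ref.
SAMPLE_TEMPLATE = json.loads("""{
  "Resources": {
    "NoKey": {"Type": "AWS::RDS::DBInstance",
              "Properties": {"EnablePerformanceInsights": true}},
    "Placeholder": {"Type": "AWS::RDS::DBInstance",
              "Properties": {"EnablePerformanceInsights": true,
                             "PerformanceInsightsKMSKeyId": "something"}},
    "GoodInstance": {"Type": "AWS::RDS::DBInstance",
              "Properties": {"EnablePerformanceInsights": true,
                             "PerformanceInsightsKMSKeyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"}},
    "RefKey": {"Type": "AWS::RDS::DBCluster",
              "Properties": {"PerformanceInsightsEnabled": true,
                             "PerformanceInsightsKmsKeyId": {"Ref": "PiKey"}}}
  }
}""")

if __name__ == "__main__":
    for finding in check_performance_insights(SAMPLE_TEMPLATE):
        print(finding)
```

Running it reports NoKey and Placeholder and accepts the other two resources.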
Links