Vulnerabilities
Misconfiguration
Compliance
AWS > Rds >

Performance Insights Encryption Customer Key

LOW
Source
Trivy
ID
AVD-AWS-0078
cloudformation terraform

Performance Insights encryption should use Customer Managed Keys

Amazon RDS uses the AWS managed key for your new DB instance. For complete control over KMS keys, including establishing and maintaining their key policies, IAM policies, and grants, enabling and disabling them, and rotating their cryptographic material, use a customer managed keys. The encryption key specified in performance_insights_kms_key_id references a KMS ARN

Impact

Follow the appropriate remediation steps below to resolve the issue.

Use Customer Managed Keys to encrypt Performance Insights data

1
2
3
4
5
6

Resources:
  GoodExample:
    Type: AWS::RDS::DBInstance
    Properties:
      EnablePerformanceInsights: true
      PerformanceInsightsKMSKeyId: something

Use Customer Managed Keys to encrypt Performance Insights data

1
2
3
4
5

resource "aws_rds_cluster_instance" "good_example" {
  name                            = "bar"
  performance_insights_enabled    = true
  performance_insights_kms_key_id = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
}

1
2
3
4

resource "aws_rds_cluster_instance" "good_example" {
  name                         = "bar"
  performance_insights_enabled = false
}
Aqua Security is the largest pure-play cloud native security company, providing customers the freedom to innovate and run their businesses with minimal friction. The Aqua Cloud Native Security Platform provides prevention, detection, and response automation across the entire application lifecycle to secure the build, secure cloud infrastructure and secure running workloads wherever they are deployed.
Copyright © 2025 Aqua Security Software Ltd.   Privacy Policy | Terms of Use