HIGH
Source
Trivy
ID
AVD-AWS-0079

There is no encryption specified or encryption is disabled on the RDS Cluster.

Encryption should be enabled for an RDS Aurora cluster.

When enabling encryption by setting kms_key_id, storage_encrypted must also be set to true; a KMS key on its own does not turn encryption on.

Impact

Data can be read from the RDS cluster storage if it is compromised.

Follow the appropriate remediation steps below to resolve the issue.

Enable encryption for RDS clusters

---
AWSTemplateFormatVersion: "2010-09-09"
Description: Good example of an encrypted RDS cluster
Resources:
  Cluster:
    Type: AWS::RDS::DBCluster
    Properties:
      # Both properties are needed: KmsKeyId alone does not enable encryption
      StorageEncrypted: true
      KmsKeyId: "something"   # replace with the ARN or ID of the KMS key to use

  1. Log into the AWS Management Console.
  2. Select the “Services” option and search for RDS.
  3. Scroll down the left navigation panel and choose “Databases”.
  4. Select the “Database” that needs to be verified and click on the selected “Database” from the “DB identifier” column to access the database.
  5. Click on the “Configuration” tab on the selected database configuration page.
  6. Scroll down the “Configuration” tab and check the “Storage” section. Check the “Encryption” value; if it is “Not Enabled”, then encryption is not set up for the selected RDS instance.
  7. Repeat steps 2 - 6 to check other RDS instances.
  8. Select the “Database” on which “Encryption” needs to be enabled.
  9. Click on the “Actions” button at the top panel and click on “Take snapshot”.
  10. On the “Take DB Snapshot” page provide a “Snapshot name”, which will act as an identifier for the “DB Snapshot”, and click on the “Take Snapshot” button.
  11. Select the newly created “Snapshot”, click on the “Actions” button at the top menu and click on the “Copy Snapshot” option.
  12. Under the “Make Copy of DB Snapshot?” configuration page select the “Destination Region” and provide the “New DB Snapshot Identifier” for the new snapshot.
  13. Scroll down the “Make Copy of DB Snapshot?” configuration page and click on “Enable encryption” under the Encryption section. Select the “Master key” from the dropdown menu and click on the “Copy Snapshot” button.
  14. Select the newly created “Snapshot”, click on the “Actions” button at the top menu and click on the “Restore Snapshot” option.
  15. On the “Restore DB Instance” configuration page review all the configuration settings and provide a unique name for the “DB Instance” under “DB Instance Identifier”.
  16. Scroll down and click on the “Restore DB Instance” button.
  17. Update the “Database Endpoint” as soon as the new instance provisioning process is completed and the database instance is available.
  18. Remove the unencrypted database instance by selecting the database, clicking on the “Actions” button at the top menu and clicking on the “Delete” button under the “Delete” panel.

Enable encryption for RDS clusters

resource "aws_rds_cluster" "good_example" {
  cluster_identifier = "bar"
  # Both attributes are required: kms_key_id alone does not turn encryption on
  kms_key_id         = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
  storage_encrypted  = true
}
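The rule behind this check is the same in every form it appears on this page: a cluster passes only when storage_encrypted (Terraform), StorageEncrypted (CloudFormation) or the StorageEncrypted flag reported by the RDS API is true, and a KMS key reference by itself does not count. The script below is an added example written for this page, not Trivy's own implementation or code from the AWS provider, and it applies that rule to all three sources: a Terraform file, a CloudFormation template (already loaded into a dict, as yaml.safe_load would produce), and the JSON that aws rds describe-db-clusters returns. The three inputs are constructed samples embedded in the script; the Terraform parser is deliberately minimal and assumes flat key = value attributes with no nested blocks.

```python
"""Added example: flag RDS/Aurora clusters that are not encrypted at rest.

Mirrors the AVD-AWS-0079 condition: storage_encrypted / StorageEncrypted must
be true. A KMS key on its own is not enough. All inputs below are constructed
samples for this example, not real templates or account output.
"""
import json
import re

# Minimal Terraform extraction for aws_rds_cluster blocks.
# Assumption: flat `key = value` attributes only, no nested blocks.
_BLOCK_RE = re.compile(r'resource\s+"aws_rds_cluster"\s+"([^"]+)"\s*\{(.*?)\n\}', re.S)
_ATTR_RE = re.compile(r'^\s*(\w+)\s*=\s*(.+?)\s*$', re.M)


def _parse_value(raw):
    """Turn an HCL literal into a Python value; other expressions stay as text."""
    raw = raw.strip()
    if raw in ("true", "false"):
        return raw == "true"
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1]
    return raw  # e.g. var.kms_key_id: cannot be resolved statically here


def terraform_findings(hcl):
    """Return (resource address, reason) for each cluster that is not encrypted."""
    findings = []
    for name, body in _BLOCK_RE.findall(hcl):
        attrs = {k: _parse_value(v) for k, v in _ATTR_RE.findall(body)}
        if attrs.get("storage_encrypted") is not True:
            reason = ("kms_key_id set but storage_encrypted is not true"
                      if "kms_key_id" in attrs else "storage_encrypted not enabled")
            findings.append((f"aws_rds_cluster.{name}", reason))
    return findings


def cloudformation_findings(template):
    """Same rule over a parsed CloudFormation template."""
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::RDS::DBCluster":
            continue
        props = res.get("Properties", {})
        # JSON templates may carry the boolean as the string "true"
        if props.get("StorageEncrypted") not in (True, "true"):
            reason = ("KmsKeyId set but StorageEncrypted is not true"
                      if "KmsKeyId" in props else "StorageEncrypted not enabled")
            findings.append((logical_id, reason))
    return findings


def unencrypted_clusters(response):
    """Identifiers of live clusters (describe-db-clusters shape) not encrypted."""
    return [c["DBClusterIdentifier"] for c in response.get("DBClusters", [])
            if c.get("StorageEncrypted") is not True]


# Constructed Terraform sample: one correct cluster, one with only a key, one bare.
SAMPLE_TF = '''
resource "aws_rds_cluster" "good_example" {
  cluster_identifier = "bar"
  kms_key_id         = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
  storage_encrypted  = true
}
resource "aws_rds_cluster" "key_only" {
  cluster_identifier = "baz"
  kms_key_id         = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
}
resource "aws_rds_cluster" "plain" {
  cluster_identifier = "qux"
}
'''

# Constructed CloudFormation template as yaml.safe_load() would return it.
SAMPLE_CFN = {"Resources": {
    "Cluster": {"Type": "AWS::RDS::DBCluster",
                "Properties": {"StorageEncrypted": True, "KmsKeyId": "something"}},
    "JsonStyle": {"Type": "AWS::RDS::DBCluster",
                  "Properties": {"StorageEncrypted": "true"}},
    "Unencrypted": {"Type": "AWS::RDS::DBCluster",
                    "Properties": {"Engine": "aurora-mysql"}},
    "Bucket": {"Type": "AWS::S3::Bucket"},
}}

# Constructed `aws rds describe-db-clusters` output, trimmed to relevant fields.
SAMPLE_API = json.loads('''{"DBClusters": [
  {"DBClusterIdentifier": "prod-aurora", "StorageEncrypted": true,
   "KmsKeyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"},
  {"DBClusterIdentifier": "legacy-aurora", "StorageEncrypted": false}
]}''')


def run_checks():
    """Run all three checks over the constructed samples."""
    return {
        "terraform": terraform_findings(SAMPLE_TF),
        "cloudformation": cloudformation_findings(SAMPLE_CFN),
        "live": unencrypted_clusters(SAMPLE_API),
    }


if __name__ == "__main__":
    for source, hits in run_checks().items():
        print(source, hits or "no findings")
```

Against the samples the Terraform check reports key_only (a KMS key with no storage_encrypted, the exact mistake the page warns about) and plain, the CloudFormation check reports only Unencrypted, and the API check reports legacy-aurora. To check a real account instead of the embedded sample, feed the output of aws rds describe-db-clusters --output json into unencrypted_clusters; the console steps above operate on DB instances rather than clusters, and describe-db-instances exposes the same StorageEncrypted flag, so the same comparison applies there.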