There is no encryption specified or encryption is disabled on the RDS Cluster.
Encryption should be enabled for an RDS Aurora cluster.
When enabling encryption by setting kms_key_id (to use a customer-managed key), storage_encrypted must also be set to true; setting the key alone does not turn encryption on.
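The rule above can be checked mechanically. The following is an added example (not part of the original page or of any scanner's code) that walks a CloudFormation template in JSON form and reports every AWS::RDS::DBCluster whose storage is not encrypted, distinguishing the case where KmsKeyId is present but StorageEncrypted is missing, since that combination is still non-compliant. The template is constructed inline for illustration; the key alias in it is a placeholder.

```python
import json

# Constructed sample template (JSON form of CloudFormation), not from the page.
# Three DBCluster resources cover the cases the rule distinguishes, plus one
# unrelated resource that the check must ignore.
SAMPLE_TEMPLATE = json.loads("""
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "GoodCluster": {
      "Type": "AWS::RDS::DBCluster",
      "Properties": {
        "Engine": "aurora-mysql",
        "StorageEncrypted": true,
        "KmsKeyId": "alias/example-placeholder-key"
      }
    },
    "KeyWithoutFlag": {
      "Type": "AWS::RDS::DBCluster",
      "Properties": {
        "Engine": "aurora-mysql",
        "KmsKeyId": "alias/example-placeholder-key"
      }
    },
    "Unencrypted": {
      "Type": "AWS::RDS::DBCluster",
      "Properties": {
        "Engine": "aurora-postgresql"
      }
    },
    "NotACluster": {
      "Type": "AWS::S3::Bucket",
      "Properties": {}
    }
  }
}
""")


def _is_true(value):
    """Accept the boolean spellings a template may use for StorageEncrypted."""
    if isinstance(value, bool):
        return value
    if isinstance(value, str):
        return value.strip().lower() == "true"
    return False


def check_cluster_encryption(template):
    """Return a list of (logical_id, message) findings, one per
    AWS::RDS::DBCluster whose storage encryption is not enabled."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::RDS::DBCluster":
            continue
        props = resource.get("Properties") or {}
        if _is_true(props.get("StorageEncrypted")):
            continue  # compliant, with or without a customer-managed key
        if props.get("KmsKeyId"):
            findings.append((logical_id,
                             "KmsKeyId is set but StorageEncrypted is not true; "
                             "the key alone does not enable encryption"))
        else:
            findings.append((logical_id, "StorageEncrypted is missing or false"))
    return findings


if __name__ == "__main__":
    for logical_id, message in check_cluster_encryption(SAMPLE_TEMPLATE):
        print(f"{logical_id}: {message}")
```

Running it reports KeyWithoutFlag and Unencrypted and stays silent on GoodCluster; the same two-step test (is the flag true, and if not, is a key present) is what a reviewer applies by eye to the Terraform form of the resource.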
Impact
Data can be read from the RDS cluster if it is compromised
Recommended Actions
Follow the appropriate remediation steps below to resolve the issue.
Enable encryption for RDS clusters (CloudFormation)

```yaml
AWSTemplateFormatVersion: 2010-09-09
Description: Good example of an encrypted RDS cluster
Resources:
  Cluster:
    Type: AWS::RDS::DBCluster
    Properties:
      # StorageEncrypted must be true; KmsKeyId on its own does not enable encryption
      StorageEncrypted: true
      # placeholder: replace with the ARN or alias of your KMS key
      KmsKeyId: "something"
```
Enable encryption for RDS clusters (Terraform)

```hcl
resource "aws_rds_cluster" "good_example" {
  # aws_rds_cluster has no "name" argument; cluster_identifier names the cluster
  cluster_identifier = "bar"
  kms_key_id         = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
  # required alongside kms_key_id; the key alone does not enable encryption
  storage_encrypted  = true
}
```
Links