Vulnerabilities
Misconfiguration
Compliance
AWS > Rds >

Encrypt Instance Storage Data

HIGH
Source
Trivy/CSPM
CSPM ID
rds-encryption-enabled
ID
AVD-AWS-0080
cloudformation management_console terraform

RDS encryption has not been enabled at a DB Instance level.

Encryption should be enabled for an RDS Database instances. When enabling encryption by setting the kms_key_id.

Impact

Follow the appropriate remediation steps below to resolve the issue.

Enable encryption for RDS instances

1
2
3
4
5
6

Resources:
  GoodExample:
    Type: AWS::RDS::DBInstance
    Properties:
      KmsKeyId: something
      StorageEncrypted: true

  1. Log in to the AWS Management Console.

  2. Select the “Services” option and search for RDS. Step

  3. Scroll down the left navigation panel and choose “Databases”. Step

  4. Select the “Database” that needs to be verified and click on the selected “Database” from the “DB identifier” column to access the database.Step

  5. Click on the “Configuration” under the selected database configuration page.Step

  6. Scroll down the “Configuration” tab and check the “Storage” section.Check the “Encryption” and if it’s “Not Enabled” then encryption is not setup for selected RDS instance.Step

  7. Select the “Database” on which “Encryption” needs to be enabled.Step

  8. Click on the “Actions” button at the top panel and click on “Take snapshot”. Step

  9. On “Take DB snapshot” page provide a “Snapshot name” which will act as an identifier for the “DB Snapshot” and click on “Take Snapshot” button.Step

  10. Select the new created “Snapshot” and click on the “Actions” button at the top menu and click on the “Copy Snapshot” option.Step

  11. Under the “Copy snapshot” configuration page select the “Destination Region” and provide the “New DB Snapshot Identifier” for the new snapshot. Step

  12. Scroll down the “Copy snapshot” configuration page and click on “Enable encryption” under Encryption section. Select the “AWS KMS Key” from dropdown menu and click on the “Copy Snapshot” button.Step

  13. Select the new created “Snapshot” and click on the “Actions” button at the top menu and click on the “Restore Snapshot” option.Step

  14. On “Restore snapshot” configuration page review all the configuration settings and provide a unique name to the “DB Instance Identifier” under “Settings”.Step

  15. Scroll down and click on the “Restore DB Instance” button. Step

  16. Update the “Database Endpoint” as soon as the new instance provisioning process is completed and the database instance is available. Step

  17. Remove the unencrypted database instance by selecting the database and clicking on the “Actions” button at the top menu and clicking on the “Delete” button under “Delete” panel. Step

  18. Repeat step 7 to 17 for all other RDS databases.

Enable encryption for RDS instances

1
2
3

resource "aws_db_instance" "good_example" {
  storage_encrypted = true
}
Aqua Security is the largest pure-play cloud native security company, providing customers the freedom to innovate and run their businesses with minimal friction. The Aqua Cloud Native Security Platform provides prevention, detection, and response automation across the entire application lifecycle to secure the build, secure cloud infrastructure and secure running workloads wherever they are deployed.
Copyright © 2025 Aqua Security Software Ltd.   Privacy Policy | Terms of Use