Amazon_RDS_19

Ensures that AWS RDS databases are encrypted using Customer Managed Keys

Description

Ensure that your RDS database instances are encrypted with KMS customer managed keys (CMKs) rather than AWS managed keys (the default keys RDS uses when no customer key is specified), in order to have more granular control over your data-at-rest encryption/decryption process.

Remediation

RDS encryption is set at database creation, so to remedy this problem a new database is created, the data from the old database is migrated to it, and the old database is deleted:
1. Log in to the AWS Management Console and navigate to https://console.aws.amazon.com/rds/.

2. Select ‘Create database’.

3. On the ‘Select engine’ page, select ‘Engine options’ and ‘Next’.

4. On the ‘Select use case’ page, select the ‘Use case’ for the database and click ‘Next’.

5. On the ‘Specify DB details’ page, specify the database details you need and click ‘Next’.

6. On the ‘Configure advanced settings’ page, under ‘Encryption’, select ‘Enable encryption’ and choose a customer managed key (i.e. any key other than the default aws/rds key) from the ‘Master key’ dropdown list.

7. Select ‘Create database’.
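Added here as an example (not from the original page or the tool it documents): a Python check that applies this rule to RDS instance descriptions and reports which instances need the migration above. It assumes input shaped like boto3's rds.describe_db_instances() and kms.describe_key() responses, with constructed sample data standing in for live calls; a key whose KeyManager is "AWS" is the default aws/rds key this check flags.

```python
"""Classify RDS instances for check Amazon_RDS_19 (CMK encryption).

Added example, not part of the original page. With live data you would feed
rds.describe_db_instances()["DBInstances"] and, for each KmsKeyId,
kms.describe_key(KeyId=arn)["KeyMetadata"]["KeyManager"] into the functions
below; the constructed samples here let it run offline.
"""

# Constructed sample: three DB instances with only the relevant fields kept.
SAMPLE_INSTANCES = [
    {"DBInstanceIdentifier": "orders-prod", "StorageEncrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/aaaa-1111"},
    {"DBInstanceIdentifier": "analytics", "StorageEncrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/bbbb-2222"},
    {"DBInstanceIdentifier": "legacy", "StorageEncrypted": False},
]

# Constructed sample: KeyManager per key ARN. "AWS" is the aws/rds default
# key (fails this check); "CUSTOMER" is a customer managed key (passes).
SAMPLE_KEY_MANAGERS = {
    "arn:aws:kms:us-east-1:111122223333:key/aaaa-1111": "AWS",
    "arn:aws:kms:us-east-1:111122223333:key/bbbb-2222": "CUSTOMER",
}


def evaluate_instance(instance, key_managers):
    """Return (compliant, reason) for one DB instance description.

    An instance passes only if storage encryption is on and the key it uses
    is customer managed. An unknown key is reported as a failure so that a
    lookup error can never produce a false pass.
    """
    if not instance.get("StorageEncrypted"):
        return False, "storage encryption disabled"
    key_arn = instance.get("KmsKeyId")
    manager = key_managers.get(key_arn)
    if manager == "CUSTOMER":
        return True, "encrypted with customer managed key"
    if manager == "AWS":
        return False, "encrypted with AWS managed key (aws/rds default)"
    return False, f"key manager unknown for {key_arn}"


def find_noncompliant(instances, key_managers):
    """Map DBInstanceIdentifier -> reason for every instance failing the check."""
    result = {}
    for inst in instances:
        ok, reason = evaluate_instance(inst, key_managers)
        if not ok:
            result[inst["DBInstanceIdentifier"]] = reason
    return result


if __name__ == "__main__":
    for name, why in find_noncompliant(SAMPLE_INSTANCES, SAMPLE_KEY_MANAGERS).items():
        print(f"{name}: {why}")
```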

Service

RDS

Severity

High

Compliance

Mapping
