Amazon RDS

RDS Snapshot Encryption Disabled

Risk Level: MEDIUM

Description:

This plugin ensures that RDS snapshots are encrypted at rest. Amazon RDS supports snapshot encryption, which should be enabled so that all snapshot data at rest is protected.


Recommended Action: Copy the snapshot to a new snapshot that is encrypted and delete the old snapshot.

About the Service :

Amazon RDS (Amazon Relational Database Service) makes it simple to set up, run, and scale a relational database in the cloud. It offers scalable capacity at a low cost while automating time-consuming administrative activities including hardware provisioning, database setup, patching, and backups. 


Impact: 

If snapshots are not encrypted at rest, their contents can be exposed to attackers or unauthorized personnel who obtain access to the snapshot.

Steps to reproduce :

  1. Sign in to your AWS management console.
  2. Navigate to the RDS dashboard at: https://console.aws.amazon.com/rds/
  3. On the left navigation panel, under RDS Dashboard, select Snapshots.
  4. Select the snapshot you want to examine.
  5. In the details shown for the selected snapshot, check the value of the Encrypted attribute.
  6. If the Encrypted configuration value is set to No, the selected Amazon RDS database snapshot is not encrypted at rest.
  7. Repeat steps no. 3 – 6 for each RDS snapshot provisioned in the current region as well as in other AWS regions.


Steps for remediation :

  1. Sign in to your AWS management console.
  2. Navigate to the RDS dashboard at: https://console.aws.amazon.com/rds/
  3. On the left navigation panel, under RDS Dashboard, select Snapshots.
  4. Select the unencrypted snapshot that you want to examine.
  5. Click the Actions button from the dashboard top menu and select Copy Snapshot.
  6. On the Copy Snapshot page that appears, perform the following actions: 
    1. From the Destination Region dropdown list, select the region where you want to write the copy of the selected snapshot.
    2. In the New DB Snapshot Identifier field, enter a name for the new snapshot (copy).
    3. From the Target Option Group dropdown list, select an option group to associate with your target database snapshot.
    4. Select the Copy Tags so the new snapshot can have the same tags as the source snapshot.
    5. Select the Enable Encryption option and select an encryption key for it from the Master Key dropdown list.
    6. Click on Copy Snapshot.
  7. Once the encrypted copy is available, the source snapshot can be safely deleted.
  8. Perform the following actions:
    1. Select the source AWS RDS snapshot.
    2. Click on the Actions button in the top-right corner and click on Delete Snapshot.
    3. Click on Delete.
  9. Repeat steps no. 4 – 8 for each unencrypted RDS snapshot provisioned in the current region as well as in other AWS regions.
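The same check (steps 3 – 6 of "Steps to reproduce") and the encrypted-copy request from the remediation steps, as an added Python/boto3 example that is not part of this plugin or of AWS's own tooling. The snapshot names, account id and KMS key below are constructed placeholders, and the boto3 call is only made when `audit_region` is pointed at a real region.

```python
from typing import Dict, List, Optional

def find_unencrypted_snapshots(snapshots: List[Dict]) -> List[str]:
    """Identifiers of snapshots whose Encrypted flag is not True.

    `snapshots` is the DBSnapshots list from DescribeDBSnapshots; a missing
    Encrypted key is treated as unencrypted so the check fails closed.
    """
    return [s["DBSnapshotIdentifier"] for s in snapshots
            if s.get("Encrypted") is not True]

def encrypted_copy_params(source_id: str, target_id: str, kms_key_id: str,
                          option_group: Optional[str] = None) -> Dict:
    """CopyDBSnapshot parameters for an encrypted copy.

    KmsKeyId is what encrypts the copy (the console's Enable Encryption /
    Master Key choice); CopyTags mirrors the Copy Tags checkbox.
    """
    params = {
        "SourceDBSnapshotIdentifier": source_id,
        "TargetDBSnapshotIdentifier": target_id,
        "KmsKeyId": kms_key_id,
        "CopyTags": True,
    }
    if option_group:  # console: Target Option Group
        params["OptionGroupName"] = option_group
    return params

# Constructed sample shaped like DescribeDBSnapshots output (hypothetical names).
SAMPLE_SNAPSHOTS = [
    {"DBSnapshotIdentifier": "orders-manual-1", "Encrypted": False},
    {"DBSnapshotIdentifier": "orders-manual-2", "Encrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
    {"DBSnapshotIdentifier": "legacy-export"},  # Encrypted key absent
]

def audit_region(region: str, kms_key_id: str, dry_run: bool = True) -> List[str]:
    """Scan one region with boto3; with dry_run=False, request encrypted copies."""
    import boto3  # imported here so the pure functions above run offline
    rds = boto3.client("rds", region_name=region)
    found: List[str] = []
    for page in rds.get_paginator("describe_db_snapshots").paginate():
        found += find_unencrypted_snapshots(page["DBSnapshots"])
    for snap in found:
        params = encrypted_copy_params(snap, f"{snap}-encrypted", kms_key_id)
        if not dry_run:  # delete the source only once the copy is "available"
            rds.copy_db_snapshot(**params)
    return found
```

`audit_region` defaults to a dry run so it only reports findings; pass `dry_run=False` to issue the copy requests, and delete each source snapshot only after its encrypted copy shows the available status.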



References: