Using unencrypted RDS DB resources exposes data to unauthorized access.
This includes database data, logs, automatic backups, read replicas,
snapshots, and cluster metadata.
This situation can occur in a variety of scenarios, such as:
- A malicious insider working at the cloud provider gains physical access to the storage device.
- Unknown attackers penetrate the cloud provider’s logical infrastructure and systems.
After a successful intrusion, the underlying applications are exposed to:
- theft of intellectual property and/or personal data
- extortion
- denial of services and security bypasses via data corruption or deletion
AWS-managed encryption at rest reduces this risk with a simple switch.
Ask Yourself Whether
- The database contains sensitive data that could cause harm when leaked.
- There are compliance requirements for the service to store data encrypted.
There is a risk if you answered yes to any of those questions.
Recommended Secure Coding Practices
It is recommended to enable encryption at rest on any RDS DB resource, regardless of the engine.
In any case, no further maintenance is
required as encryption at rest is fully managed by AWS.
Sensitive Code Example
For AWS::RDS::DBInstance and
AWS::RDS::DBCluster:
AWSTemplateFormatVersion: '2010-09-09'
Resources:
DatabaseInstance:
Type: AWS::RDS::DBInstance
Properties:
StorageEncrypted: false # Sensitive, disabled by default
DatabaseCluster:
Type: AWS::RDS:DBCluster
Properties:
StorageEncrypted: false # Sensitive, disabled by default
Compliant Solution
For AWS::RDS::DBInstance and
AWS::RDS::DBCluster:
AWSTemplateFormatVersion: '2010-09-09'
Resources:
DatabaseInstance:
Type: AWS::RDS::DBInstance
Properties:
StorageEncrypted: true
DatabaseCluster:
Type: AWS::RDS:DBCluster
Properties:
StorageEncrypted: false # Sensitive, disabled by default
See