Profile Applicability:
Level 1


Description:
This control ensures that Amazon Relational Database Service (RDS) instances have storage encryption enabled using AWS Key Management Service (KMS). Encrypting RDS storage protects data at rest, including underlying storage, automated backups, read replicas, snapshots, and transaction logs. This ensures that sensitive data stored in the database cannot be accessed by unauthorized users or compromised if a breach occurs.


Rationale:
RDS storage encryption is a critical security control that protects sensitive and regulated data using strong encryption (AES-256). It ensures that data remains secure throughout its lifecycle, from the primary storage volume to automated backups, snapshots, and read replicas. Enabling encryption also helps organizations comply with data protection standards such as SOC 2, ISO 27001, HIPAA, GDPR, and the CIS AWS Foundations Benchmark. Without encryption, an attacker with physical access to the underlying storage or with compromised credentials that grant access to backups or snapshots could read the data in plaintext.


Impact:
Positive Impact:

  • Protects database data, backups, and snapshots from unauthorized access.

  • Meets regulatory and compliance requirements for data-at-rest encryption.

  • Automatically encrypts all associated backups and read replicas.

Negative Impact:

  • Encryption cannot be enabled on an existing unencrypted instance directly; migration is required.

  • Slight performance overhead due to encryption and decryption operations.

Default Value:
By default, encryption is disabled for RDS instances unless it is explicitly enabled during instance creation.

Pre-Requisite:

  • IAM permissions required: rds:DescribeDBInstances, rds:CreateDBInstance, rds:CopyDBSnapshot, and kms:ListKeys.

  • A valid KMS key (either AWS-managed or customer-managed).

Test Plan:
Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon RDS → Databases.

  3. Select a database instance and open the Configuration tab.

  4. Under Storage, verify that Storage encryption is listed as Enabled.

  5. Check the KMS key value — it should be an ARN such as:
    arn:aws:kms:us-east-1:123456789012:key/abcd1234-xxxx-xxxx-xxxx-yyyyyyyyyyyy.

  6. If storage encryption is Disabled, this control is non-compliant.
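The console check above scales poorly across many instances. The following script is an added example, not part of the benchmark text: it evaluates the JSON returned by the RDS DescribeDBInstances API (the same data the Configuration tab displays), reporting StorageEncrypted and KmsKeyId for each instance and flagging any instance that is not encrypted. The sample output embedded below is constructed for illustration; the optional fetch_db_instances helper collects live data with boto3 and needs only the rds:DescribeDBInstances permission listed under Pre-Requisite.

```python
"""Audit RDS instances for storage encryption (added example, not benchmark code).

The evaluator works on the JSON shape returned by DescribeDBInstances
(``aws rds describe-db-instances`` or boto3 ``describe_db_instances``), so it can
be run offline against saved output or wired to a live client.
"""
from typing import Any


def evaluate_db_instances(describe_output: dict[str, Any]) -> list[dict[str, Any]]:
    """Return one finding per DB instance; compliant only when StorageEncrypted is true.

    KmsKeyId is present only on encrypted instances. It is reported so a reviewer
    can confirm which key (AWS-managed or customer-managed) protects the instance,
    its automated backups, snapshots, and read replicas.
    """
    findings = []
    for db in describe_output.get("DBInstances", []):
        encrypted = bool(db.get("StorageEncrypted", False))
        findings.append({
            "DBInstanceIdentifier": db["DBInstanceIdentifier"],
            "Engine": db.get("Engine"),
            "StorageEncrypted": encrypted,
            "KmsKeyId": db.get("KmsKeyId"),
            "Compliant": encrypted,
        })
    return findings


def non_compliant_ids(describe_output: dict[str, Any]) -> list[str]:
    """Identifiers of instances that fail this control."""
    return [f["DBInstanceIdentifier"]
            for f in evaluate_db_instances(describe_output) if not f["Compliant"]]


def fetch_db_instances(region_name: str) -> dict[str, Any]:
    """Live collection via boto3 (requires rds:DescribeDBInstances); handles pagination."""
    import boto3  # imported here so the offline evaluator has no boto3 dependency
    rds = boto3.client("rds", region_name=region_name)
    instances: list[dict[str, Any]] = []
    for page in rds.get_paginator("describe_db_instances").paginate():
        instances.extend(page["DBInstances"])
    return {"DBInstances": instances}


# Constructed sample output (not data from a real account): one encrypted instance
# using the key ARN format shown in the test plan, and one unencrypted instance.
SAMPLE_DESCRIBE_OUTPUT = {
    "DBInstances": [
        {"DBInstanceIdentifier": "orders-db", "Engine": "postgres",
         "StorageEncrypted": True,
         "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/abcd1234-xxxx-xxxx-xxxx-yyyyyyyyyyyy"},
        {"DBInstanceIdentifier": "legacy-reporting", "Engine": "mysql",
         "StorageEncrypted": False},
    ]
}

if __name__ == "__main__":
    for f in evaluate_db_instances(SAMPLE_DESCRIBE_OUTPUT):
        status = "PASS" if f["Compliant"] else "FAIL"
        print(f"{status} {f['DBInstanceIdentifier']} "
              f"encrypted={f['StorageEncrypted']} kms={f['KmsKeyId']}")
```

To audit a live account, replace SAMPLE_DESCRIBE_OUTPUT with fetch_db_instances("us-east-1") (or pipe the CLI output into the evaluator) and run it per region; any identifier returned by non_compliant_ids is a non-compliant instance under step 6.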

Implementation Plan:
Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon RDS → Databases.

  3. Select the unencrypted database instance.

  4. Choose Actions → Take snapshot to create a snapshot of the database.

  5. After the snapshot is created, go to Snapshots in the RDS console.

  6. Select the snapshot and choose Actions → Copy snapshot.

  7. In the Copy snapshot dialog box:

    • Under Encryption, select Enable encryption.

    • Choose a KMS key (either AWS-managed or customer-managed).

    • Provide a name for the new snapshot and click Copy snapshot.

  8. Once the encrypted snapshot is available, restore it as a new database instance:

    • Go to the Snapshots page.

    • Select the encrypted snapshot and click Restore snapshot.

    • Configure instance settings and launch the encrypted instance.

  9. Update applications and services to connect to the new encrypted RDS instance.

  10. Delete the old unencrypted instance after successful migration and verification.
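Steps 4 through 8 of the implementation plan map directly onto three RDS API calls. The script below is an added example, not benchmark text: it builds the snapshot, encrypted-copy and restore sequence as an explicit plan (so the exact parameters, in particular KmsKeyId on the copy, can be reviewed before anything runs) and then executes it with a boto3 RDS client, blocking on the standard db_snapshot_available and db_instance_available waiters between steps. It assumes boto3 and the permissions listed under Pre-Requisite plus rds:CreateDBSnapshot and rds:RestoreDBInstanceFromDBSnapshot; the instance identifier and snapshot names used in the example are constructed. Cutting applications over to the new instance (step 9) and deleting the old one (step 10) are deliberately left to the operator.

```python
"""Encrypt an existing RDS instance: snapshot -> encrypted copy -> restore.

Added example (not benchmark code). Assumes boto3 is installed and the caller
holds rds:CreateDBSnapshot, rds:CopyDBSnapshot, rds:RestoreDBInstanceFromDBSnapshot
and kms:ListKeys (the KMS key must also permit use by the RDS service).
"""
from dataclasses import dataclass, field
from typing import Any, Optional


@dataclass
class Step:
    operation: str                 # boto3 RDS client method name
    params: dict[str, Any]         # keyword arguments for that method
    waiter: Optional[str] = None   # boto3 waiter to block on before the next step
    waiter_params: dict[str, Any] = field(default_factory=dict)


def build_migration_plan(instance_id: str, kms_key_id: str,
                         new_instance_id: Optional[str] = None,
                         restore_overrides: Optional[dict[str, Any]] = None) -> list[Step]:
    """Return the ordered API calls for steps 4-8 of the implementation plan.

    The plain snapshot is copied with KmsKeyId set, which is what turns encryption
    on; restoring an encrypted snapshot always yields an encrypted instance.
    restore_overrides carries settings such as DBInstanceClass, DBSubnetGroupName
    or VpcSecurityGroupIds so the new instance matches the old one.
    """
    plain_snap = f"{instance_id}-unencrypted-snap"
    enc_snap = f"{instance_id}-encrypted-snap"
    new_id = new_instance_id or f"{instance_id}-encrypted"
    restore_params = {"DBInstanceIdentifier": new_id, "DBSnapshotIdentifier": enc_snap}
    restore_params.update(restore_overrides or {})
    return [
        Step("create_db_snapshot",
             {"DBInstanceIdentifier": instance_id, "DBSnapshotIdentifier": plain_snap},
             "db_snapshot_available", {"DBSnapshotIdentifier": plain_snap}),
        Step("copy_db_snapshot",
             {"SourceDBSnapshotIdentifier": plain_snap,
              "TargetDBSnapshotIdentifier": enc_snap,
              "KmsKeyId": kms_key_id,       # enables encryption on the copy
              "CopyTags": True},
             "db_snapshot_available", {"DBSnapshotIdentifier": enc_snap}),
        Step("restore_db_instance_from_db_snapshot", restore_params,
             "db_instance_available", {"DBInstanceIdentifier": new_id}),
    ]


def run_migration(rds: Any, plan: list[Step]) -> list[dict[str, Any]]:
    """Execute each step against a boto3 RDS client and wait for it to complete."""
    responses = []
    for step in plan:
        responses.append(getattr(rds, step.operation)(**step.params))
        if step.waiter:
            rds.get_waiter(step.waiter).wait(**step.waiter_params)
    return responses


def verify_encrypted(rds: Any, instance_id: str) -> bool:
    """Post-migration check: the restored instance must report StorageEncrypted."""
    desc = rds.describe_db_instances(DBInstanceIdentifier=instance_id)
    return bool(desc["DBInstances"][0].get("StorageEncrypted"))


if __name__ == "__main__":
    import boto3
    # Constructed identifiers; replace with the real instance and a KMS key ARN.
    plan = build_migration_plan(
        "legacy-reporting",
        "arn:aws:kms:us-east-1:123456789012:key/abcd1234-xxxx-xxxx-xxxx-yyyyyyyyyyyy",
        restore_overrides={"DBInstanceClass": "db.t3.medium"})
    for s in plan:
        print(s.operation, s.params)   # review before executing
    client = boto3.client("rds", region_name="us-east-1")
    run_migration(client, plan)
    print("encrypted:", verify_encrypted(client, plan[-1].params["DBInstanceIdentifier"]))
```

Printing the plan first gives a change-review record of exactly which snapshot will be copied under which key, and verify_encrypted closes the loop with the same DescribeDBInstances check the test plan relies on before the old instance is deleted.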

Backout Plan:

  1. If the application fails to connect or experiences issues after migration:

    • Revert the connection to the old (unencrypted) RDS instance.

  2. Review connectivity and IAM role permissions for KMS decryption access.

  3. After verification, retry the migration with corrected configurations.

References: