AWS RDS Aurora cluster should be encrypted

  • GG_ID: GG_IAC_0059
  • Severity: HIGH
  • Complexity: LOW
  • Categories: DATA, PERMISSION
  • Providers: AWS
  • Potential data exposure: True
  • Visible in logs: False
  • User interaction required: False
  • Privileges required: True

Description

Amazon Relational Database Service (Amazon RDS) is a web service that makes it easier to set up, operate, and scale a relational database in the AWS Cloud. An RDS Aurora cluster is a group of DB instances.

The data should always be encrypted at rest so that it remains protected if access to the underlying storage is compromised.

Impact

Leaving the data unencrypted could lead to a data leak in case of an attack.

Remediation guidelines

Since an existing unencrypted cluster cannot be encrypted in place, the following manual steps must be performed if an unencrypted cluster already exists:

  1. Create an unencrypted snapshot of the cluster.
  2. Restore the unencrypted snapshot to a new encrypted Aurora DB cluster. For more information, see https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/Overview.Encryption.html.
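
As an added example (not code from this page or from GitGuardian), a minimal form of this check run over a CloudFormation JSON template, assuming the cluster is declared as an AWS::RDS::DBCluster whose StorageEncrypted property controls encryption at rest; the template and its resource names are constructed.

```python
import json

# Constructed sample CloudFormation JSON template (not from the original page).
SAMPLE_TEMPLATE = json.dumps({"Resources": {
    # Property absent: CloudFormation defaults StorageEncrypted to false.
    "LegacyCluster": {"Type": "AWS::RDS::DBCluster",
                      "Properties": {"Engine": "aurora-mysql"}},
    # Explicitly disabled.
    "DisabledCluster": {"Type": "AWS::RDS::DBCluster",
                        "Properties": {"Engine": "aurora-postgresql",
                                       "StorageEncrypted": False}},
    # Compliant: encrypted with a customer-managed key (placeholder alias).
    "SecureCluster": {"Type": "AWS::RDS::DBCluster",
                      "Properties": {"Engine": "aurora-postgresql",
                                     "StorageEncrypted": True,
                                     "KmsKeyId": "alias/placeholder-key"}},
    # Restored from a snapshot: encryption state comes from the snapshot.
    "RestoredCluster": {"Type": "AWS::RDS::DBCluster",
                        "Properties": {"Engine": "aurora-mysql",
                                       "SnapshotIdentifier": "placeholder-snapshot"}},
    # Unrelated resource type, ignored by the check.
    "Bucket": {"Type": "AWS::S3::Bucket"},
}})


def check_aurora_encryption(template_text):
    """Map each AWS::RDS::DBCluster logical ID to "pass", "fail" or "inherited".

    "fail" means StorageEncrypted is absent or false: the cluster would be created
    unencrypted and can only be fixed by the snapshot-and-restore procedure above.
    "inherited" means the cluster is restored from a snapshot or source cluster, so
    CloudFormation takes the encryption state from that source; verify it separately.
    """
    results = {}
    for logical_id, resource in json.loads(template_text).get("Resources", {}).items():
        if resource.get("Type") != "AWS::RDS::DBCluster":
            continue
        props = resource.get("Properties", {})
        if "SnapshotIdentifier" in props or "SourceDBClusterIdentifier" in props:
            results[logical_id] = "inherited"
        elif props.get("StorageEncrypted") is True:
            results[logical_id] = "pass"
        else:
            results[logical_id] = "fail"
    return results


def failing_clusters(template_text):
    """Logical IDs that need the manual snapshot-and-restore remediation."""
    return sorted(k for k, v in check_aurora_encryption(template_text).items() if v == "fail")
```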

External documentation