Skip to main content

AWS RDS DB instance should be encrypted



Amazon Relational Database Service (Amazon RDS) is a web service that makes it easier to set up, operate, and scale a relational database in the AWS Cloud. DB instances are the basic building block of Amazon RDS.

The data should always be encrypted at rest to protect the data if accesses are compromised.


Potential data exposureVisible in logsUser interaction requiredPrivileges required

Not encrypting data could lead to data leak in case of an attack.

Remediation guidelines#

Since it is not possible to encrypt an existing unencrypted DB instance, the following manual steps must be performed if there is already an unencrypted DB instance:

  1. Create a snapshot of the DB instance.
  2. Create an encrypted copy of this snapshot.
  3. Restore a DB instance from the encrypted snapshot. For more information, see