AWS RDS DB instance should be encrypted
- GG_ID: GG_IAC_0060
- Severity: HIGH
- Complexity: LOW
- Categories: DATA, PERMISSION
- Providers: AWS
- Potential data exposure: True
- Visible in logs: False
- User interaction required: False
- Privileges required: True
Amazon Relational Database Service (Amazon RDS) is a web service that makes it easier to set up, operate, and scale a relational database in the AWS Cloud. DB instances are the basic building block of Amazon RDS.
The data should always be encrypted at rest to protect the data if accesses are compromised.
Not encrypting data could lead to data leak in case of an attack.
Since it is not possible to encrypt an existing unencrypted DB instance, the following manual steps must be performed if there is already an unencrypted DB instance:
- Create a snapshot of the DB instance.
- Create an encrypted copy of this snapshot.
- Restore a DB instance from the encrypted snapshot. For more information, see https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_CopySnapshot.html.