Severity: Medium | Service: RDS | Scope: Regional

RDS DB clusters should be encrypted at rest

Description

Checks whether an RDS DB cluster is encrypted at rest. Data at rest is any data held in persistent, non-volatile storage for any length of time. Encrypting it protects its confidentiality and reduces the risk that an unauthorized party who obtains the underlying storage can read it. Encrypting your RDS DB clusters protects the cluster's data, its automated backups, snapshots, and read replicas against unauthorized access.

Remediation

Encryption cannot be switched on for an existing unencrypted cluster in place. To remediate this issue, take a snapshot of the unencrypted cluster and restore it as a new cluster with encryption enabled, or create a new cluster with encryption enabled and migrate the data.

Steps

  1. Take a snapshot of the existing unencrypted RDS DB cluster
  2. Restore the snapshot as a new DB cluster with 'Storage encryption' enabled
  3. Choose a KMS key for encryption during the restore process
  4. Update your applications to point to the new encrypted cluster
  5. Delete the old unencrypted cluster once the new cluster is verified and working
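The check described above and the snapshot-and-restore remediation steps, as an added Python example that is not the rule's own scanner code. The detection function reads the shape of an RDS DescribeDBClusters response; the remediation function takes any object exposing the boto3 RDS client methods it calls (describe_db_clusters, create_db_cluster_snapshot, get_waiter, restore_db_cluster_from_snapshot), so it runs against a real boto3 client or, as here, against an offline stand-in. The cluster names, the account id and the KMS key ARN are constructed placeholders.

```python
"""Detect unencrypted RDS DB clusters and restore one as an encrypted cluster."""
import time

# Constructed sample of a DescribeDBClusters response (not real account data).
EXAMPLE_KMS_KEY = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
SAMPLE_DESCRIBE_RESPONSE = {
    "DBClusters": [
        {"DBClusterIdentifier": "orders-prod", "Engine": "aurora-postgresql",
         "StorageEncrypted": True, "KmsKeyId": EXAMPLE_KMS_KEY},
        {"DBClusterIdentifier": "reporting-legacy", "Engine": "aurora-mysql",
         "StorageEncrypted": False},
        # Key absent: treated as a finding, never silently assumed safe.
        {"DBClusterIdentifier": "analytics-dev", "Engine": "aurora-postgresql"},
    ]
}


def unencrypted_clusters(response):
    """Return identifiers of clusters whose storage is not encrypted at rest."""
    return [c["DBClusterIdentifier"] for c in response.get("DBClusters", [])
            if not c.get("StorageEncrypted", False)]


def restore_as_encrypted(rds, cluster_id, kms_key_id, new_cluster_id=None):
    """Steps 1-3: snapshot the unencrypted cluster, restore it encrypted, verify.

    Passing KmsKeyId to RestoreDBClusterFromSnapshot makes the restored cluster
    encrypted even though the source snapshot is not. The old cluster is left in
    place for the caller to cut applications over (step 4) and delete (step 5).
    """
    new_cluster_id = new_cluster_id or f"{cluster_id}-encrypted"
    snapshot_id = f"{cluster_id}-pre-encrypt-{int(time.time())}"

    source = rds.describe_db_clusters(DBClusterIdentifier=cluster_id)["DBClusters"][0]
    if source.get("StorageEncrypted"):
        raise ValueError(f"{cluster_id} is already encrypted; nothing to do")

    rds.create_db_cluster_snapshot(DBClusterSnapshotIdentifier=snapshot_id,
                                   DBClusterIdentifier=cluster_id)
    rds.get_waiter("db_cluster_snapshot_available").wait(
        DBClusterSnapshotIdentifier=snapshot_id)

    restored = rds.restore_db_cluster_from_snapshot(
        DBClusterIdentifier=new_cluster_id,
        SnapshotIdentifier=snapshot_id,
        Engine=source["Engine"],
        KmsKeyId=kms_key_id,
    )["DBCluster"]
    # Verify before anyone repoints an application at the new cluster.
    if not restored.get("StorageEncrypted"):
        raise RuntimeError(f"restored cluster {new_cluster_id} is not encrypted")
    return new_cluster_id


class FakeRDSClient:
    """Offline stand-in for the boto3 RDS client (constructed for this example):
    records calls and returns the minimal response shapes read above."""

    def __init__(self, clusters):
        self.clusters = {c["DBClusterIdentifier"]: dict(c) for c in clusters}
        self.calls = []

    def describe_db_clusters(self, DBClusterIdentifier):
        self.calls.append(("describe_db_clusters", DBClusterIdentifier))
        return {"DBClusters": [self.clusters[DBClusterIdentifier]]}

    def create_db_cluster_snapshot(self, DBClusterSnapshotIdentifier, DBClusterIdentifier):
        self.calls.append(("create_db_cluster_snapshot", DBClusterIdentifier))
        return {}

    def get_waiter(self, name):
        self.calls.append(("get_waiter", name))
        return self  # the stand-in's wait() is a no-op

    def wait(self, **kwargs):
        pass

    def restore_db_cluster_from_snapshot(self, DBClusterIdentifier, SnapshotIdentifier,
                                         Engine, KmsKeyId):
        self.calls.append(("restore_db_cluster_from_snapshot", DBClusterIdentifier))
        new = {"DBClusterIdentifier": DBClusterIdentifier, "Engine": Engine,
               "StorageEncrypted": True, "KmsKeyId": KmsKeyId}
        self.clusters[DBClusterIdentifier] = new
        return {"DBCluster": new}


def demo():
    """Detect over the sample, remediate the first finding, re-check."""
    rds = FakeRDSClient(SAMPLE_DESCRIBE_RESPONSE["DBClusters"])
    findings = unencrypted_clusters(SAMPLE_DESCRIBE_RESPONSE)
    new_id = restore_as_encrypted(rds, findings[0], EXAMPLE_KMS_KEY)
    after = unencrypted_clusters({"DBClusters": list(rds.clusters.values())})
    return findings, new_id, after


if __name__ == "__main__":
    before, new_id, after = demo()
    print("findings before:", before)
    print("restored encrypted cluster:", new_id)
    print("findings after (old cluster still present until deleted):", after)
```

With a real client (`boto3.client("rds")`) the restore call creates the encrypted cluster but, for Aurora, no DB instances; add instances to the new cluster before cutting applications over. The re-check in `demo()` shows why step 5 matters: the original cluster stays a finding until it is deleted.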

Compliance

NIST 800-53, ISO 27001, HIPAA