[RDS.3]
RDS DB instances should have encryption at rest enabled
Description
All RDS DB instances must have storage encryption enabled. Encrypting RDS DB instances at rest provides an added layer of security. There is no noticeable impact on performance after encryption, as Amazon RDS handles the authentication and decryption of data transparently. This rule is COMPLIANT when an instance is encrypted at rest.
Details
Property | Value |
---|---|
Category | Protect > Data protection > Encryption of data at rest |
Compliance Control ID | RDS.3 |
FortifyFox ID | FF100032 |
Link | RDS.3 Compliance |
Resource Type(s) | AWS::RDS::DBInstance |
Severity | Medium |
Remediation
Use the following CloudFormation templates to deploy an RDS DB instance that is compliant with RDS.3.
YAML Template

```yaml
Resources:
  rdsDB:
    Type: "AWS::RDS::DBInstance"
    Properties:
      StorageEncrypted: true
```
JSON Template

```json
{
  "Resources": {
    "rdsDB": {
      "Type": "AWS::RDS::DBInstance",
      "Properties": {
        "StorageEncrypted": true
      }
    }
  }
}
```
📓 Notes
- For the template to work, the SnapshotIdentifier or SourceDBInstanceIdentifier properties must be omitted. Otherwise, the StorageEncrypted value is inherited from the snapshot or source DB instance.
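As an added example (not FortifyFox's or AWS's own code), the following Python function evaluates every `AWS::RDS::DBInstance` in an already-parsed CloudFormation template against RDS.3 and flags the case from the note above, where `SnapshotIdentifier` or `SourceDBInstanceIdentifier` makes `StorageEncrypted` meaningless in the template. The function name, the result labels and the sample template are assumptions constructed for this example.

```python
"""Offline RDS.3 check for a parsed CloudFormation template (hypothetical helper)."""

RDS_INSTANCE_TYPE = "AWS::RDS::DBInstance"


def evaluate_rds3(template: dict) -> dict:
    """Map each RDS DB instance logical ID to an RDS.3 verdict.

    COMPLIANT      StorageEncrypted is true on a freshly created instance
    NON_COMPLIANT  StorageEncrypted is missing or false on a fresh instance
    INHERITED      the instance is restored from a snapshot or is a read
                   replica, so encryption comes from the source, not the
                   template; verify the source instead of the property
    """
    verdicts = {}
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != RDS_INSTANCE_TYPE:
            continue  # RDS.3 only applies to DB instances
        props = resource.get("Properties") or {}
        if "SnapshotIdentifier" in props or "SourceDBInstanceIdentifier" in props:
            verdicts[logical_id] = "INHERITED"
            continue
        # CloudFormation accepts the boolean as true or the string "true".
        encrypted = str(props.get("StorageEncrypted", "")).lower() == "true"
        verdicts[logical_id] = "COMPLIANT" if encrypted else "NON_COMPLIANT"
    return verdicts


# Constructed sample template covering the three outcomes plus an unrelated resource.
SAMPLE_TEMPLATE = {
    "Resources": {
        "encryptedDB": {"Type": RDS_INSTANCE_TYPE, "Properties": {"StorageEncrypted": True}},
        "plainDB": {"Type": RDS_INSTANCE_TYPE, "Properties": {"Engine": "mysql"}},
        "restoredDB": {
            "Type": RDS_INSTANCE_TYPE,
            "Properties": {"SnapshotIdentifier": "PLACEHOLDER-SNAPSHOT-ID"},
        },
        "logsBucket": {"Type": "AWS::S3::Bucket"},
    }
}

if __name__ == "__main__":
    for name, verdict in evaluate_rds3(SAMPLE_TEMPLATE).items():
        print(f"{name}: {verdict}")
```

A real template would be loaded with `json.load` or a YAML parser first; `INHERITED` results should be followed up by checking the encryption state of the referenced snapshot or source instance.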