AWS RDS DB cluster encryption is disabled
ID: rds_cluster_encryption_disabled
Severity: critical
Vendor: AWS
Resource: RDS
Tags: reachable
Description
AWS RDS is a managed DB service enabling deployment and management of SQL databases like MySQL, MariaDB, PostgreSQL, Oracle, and Microsoft SQL Server DB engines. Native RDS encryption helps protect your cloud applications and fulfils compliance requirements for data-at-rest encryption.
Examples
CloudFormation

```json
{
  "Resources": {
    "MyDB0": { (1)
      "Type": "AWS::RDS::DBInstance",
      "Properties": {
        "DBName": "mydb",
        "DBInstanceClass": "db.t3.micro",
        "Engine": "mysql",
        "MasterUsername": "master",
        "MasterUserPassword": "password"
      }
    }
  }
}
```

(1) Missing StorageEncrypted means not encrypted.

```yaml
Resources:
  MyDB0: (1)
    Type: 'AWS::RDS::DBInstance'
    Properties:
      DBName: 'mydb'
      DBInstanceClass: 'db.t3.micro'
      Engine: 'mysql'
      MasterUsername: 'master'
      MasterUserPassword: 'password'
```

(1) Missing StorageEncrypted means not encrypted.
Terraform

```hcl
resource "aws_db_instance" "database" {
  name           = "database"
  engine         = "mysql"
  instance_class = "db.t3.micro"
  storage_encrypted = false (1)
}

// ... or ...

resource "aws_db_instance" "database" { (2)
  name           = "database"
  engine         = "mysql"
  instance_class = "db.t3.micro"
}
```

(1) Database encryption explicitly disabled.
(2) No explicit storage_encrypted attribute; it defaults to false.
Mitigation / Fix
Buildtime
CloudFormation

```json
{
  "Resources": {
    "MyDB0": {
      "Type": "AWS::RDS::DBInstance",
      "Properties": {
        "DBName": "mydb",
        "DBInstanceClass": "db.t3.micro",
        "Engine": "mysql",
        "MasterUsername": "master",
        "MasterUserPassword": "password",
        "StorageEncrypted": true (1)
      }
    }
  }
}
```

(1) StorageEncrypted set to true means encrypted.

```yaml
Resources:
  MyDB0:
    Type: 'AWS::RDS::DBInstance'
    Properties:
      DBName: 'mydb'
      DBInstanceClass: 'db.t3.micro'
      Engine: 'mysql'
      MasterUsername: 'master'
      MasterUserPassword: 'password'
      StorageEncrypted: true (1)
```

(1) StorageEncrypted set to true means encrypted.
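As an added example, not part of this rule page or the scanner's own code, the following Python check applies the rule above to a parsed CloudFormation template: it reports RDS resources where StorageEncrypted is missing (the unencrypted default), false, or not a literal that can be resolved before deploy. The template embedded in it is constructed from the page's examples, and the check assumes that a DB instance which names a DBClusterIdentifier takes its encryption setting from the cluster resource.

```python
import json

RDS_TYPES = {"AWS::RDS::DBInstance", "AWS::RDS::DBCluster"}


def _as_bool(value):
    """Normalise a CloudFormation boolean: JSON true/false or the strings
    "true"/"false". Returns None for intrinsics such as {"Ref": ...}, which
    cannot be resolved without the parameter values."""
    if isinstance(value, bool):
        return value
    if isinstance(value, str) and value.lower() in ("true", "false"):
        return value.lower() == "true"
    return None


def check_rds_encryption(template):
    """Return (logical_id, reason) pairs for RDS resources whose storage
    encryption is missing, false, or not statically resolvable."""
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") not in RDS_TYPES:
            continue
        props = res.get("Properties") or {}
        # Assumption: an instance that names a cluster inherits the cluster's
        # encryption setting, so the cluster resource is the one to check.
        if res["Type"] == "AWS::RDS::DBInstance" and "DBClusterIdentifier" in props:
            continue
        if "StorageEncrypted" not in props:
            findings.append((logical_id, "StorageEncrypted missing; default is unencrypted"))
            continue
        enabled = _as_bool(props["StorageEncrypted"])
        if enabled is None:
            findings.append((logical_id, "StorageEncrypted is not a literal; resolve it before deploy"))
        elif not enabled:
            findings.append((logical_id, "StorageEncrypted is false"))
    return findings


# Constructed sample: the page's failing instance (MyDB0), a fixed one, a
# string "false", and a cluster that defers the choice to a parameter.
SAMPLE_TEMPLATE = json.loads("""{"Resources": {
  "MyDB0": {"Type": "AWS::RDS::DBInstance", "Properties": {"Engine": "mysql"}},
  "MyDB1": {"Type": "AWS::RDS::DBInstance", "Properties": {"Engine": "mysql", "StorageEncrypted": true}},
  "MyDB2": {"Type": "AWS::RDS::DBInstance", "Properties": {"Engine": "mysql", "StorageEncrypted": "false"}},
  "MyCluster": {"Type": "AWS::RDS::DBCluster", "Properties": {"Engine": "aurora-mysql", "StorageEncrypted": {"Ref": "Encrypt"}}}
}}""")

if __name__ == "__main__":
    for logical_id, reason in check_rds_encryption(SAMPLE_TEMPLATE):
        print(f"{logical_id}: {reason}")
```

A YAML template can be fed to the same function after loading it with a YAML parser, provided CloudFormation short-form tags such as !Ref are handled by that parser.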