Risk Level: High
Cloud Entity: Amazon RDS
CloudGuard Rule ID: D9.AWS.CRY.05
Covered by Spectral: Yes
Category: Database

GSL LOGIC

RDS should have isStorageEncrypted=true

REMEDIATION

From Portal
To create an encrypted RDS instance:

Sign in to the AWS Management Console and open the Amazon RDS console at https://console.aws.amazon.com/rds/.
In the upper-right corner of the Amazon RDS console, choose the AWS Region in which you want to create the DB instance.
In the navigation pane, choose Databases.
Choose Create database.
In Choose a database creation method, select Standard Create.
Set the other options as per your requirement
In Advanced Configuration section, make sure that Enable encryption option is selected
Choose Create database

To encrypt existing unencrypted database, follow these steps:

Encrypt an unencrypted snapshot that you take from an unencrypted read replica of the DB instance.
Restore a new DB instance from the encrypted snapshot to deploy a new encrypted DB instance.

Note: Depending on the type of the database ou are using, you might want to consider using a replication service to replicate the data.

From TF
add storage_encrypted flag to terraform file to create encrypted database instance:

resource "aws_db_instance" "db_instance_example" {
	...
	storage_encrypted = true
	...
}

From Command Line
To create an encrypted database, run:

aws rds create-db-instance --engine ENGINE  --db-instance-identifier DB_IDENTIFIER --allocated-storage SIZE  --db-instance-class DB_INSTANCE_CLASS --vpc-security-group-ids SECURITY_GROUP_ID --db-subnet-group SUBNET_GROUP --master-username USER --master-user-password PWD -backup-retention-period DAYS --storage-encrypted

References

https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html
https://aws.amazon.com/premiumsupport/knowledge-center/rds-encrypt-instance-mysql-mariadb/
https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/encrypt-an-existing-amazon-rds-for-postgresql-db-instance.html
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#storage_encrypted

Amazon RDS

Amazon Relational Database Service (Amazon RDS) makes it easy to set up, operate, and scale a relational database in the cloud. It provides cost-efficient and resizable capacity while automating time-consuming administration tasks such as hardware provisioning, database setup, patching and backups. It frees you to focus on your applications so you can give them the fast performance, high availability, security and compatibility they need.

Compliance Frameworks

AWS CIS Foundations v. 1.4.0
AWS CIS Foundations v. 1.5.0
AWS CIS Foundations v. 2.0.0
AWS CSA CCM v.3.0.1
AWS CSA CCM v.4.0.1
AWS CloudGuard Best Practices
AWS CloudGuard CheckUp
AWS CloudGuard SOC2 based on AICPA TSC 2017
AWS CloudGuard Well Architected Framework
AWS Dashboard System Ruleset
AWS GDPR Readiness
AWS HIPAA
AWS HITRUST
AWS HITRUST v11.0.0
AWS ISO 27001:2013
AWS ISO27001:2022
AWS ITSG-33
AWS LGPD regulation
AWS MAS TRM Framework
AWS MITRE ATT&CK Framework v10
AWS MITRE ATT&CK Framework v11.3
AWS NIST 800-171
AWS NIST 800-53 Rev 4
AWS NIST 800-53 Rev 5
AWS NIST CSF v1.1
AWS PCI-DSS 3.2
AWS PCI-DSS 4.0
CloudGuard AWS All Rules Ruleset