Ensure that encryption-at-rest is enabled for RDS Instances

Encrypt Amazon RDS instances and snapshots at rest, by enabling the encryption option for your Amazon RDS DB instance. Amazon RDS encrypted DB instances use the industry standard AES-256 encryption algorithm to encrypt your data on the server that hosts your Amazon RDS DB instances.

Risk Level: High
Cloud Entity: Amazon RDS
CloudGuard Rule ID: D9.AWS.CRY.05
Covered by Spectral: Yes
Category: Database


RDS should have isStorageEncrypted=true


From Portal
To create an encrypted RDS instance:

  1. Sign in to the AWS Management Console and open the Amazon RDS console at https://console.aws.amazon.com/rds/.
  2. In the upper-right corner of the Amazon RDS console, choose the AWS Region in which you want to create the DB instance.
  3. In the navigation pane, choose Databases.
  4. Choose Create database.
  5. In Choose a database creation method, select Standard Create.
  6. Set the other options as per your requirement
  7. In Advanced Configuration section, make sure that Enable encryption option is selected
  8. Choose Create database

To encrypt existing unencrypted database, follow these steps:

  1. Encrypt an unencrypted snapshot that you take from an unencrypted read replica of the DB instance.
  2. Restore a new DB instance from the encrypted snapshot to deploy a new encrypted DB instance.

Note: Depending on the type of the database ou are using, you might want to consider using a replication service to replicate the data.

From TF
add storage_encrypted flag to terraform file to create encrypted database instance:

resource "aws_db_instance" "db_instance_example" {
	storage_encrypted = true

From Command Line
To create an encrypted database, run:

aws rds create-db-instance --engine ENGINE  --db-instance-identifier DB_IDENTIFIER --allocated-storage SIZE  --db-instance-class DB_INSTANCE_CLASS --vpc-security-group-ids SECURITY_GROUP_ID --db-subnet-group SUBNET_GROUP --master-username USER --master-user-password PWD -backup-retention-period DAYS --storage-encrypted


  1. https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html
  2. https://aws.amazon.com/premiumsupport/knowledge-center/rds-encrypt-instance-mysql-mariadb/
  3. https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/encrypt-an-existing-amazon-rds-for-postgresql-db-instance.html
  4. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#storage_encrypted

Amazon RDS

Amazon Relational Database Service (Amazon RDS) makes it easy to set up, operate, and scale a relational database in the cloud. It provides cost-efficient and resizable capacity while automating time-consuming administration tasks such as hardware provisioning, database setup, patching and backups. It frees you to focus on your applications so you can give them the fast performance, high availability, security and compatibility they need.

Compliance Frameworks

  • AWS CIS Foundations v. 1.4.0
  • AWS CIS Foundations v. 1.5.0
  • AWS CIS Foundations v. 2.0.0
  • AWS CSA CCM v.3.0.1
  • AWS CSA CCM v.4.0.1
  • AWS CloudGuard Best Practices
  • AWS CloudGuard CheckUp
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS CloudGuard Well Architected Framework
  • AWS Dashboard System Ruleset
  • AWS GDPR Readiness
  • AWS HITRUST v11.0.0
  • AWS ISO 27001:2013
  • AWS ISO27001:2022
  • AWS ITSG-33
  • AWS LGPD regulation
  • AWS MAS TRM Framework
  • AWS MITRE ATT&CK Framework v10
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-171
  • AWS NIST 800-53 Rev 4
  • AWS NIST 800-53 Rev 5
  • AWS NIST CSF v1.1
  • AWS PCI-DSS 3.2
  • AWS PCI-DSS 4.0
  • CloudGuard AWS All Rules Ruleset