Ensures that AWS RDS databases are encrypted using Customer Managed Keys

Validate that RDS databases are encrypted with customer managed keys and not default KMS keys. It is recommended to use customer managed keys to encrypt the data on your RDS databases and control the keys for sensitive data.

Risk Level: Low
Cloud Entity: Amazon RDS
CloudGuard Rule ID: D9.AWS.CRY.33
Covered by Spectral: Yes
Category: Database


RDS where isStorageEncrypted=true should have encryptionKey.isCustomerManaged=true
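
The rule logic above, as an added example (not CloudGuard's own implementation): a Python check over data shaped like the RDS `DBInstances` and KMS `KeyMetadata` API responses, where `KeyManager` is `AWS` for AWS managed keys and `CUSTOMER` for customer managed keys. The sample instances, account ID and key ARNs are constructed, and reporting an unreadable key as a finding is this example's assumption.

```python
# Constructed sample data, shaped like `aws rds describe-db-instances` (DBInstances)
# and `aws kms describe-key` (KeyMetadata). Account ID and key IDs are made up.
CMK = "arn:aws:kms:us-east-1:111122223333:key/aaaaaaaa-0000-0000-0000-000000000001"
AWS_KEY = "arn:aws:kms:us-east-1:111122223333:key/bbbbbbbb-0000-0000-0000-000000000002"
GONE = "arn:aws:kms:us-east-1:111122223333:key/cccccccc-0000-0000-0000-000000000003"

SAMPLE_DBS = [
    {"DBInstanceIdentifier": "orders-db", "StorageEncrypted": True, "KmsKeyId": CMK},
    {"DBInstanceIdentifier": "legacy-db", "StorageEncrypted": True, "KmsKeyId": AWS_KEY},
    {"DBInstanceIdentifier": "reports-db", "StorageEncrypted": False},
    {"DBInstanceIdentifier": "shared-db", "StorageEncrypted": True, "KmsKeyId": GONE},
]
SAMPLE_KEYS = {
    CMK: {"KeyManager": "CUSTOMER", "KeyState": "Enabled"},
    AWS_KEY: {"KeyManager": "AWS", "KeyState": "Enabled"},
    # GONE is intentionally absent: its key metadata could not be read
}


def evaluate_rds_cmk(db_instances, key_metadata_by_arn):
    """Return (instance identifier, reason) for every instance that fails the rule."""
    findings = []
    for db in db_instances:
        # The rule's `where` clause scopes it to encrypted instances only
        if not db.get("StorageEncrypted"):
            continue
        meta = key_metadata_by_arn.get(db.get("KmsKeyId"))
        if meta is None:
            # Assumption of this example: a key that cannot be described
            # (deleted, cross-account, missing permission) is reported for review
            findings.append((db["DBInstanceIdentifier"], "key-unresolved"))
        elif meta.get("KeyManager") != "CUSTOMER":
            # KeyManager == "AWS" means the default aws/rds key is in use
            findings.append((db["DBInstanceIdentifier"], "aws-managed-key"))
    return findings


if __name__ == "__main__":
    for name, reason in evaluate_rds_cmk(SAMPLE_DBS, SAMPLE_KEYS):
        print(f"FAIL {name}: {reason}")
```
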


From Portal
RDS encryption is configured during database creation, so you need to create a new database encrypted with a customer managed key and migrate your existing data to that new RDS instance.

To create a new RDS database with encryption using a customer managed key:

  1. Log in to the AWS console.
  2. Select the region for which the issue was generated.
  3. Navigate to the Amazon RDS Dashboard.
  4. Select 'Create database'.
  5. On the 'Select engine' page, select 'Engine options' and 'Next'.
  6. On the 'Select use case' page, select 'Use case' of database and 'Next'.
  7. On the 'Specify DB details' page, specify the database details you need and click 'Next'.
    Note: Amazon RDS encryption has some limitations on regions and instance types. For the availability of Amazon RDS encryption, refer to: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html#Overview.Encryption.Availability
  8. On the 'Configure advanced settings' page, under 'Encryption', select 'Enable encryption' and select the customer managed key (i.e. a key other than the default aws/rds) from the 'Master key' dropdown list.
  9. Select 'Create database'.

To delete the RDS database that uses the default KMS keys, which triggered the issue:

  1. Log in to the AWS console.
  2. Select the region for which the issue was generated.
  3. Navigate to the Amazon RDS Dashboard.
  4. Click Instances, and select the reported RDS database.
  5. Select the 'Instance actions' drop-down and click 'Delete'.
  6. In the 'Delete' dialog, select the 'Create final snapshot?' checkbox, if you want a backup. Provide a name for the final snapshot, confirm deletion and select 'Delete'.

From TF

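resource "aws_db_instance" "example" {
	name                 = "example"
	# Enable storage encryption at creation time
	storage_encrypted    = true
	# ARN of the customer managed KMS key (not the default aws/rds key)
	kms_key_id           = "CustomerManagedKeyARN"
}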

From Command Line
Use the following command to create a new RDS database with encryption using a customer managed key:

aws rds create-db-instance --db-instance-identifier INSTANCE_NAME --db-instance-class INSTANCE_CLASS --engine ENGINE_TYPE --master-username USERNAME --master-user-password PASSWORD --storage-encrypted --kms-key-id CUSTOMER_MANAGED_KEY_ID --allocated-storage VALUE


  1. https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html
  2. https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_CreateDBInstance.html
  3. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/create-db-instance.html
  4. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance

Amazon RDS

Amazon Relational Database Service (Amazon RDS) makes it easy to set up, operate, and scale a relational database in the cloud. It provides cost-efficient and resizable capacity while automating time-consuming administration tasks such as hardware provisioning, database setup, patching and backups. It frees you to focus on your applications so you can give them the fast performance, high availability, security and compatibility they need.

Compliance Frameworks

  • AWS CSA CCM v.4.0.1
  • AWS CloudGuard Best Practices
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS CloudGuard Well Architected Framework
  • AWS HITRUST v11.0.0
  • AWS ISO27001:2022
  • AWS ITSG-33
  • AWS MAS TRM Framework
  • AWS MITRE ATT&CK Framework v10
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-53 Rev 5
  • AWS PCI-DSS 4.0
  • CloudGuard AWS All Rules Ruleset