Ensure that encryption is enabled for AWS RDSDBCluster Storage

Enable encryption on your RDS DB Clusters, in order to protect your data and metadata from breaches or unauthorized access.

Risk Level: High
Cloud Entity: Amazon RDS
CloudGuard Rule ID: D9.AWS.CRY.70
Covered by Spectral: No
Category: Database


RDSDBCluster should have storageEncrypted=true


Note: Since RDS DB Cluster storage encryption can not be changed, you can create new RDS DB Cluster with Storge encrypted.

From Portal

  1. Log in to the AWS Management Console and navigate to the Amazon RDS console.
  2. Click "Create database".
  3. Choose "Amazon Aurora" as the database engine.
  4. Select the edition and version that you want to use.
  5. In the "Settings" section, configure the DB cluster identifier, credentials, network settings, and other options as desired.
  6. In the "Additional configuration" section, select the VPC and subnets that you want to use.
  7. In the "Encryption" section, select "Enable encryption" and choose the KMS key that you want to use for encryption.
  8. Review the configuration and click "Create database" to create the encrypted RDS DB Cluster.

From TF

resource "aws_rds_cluster" "example" {
	engine             = "aurora-mysql"
	engine_version     = "<version>"
	db_cluster_identifier = "<identifier>"
	master_username    = "<username>"
	master_password    = "<password>"
	vpc_security_group_ids = ["<security-group-ids>"]
	db_subnet_group_name   = "<subnet-group>"
	storage_encrypted   = true
	kms_key_id          = "<kms-key-id>"

From Command Line

aws rds create-db-cluster --engine aurora --engine-version <version> --db-cluster-identifier <identifier> --master-username <username> --master-user-password <password> --vpc-security-group-ids <security-group-ids> --db-subnet-group-name <subnet-group> --storage-encrypted --kms-key-id <kms-key-id>


  1. https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html#Overview.Encryption.StorageEncryption
  2. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster
  3. https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html#Overview.Encryption.StorageEncryption
  4. https://docs.aws.amazon.com/cli/latest/reference/rds/create-db-cluster.html

Amazon RDS

Amazon Relational Database Service (Amazon RDS) makes it easy to set up, operate, and scale a relational database in the cloud. It provides cost-efficient and resizable capacity while automating time-consuming administration tasks such as hardware provisioning, database setup, patching and backups. It frees you to focus on your applications so you can give them the fast performance, high availability, security and compatibility they need.

Compliance Frameworks

  • AWS CloudGuard Best Practices
  • CloudGuard AWS All Rules Ruleset