Ensure that RDS global cluster has encryption enabled

If RDS cluster does not have encryption at rest enabled, it means data is stored on cluster in plaintext. In such cases, if a data breach happens, sensitive data stored on the RDS cluster will be accessible.

Risk Level: High
Cloud Entity: Amazon RDS GlobalCluster
CloudGuard Rule ID: D9.CFT.CRY.14
Covered by Spectral: Yes
Category: Database


AWS_RDS_GlobalCluster should have StorageEncrypted=true


From CFT
Set AWS::RDS::GlobalCluster StorageEncrypted property to true.


  1. https://docs.aws.amazon.com/cli/latest/reference/rds/create-global-cluster.html
  2. https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/aurora-global-database-getting-started.html
  3. https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html#Overview.Encryption.Overview

Amazon RDS GlobalCluster

Amazon Relational Database Service (Amazon RDS) makes it easy to set up, operate, and scale a relational database in the cloud. It provides cost-efficient and resizable capacity while automating time-consuming administration tasks such as hardware provisioning, database setup, patching and backups. It frees you to focus on your applications so you can give them the fast performance, high availability, security and compatibility they need.

Compliance Frameworks

  • AWS CloudFormation ruleset