RDS encryption at rest
Check ID: aws-rds-002
AWS-RDS-002 is an AWS security check performed by cloud-audit, an open-source AWS security scanner. It checks for RDS instances that do not have storage encryption enabled.
Why it matters
Unencrypted RDS instances store all data, automated backups, and snapshots in plaintext. If a snapshot is accidentally shared publicly (a surprisingly common misconfiguration), all database contents are immediately readable. In 2020, researchers found over 2,000 publicly shared RDS snapshots containing sensitive data including PII, financial records, and credentials. RDS encryption uses AES-256 with KMS keys and encrypts the underlying storage, automated backups, read replicas, and snapshots. Encryption must be enabled at instance creation - existing unencrypted instances require a migrate-via-snapshot process. Every major compliance framework (HIPAA, PCI-DSS, SOC 2, GDPR) requires encryption at rest for databases.
Common causes
Unencrypted RDS instances exist because encryption must be enabled at creation time and cannot be added later without a snapshot-restore migration. Teams that created databases before establishing encryption standards now face a migration effort that requires downtime and DNS changes. Development databases are often created without encryption to save time, but some of them eventually handle production data without being re-created.
Detection
Run cloud-audit to detect this issue:
pip install cloud-audit
cloud-audit scan -R
The -R flag includes remediation details for every finding, including this one.
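As an added example (not cloud-audit's own code), this is the detection logic behind a check like aws-rds-002, run over a constructed DescribeDBInstances response, with the snapshot migration from the Remediation section emitted as commands for each flagged instance, much as -R does. The function, field and sample instance names are assumptions; boto3 is only needed by the live scan_region helper.

```python
def find_unencrypted_instances(instances: list[dict]) -> list[dict]:
    """Return one finding per instance whose storage is not encrypted.

    `instances` is the DBInstances list from rds:DescribeDBInstances.
    A missing StorageEncrypted key is treated as unencrypted (fail closed).
    """
    findings = []
    for inst in instances:
        if inst.get("StorageEncrypted") is True:
            continue
        findings.append({
            "check_id": "aws-rds-002",
            "db_instance": inst["DBInstanceIdentifier"],
            "engine": inst.get("Engine", "unknown"),
        })
    return findings


def remediation_commands(db_id: str, region: str, kms_key: str = "alias/aws/rds") -> list[str]:
    """Snapshot -> encrypted copy -> restore, as AWS CLI commands for one instance."""
    return [
        f"aws rds create-db-snapshot --db-instance-identifier {db_id} "
        f"--db-snapshot-identifier {db_id}-pre-encrypt --region {region}",
        f"aws rds copy-db-snapshot --source-db-snapshot-identifier {db_id}-pre-encrypt "
        f"--target-db-snapshot-identifier {db_id}-encrypted --kms-key-id {kms_key} --region {region}",
        f"aws rds restore-db-instance-from-db-snapshot --db-instance-identifier {db_id}-new "
        f"--db-snapshot-identifier {db_id}-encrypted --region {region}",
    ]


def scan_region(region: str) -> list[dict]:
    """Live variant: page through every instance in one region (needs boto3, rds:DescribeDBInstances)."""
    import boto3  # imported here so the pure functions above run without it

    rds = boto3.client("rds", region_name=region)
    pages = rds.get_paginator("describe_db_instances").paginate()
    return find_unencrypted_instances([i for page in pages for i in page["DBInstances"]])


# Constructed sample of a DescribeDBInstances response (not real infrastructure).
SAMPLE_INSTANCES = [
    {"DBInstanceIdentifier": "orders-prod", "Engine": "postgres", "StorageEncrypted": True},
    {"DBInstanceIdentifier": "dev-scratch", "Engine": "mysql", "StorageEncrypted": False},
    {"DBInstanceIdentifier": "legacy-reporting", "Engine": "mysql"},
]

if __name__ == "__main__":
    for finding in find_unencrypted_instances(SAMPLE_INSTANCES):
        print(finding, *remediation_commands(finding["db_instance"], "us-east-1"), sep="\n  ")
```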
Remediation: AWS CLI
# RDS encryption cannot be enabled on existing instances. Migrate via snapshot:
# 1. Snapshot the unencrypted instance (wait for the snapshot to become available before step 2)
aws rds create-db-snapshot --db-instance-identifier DB_ID --db-snapshot-identifier DB_ID-pre-encrypt --region REGION
# 2. Copy the snapshot with a KMS key; the copy is the encrypted artifact
aws rds copy-db-snapshot --source-db-snapshot-identifier DB_ID-pre-encrypt --target-db-snapshot-identifier DB_ID-encrypted --kms-key-id alias/aws/rds --region REGION
# 3. Restore the encrypted copy as a new instance, then repoint applications to DB_ID-new and retire DB_ID
aws rds restore-db-instance-from-db-snapshot --db-instance-identifier DB_ID-new --db-snapshot-identifier DB_ID-encrypted --region REGION
Remediation: Terraform
resource "aws_db_instance" "db" {
  # Changing storage_encrypted on an existing instance forces replacement; do the snapshot migration first
  storage_encrypted = true
  kms_key_id        = aws_kms_key.rds.arn
}
This check is part of cloud-audit - install with pip install cloud-audit
Related article
AWS Security Audit: 17 Issues in Every Account →