Database-tier KMS Key Should Be In Use

More Info:

There should be one Amazon KMS Customer Master Key (CMK) created in your AWS account for the database tier in order to protect data-at-rest available within your AWS web stack, have full control over encryption/decryption process, and meet security and compliance requirements.

Risk Level

Low

Address

Security

Compliance Standards

CBP

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate the “Database-tier KMS Key Should Be In Use” misconfiguration in AWS using AWS CLI, follow these steps:

Open the AWS CLI on your local machine.
Run the following command to list all the RDS instances in your AWS account:

aws rds describe-db-instances

Identify the RDS instance that has the misconfiguration.
Run the following command to modify the RDS instance to use a KMS key:

aws rds modify-db-instance --db-instance-identifier <your-db-instance-identifier> --kms-key-id <your-kms-key-id>

Replace <your-db-instance-identifier> with the name of your RDS instance and <your-kms-key-id> with the ID of the KMS key that you want to use.

Verify that the RDS instance is now using the KMS key by running the following command:

aws rds describe-db-instances --db-instance-identifier <your-db-instance-identifier> | grep KmsKeyId

This command should return the ID of the KMS key that you specified in step 4.

Repeat steps 4 and 5 for all the RDS instances that have the misconfiguration.

Using Python

To remediate the “Database-tier KMS Key Should Be In Use” misconfiguration in AWS using Python, you can follow these steps:

Identify the RDS instances that are not using a KMS key for encryption.
Use the AWS SDK for Python (Boto3) to modify the RDS instances to use a KMS key for encryption.

Here is the Python code to accomplish this:

import boto3

# Create an RDS client
rds = boto3.client('rds')

# Get a list of all RDS instances
instances = rds.describe_db_instances()

# Loop through each instance and check if it is using a KMS key for encryption
for instance in instances['DBInstances']:
    if 'KmsKeyId' not in instance:
        # If the instance is not using a KMS key, modify it to use one
        rds.modify_db_instance(
            DBInstanceIdentifier=instance['DBInstanceIdentifier'],
            KmsKeyId='your_kms_key_id_here'
        )

Replace “your_kms_key_id_here” with the ID of the KMS key that you want to use for encryption.This code will loop through all RDS instances and modify any instances that are not using a KMS key for encryption to use the specified KMS key.

Additional Reading:

https://docs.aws.amazon.com/kms/latest/developerguide/best-practices.html

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

Database-tier KMS Key Should Be In Use

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: