> ## Documentation Index
> Fetch the complete documentation index at: https://cloudanix.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Database-tier KMS Key Should Be In Use

### More Info:

There should be one Amazon KMS Customer Master Key (CMK) created in your AWS account for the database tier in order to protect data-at-rest available within your AWS web stack, have full control over encryption/decryption process, and meet security and compliance requirements.

### Risk Level

Low

### Address

Security

### Compliance Standards

CBP

### Triage and Remediation

<Tabs>
  <Tab title="Remediation">
    ### Remediation

    <AccordionGroup>
      <Accordion title="Using Console" defaultOpen="true">
        The remediation steps for "Database-tier KMS Key Should Be In Use" in AWS using the AWS console are as follows:

        1. Open the Amazon RDS console at [https://console.aws.amazon.com/rds/](https://console.aws.amazon.com/rds/).
        2. In the navigation pane, choose "Encryption".
        3. Select the DB instance that you want to encrypt.
        4. Click on the "Modify" button.
        5. In the "Encryption" section, choose "Yes" for the "Encrypt this DB instance" option.
        6. Select the KMS key that you want to use for encryption in the "KMS key ID" drop-down list.
        7. Click on the "Continue" button.
        8. Review the changes and click on the "Modify DB instance" button to apply the changes.

        After completing these steps, the database-tier KMS key will be in use, and the misconfiguration will be remediated.

        #
      </Accordion>

      <Accordion title="Using CLI">
        To remediate the "Database-tier KMS Key Should Be In Use" misconfiguration in AWS using AWS CLI, follow these steps:

        1. Open the AWS CLI on your local machine.

        2. Run the following command to list all the RDS instances in your AWS account:

        ```
        aws rds describe-db-instances
        ```

        3. Identify the RDS instance that has the misconfiguration.

        4. Run the following command to modify the RDS instance to use a KMS key:

        ```
        aws rds modify-db-instance --db-instance-identifier <your-db-instance-identifier> --kms-key-id <your-kms-key-id>
        ```

        Replace `<your-db-instance-identifier>` with the name of your RDS instance and `<your-kms-key-id>` with the ID of the KMS key that you want to use.

        5. Verify that the RDS instance is now using the KMS key by running the following command:

        ```
        aws rds describe-db-instances --db-instance-identifier <your-db-instance-identifier> | grep KmsKeyId
        ```

        This command should return the ID of the KMS key that you specified in step 4.

        6. Repeat steps 4 and 5 for all the RDS instances that have the misconfiguration.
      </Accordion>

      <Accordion title="Using Python">
        To remediate the "Database-tier KMS Key Should Be In Use" misconfiguration in AWS using Python, you can follow these steps:

        1. Identify the RDS instances that are not using a KMS key for encryption.

        2. Use the AWS SDK for Python (Boto3) to modify the RDS instances to use a KMS key for encryption.

        Here is the Python code to accomplish this:

        ```python theme={null}
        import boto3

        # Create an RDS client
        rds = boto3.client('rds')

        # Get a list of all RDS instances
        instances = rds.describe_db_instances()

        # Loop through each instance and check if it is using a KMS key for encryption
        for instance in instances['DBInstances']:
            if 'KmsKeyId' not in instance:
                # If the instance is not using a KMS key, modify it to use one
                rds.modify_db_instance(
                    DBInstanceIdentifier=instance['DBInstanceIdentifier'],
                    KmsKeyId='your_kms_key_id_here'
                )
        ```

        Replace "your\_kms\_key\_id\_here" with the ID of the KMS key that you want to use for encryption.

        This code will loop through all RDS instances and modify any instances that are not using a KMS key for encryption to use the specified KMS key.
      </Accordion>
    </AccordionGroup>
  </Tab>
</Tabs>

### Additional Reading:

* [https://docs.aws.amazon.com/kms/latest/developerguide/best-practices.html](https://docs.aws.amazon.com/kms/latest/developerguide/best-practices.html)
