Use Customer-Managed Keys instead of AWS-managed Keys
More Info:
Your RDS database instances should be using KMS CMK customer-managed keys rather than AWS managed-keys in order to have more granular control over your data-at-rest encryption/decryption process.Risk Level
MediumAddress
SecurityCompliance Standards
GDPR, NIST, AWSWAF, HITRUST, SOC2, NISTCSF, PCIDSS, FedRAMPTriage and Remediation
Remediation
Using Console
Using Console
To remediate the misconfiguration of using AWS-managed keys instead of Customer-Managed Keys for AWS RDS using the AWS console, follow these steps:
-
Create a Customer-Managed Key (CMK):
- Go to the AWS Key Management Service (KMS) console.
- Click on “Create key” to create a new CMK.
- Choose the key creation method (Symmetric key or Asymmetric key) based on your requirements.
- Define key administrative permissions and key usage permissions.
- Click on “Finish” to create the CMK.
-
Update the RDS Instance to use the Customer-Managed Key:
- Go to the Amazon RDS console.
- Select the RDS instance for which you want to update the encryption key.
- Click on “Modify” to modify the instance settings.
- In the “Encryption” section, choose the option to encrypt using a Customer-Managed Key.
- Select the Customer-Managed Key (CMK) that you created in step 1.
- Click on “Continue” and review the changes.
- Click on “Modify DB Instance” to apply the changes.
-
Monitor the Encryption Key Update:
- Once you have modified the RDS instance to use the Customer-Managed Key, monitor the instance to ensure that the encryption key update is successful.
- Check the RDS instance status and logs for any errors related to the encryption key update.
- Verify that the RDS instance is using the Customer-Managed Key for encryption.
Using CLI
Using CLI
To remediate the misconfiguration of using AWS-managed keys for AWS RDS instances and switch to using Customer-Managed Keys, you can follow these steps using the AWS CLI:
-
Create a Customer Managed Key (CMK):
- Use the AWS Key Management Service (KMS) to create a new Customer Managed Key (CMK) if you don’t already have one.
- Run the following command to create a CMK:
- Note down the
KeyIdvalue from the output, as you will need it in the next steps.
-
Enable encryption with the Customer Managed Key for the RDS instance:
- Modify the RDS instance to use the newly created CMK for encryption.
- Run the following command to modify the RDS instance to use the Customer Managed Key:
- Replace
YOUR_DB_INSTANCE_IDENTIFIERwith the identifier of your RDS instance andYOUR_CMK_KEY_IDwith theKeyIdof the Customer Managed Key created in step 1.
-
Verify the encryption settings:
- Confirm that the RDS instance is now using the Customer Managed Key for encryption.
- Run the following command to describe the RDS instance and verify the encryption settings:
- Ensure that the
KmsKeyIdreturned in the output matches theKeyIdof the Customer Managed Key.
-
Monitor the RDS instance:
- Monitor the RDS instance to ensure that there are no issues after switching to Customer Managed Key encryption.
- Check the RDS instance logs and performance metrics to ensure everything is functioning as expected.
Using Python
Using Python
To remediate this misconfiguration for AWS RDS using Python, you can follow these steps:
-
Create a Customer-Managed Key (CMK) in AWS Key Management Service (KMS):
- Use the
boto3library in Python to create a new CMK in AWS KMS. Here is an example code snippet to create a CMK:
- Use the
-
Update the RDS instance to use the Customer-Managed Key:
- Use the
boto3library to modify the RDS instance to use the newly created CMK. Here is an example code snippet to update the RDS instance to use the CMK:
- Use the
-
Verify the changes:
- You can verify that the RDS instance is now using the Customer-Managed Key by describing the RDS instance and checking the
KmsKeyIdattribute. Here is an example code snippet to describe the RDS instance:
- You can verify that the RDS instance is now using the Customer-Managed Key by describing the RDS instance and checking the