> ## Documentation Index
> Fetch the complete documentation index at: https://cloudanix.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Use Customer-Managed Keys instead of AWS-managed Keys

### More Info:

Your RDS database instances should be using KMS CMK customer-managed keys rather than AWS managed-keys in order to have more granular control over your data-at-rest encryption/decryption process.

### Risk Level

Medium

### Address

Security

### Compliance Standards

GDPR, NIST, AWSWAF, HITRUST, SOC2, NISTCSF, PCIDSS, FedRAMP

### Triage and Remediation

<Tabs>
  <Tab title="Remediation">
    ### Remediation

    <AccordionGroup>
      <Accordion title="Using Console" defaultOpen="true">
        To remediate the misconfiguration of using AWS-managed keys instead of Customer-Managed Keys for AWS RDS using the AWS console, follow these steps:

        1. **Create a Customer-Managed Key (CMK)**:
           * Go to the AWS Key Management Service (KMS) console.
           * Click on "Create key" to create a new CMK.
           * Choose the key creation method (Symmetric key or Asymmetric key) based on your requirements.
           * Define key administrative permissions and key usage permissions.
           * Click on "Finish" to create the CMK.

        2. **Update the RDS Instance to use the Customer-Managed Key**:
           * Go to the Amazon RDS console.
           * Select the RDS instance for which you want to update the encryption key.
           * Click on "Modify" to modify the instance settings.
           * In the "Encryption" section, choose the option to encrypt using a Customer-Managed Key.
           * Select the Customer-Managed Key (CMK) that you created in step 1.
           * Click on "Continue" and review the changes.
           * Click on "Modify DB Instance" to apply the changes.

        3. **Monitor the Encryption Key Update**:
           * Once you have modified the RDS instance to use the Customer-Managed Key, monitor the instance to ensure that the encryption key update is successful.
           * Check the RDS instance status and logs for any errors related to the encryption key update.
           * Verify that the RDS instance is using the Customer-Managed Key for encryption.

        By following these steps, you can remediate the misconfiguration of using AWS-managed keys instead of Customer-Managed Keys for AWS RDS using the AWS console.

        #
      </Accordion>

      <Accordion title="Using CLI">
        To remediate the misconfiguration of using AWS-managed keys for AWS RDS instances and switch to using Customer-Managed Keys, you can follow these steps using the AWS CLI:

        1. **Create a Customer Managed Key (CMK)**:
           * Use the AWS Key Management Service (KMS) to create a new Customer Managed Key (CMK) if you don't already have one.
           * Run the following command to create a CMK:
             ```
             aws kms create-key --description "Customer Managed Key for RDS Encryption"
             ```
           * Note down the `KeyId` value from the output, as you will need it in the next steps.

        2. **Enable encryption with the Customer Managed Key for the RDS instance**:
           * Modify the RDS instance to use the newly created CMK for encryption.
           * Run the following command to modify the RDS instance to use the Customer Managed Key:
             ```
             aws rds modify-db-instance --db-instance-identifier YOUR_DB_INSTANCE_IDENTIFIER --kms-key-id YOUR_CMK_KEY_ID
             ```
           * Replace `YOUR_DB_INSTANCE_IDENTIFIER` with the identifier of your RDS instance and `YOUR_CMK_KEY_ID` with the `KeyId` of the Customer Managed Key created in step 1.

        3. **Verify the encryption settings**:
           * Confirm that the RDS instance is now using the Customer Managed Key for encryption.
           * Run the following command to describe the RDS instance and verify the encryption settings:
             ```
             aws rds describe-db-instances --db-instance-identifier YOUR_DB_INSTANCE_IDENTIFIER --query "DBInstances[*].KmsKeyId"
             ```
           * Ensure that the `KmsKeyId` returned in the output matches the `KeyId` of the Customer Managed Key.

        4. **Monitor the RDS instance**:
           * Monitor the RDS instance to ensure that there are no issues after switching to Customer Managed Key encryption.
           * Check the RDS instance logs and performance metrics to ensure everything is functioning as expected.

        By following these steps, you can remediate the misconfiguration of using AWS-managed keys for AWS RDS instances and switch to using Customer-Managed Keys successfully using the AWS CLI.
      </Accordion>

      <Accordion title="Using Python">
        To remediate this misconfiguration for AWS RDS using Python, you can follow these steps:

        1. **Create a Customer-Managed Key (CMK) in AWS Key Management Service (KMS)**:

           * Use the `boto3` library in Python to create a new CMK in AWS KMS. Here is an example code snippet to create a CMK:

           ```python theme={null}
           import boto3

           kms_client = boto3.client('kms')

           response = kms_client.create_key(
               Description='My Customer-Managed Key',
               KeyUsage='ENCRYPT_DECRYPT',
               Origin='AWS_KMS',
           )

           cmk_id = response['KeyMetadata']['KeyId']
           ```

        2. **Update the RDS instance to use the Customer-Managed Key**:

           * Use the `boto3` library to modify the RDS instance to use the newly created CMK. Here is an example code snippet to update the RDS instance to use the CMK:

           ```python theme={null}
           rds_client = boto3.client('rds')

           response = rds_client.modify_db_instance(
               DBInstanceIdentifier='your-rds-instance-id',
               KmsKeyId=cmk_id,
           )
           ```

        3. **Verify the changes**:

           * You can verify that the RDS instance is now using the Customer-Managed Key by describing the RDS instance and checking the `KmsKeyId` attribute. Here is an example code snippet to describe the RDS instance:

           ```python theme={null}
           response = rds_client.describe_db_instances(
               DBInstanceIdentifier='your-rds-instance-id',
           )

           kms_key_id = response['DBInstances'][0]['KmsKeyId']
           print(f"KMS Key ID used by RDS instance: {kms_key_id}")
           ```

        By following these steps and running the Python code, you can remediate the misconfiguration by using a Customer-Managed Key instead of AWS-managed Keys for your AWS RDS instance.
      </Accordion>
    </AccordionGroup>
  </Tab>
</Tabs>

### Additional Reading:

* [https://aws.amazon.com/blogs/database/securing-data-in-amazon-rds-using-aws-kms-encryption/](https://aws.amazon.com/blogs/database/securing-data-in-amazon-rds-using-aws-kms-encryption/)
