RDS Instances Should Have Encryption Enabled

Using Console

Using CLI

Amazon RDS does not support enabling encryption on an existing unencrypted DB instance. However, you can achieve encryption by creating a new encrypted instance and migrating the data. Here are the steps for AWS CLI:

Identify the RDS Instances without Encryption Enabled: Run the following AWS CLI command to list all RDS instances without encryption enabled:
```
aws rds describe-db-instances --query "DBInstances[?StorageEncrypted==\`false\`].DBInstanceIdentifier"
```
Create a Snapshot: For each RDS instance identified in the previous step, create a db snapshot using the following command:
```
aws rds create-db-snapshot \
  --db-instance-identifier <db-instance-id> \
  --db-snapshot-identifier <snapshot-id>
```
Replace <instance-identifier> with the identifier of the RDS instance that needs encryption enabled.
Iterate through all the instances and perform below steps:

Copy the Snapshot with Encryption Enabled:

aws rds copy-db-snapshot \
  --source-db-snapshot-identifier <snapshot-id> \
  --target-db-snapshot-identifier <encrypted-snapshot-id> \
  --kms-key-id <kms-key-id>

Replace <snapshot-id> with the RDS instance snapshot identifier created in the above step.

Restore a New Encrypted DB Instance from the Encrypted Snapshot: Once the encryption modification is complete, verify that encryption is enabled for the RDS instance by running:
```
aws rds restore-db-instance-from-db-snapshot \
  --db-instance-identifier <new-db-instance-id> \
  --db-snapshot-identifier <encrypted-snapshot-id>
```
Replace <encrypted-snapshot-id> with the Encrypted snapshot identifier created in the above step.

(Optional) Delete Old Unencrypted Instances:

for db in $(aws rds describe-db-instances --query "DBInstances[?StorageEncrypted==\`false\`].DBInstanceIdentifier" --output text); do
  aws rds delete-db-instance --db-instance-identifier $db --skip-final-snapshot
  echo "Deleted old unencrypted instance: $db"
done

By following these steps, you can remediate the misconfiguration of RDS instances not having encryption enabled in AWS using AWS CLI.

Using Python

Amazon RDS does not support enabling encryption on an existing unencrypted DB instance. However, you can achieve encryption by creating a new encrypted instance and migrating the data. Here are the steps using Python:

Import the necessary Python libraries:
```
import boto3
```
Initialize the AWS RDS client:
```
client = boto3.client('rds')
```

Get a list of all RDS instances:

response = client.describe_db_instances()

Create a snapshot of the current unencrypted DB instance:

 # Step 1: Create a snapshot
 snapshot_id = f"{db_instance}-unencrypted-snapshot"
 print(f"Creating snapshot: {snapshot_id}")
 rds_client.create_db_snapshot(DBInstanceIdentifier=db_instance, DBSnapshotIdentifier=snapshot_id)

 # Wait until snapshot is available
 waiter = rds_client.get_waiter('db_snapshot_available')
 waiter.wait(DBSnapshotIdentifier=snapshot_id)
 print(f"Snapshot {snapshot_id} is now available.")

Create new snapshot with Encryption:

 # Step 2: Copy the snapshot with encryption
 encrypted_snapshot_id = f"{db_instance}-encrypted-snapshot"
 print(f"Copying snapshot with encryption: {encrypted_snapshot_id}")
 rds_client.copy_db_snapshot(
     SourceDBSnapshotIdentifier=snapshot_id,
     TargetDBSnapshotIdentifier=encrypted_snapshot_id,
     KmsKeyId=kms_key_id
 )

 # Wait until encrypted snapshot is available
 waiter.wait(DBSnapshotIdentifier=encrypted_snapshot_id)
 print(f"Encrypted snapshot {encrypted_snapshot_id} is now available.")

Restore to create a new Encrypted database:

 # Step 3: Restore a new encrypted DB instance
 new_db_instance = f"{db_instance}-encrypted"
 print(f"Restoring new encrypted DB instance: {new_db_instance}")
 rds_client.restore_db_instance_from_db_snapshot(
     DBInstanceIdentifier=new_db_instance,
     DBSnapshotIdentifier=encrypted_snapshot_id
 )

 # Step 4: Wait for the new DB instance to be available
 db_waiter = rds_client.get_waiter('db_instance_available')
 db_waiter.wait(DBInstanceIdentifier=new_db_instance)
 print(f"New encrypted DB instance {new_db_instance} is now available.")

Make sure you have the necessary IAM permissions to describe and modify RDS instances. Also, ensure that you have the AWS SDK for Python (Boto3) installed.This script will iterate through all RDS instances in your AWS account, check if encryption is enabled, take a snapshot, create a new encrypted snapshot, and create new database using encrypted snapshot.

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

RDS Instances Should Have Encryption Enabled

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading: