
Aurora Data Encrypted At Rest

Description

Checks whether an AWS RDS Aurora instance uses encrypted storage at rest. You can use Amazon Aurora encryption to increase the data protection of your applications deployed in the cloud and to fulfill compliance requirements for data-at-rest encryption.

Using AWS Key Management Service allows you to create encryption keys and define the policies that control how these keys can be used. For an Amazon Aurora encrypted DB cluster, all logs, backups, and snapshots are encrypted. You can also encrypt a read replica of an Amazon Aurora encrypted cluster.

Rationale

Encrypting storage at rest is important as it prevents an adversary that acquires physical access to the underlying data storage from accessing your data.

Applies To

  • Databases

Tags

This rule is applied when the following tags are present:

Tag                            Value
secureclouddb/provider         aws
secureclouddb/service          rds
secureclouddb/resource-type    cluster

Default Rule

const { isAwsRdsCluster } = aws
/**
 * @param {Object} databaseSettings - database settings object
 * @returns {{success: boolean}} success is true only when the resource is an
 *   RDS cluster and its storage is encrypted at rest
 */
function validate(databaseSettings) {
    // Strict comparison so a missing storageEncrypted field yields false rather than undefined
    const success = isAwsRdsCluster(databaseSettings) &&
                    databaseSettings.awsDatabaseInstance.rdsCluster.storageEncrypted === true

    return {
        success,
    }
}

// invoke
validate(databaseSettings);
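The rule above runs inside the secureclouddb engine, which supplies the `aws` helper and the `databaseSettings` object. As an added example that is not part of the rule or the project, the same check applied outside the engine to the JSON returned by `aws rds describe-db-clusters` (the `DBClusters[].Engine` and `StorageEncrypted` fields are the real API shape; the cluster identifiers and key ARN in the sample are constructed):

```javascript
// Added example: audit DescribeDBClusters output for Aurora clusters whose
// storage is not encrypted at rest. Not the secureclouddb rule itself.

// Engine values the RDS API reports for Aurora clusters.
const AURORA_ENGINES = new Set(['aurora', 'aurora-mysql', 'aurora-postgresql']);

/**
 * Classify every Aurora cluster in a DescribeDBClusters response.
 * @param {{DBClusters?: Array<Object>}} describeOutput - parsed JSON from describe-db-clusters
 * @returns {{compliant: string[], nonCompliant: string[], skipped: string[]}}
 */
function auditAuroraEncryption(describeOutput) {
  const result = { compliant: [], nonCompliant: [], skipped: [] };
  for (const cluster of describeOutput.DBClusters || []) {
    const id = cluster.DBClusterIdentifier;
    if (!AURORA_ENGINES.has(cluster.Engine)) {
      result.skipped.push(id); // non-Aurora cluster that shares the RDS API; out of scope for this rule
      continue;
    }
    // StorageEncrypted must be strictly true; a missing field is treated as unencrypted.
    if (cluster.StorageEncrypted === true) {
      result.compliant.push(id);
    } else {
      result.nonCompliant.push(id);
    }
  }
  return result;
}

// Constructed sample shaped like real API output; identifiers and the KMS ARN are made up.
const SAMPLE_DESCRIBE_OUTPUT = {
  DBClusters: [
    { DBClusterIdentifier: 'orders-aurora', Engine: 'aurora-mysql', StorageEncrypted: true,
      KmsKeyId: 'arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID' },
    { DBClusterIdentifier: 'legacy-aurora', Engine: 'aurora-postgresql', StorageEncrypted: false },
    { DBClusterIdentifier: 'reports-aurora', Engine: 'aurora-postgresql' },
    { DBClusterIdentifier: 'graph-cluster', Engine: 'neptune', StorageEncrypted: false },
  ],
};

// Usage: in practice, pipe the CLI output in place of the constructed sample.
console.log(JSON.stringify(auditAuroraEncryption(SAMPLE_DESCRIBE_OUTPUT), null, 2));
```

Clusters listed under `nonCompliant` cannot simply be switched to encrypted in place; remediation is to snapshot the cluster and restore it with encryption enabled under a KMS key.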