Encrypt AWS RDS Snapshot

Description

On a database instance running with Amazon RDS encryption, data stored at rest in the underlying storage is encrypted, as are its automated backups, read replicas, and snapshots.

If an Amazon RDS database isn't encrypted, its automatic snapshots will not be encrypted and must be encrypted manually.

For more information, please refer to the AWS RDS documentation.

Rationale

Make sure your Amazon RDS snapshots are encrypted to prevent unauthorized access from third parties.

Applies To

  • Latest Blob Instances

Tags

This rule is applied when the following tags are present:

Tag                           Value
secureclouddb/provider        aws
secureclouddb/service         rds
secureclouddb/resource-type   db

Default Rule

const { isEmptyArray } = module

/**
 * @param {Object} blobInstances - database snapshots
 * @returns {{success: boolean}} success is true if every database snapshot is encrypted
 */
function validate(blobInstances) {
    // An empty set of snapshots is compliant; otherwise every snapshot must
    // report encrypted === true. A snapshot with no aws.rds configuration
    // cannot be shown to be encrypted and therefore fails the check.
    const success = isEmptyArray(blobInstances.values) ||
                    blobInstances.values.every(snap =>
                        snap.configuration &&
                        snap.configuration.aws &&
                        snap.configuration.aws.rds &&
                        !!snap.configuration.aws.rds.encrypted
                    )

    return {
        success,
    }
}

// invoke
validate(blobInstances);
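The rule above only answers yes or no. The following added example (not SecureCloudDB's own code) runs the same check stand-alone over a constructed sample of `aws rds describe-db-snapshots` output, mapping the AWS fields `DBSnapshotIdentifier` and `Encrypted` onto the `blobInstances` shape, and also lists which snapshots fail so they can be remediated; `isEmptyArray`, `toBlobInstances` and `unencryptedSnapshotIds` are helpers assumed here, and all snapshot values are made up.

```javascript
// Stand-in for the helper the rule imports from `module`.
const isEmptyArray = arr => Array.isArray(arr) && arr.length === 0;

// Constructed sample of `aws rds describe-db-snapshots` output: one encrypted
// snapshot, one explicitly unencrypted, one missing the Encrypted field.
const describeDbSnapshotsOutput = {
  DBSnapshots: [
    { DBSnapshotIdentifier: "rds:prod-db-2024-01-01", Encrypted: true,
      KmsKeyId: "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID" },
    { DBSnapshotIdentifier: "manual-legacy-copy", Encrypted: false },
    { DBSnapshotIdentifier: "odd-record" },
  ],
};

// Map the AWS API shape onto the blobInstances shape the rule expects.
// A missing Encrypted field is treated as unencrypted (fail closed).
function toBlobInstances(output) {
  return {
    values: output.DBSnapshots.map(s => ({
      id: s.DBSnapshotIdentifier,
      configuration: { aws: { rds: { encrypted: s.Encrypted === true } } },
    })),
  };
}

// Per-snapshot predicate, identical to the rule's inner check.
const isEncrypted = snap =>
  !!(snap.configuration && snap.configuration.aws &&
     snap.configuration.aws.rds && snap.configuration.aws.rds.encrypted);

// Same semantics as the Default Rule: an empty set passes, otherwise
// every snapshot must be encrypted.
function validate(blobInstances) {
  const success = isEmptyArray(blobInstances.values) ||
                  blobInstances.values.every(isEncrypted);
  return { success };
}

// For remediation you want the offenders, not just a boolean.
function unencryptedSnapshotIds(blobInstances) {
  return blobInstances.values.filter(s => !isEncrypted(s)).map(s => s.id);
}

const instances = toBlobInstances(describeDbSnapshotsOutput);
console.log(validate(instances));                // { success: false }
console.log(unencryptedSnapshotIds(instances));  // [ 'manual-legacy-copy', 'odd-record' ]
```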