
Ensure AWS RDS Database Using Encryption At Rest

Description

Checks whether or not an AWS RDS instance is using encrypted storage at rest. An instance passes when storage encryption is enabled and a KMS key is associated with the storage; instances running SQL Server Express Edition are exempted by the default rule below.

Rationale

Encrypting storage at rest protects your data if an adversary acquires physical access to, or copies of, the underlying storage media. For an RDS instance this covers the instance's storage volumes, its automated backups, read replicas and snapshots. It does not protect against an adversary who obtains database credentials or network access to a running instance, so it complements access controls rather than replacing them. Encryption can only be enabled when an instance is created: an existing unencrypted instance is remediated by copying a snapshot of it with encryption enabled and restoring a new instance from that copy.

Applies To

  • Databases

Tags

This rule is applied when the following tags are present:

Tag                            Value
secureclouddb/provider         aws
secureclouddb/service          rds
secureclouddb/resource-type    db

Default Rule

const { isAwsRds } = aws
const { getServerSetting } = module

/**
 * @param {Object} databaseSettings - database settings object
 * @returns {{success: boolean}} success is true if storage encryption at rest
 *   is enabled with a KMS key, or if the instance runs SQL Server Express Edition
 */
function validate(databaseSettings) {

    // SQL Server Express Edition is exempted: this rule treats it as not
    // supporting encryption at rest
    const isExpressEdition = settings => {
        const edition = getServerSetting(settings, "edition")
        return !!edition && edition.includes("Express Edition")
    }

    // encryption only counts as enabled when the storage block exists,
    // reports encrypted = true and carries a kmsKey
    const hasEncryptedStorage = settings => {
        const storage = settings.awsDatabaseInstance.rdsDatabaseInstance.storage
        return !!storage && !!storage.kmsKey && !!storage.encrypted
    }

    const success =
        (isAwsRds(databaseSettings) && hasEncryptedStorage(databaseSettings)) ||
        isExpressEdition(databaseSettings)

    return {
        success: !!success,
    }
}

// invoke
validate(databaseSettings);
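The default rule runs inside the SecureCloudDB sandbox against its own settings object, so it cannot be exercised directly against AWS data. The following is an added example, not SecureCloudDB's rule code, that applies the same policy to records shaped like the AWS RDS DescribeDBInstances API response (the fields StorageEncrypted, KmsKeyId, Engine and DBInstanceIdentifier are real fields of that response, and "sqlserver-ex" is the RDS engine name for SQL Server Express Edition). The mapping from those fields onto the rule's storage.encrypted, storage.kmsKey and "edition" settings is an assumption, and the sample instances are constructed, not captured from an account. It also shows the edge case the rule's kmsKey check covers: a record flagged encrypted with no key is a failure, not a pass.

```javascript
// Added example, not SecureCloudDB's own rule code: the rule's policy applied to
// records shaped like the AWS RDS DescribeDBInstances response. The mapping of the
// API fields onto the rule's settings object is an assumption; the instances below
// are constructed sample data, with a made-up account id and key id.
const SAMPLE_DB_INSTANCES = [
  {
    DBInstanceIdentifier: "orders-prod",
    Engine: "postgres",
    StorageEncrypted: true,
    KmsKeyId: "arn:aws:kms:us-east-1:111122223333:key/0000aaaa-1111-2222-3333-444455556666",
  },
  { DBInstanceIdentifier: "legacy-reports", Engine: "mysql", StorageEncrypted: false },
  { DBInstanceIdentifier: "dev-sqlexpress", Engine: "sqlserver-ex", StorageEncrypted: false },
  // Inconsistent record: flagged encrypted but with no key. Treated as a failure,
  // as the page's rule does, so a missing or empty key is never silently accepted.
  { DBInstanceIdentifier: "odd-instance", Engine: "mariadb", StorageEncrypted: true, KmsKeyId: "" },
];

// Mirrors the page's Express Edition exemption. The exemption is the rule's, not
// this example's; confirm it against current AWS documentation before relying on it.
function isExpressEdition(instance) {
  return instance.Engine === "sqlserver-ex";
}

// Encryption counts only when both the flag and a non-empty KMS key are present.
function hasEncryptedStorage(instance) {
  return instance.StorageEncrypted === true &&
    typeof instance.KmsKeyId === "string" &&
    instance.KmsKeyId.length > 0;
}

// Returns the same { success } shape as the rule, plus a reason for reporting.
function evaluateEncryptionAtRest(instance) {
  if (hasEncryptedStorage(instance)) {
    return { success: true, reason: "storage encrypted with " + instance.KmsKeyId };
  }
  if (isExpressEdition(instance)) {
    return { success: true, reason: "SQL Server Express Edition, exempted by the rule" };
  }
  return { success: false, reason: "StorageEncrypted is not true or KmsKeyId is missing" };
}

// Identifiers of the instances that fail the check, in input order.
function findUnencryptedInstances(instances) {
  return instances
    .filter((instance) => !evaluateEncryptionAtRest(instance).success)
    .map((instance) => instance.DBInstanceIdentifier);
}

for (const instance of SAMPLE_DB_INSTANCES) {
  const result = evaluateEncryptionAtRest(instance);
  console.log(`${instance.DBInstanceIdentifier}: ${result.success ? "PASS" : "FAIL"} (${result.reason})`);
}
```

Against a live account the same functions can be fed the DBInstances array returned by `aws rds describe-db-instances`; the two failing identifiers in the sample are the ones that would need a new encrypted instance restored from an encrypted snapshot copy.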