Amazon RDS

RDS low encryption

Risk Level: LOW

Description:

This plugin ensures that RDS instances have at-rest encryption enabled and checks which kind of KMS key protects the storage. RDS supports at-rest encryption of the underlying storage of a DB instance, its automated backups, read replicas and snapshots; it should be enabled to protect the confidentiality of data stored in the databases (encryption at rest does not protect integrity). To retain control over the key itself (its key policy, rotation, and the ability to disable or delete it), RDS instances should be encrypted with a customer managed KMS key (CMK) at the very least, rather than the AWS managed aws/rds key.


Recommended Action: RDS does not allow encryption to be enabled, or the KMS key to be changed, on an existing DB instance. Create an encrypted copy of a snapshot of the instance under the desired key, restore that copy to a new instance, repoint the application at the new endpoint, and then retire the old instance (see Steps for remediation).

Configuration Parameters

RDS Minimum Encryption Level: This parameter specifies the minimum required encryption type for RDS. An issue is created when an instance is unencrypted or its encryption level is lower than the configured minimum.

The encryption levels, from lowest to highest, are:

  1. awskms = AWS managed KMS key (the default aws/rds key)
  2. awscmk = customer managed KMS key with key material generated by KMS
  3. externalcmk = customer managed KMS key with imported (externally sourced) key material
  4. cloudhsm = customer managed KMS key backed by a CloudHSM custom key store

The default minimum is 'awscmk', so an alert is raised for any instance that is unencrypted or encrypted at a level lower than awscmk (that is, with the AWS managed key).

About the Service :

Amazon RDS (Amazon Relational Database Service) makes it simple to set up, run, and scale a relational database in the cloud. It offers scalable capacity at a low cost while automating time-consuming administrative activities including hardware provisioning, database setup, patching, and backups. 

Impact: 

Encrypting with a customer managed KMS key (CMK) rather than the AWS managed aws/rds key (which RDS uses by default when no customer key is specified) gives you control over the key policy and grants, rotation, and disabling or deleting the key, and therefore over who can decrypt the data. Snapshots encrypted with the AWS managed key also cannot be shared with other AWS accounts, so a CMK is required for cross-account snapshot sharing.


Steps to reproduce :

  1. Sign in to your AWS management console.
  2. Navigate to the RDS dashboard at: https://console.aws.amazon.com/rds/
  3. On the left navigation panel, under RDS Dashboard, select Databases.
  4. Select the RDS instance that you want to examine.
  5. Under the Configuration panel, check the status of Storage Encryption.
  6. If the current status is set to Disabled, data-at-rest encryption is not enabled for the selected RDS database instance.
  7. If the current status is set to Enabled and the KMS key alias is "aws/rds", the selected instance is encrypted using the default AWS managed key rather than a customer managed key.
  8. Repeat steps no. 4 – 7 for each RDS instance provisioned in the current region as well as in other AWS regions.
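The same check, scripted, for both the Configuration Parameters section above and the manual steps just listed. This is an added example, not the scanner's own code: it maps the fields that RDS DescribeDBInstances (StorageEncrypted, KmsKeyId) and KMS DescribeKey (KeyManager, Origin) really return onto the four levels the page defines, adds a "none" level for unencrypted instances, and compares each instance against the configured minimum. The sample instances and keys are constructed and the key ARNs and identifiers are fictitious.

```python
"""Rank the at-rest encryption of RDS instances and flag those below a minimum
level. Added example, not the scanner's own code; the sample instances and keys
below are constructed, the key ARNs and identifiers are fictitious."""

# Same order as the page, lowest to highest. "none" (no storage encryption) is
# added here so unencrypted instances rank below every key type.
ENCRYPTION_LEVELS = ["none", "awskms", "awscmk", "externalcmk", "cloudhsm"]


def key_encryption_level(key_metadata):
    """Map KMS DescribeKey KeyMetadata to a level name.

    KeyManager is "AWS" for AWS managed keys such as aws/rds and "CUSTOMER" for
    customer managed keys; Origin says where the key material came from.
    """
    if key_metadata.get("KeyManager") == "AWS":
        return "awskms"
    origin = key_metadata.get("Origin", "AWS_KMS")
    if origin == "AWS_CLOUDHSM":
        return "cloudhsm"
    if origin == "EXTERNAL":
        return "externalcmk"
    return "awscmk"


def evaluate(instances, keys_by_arn, minimum="awscmk"):
    """Return one (identifier, level, status) tuple per instance.

    instances: DescribeDBInstances entries (StorageEncrypted, KmsKeyId);
    keys_by_arn: KMS KeyMetadata keyed by key ARN, as DescribeKey returns it.
    """
    required = ENCRYPTION_LEVELS.index(minimum)
    findings = []
    for inst in instances:
        ident = inst["DBInstanceIdentifier"]
        if not inst.get("StorageEncrypted"):
            findings.append((ident, "none", "FAIL"))
            continue
        key = keys_by_arn.get(inst.get("KmsKeyId"))
        if key is None:
            # Key not describable (cross-account key, missing kms:DescribeKey):
            # report it rather than guess a level.
            findings.append((ident, "unknown", "ERROR"))
            continue
        level = key_encryption_level(key)
        status = "PASS" if ENCRYPTION_LEVELS.index(level) >= required else "FAIL"
        findings.append((ident, level, status))
    return findings


# Constructed sample data standing in for describe-db-instances / describe-key output.
_KMS = "arn:aws:kms:us-east-1:111122223333:key/"
SAMPLE_KEYS = {
    _KMS + "aws-rds-default": {"KeyManager": "AWS", "Origin": "AWS_KMS"},
    _KMS + "team-cmk": {"KeyManager": "CUSTOMER", "Origin": "AWS_KMS"},
    _KMS + "imported-cmk": {"KeyManager": "CUSTOMER", "Origin": "EXTERNAL"},
    _KMS + "hsm-cmk": {"KeyManager": "CUSTOMER", "Origin": "AWS_CLOUDHSM"},
}
SAMPLE_INSTANCES = [
    {"DBInstanceIdentifier": "legacy-mysql", "StorageEncrypted": False},
    {"DBInstanceIdentifier": "orders-pg", "StorageEncrypted": True,
     "KmsKeyId": _KMS + "aws-rds-default"},
    {"DBInstanceIdentifier": "payments-pg", "StorageEncrypted": True,
     "KmsKeyId": _KMS + "team-cmk"},
    {"DBInstanceIdentifier": "ledger-pg", "StorageEncrypted": True,
     "KmsKeyId": _KMS + "hsm-cmk"},
    {"DBInstanceIdentifier": "shared-pg", "StorageEncrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:999999999999:key/other-account"},
]

if __name__ == "__main__":
    for ident, level, status in evaluate(SAMPLE_INSTANCES, SAMPLE_KEYS):
        print(f"{status:5} {ident:14} {level}")
```

Against live data, feed `evaluate` the `DBInstances` list from `describe_db_instances` and a dict built from `describe_key` on each distinct `KmsKeyId`; the ERROR branch matters in practice because a key owned by another account is often not describable from the scanning account, and silently treating it as the AWS managed key would produce a false finding.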


Steps for remediation :

  1. Sign in to your AWS management console.
  2. Navigate to the KMS dashboard at: https://console.aws.amazon.com/kms/
  3. In the left navigation panel, click Customer managed keys.
  4. Create a symmetric customer managed KMS key (CMK) in the same region as the RDS instance, for the encryption of data-at-rest for the RDS database instances. Give the key policy only the principals that need to administer and use it.
  5. Navigate to the RDS dashboard at: https://console.aws.amazon.com/rds/
  6. On the left navigation panel, under RDS Dashboard, select Databases.
  7. Select the RDS instance that you want to examine.
  8. Click the Actions button from the dashboard top menu and select Take Snapshot.
  9. On the Take DB Snapshot page that appears, enter the Snapshot name and click on Take Snapshot.
  10. Open the newly created snapshot, click on Actions, and select Copy Snapshot.
  11. On the Make Copy of DB Snapshot page, perform the following actions: 
    1. In the New DB Snapshot Identifier field, enter a name for the new snapshot (copy).
    2. Select Copy Tags so the new snapshot has the same tags as the source snapshot.
    3. From the Master Key dropdown list, select your CMK, or select Enter a key ARN and provide the CMK ARN. The key must be in the region where the copy is created. If the source snapshot is unencrypted, this is the step that turns encryption on for the copy.

  12. Click Copy Snapshot to create an encrypted copy of the selected instance snapshot.
  13. Open the new copied snapshot, click on Actions, and select Restore Snapshot.
  14. This will restore the encrypted snapshot to a new database instance.
  15. On the Restore Snapshot page that appears, enter a unique name in the DB Instance Identifier field.
  16. Review the instance configuration details and click Restore DB Instance.
  17. As soon as the new instance provisioning process is completed (its status becomes available), confirm that Storage Encryption is Enabled and that the KMS key shown is your CMK, then update your application configuration to refer to the endpoint of the new (KMS CMK encrypted) database instance. Once the database endpoint is changed at your application level, you can remove the instance that was encrypted using the default KMS key. A restored instance does not inherit every setting of the source (for example security groups and parameter groups), so review them before cutting over.
  18. Repeat steps no. 5 – 17 for each RDS instance encrypted using default KMS keys provisioned in the current region as well as in other AWS regions.
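The remediation procedure above (snapshot, encrypted snapshot copy under the CMK, restore to a new instance, then verify) expressed as the corresponding RDS API calls. This is an added example, not AWS's or the scanner's code. The instance names and the key ARN are hypothetical; the `DryRunClient` is a stand-in for boto3's RDS client so the flow can be exercised offline, and `apply_plan` takes `boto3.client("rds")` in the same position for a real run.

```python
"""Move an RDS instance onto a customer managed KMS key: snapshot, encrypted
snapshot copy, restore to a new instance, verify. Added example, not AWS's or
the scanner's code. Instance names and the key ARN are hypothetical; DryRunClient
stands in for boto3's RDS client so the flow can be exercised offline."""

EXAMPLE_CMK_ARN = "arn:aws:kms:us-east-1:111122223333:key/team-cmk"  # hypothetical


def build_reencryption_plan(db_instance_id, cmk_arn, new_instance_id):
    """Ordered RDS API calls that re-encrypt db_instance_id under cmk_arn.

    The same plan serves an unencrypted source and one on the aws/rds key:
    passing KmsKeyId to copy_db_snapshot yields an encrypted copy either way.
    The key must live in the region where the copy is created.
    """
    src_snap = f"{db_instance_id}-before-cmk"
    enc_snap = f"{src_snap}-encrypted"
    return [
        {"op": "create_db_snapshot",
         "params": {"DBInstanceIdentifier": db_instance_id, "DBSnapshotIdentifier": src_snap}},
        {"op": "wait", "waiter": "db_snapshot_available",
         "params": {"DBSnapshotIdentifier": src_snap}},
        {"op": "copy_db_snapshot",
         "params": {"SourceDBSnapshotIdentifier": src_snap,
                    "TargetDBSnapshotIdentifier": enc_snap,
                    "KmsKeyId": cmk_arn, "CopyTags": True}},
        {"op": "wait", "waiter": "db_snapshot_available",
         "params": {"DBSnapshotIdentifier": enc_snap}},
        {"op": "restore_db_instance_from_db_snapshot",
         "params": {"DBInstanceIdentifier": new_instance_id, "DBSnapshotIdentifier": enc_snap}},
        {"op": "wait", "waiter": "db_instance_available",
         "params": {"DBInstanceIdentifier": new_instance_id}},
    ]


def apply_plan(rds, plan):
    """Run the plan in order against an RDS client (boto3.client("rds") or a stand-in)."""
    for step in plan:
        if step["op"] == "wait":
            rds.get_waiter(step["waiter"]).wait(**step["params"])
        else:
            getattr(rds, step["op"])(**step["params"])


def verify_key(rds, instance_id, cmk_arn):
    """True only if the instance is encrypted and reports the intended key ARN."""
    resp = rds.describe_db_instances(DBInstanceIdentifier=instance_id)
    inst = resp["DBInstances"][0]
    return bool(inst.get("StorageEncrypted")) and inst.get("KmsKeyId") == cmk_arn


class DryRunClient:
    """Records calls instead of making them and returns a canned describe response."""

    def __init__(self, describe_response):
        self.calls = []
        self._describe = describe_response

    def __getattr__(self, name):
        def call(**params):
            self.calls.append((name, params))
            return self._describe if name == "describe_db_instances" else {}
        return call

    def get_waiter(self, name):
        client = self

        class Waiter:
            def wait(self, **params):
                client.calls.append(("wait:" + name, params))
        return Waiter()


if __name__ == "__main__":
    plan = build_reencryption_plan("orders-pg", EXAMPLE_CMK_ARN, "orders-pg-cmk")
    # Constructed describe response for the restored instance.
    rds = DryRunClient({"DBInstances": [{"DBInstanceIdentifier": "orders-pg-cmk",
                                         "StorageEncrypted": True, "KmsKeyId": EXAMPLE_CMK_ARN}]})
    apply_plan(rds, plan)  # real run: apply_plan(boto3.client("rds"), plan)
    for name, params in rds.calls:
        print(name, params)
    print("verified:", verify_key(rds, "orders-pg-cmk", EXAMPLE_CMK_ARN))
```

The verification step is deliberate: after the restore, `verify_key` checks the instance's reported `KmsKeyId` against the CMK you intended before any application cut-over, which catches a copy that was accidentally made under the aws/rds key or in the wrong region.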



