lacework-global-171
Ensure RDS database is encrypted with customer managed KMS key
Description
It is recommended that an AWS Relational Database Service (RDS) Database is always encrypted with a customer managed KMS key.
Remediation
Log in to the AWS Management Console.
Navigate to https://console.aws.amazon.com/kms/
Click Create a key.
Select Key type.
If Symmetric, expand Advanced options and select KMS.
If Asymmetric, under Key usage, select Encrypt and decrypt, and choose the Key spec.
Complete the remaining configuration steps to add labels, and define key administrative permissions and key usage permissions.
Click Finish.
Navigate to https://console.aws.amazon.com/rds/
In the left navigation panel, click on Databases.
Select the Database instance that needs to be encrypted.
Click the Actions button at the top right and select Take Snapshot.
On the Take Snapshot page, enter a name for the snapshot in the Snapshot Name field and click on Take Snapshot.
Select the snapshot, select Actions and select Copy snapshot.
On the Copy snapshot page, perform the following:
In the New DB Snapshot Identifier field, enter a name for the new snapshot.
Check Copy Tags so that the new snapshot carries the same tags as the source snapshot.
Check Enable Encryption, and choose the KMS key you just created from the AWS KMS dropdown.
Click Copy Snapshot to create an encrypted copy of the selected instance snapshot.
Select the new encrypted snapshot copy, click Actions and select Restore Snapshot.
On the Restore snapshot page, enter a unique name for the new database instance in the DB Instance Identifier field.
Review the instance configuration details and click Restore DB Instance.
When the new instance has finished provisioning, update the application configuration to point at the endpoint of the new encrypted database instance. Once the application is using the new endpoint, you can remove the unencrypted instance.
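To verify the control this policy describes before and after remediation, the following added example (not Lacework's own policy code) evaluates RDS instances against the rule: storage must be encrypted, and the key must be customer managed rather than the AWS managed aws/rds key. The instance records and the key-manager lookup are constructed inline in the shape of `aws rds describe-db-instances` and `aws kms describe-key` (`KeyManager`) output; in a real run you would populate both from those calls.

```python
"""Flag RDS instances that are not encrypted with a customer managed KMS key."""

# Constructed sample: only the fields of `describe-db-instances` this check needs.
SAMPLE_DB_INSTANCES = [
    {"DBInstanceIdentifier": "orders-prod", "StorageEncrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/11111111-1111-1111-1111-111111111111"},
    {"DBInstanceIdentifier": "reports-staging", "StorageEncrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/22222222-2222-2222-2222-222222222222"},
    {"DBInstanceIdentifier": "legacy-dev", "StorageEncrypted": False},
]

# Constructed sample: key ARN -> KeyManager as reported by `kms describe-key`.
# "CUSTOMER" is a customer managed key; "AWS" is an AWS managed key (e.g. aws/rds).
SAMPLE_KEY_MANAGER = {
    "arn:aws:kms:us-east-1:111122223333:key/11111111-1111-1111-1111-111111111111": "CUSTOMER",
    "arn:aws:kms:us-east-1:111122223333:key/22222222-2222-2222-2222-222222222222": "AWS",
}


def evaluate_instance(instance, key_manager):
    """Return (status, reason) for one DB instance record."""
    if not instance.get("StorageEncrypted"):
        return "FAIL", "storage is not encrypted"
    key_id = instance.get("KmsKeyId")
    manager = key_manager.get(key_id)
    if manager is None:
        # Key is in another account or the caller lacks kms:DescribeKey;
        # report it rather than silently passing or failing.
        return "UNKNOWN", f"KMS key {key_id} could not be resolved"
    if manager != "CUSTOMER":
        return "FAIL", f"encrypted with AWS managed key {key_id}"
    return "PASS", f"encrypted with customer managed key {key_id}"


def find_noncompliant(instances, key_manager):
    """Map each non-passing DBInstanceIdentifier to its (status, reason)."""
    findings = {}
    for inst in instances:
        status, reason = evaluate_instance(inst, key_manager)
        if status != "PASS":
            findings[inst["DBInstanceIdentifier"]] = (status, reason)
    return findings


if __name__ == "__main__":
    for name, (status, reason) in find_noncompliant(SAMPLE_DB_INSTANCES, SAMPLE_KEY_MANAGER).items():
        print(f"{status}: {name}: {reason}")
```

Instances reported as FAIL are the ones to put through the snapshot, encrypted copy and restore steps above; an UNKNOWN result means the key lookup, not the instance, needs attention first.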