Automatically remediate unencrypted Amazon RDS DB instances and clusters - AWS Prescriptive Guidance

Created by Ajay Rawat (AWS) and Josh Joy (AWS)

Environment: PoC or pilot

Technologies: Security, identity, compliance; Databases

AWS services: AWS Config; AWS KMS; AWS Identity and Access Management; AWS Systems Manager; Amazon RDS

Summary

This pattern describes how to automatically remediate unencrypted Amazon Relational Database Service (Amazon RDS) DB instances and clusters on Amazon Web Services (AWS) by using AWS Config, AWS Systems Manager runbooks, and AWS Key Management Service (AWS KMS) keys.

Encrypted RDS DB instances provide an additional layer of data protection by securing your data from unauthorized access to the underlying storage. You can use Amazon RDS encryption to increase data protection of your applications deployed in the AWS Cloud, and to fulfill compliance requirements for encryption at rest. You can enable encryption for an RDS DB instance when you create it, but not after it's created. However, you can add encryption to an unencrypted RDS DB instance by creating a snapshot of your DB instance, and then creating an encrypted copy of that snapshot. You can then restore a DB instance from the encrypted snapshot to get an encrypted copy of your original DB instance.

This pattern uses AWS Config rules to evaluate RDS DB instances and clusters. It applies remediation by using AWS Systems Manager runbooks, which define the actions to be performed on noncompliant Amazon RDS resources, and AWS KMS keys to encrypt the DB snapshots. It then enforces service control policies (SCPs) to prevent the creation of new DB instances and clusters without encryption.

The code for this pattern is provided in GitHub.

Prerequisites and limitations

Prerequisites

  • An active AWS account

  • Files from the GitHub source code repository for this pattern downloaded to your computer

  • An unencrypted RDS DB instance or cluster

  • An existing AWS KMS key for encrypting RDS DB instances and clusters

  • Access to update the KMS key resource policy

  • AWS Config enabled in your AWS account (see Getting Started with AWS Config in the AWS documentation)

Limitations

  • You can enable encryption for an RDS DB instance only when you create it, not after it has been created.

  • You can't have an encrypted read replica of an unencrypted DB instance or an unencrypted read replica of an encrypted DB instance.

  • You can't restore an unencrypted backup or snapshot to an encrypted DB instance.

  • Amazon RDS encryption is available for most DB instance classes. For a list of exceptions, see Encrypting Amazon RDS resources in the Amazon RDS documentation.

  • To copy an encrypted snapshot from one AWS Region to another, you must specify the KMS key in the destination AWS Region. This is because KMS keys are specific to the AWS Region that they are created in.

  • The source snapshot remains encrypted throughout the copy process. Amazon RDS uses envelope encryption to protect data during the copy process. For more information, see Envelope encryption in the AWS KMS documentation.

  • You can't unencrypt an encrypted DB instance. However, you can export data from an encrypted DB instance and import the data into an unencrypted DB instance.

  • You should delete a KMS key only when you are sure that you don't need to use it any longer. If you aren't sure, consider disabling the KMS key instead of deleting it. You can reenable a disabled KMS key if you need to use it again later, but you cannot recover a deleted KMS key. 

  • If you don't choose to retain automated backups, your automated backups that are in the same AWS Region as the DB instance are deleted. They can't be recovered after you delete the DB instance.

  • Your automated backups are retained for the retention period that is set on the DB instance at the time you delete it. This set retention period occurs whether or not you choose to create a final DB snapshot.

  • If automatic remediation is enabled, this solution encrypts every noncompliant database with the same KMS key.

Architecture

The following diagram illustrates the architecture for the AWS CloudFormation implementation. Note that you can also implement this pattern by using the AWS Cloud Development Kit (AWS CDK).

AWS CloudFormation implementation for remediating unencrypted Amazon RDS instances.

Tools

Tools

  • AWS CloudFormation helps you automatically set up your AWS resources. It enables you to use a template file to create and delete a collection of resources together as a single unit (a stack).

  • AWS Cloud Development Kit (AWS CDK) is a software development framework for defining your cloud infrastructure in code and provisioning it by using familiar programming languages.

AWS services and features

  • AWS Config keeps track of the configuration of your AWS resources and their relationships to your other resources. It can also evaluate those AWS resources for compliance. This service uses rules that can be configured to evaluate AWS resources against desired configurations. You can use a set of AWS Config managed rules for common compliance scenarios, or you can create your own rules for custom scenarios. When an AWS resource is found to be noncompliant, you can specify a remediation action through an AWS Systems Manager runbook and optionally send an alert through an Amazon Simple Notification Service (Amazon SNS) topic. In other words, you can associate remediation actions with AWS Config rules and choose to run them automatically to address noncompliant resources without manual intervention. If a resource is still noncompliant after automatic remediation, you can set the rule to try automatic remediation again.

  • Amazon Relational Database Service (Amazon RDS) makes it easier to set up, operate, and scale a relational database in the cloud. The basic building block of Amazon RDS is the DB instance, which is an isolated database environment in the AWS Cloud. Amazon RDS provides a selection of instance types that are optimized to fit different relational database use cases. Instance types comprise various combinations of CPU, memory, storage, and networking capacity and give you the flexibility to choose the appropriate mix of resources for your database. Each instance type includes several instance sizes, allowing you to scale your database to the requirements of your target workload.

  • AWS Key Management Service (AWS KMS) is a managed service that makes it easy for you to create and control AWS KMS keys, which encrypt your data. A KMS key is a logical representation of a root key. The KMS key includes metadata, such as the key ID, creation date, description, and key state.

  • AWS Identity and Access Management (IAM) helps you securely manage access to your AWS resources by controlling who is authenticated and authorized to use them.

  • Service control policies (SCPs) offer central control over the maximum available permissions for all accounts in your organization. SCPs help you ensure that your accounts stay within your organization’s access control guidelines. SCPs don't affect users or roles in the management account. They affect only the member accounts in your organization. We strongly recommend that you don't attach SCPs to the root of your organization without thoroughly testing the impact that the policy has on accounts. Instead, create an organizational unit (OU) that you can move your accounts into one at a time, or at least in small numbers, to ensure that you don't inadvertently lock users out of key services.

Code

The source code and templates for this pattern are available in a GitHub repository. The pattern provides two implementation options: You can deploy an AWS CloudFormation template to create the remediation role that encrypts RDS DB instances and clusters, or use the AWS CDK. The repository has separate folders for these two options.

The Epics section provides step-by-step instructions for deploying the CloudFormation template. If you want to use the AWS CDK, follow the instructions in the README.md file in the GitHub repository.

Best practices

  • Enable data encryption both at rest and in transit.

  • Enable AWS Config in all accounts and AWS Regions.

  • Record configuration changes to all resource types.

  • Rotate your IAM credentials regularly.

  • Use tagging for AWS Config, which makes it easier to manage, search for, and filter resources.

Epics

Task | Description | Skills required

Download the CloudFormation template.

Download the unencrypted-to-encrypted-rds.template.json file from the GitHub repository.

DevOps engineer

Create the CloudFormation stack.

  1. Sign in to the AWS Management Console and open the CloudFormation console at https://console.aws.amazon.com/cloudformation/

  2. Launch the unencrypted-to-encrypted-rds.template.json template to create a new stack.

For more information about deploying templates, see the AWS CloudFormation documentation.

DevOps engineer

Review CloudFormation parameters and values.

  1. Review stack details and update values based on your environment requirements.

  2. Choose Create stack to deploy the template.

DevOps engineer

Review the resources.

When the stack has been created, its status changes to CREATE_COMPLETE. Review the created resources (IAM role, AWS Systems Manager runbook) in the CloudFormation console.

DevOps engineer

Task | Description | Skills required

Update your KMS key policy.

  1. Make sure that the key alias alias/RDSEncryptionAtRestKMSAlias exists. 

  2. The key policy statement should include the IAM remediation role. (Check the resources created by the CloudFormation template you deployed in the previous epic.) 

  3. In the following key policy statement, replace the placeholders in angle brackets with your AWS account ID and the name of the IAM remediation role that was created, and set kms:ViaService to the Amazon RDS endpoint for your Region.

    {
      "Sid": "Allow access through RDS for all principals in the account that are authorized to use RDS",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<your-AWS-account-ID>:role/<your-IAM-remediation-role>"
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:DescribeKey"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "kms:ViaService": "rds.us-east-1.amazonaws.com",
          "kms:CallerAccount": "<your-AWS-account-ID>"
        }
      }
    }
DevOps engineer
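To confirm that the key policy actually carries the statement above with the placeholders filled in, the following Python builds the statement for a given account, role and Region and audits an existing key policy document for it. This is an added example, not code from the pattern's GitHub repository; the account ID 111122223333 and the role name RdsRemediationRole are constructed placeholders.

```python
"""Audit a KMS key policy for the RDS remediation role's statement.

Added example; not code from the pattern's GitHub repository.
"""
import json

# Actions the pattern's key policy statement grants to the remediation role.
REQUIRED_ACTIONS = (
    "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*",
    "kms:CreateGrant", "kms:ListGrants", "kms:DescribeKey",
)


def build_remediation_statement(account_id, role_name, region):
    """Return the pattern's statement with the placeholders filled in."""
    return {
        "Sid": "Allow access through RDS for all principals in the account that are authorized to use RDS",
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{account_id}:role/{role_name}"},
        "Action": list(REQUIRED_ACTIONS),
        "Resource": "*",
        "Condition": {
            "StringEquals": {
                # Both conditions keep the key usable only through RDS in this Region and account.
                "kms:ViaService": f"rds.{region}.amazonaws.com",
                "kms:CallerAccount": account_id,
            }
        },
    }


def _as_list(value):
    """Policy elements may be a single string or a list; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principals(statement):
    """Return the AWS principals of a statement (handles the bare "*" form too)."""
    principal = statement.get("Principal", {})
    if isinstance(principal, dict):
        return _as_list(principal.get("AWS"))
    return _as_list(principal)


def _statement_findings(stmt, account_id, region):
    findings = []
    actions = set(_as_list(stmt.get("Action")))
    missing = set(REQUIRED_ACTIONS) - actions
    if missing and "kms:*" not in actions:
        findings.append("missing actions: " + ", ".join(sorted(missing)))
    cond = stmt.get("Condition", {}).get("StringEquals", {})
    if cond.get("kms:ViaService") != f"rds.{region}.amazonaws.com":
        findings.append(f"kms:ViaService does not restrict use to rds.{region}.amazonaws.com")
    if cond.get("kms:CallerAccount") != account_id:
        findings.append("kms:CallerAccount does not pin the calling account")
    return findings


def check_key_policy(policy, account_id, role_name, region):
    """Return findings for the remediation role; an empty list means it checks out.

    If several Allow statements name the role, one fully correct statement is enough.
    """
    role_arn = f"arn:aws:iam::{account_id}:role/{role_name}"
    matching = [
        s for s in policy.get("Statement", [])
        if s.get("Effect") == "Allow" and role_arn in _principals(s)
    ]
    if not matching:
        return [f"no Allow statement names {role_arn}"]
    per_statement = [_statement_findings(s, account_id, region) for s in matching]
    if any(not f for f in per_statement):
        return []
    return [f for findings in per_statement for f in findings]


if __name__ == "__main__":
    # Constructed placeholders, not a real account or role.
    acct, role, region = "111122223333", "RdsRemediationRole", "us-east-1"
    policy = {"Version": "2012-10-17",
              "Statement": [build_remediation_statement(acct, role, region)]}
    print(json.dumps(policy, indent=2))
    print(check_key_policy(policy, acct, role, region) or "policy OK")
```

Run `check_key_policy` against the output of `aws kms get-key-policy` for the key behind alias/RDSEncryptionAtRestKMSAlias before you start remediation: a missing kms:ViaService or kms:CallerAccount condition is reported as a finding rather than silently accepted, because those two conditions are what keep the grant usable only through Amazon RDS in your own account.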

Task | Description | Skills required

View noncompliant resources.

  1. To view a list of noncompliant resources, open the AWS Config console at https://console.aws.amazon.com/config/

  2. In the navigation pane, choose Rules, and then choose the rds-storage-encrypted rule.

The noncompliant resources listed in the AWS Config console will be instances, not clusters. The remediation automation encrypts instances and clusters and creates a new encrypted instance or a new encrypted cluster. However, be sure not to simultaneously remediate multiple instances that belong to the same cluster.

Before you remediate any RDS DB instances or volumes, make sure that the RDS DB instance is not in use. Confirm that there are no write operations occurring while the snapshot is being created, to ensure that the snapshot contains the original data. Consider enforcing a maintenance window during which the remediation will run.

DevOps engineer
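The following Python illustrates the two cautions above. It is an added example, not code from the pattern's repository. Given a constructed inventory in the shape of the DBInstances list that describe_db_instances returns (only the fields used here are present), it lists what the rds-storage-encrypted rule would flag and plans remediation batches so that no batch contains two instances of the same cluster. Holding back read replicas until their source has been remediated is this example's own reading of the read-replica limitation listed earlier, not a step the pattern prescribes.

```python
"""Triage unencrypted RDS DB instances and plan remediation batches.

Added example; not code from the pattern's repository.
"""
from collections import defaultdict

# Constructed sample inventory shaped like describe_db_instances()["DBInstances"].
SAMPLE_INVENTORY = [
    {"DBInstanceIdentifier": "database-1", "Engine": "mysql",
     "StorageEncrypted": False},
    {"DBInstanceIdentifier": "database-2", "Engine": "postgres",
     "StorageEncrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
    {"DBInstanceIdentifier": "aurora-1-writer", "Engine": "aurora-mysql",
     "StorageEncrypted": False, "DBClusterIdentifier": "aurora-1"},
    {"DBInstanceIdentifier": "aurora-1-reader", "Engine": "aurora-mysql",
     "StorageEncrypted": False, "DBClusterIdentifier": "aurora-1"},
    {"DBInstanceIdentifier": "database-3", "Engine": "mariadb",
     "StorageEncrypted": False,
     "ReadReplicaSourceDBInstanceIdentifier": "database-1"},
]


def find_noncompliant(instances):
    """Mirror what the rds-storage-encrypted rule flags: StorageEncrypted is false."""
    return [i["DBInstanceIdentifier"] for i in instances
            if not i.get("StorageEncrypted", False)]


def plan_batches(instances):
    """Group noncompliant instances so that no batch holds two members of one cluster.

    Stand-alone instances are keyed by their own identifier, so they all fit in
    the first batch. Read replicas of an unencrypted source are deferred (this
    example's choice): an encrypted copy of the source can't keep an
    unencrypted replica, so the replica has to be handled after its source.
    Returns (batches, deferred).
    """
    groups = defaultdict(list)
    deferred = []
    for inst in instances:
        if inst.get("StorageEncrypted", False):
            continue
        if inst.get("ReadReplicaSourceDBInstanceIdentifier"):
            deferred.append(inst["DBInstanceIdentifier"])
            continue
        key = inst.get("DBClusterIdentifier") or inst["DBInstanceIdentifier"]
        groups[key].append(inst["DBInstanceIdentifier"])

    batches = []
    # Round-robin: batch k takes the k-th remaining member of every group.
    while any(groups.values()):
        batches.append([members.pop(0) for members in groups.values() if members])
    return batches, deferred


if __name__ == "__main__":
    print("noncompliant:", find_noncompliant(SAMPLE_INVENTORY))
    batches, deferred = plan_batches(SAMPLE_INVENTORY)
    for n, batch in enumerate(batches, 1):
        print(f"maintenance window batch {n}:", batch)
    print("deferred until source is remediated:", deferred)
```

Each batch is what you would remediate within one maintenance window; the next batch waits until the previous one has completed and the new encrypted resources have been validated.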

Remediate noncompliant resources.

  1. When you are ready and the maintenance window is in effect, choose the resource to remediate, and then choose Remediate.

    The Action status column should now display Action execution queued.

  2. View the progress and status of the remediation in Systems Manager. Open the AWS Systems Manager console at https://console.aws.amazon.com/systems-manager/. In the navigation pane, choose Automation, and then select the execution ID of the corresponding automation to view further details.

DevOps engineer

Verify that the RDS DB instance is available.

After the automation completes, the newly encrypted RDS DB instance will become available. The encrypted RDS DB instance will have the prefix encrypted followed by the original name. For example, if the unencrypted RDS DB instance name was database-1, the newly encrypted RDS DB instance would be encrypted-database-1.

DevOps engineer

Terminate the unencrypted instance.

After remediation is complete and the newly encrypted resource has been validated, you can terminate the unencrypted instance. Make sure to confirm that the newly encrypted resource matches the unencrypted resource before you terminate any resources.

DevOps engineer
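The two checks above, the encrypted- naming of the new instance and confirming that it matches the original before anything is terminated, as an added Python example that is not part of the pattern's repository. Both instance descriptions are constructed samples in the shape of describe_db_instances output, the KMS key ARN is a placeholder, and the list of attributes compared is this example's choice.

```python
"""Compare the newly encrypted DB instance against the original before terminating it.

Added example; not code from the pattern's repository.
"""

# Placeholder ARN of the key behind alias/RDSEncryptionAtRestKMSAlias (constructed).
EXPECTED_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"

# Attributes that a restore from the encrypted snapshot should carry over
# unchanged (this example's choice of what to compare).
CARRIED_OVER = ("Engine", "EngineVersion", "DBInstanceClass", "AllocatedStorage",
                "StorageType", "MasterUsername", "DBName", "MultiAZ")

# Constructed: the original, unencrypted instance.
SAMPLE_SOURCE = {
    "DBInstanceIdentifier": "database-1", "DBInstanceStatus": "available",
    "Engine": "mysql", "EngineVersion": "8.0.36", "DBInstanceClass": "db.t3.medium",
    "AllocatedStorage": 100, "StorageType": "gp3", "MasterUsername": "admin",
    "DBName": "appdb", "MultiAZ": False, "StorageEncrypted": False,
}

# Constructed: what the remediation runbook is expected to produce.
SAMPLE_TARGET = dict(
    SAMPLE_SOURCE, DBInstanceIdentifier="encrypted-database-1",
    StorageEncrypted=True, KmsKeyId=EXPECTED_KEY_ARN,
)


def verify_encrypted_copy(source, target, expected_kms_key_arn):
    """Return a list of mismatches; an empty list means the copy checks out."""
    problems = []
    expected_id = "encrypted-" + source["DBInstanceIdentifier"]
    if target.get("DBInstanceIdentifier") != expected_id:
        problems.append(f"identifier is {target.get('DBInstanceIdentifier')}, expected {expected_id}")
    if target.get("DBInstanceStatus") != "available":
        problems.append(f"status is {target.get('DBInstanceStatus')}, not available")
    if not target.get("StorageEncrypted"):
        problems.append("target storage is not encrypted")
    if target.get("KmsKeyId") != expected_kms_key_arn:
        problems.append(f"KmsKeyId is {target.get('KmsKeyId')}, expected {expected_kms_key_arn}")
    for attr in CARRIED_OVER:
        if source.get(attr) != target.get(attr):
            problems.append(f"{attr} differs: source={source.get(attr)!r}, target={target.get(attr)!r}")
    return problems


def safe_to_terminate_source(source, target, expected_kms_key_arn):
    """True only when every check passes; until then the unencrypted instance stays."""
    return not verify_encrypted_copy(source, target, expected_kms_key_arn)


if __name__ == "__main__":
    issues = verify_encrypted_copy(SAMPLE_SOURCE, SAMPLE_TARGET, EXPECTED_KEY_ARN)
    print("OK to terminate database-1" if not issues else "\n".join(issues))
```

Feed it the describe_db_instances output for the original and the encrypted-prefixed instance; the KMS key check matters because an instance encrypted with a different key than the one your key policy authorizes would pass the Config rule yet still be a misconfiguration.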

Task | Description | Skills required

Enforce SCPs.

Enforce SCPs to prevent DB instances and clusters from being created without encryption in the future. Use the rds_encrypted.json file that's provided in the GitHub repository for this purpose, and follow the instructions in the AWS documentation.

Security engineer

Additional information

FAQ

Q. How does AWS Config work?

A. When you turn on AWS Config, it first discovers the supported AWS resources that exist in your account and generates a configuration item for each resource. AWS Config also generates configuration items when the configuration of a resource changes, and it maintains historical records of the configuration items of your resources from the time you start the configuration recorder. By default, AWS Config creates configuration items for every supported resource in the AWS Region. If you don't want AWS Config to create configuration items for all supported resources, you can specify the resource types that you want it to track.

Q. How are AWS Config and AWS Config rules related to AWS Security Hub?

A. AWS Security Hub is a security and compliance service that provides security and compliance posture management as a service. It uses AWS Config and AWS Config rules as its primary mechanism to evaluate the configuration of AWS resources. AWS Config rules can also be used to evaluate resource configuration directly. Config rules are also used by other AWS services, such as AWS Control Tower and AWS Firewall Manager.