Control: 4 RDS cluster snapshots and database snapshots should be encrypted at rest
This control checks whether RDS DB snapshots are encrypted.
This control is intended for RDS DB instances. However, it can also generate findings for snapshots of Aurora DB instances, Neptune DB instances, and Amazon DocumentDB clusters. If these findings are not useful, then you can suppress them.
Encrypting data at rest reduces the risk that an unauthenticated user gets access to data that is stored on disk. Data in RDS snapshots should be encrypted at rest for an added layer of security.
- Open the Amazon RDS console.
- In the navigation pane, choose
- Find the snapshot to encrypt under
- Select the check box next to the snapshot to encrypt.
- Actions, then choose
- New DB Snapshot Identifier, type a name for the new snapshot.
- Choose the KMS key to use to encrypt the snapshot.
- After the new snapshot is created, delete the original snapshot.
- Backup Retention Period, choose a positive nonzero value. For example, 30 days.
steampipe check aws_compliance.control.foundational_security_rds_4
This control uses a named query: rds_db_snapshot_encrypted_at_rest
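Added example (not part of the Steampipe mod or the AWS documentation): the same encrypted-at-rest check applied offline to saved output of `aws rds describe-db-snapshots` and `aws rds describe-db-cluster-snapshots`, with the copy parameters for each unencrypted snapshot and optional suppression of Aurora, Neptune, and DocumentDB findings. The sample data, the `-encrypted` suffix, and the key alias `alias/example-key` are constructed placeholders.

```python
# Engines the control text names as optional to suppress (Aurora, Neptune, DocumentDB).
SUPPRESSIBLE_ENGINES = ("aurora", "neptune", "docdb")

def evaluate(response, suppress_non_rds=False):
    """Return one finding per snapshot: ok, alarm, or skip (suppressed)."""
    findings = []
    # DB snapshots report "Encrypted"; cluster snapshots report "StorageEncrypted".
    shapes = (("DBSnapshots", "DBSnapshotIdentifier", "Encrypted"),
              ("DBClusterSnapshots", "DBClusterSnapshotIdentifier", "StorageEncrypted"))
    for list_key, id_key, enc_key in shapes:
        for snap in response.get(list_key, []):
            engine = snap.get("Engine", "")
            if snap.get(enc_key, False):   # a missing flag is treated as unencrypted
                status = "ok"
            elif suppress_non_rds and engine.startswith(SUPPRESSIBLE_ENGINES):
                status = "skip"
            else:
                status = "alarm"
            findings.append({"id": snap[id_key], "cluster": list_key == "DBClusterSnapshots",
                             "engine": engine, "status": status})
    return findings

def copy_request(finding, kms_key_id):
    """Build the copy-snapshot parameters that produce an encrypted copy."""
    # Automated snapshot names start with "rds:", and ":" is not valid in a new identifier.
    target = finding["id"].replace(":", "-") + "-encrypted"
    kind = "DBClusterSnapshot" if finding["cluster"] else "DBSnapshot"
    return {f"Source{kind}Identifier": finding["id"],
            f"Target{kind}Identifier": target,
            "KmsKeyId": kms_key_id}

# Constructed sample responses (not real resources).
SAMPLE = {
    "DBSnapshots": [
        {"DBSnapshotIdentifier": "orders-manual-1", "Engine": "postgres", "Encrypted": False},
        {"DBSnapshotIdentifier": "rds:orders-2024-05-01-03-10", "Engine": "postgres", "Encrypted": True},
        {"DBSnapshotIdentifier": "rds:legacy-2024-05-01-03-10", "Engine": "mysql", "Encrypted": False},
    ],
    "DBClusterSnapshots": [
        {"DBClusterSnapshotIdentifier": "docs-snap", "Engine": "docdb", "StorageEncrypted": False},
    ],
}

if __name__ == "__main__":
    for f in evaluate(SAMPLE, suppress_non_rds=True):
        print(f["status"], f["id"])
        if f["status"] == "alarm":
            print("  copy with:", copy_request(f, "alias/example-key"))
```

The dictionaries returned by `copy_request` use the parameter names of the RDS `CopyDBSnapshot` and `CopyDBClusterSnapshot` API operations.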