A-RDS-1

Found Unencrypted RDS Snapshots

Risk:
High
CWE:
312

Unencrypted snapshots store data at rest in plain text and forfeit the additional access controls available through AWS KMS.


Details

AWS RDS provides databases as a service, managing both the database software layer and the underlying infrastructure. As part of this service, certain aspects of infrastructure and software management, such as your database's backups, are handled by RDS. If RDS snapshots are used as database backups, then encryption of the data stored in those backups must be configured through RDS settings.

As a snapshot is a copy of the whole RDS database at a point in time, it's important to ensure that the snapshot itself is encrypted: without encryption, all the data on the snapshot is essentially stored in plain text. By encrypting the snapshot, the data is unreadable unless decrypted with the AWS KMS key used to encrypt it. Even if the raw data blocks were stolen or compromised, the data would remain unreadable without access to, and specific decryption permissions on, the AWS KMS key used for encryption.

In addition to protecting snapshots that may be copied or accessed by unauthorised parties, enabling encryption at rest ties your stored data to an AWS KMS key that you control. AWS KMS key policies are more advanced and flexible than RDS and database permissions, allowing you to define and enforce granular access and usage controls. These policies can govern access not only within a single AWS account but also across accounts, roles, departments, and even specific services.

Remediation

For snapshots that are unencrypted it's important to also check that they have not been shared publicly. Public sharing of an unencrypted snapshot is a serious data compromise and needs to be discovered and managed as soon as possible.

For snapshots that are not shared but simply not encrypted, the remediation can be simple or more involved depending on the data stored on the snapshot.

For business-as-usual data such as automated backups, it's possible to simply update the backup policy to use an encryption key and let the unencrypted backups age out over time. This may require some attention to ensure that unencrypted backups are cleaned up appropriately and have been suitably replaced by new encrypted snapshots.

For snapshots that contain specific data that will not be superseded over time, a different process should be followed: create a new RDS database using the snapshot as a base and, once it is running, create a new encrypted snapshot from the running database. As snapshots cannot be encrypted in place, it is necessary to restore the data to a running database and recreate the snapshot as described.
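The triage described above (find unencrypted snapshots, check whether each is shared publicly or with other accounts, and pick the remediation path by snapshot type) as an added example; this is not SkySiege's scanner or any AWS-provided code. It works on the response shapes of the RDS API calls DescribeDBSnapshots and DescribeDBSnapshotAttributes, so the sample data below is constructed to match those shapes and the audit runs offline. The account IDs, snapshot names and key ARN in the samples are made up.

```python
"""Triage of unencrypted RDS snapshots and their sharing status (example code)."""
from dataclasses import dataclass, field

# Constructed sample of what `rds.describe_db_snapshots()` returns (trimmed to
# the fields used here). Automated snapshots carry the "rds:" prefix.
SAMPLE_SNAPSHOTS = {
    "DBSnapshots": [
        {"DBSnapshotIdentifier": "prod-orders-2024-01-01", "DBInstanceIdentifier": "prod-orders",
         "SnapshotType": "manual", "Encrypted": False},
        {"DBSnapshotIdentifier": "rds:prod-orders-2024-01-02", "DBInstanceIdentifier": "prod-orders",
         "SnapshotType": "automated", "Encrypted": False},
        {"DBSnapshotIdentifier": "prod-users-2024-01-02", "DBInstanceIdentifier": "prod-users",
         "SnapshotType": "manual", "Encrypted": True,
         "KmsKeyId": "arn:aws:kms:eu-west-2:111122223333:key/EXAMPLE-KEY-ID"},
    ]
}

# Constructed sample of `rds.describe_db_snapshot_attributes(DBSnapshotIdentifier=...)`
# per manual snapshot. The "restore" attribute lists the account IDs the snapshot is
# shared with; the single value "all" means it is public.
SAMPLE_ATTRIBUTES = {
    "prod-orders-2024-01-01": {"DBSnapshotAttributesResult": {
        "DBSnapshotIdentifier": "prod-orders-2024-01-01",
        "DBSnapshotAttributes": [{"AttributeName": "restore", "AttributeValues": ["all"]}]}},
    "prod-users-2024-01-02": {"DBSnapshotAttributesResult": {
        "DBSnapshotIdentifier": "prod-users-2024-01-02",
        "DBSnapshotAttributes": [{"AttributeName": "restore", "AttributeValues": ["444455556666"]}]}},
}


@dataclass
class Finding:
    identifier: str
    instance: str
    snapshot_type: str                                  # "manual" or "automated"
    shared_with: list = field(default_factory=list)     # account IDs, or ["all"] when public

    @property
    def public(self) -> bool:
        return "all" in self.shared_with

    @property
    def action(self) -> str:
        """Remediation path, following the three cases in the finding text."""
        if self.public:
            return "revoke public restore access immediately and treat as a data compromise"
        if self.shared_with:
            return "review cross-account sharing before re-encrypting"
        if self.snapshot_type == "automated":
            return "enable encryption in the backup policy and let this snapshot age out"
        return "restore to a database, create an encrypted snapshot, then delete this one"


def shared_accounts(attr_response: dict) -> list:
    """Return the 'restore' attribute values from a DescribeDBSnapshotAttributes response."""
    result = attr_response.get("DBSnapshotAttributesResult", {})
    for attr in result.get("DBSnapshotAttributes", []):
        if attr.get("AttributeName") == "restore":
            return list(attr.get("AttributeValues", []))
    return []


def triage(snapshots_response: dict, attributes_by_id: dict) -> list:
    """Return one Finding per unencrypted snapshot, public ones first, then shared ones."""
    findings = []
    for snap in snapshots_response.get("DBSnapshots", []):
        if snap.get("Encrypted", False):
            continue  # encrypted snapshots are out of scope for this finding
        ident = snap["DBSnapshotIdentifier"]
        kind = snap.get("SnapshotType", "manual")
        # Only manual snapshots can be shared, so sharing is checked for those alone.
        shared = shared_accounts(attributes_by_id.get(ident, {})) if kind == "manual" else []
        findings.append(Finding(ident, snap.get("DBInstanceIdentifier", "?"), kind, shared))
    findings.sort(key=lambda f: (not f.public, not f.shared_with, f.identifier))
    return findings


def audit_live(rds) -> list:
    """Run the same triage against a real account. `rds` is a boto3 RDS client
    (boto3.client("rds")); it is passed in so this module imports without boto3."""
    snapshots = {"DBSnapshots": []}
    for page in rds.get_paginator("describe_db_snapshots").paginate():
        snapshots["DBSnapshots"].extend(page["DBSnapshots"])
    attrs = {}
    for snap in snapshots["DBSnapshots"]:
        if snap.get("SnapshotType") == "manual" and not snap.get("Encrypted", False):
            attrs[snap["DBSnapshotIdentifier"]] = rds.describe_db_snapshot_attributes(
                DBSnapshotIdentifier=snap["DBSnapshotIdentifier"])
    return triage(snapshots, attrs)


if __name__ == "__main__":
    for f in triage(SAMPLE_SNAPSHOTS, SAMPLE_ATTRIBUTES):
        print(f"{f.identifier:30} {f.snapshot_type:9} shared={f.shared_with or '-'} -> {f.action}")
```

On the sample data the public manual snapshot is reported first with the "revoke" action, and the unencrypted automated backup is mapped to the backup-policy change. The client is injected into audit_live rather than created inside it, so the same triage logic can be exercised against recorded API responses in a test as well as against a live account.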

Encryption Policies

Encryption policies need to match your organisation's policies and procedures; there is no one-size-fits-all policy that can satisfy all workflows, policies, insurers, operational teams and other stakeholders. Guidance in this area is of great benefit and something we're happy to advise on:

Discover if you're vulnerable

SkySiege Cloud Security Assessments scan for this issue and provide same-day reports.
Available for individual projects or organisations.