Ensure all data stored in Aurora is securely encrypted at rest

Error: Not all data stored in Aurora is securely encrypted at rest

Bridgecrew Policy ID: BC_AWS_GENERAL_38
Checkov Check ID: CKV_AWS_96
Severity: HIGH


Description

This policy examines the Terraform resource aws_rds_cluster (and the equivalent CloudFormation resource AWS::RDS::DBCluster) and checks that the storage_encrypted property (StorageEncrypted in CloudFormation) is set to true. With encryption at rest enabled, Aurora uses an AWS KMS key to encrypt the cluster volume together with its automated backups, snapshots and the storage of every instance in the cluster; if no kms_key_id is given, the AWS managed key aws/rds is used. Two caveats matter in practice: encryption cannot be switched on for an existing cluster, it has to be chosen when the cluster is created, and Aurora Serverless v1 clusters (engine_mode = "serverless") are always encrypted, so the check passes them regardless of the flag. Aurora Serverless v2 runs in provisioned engine mode and still needs storage_encrypted = true.
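As an added illustration (this is not Checkov's own source code, although it applies the same rule, including the Aurora Serverless v1 exemption), the following stand-alone Python re-implements the check and runs it over constructed Terraform and CloudFormation resource dictionaries. The dictionary shape, the sample resource names and the KMS key ARN are assumptions made for the example.

```python
from enum import Enum


class CheckResult(Enum):
    PASSED = "PASSED"
    FAILED = "FAILED"


def _as_bool(value) -> bool:
    # Terraform and CloudFormation both accept a bare boolean or the strings
    # "true"/"false". Anything else, including a missing value, counts as
    # not encrypted, which is the safe default for a security check.
    if isinstance(value, bool):
        return value
    if isinstance(value, str):
        return value.strip().lower() == "true"
    return False


def check_terraform_rds_cluster(conf: dict) -> CheckResult:
    """Evaluate one aws_rds_cluster block.

    `conf` uses the shape Checkov gives Terraform attributes: every value is a
    one-element list, e.g. {"storage_encrypted": [True]} (assumed here).
    """
    engine_mode = conf.get("engine_mode", [None])[0]
    if engine_mode == "serverless":
        # Aurora Serverless v1 clusters are always encrypted, so the flag is
        # irrelevant. Serverless v2 uses engine_mode "provisioned" and is NOT
        # exempt: it falls through to the storage_encrypted test below.
        return CheckResult.PASSED
    encrypted = conf.get("storage_encrypted", [None])[0]
    return CheckResult.PASSED if _as_bool(encrypted) else CheckResult.FAILED


def check_cloudformation_db_cluster(resource: dict) -> CheckResult:
    """Evaluate one AWS::RDS::DBCluster resource from a CloudFormation template."""
    if resource.get("Type") != "AWS::RDS::DBCluster":
        raise ValueError("not an AWS::RDS::DBCluster resource")
    props = resource.get("Properties") or {}
    if props.get("EngineMode") == "serverless":
        return CheckResult.PASSED
    return CheckResult.PASSED if _as_bool(props.get("StorageEncrypted")) else CheckResult.FAILED


def scan_terraform_clusters(clusters: dict) -> dict:
    """Run the check over {resource_address: conf} and return {resource_address: result}."""
    return {name: check_terraform_rds_cluster(conf) for name, conf in clusters.items()}


# Constructed sample input for the example (not taken from any real plan or template).
SAMPLE_TF_CLUSTERS = {
    "aws_rds_cluster.unencrypted": {
        "cluster_identifier": ["aurora-cluster-demo"],
        "engine": ["aurora-mysql"],
    },
    "aws_rds_cluster.explicit_false": {
        "cluster_identifier": ["aurora-cluster-false"],
        "engine": ["aurora-postgresql"],
        "storage_encrypted": ["false"],
    },
    "aws_rds_cluster.encrypted": {
        "cluster_identifier": ["aurora-cluster-enc"],
        "engine": ["aurora-mysql"],
        "storage_encrypted": [True],
        # Hypothetical key ARN; omitting kms_key_id would use the aws/rds managed key.
        "kms_key_id": ["arn:aws:kms:us-east-1:123456789012:key/00000000-0000-0000-0000-000000000000"],
    },
    "aws_rds_cluster.serverless_v1": {
        "cluster_identifier": ["aurora-serverless-demo"],
        "engine": ["aurora-mysql"],
        "engine_mode": ["serverless"],
    },
}

SAMPLE_CFN_RESOURCES = {
    "Aurora": {"Type": "AWS::RDS::DBCluster", "Properties": {"Engine": "aurora"}},
    "AuroraEncrypted": {
        "Type": "AWS::RDS::DBCluster",
        "Properties": {"Engine": "aurora", "StorageEncrypted": True},
    },
}


def failing_terraform_resources(clusters=SAMPLE_TF_CLUSTERS) -> list:
    """Addresses of the clusters that would be reported by the check, sorted."""
    results = scan_terraform_clusters(clusters)
    return sorted(name for name, result in results.items() if result is CheckResult.FAILED)


if __name__ == "__main__":
    for name, result in scan_terraform_clusters(SAMPLE_TF_CLUSTERS).items():
        print(f"{result.value:6} {name}")
    for name, resource in SAMPLE_CFN_RESOURCES.items():
        print(f"{check_cloudformation_db_cluster(resource).value:6} {name}")
```

Run as a script it prints one PASSED/FAILED line per sample resource; the two Terraform clusters without storage_encrypted = true and the CloudFormation cluster without StorageEncrypted are the ones reported.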

Fix - Runtime

AWS Console

Encryption at rest cannot be enabled on an existing Aurora DB cluster; it is chosen when the cluster is created. To remediate a running unencrypted cluster: take a snapshot of the cluster, restore a new cluster from that snapshot with encryption enabled (choose a KMS key in the restore dialog), recreate the writer and reader instances, point applications at the new cluster endpoint, then delete the unencrypted cluster once the cutover has been verified.

CLI Command

The same migration from the CLI: use aws rds create-db-cluster-snapshot to snapshot the unencrypted cluster, aws rds restore-db-cluster-from-snapshot with --kms-key-id to restore it as an encrypted cluster, and aws rds create-db-instance for each instance the new cluster needs. Verify the result with aws rds describe-db-clusters and confirm that StorageEncrypted is true in the output.

Fix - Buildtime

Terraform

  • Resource: aws_rds_cluster
  • Argument: storage_encrypted
resource "aws_rds_cluster" "example" {
  ...
  cluster_identifier      = "aurora-cluster-demo"
+ storage_encrypted       = true
  ...
}

CloudFormation

  • Resource: AWS::RDS::DBCluster
  • Argument: Properties.StorageEncrypted
Resources:
  Aurora:
    Type: 'AWS::RDS::DBCluster'
    Properties:
      ...
      Engine: 'aurora'
+     StorageEncrypted: true
      ...