Ensure AWS RDS DB snapshot uses Customer Managed Keys (CMKs)

Error: AWS RDS DB snapshot does not use Customer Managed Keys (CMKs)

Bridgecrew Policy ID: BC_AWS_GENERAL_180
Checkov Check ID: CKV_AWS_266
Severity: LOW

AWS RDS DB snapshot does not use Customer Managed Keys (CMKs)

Description

This policy identifies RDS DB snapshots that are not encrypted with a KMS customer managed key (CMK). It is a best practice to manage your own encryption keys for all storage volumes and snapshots.

Fix - Runtime

The encryption settings of an existing snapshot cannot be changed. Instead, create a new manual snapshot and copy it with CMK encryption enabled.

  1. Open the Amazon RDS console.
  2. In the navigation pane, choose Databases.
  3. Choose the DB instance for which you want to create a manual snapshot.
  4. Create a manual snapshot for your DB instance.
  5. In the navigation pane, choose Snapshots.
  6. Select the manual snapshot that you created.
  7. Choose Actions, and then choose Copy Snapshot.
  8. Under Encryption, select Enable Encryption.
  9. For AWS KMS Key, choose the new encryption key that you want to use.
  10. Choose Copy snapshot.
  11. Restore the copied snapshot.

Fix - Buildtime

Terraform

  • Resource: aws_db_snapshot_copy
  • Argument: kms_key_id

resource "aws_db_snapshot_copy" "pass" {
  source_db_snapshot_identifier = aws_db_snapshot.example.db_snapshot_arn
  target_db_snapshot_identifier = "testsnapshot1234-copy"
+ kms_key_id                    = aws_kms_key.example.id
}
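As an added example (not Checkov's own implementation), the check above expressed over a Terraform plan in JSON form (`terraform show -json`): an aws_db_snapshot_copy without kms_key_id fails. It handles the case the Terraform snippet itself creates, where kms_key_id references a key built in the same plan and is therefore only listed under after_unknown; the plan fragment and key ARN are constructed placeholders.

```python
"""Scan a Terraform plan (JSON form) for aws_db_snapshot_copy resources
without a kms_key_id, the condition CKV_AWS_266 flags."""
import json

RESOURCE_TYPE = "aws_db_snapshot_copy"


def kms_key_set(change: dict) -> bool:
    """True if kms_key_id is a non-empty known value, or is unknown until
    apply (e.g. aws_kms_key.example.id for a key created in the same plan)."""
    after = change.get("after") or {}
    unknown = change.get("after_unknown") or {}
    if after.get("kms_key_id"):
        return True
    return bool(unknown.get("kms_key_id"))


def evaluate_plan(plan_json: str) -> dict:
    """Map each aws_db_snapshot_copy address to 'PASSED' or 'FAILED'.
    Resources being destroyed are skipped: nothing is left to encrypt."""
    results = {}
    for rc in json.loads(plan_json).get("resource_changes", []):
        if rc.get("type") != RESOURCE_TYPE:
            continue
        change = rc.get("change", {})
        if change.get("actions") == ["delete"]:
            continue
        results[rc["address"]] = "PASSED" if kms_key_set(change) else "FAILED"
    return results


# Constructed plan fragment in the shape of `terraform show -json`, trimmed to
# the fields read above. The key ARN is a placeholder, not a real key.
SAMPLE_PLAN = json.dumps({"resource_changes": [
    {"address": "aws_db_snapshot_copy.fail", "type": RESOURCE_TYPE,
     "change": {"actions": ["create"],
                "after": {"target_db_snapshot_identifier": "testsnapshot1234-copy"},
                "after_unknown": {"id": True}}},
    {"address": "aws_db_snapshot_copy.pass", "type": RESOURCE_TYPE,
     "change": {"actions": ["create"],
                "after": {"target_db_snapshot_identifier": "testsnapshot1234-copy"},
                # kms_key_id = aws_kms_key.example.id is known only after apply
                "after_unknown": {"id": True, "kms_key_id": True}}},
    {"address": "aws_db_snapshot_copy.literal", "type": RESOURCE_TYPE,
     "change": {"actions": ["create"],
                "after": {"kms_key_id": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
                "after_unknown": {"id": True}}},
]})

if __name__ == "__main__":
    for address, verdict in evaluate_plan(SAMPLE_PLAN).items():
        print(f"{verdict}: {address}")
```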