Ensure AWS RDS DB snapshot uses Customer Managed Keys (CMKs)
Error: AWS RDS DB snapshot does not use Customer Managed Keys (CMKs)
Bridgecrew Policy ID: BC_AWS_GENERAL_180
Checkov Check ID: CKV_AWS_266
Severity: LOW
Description
This policy identifies database snapshots that are not encrypted with a customer managed KMS key (CMK). It is a best practice to manage your own encryption keys for all storage volumes and snapshots: a CMK gives you control over the key policy, grants and rotation, and a snapshot encrypted with the AWS managed aws/rds key cannot be shared with another AWS account, whereas one encrypted with a CMK can.
Fix - Runtime
The encryption key of an existing snapshot cannot be changed in place. Instead, take a manual snapshot, copy it with the CMK selected as the encryption key (RDS allows copying an unencrypted snapshot, or one under the AWS managed key, to a CMK, but never copying an encrypted snapshot to an unencrypted one), and restore from the copy.
- Open the Amazon RDS console.
- In the navigation pane, choose Databases.
- Choose the DB instance for which you want to create a manual snapshot.
- Create a manual snapshot for your DB instance.
- In the navigation pane, choose Snapshots.
- Select the manual snapshot that you created.
- Choose Actions, and then choose Copy Snapshot.
- Under Encryption, select Enable Encryption.
- For AWS KMS Key, choose the new encryption key that you want to use.
- Choose Copy snapshot.
- Restore a DB instance from the copied snapshot. The restored instance and all snapshots taken from it are encrypted with the CMK you chose; retire the original snapshot once you have cut over.
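The console steps above, as an added example for this page (not Prisma Cloud or Checkov code): an audit that classifies each snapshot as unencrypted, encrypted with the AWS managed key, or encrypted with a CMK, plus the copy step that re-encrypts a non-compliant snapshot. The record shapes mirror the `DBSnapshots` items returned by `rds:DescribeDBSnapshots` and the `KeyMetadata.KeyManager` field returned by `kms:DescribeKey`; the account, region, key ARNs and snapshot names are constructed so the script runs offline, and `rds` is passed in so a boto3 client or a stub can be used.

```python
"""Audit RDS DB snapshots for CMK encryption and re-encrypt via snapshot copy.

Added example, not Prisma Cloud / Checkov code. Sample data below is
constructed (hypothetical account, region, key IDs and snapshot names).
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# KeyManager values returned by kms:DescribeKey.
AWS_MANAGED = "AWS"
CUSTOMER_MANAGED = "CUSTOMER"


@dataclass(frozen=True)
class Finding:
    snapshot_id: str
    status: str             # "UNENCRYPTED", "AWS_MANAGED_KEY" or "CMK"
    kms_key_id: Optional[str]

    @property
    def compliant(self) -> bool:
        return self.status == "CMK"


def classify_snapshot(snapshot: dict, key_manager_of: Callable[[str], str]) -> Finding:
    """Decide whether one DBSnapshot record is protected by a CMK.

    key_manager_of(arn) returns KeyMetadata.KeyManager for that key; in
    production wrap kms.describe_key(KeyId=arn)["KeyMetadata"]["KeyManager"].
    """
    sid = snapshot["DBSnapshotIdentifier"]
    if not snapshot.get("Encrypted"):
        return Finding(sid, "UNENCRYPTED", None)
    key_arn = snapshot["KmsKeyId"]  # present whenever Encrypted is true
    if key_manager_of(key_arn) == CUSTOMER_MANAGED:
        return Finding(sid, "CMK", key_arn)
    # Encrypted, but under the AWS managed aws/rds key: fails this policy
    # and cannot be shared with another account.
    return Finding(sid, "AWS_MANAGED_KEY", key_arn)


def audit(snapshots: List[dict], key_managers: Dict[str, str]) -> List[Finding]:
    """Return a finding for every snapshot that is NOT encrypted with a CMK."""
    def lookup(arn: str) -> str:
        return key_managers.get(arn, AWS_MANAGED)
    return [f for f in (classify_snapshot(s, lookup) for s in snapshots) if not f.compliant]


def copy_with_cmk(rds, source_snapshot_id: str, cmk_arn: str, suffix: str = "-cmk") -> str:
    """Runtime fix: copy the snapshot, encrypting the copy with cmk_arn.

    rds is a boto3 RDS client (or a stub exposing the same methods). The key
    of an existing snapshot cannot be changed in place, so the copy is the
    remediation; restore a DB instance from the returned identifier with
    restore_db_instance_from_db_snapshot and it inherits the CMK.
    """
    target = f"{source_snapshot_id}{suffix}"
    rds.copy_db_snapshot(
        SourceDBSnapshotIdentifier=source_snapshot_id,
        TargetDBSnapshotIdentifier=target,
        KmsKeyId=cmk_arn,
        CopyTags=True,
    )
    # Block until the copy is usable before anyone restores from it.
    rds.get_waiter("db_snapshot_available").wait(DBSnapshotIdentifier=target)
    return target


# Constructed sample data (hypothetical ARNs and identifiers).
AWS_RDS_KEY = "arn:aws:kms:us-east-1:111122223333:key/aaaaaaaa-0000-0000-0000-000000000001"
MY_CMK = "arn:aws:kms:us-east-1:111122223333:key/bbbbbbbb-0000-0000-0000-000000000002"
SAMPLE_KEY_MANAGERS = {AWS_RDS_KEY: AWS_MANAGED, MY_CMK: CUSTOMER_MANAGED}
SAMPLE_SNAPSHOTS = [
    {"DBSnapshotIdentifier": "orders-manual-1", "Encrypted": False},
    {"DBSnapshotIdentifier": "orders-manual-2", "Encrypted": True, "KmsKeyId": AWS_RDS_KEY},
    {"DBSnapshotIdentifier": "orders-manual-3", "Encrypted": True, "KmsKeyId": MY_CMK},
]

if __name__ == "__main__":
    for f in audit(SAMPLE_SNAPSHOTS, SAMPLE_KEY_MANAGERS):
        print(f"{f.snapshot_id}: {f.status} -> copy with KmsKeyId={MY_CMK}")
```

Against live data, feed `audit()` the `DBSnapshots` list from `describe_db_snapshots(SnapshotType="manual")` and a key-manager lookup backed by `describe_key`; the unencrypted and aws/rds cases are the two that need the copy step, and the copy of an aws/rds snapshot is the only way to make it shareable cross-account.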
Fix - Buildtime
Terraform
- Resource: aws_db_snapshot_copy
- Argument: kms_key_id
Set kms_key_id on the snapshot copy to the CMK. Note that a snapshot taken directly with aws_db_snapshot inherits the key of its DB instance, so for new instances the durable fix is storage_encrypted = true and kms_key_id on the aws_db_instance itself; the copy below is how you re-encrypt a snapshot that already exists.
resource "aws_db_snapshot_copy" "pass" {
  source_db_snapshot_identifier = aws_db_snapshot.example.db_snapshot_arn
  target_db_snapshot_identifier = "testsnapshot1234-copy"
  # Encrypt the copy with the customer managed key (key ID or ARN both work).
  kms_key_id = aws_kms_key.example.id
}
Updated 10 months ago