AWS RDS DB snapshot does not use Customer Managed Keys (CMKs)

Description

This policy identifies database snapshots that were not encrypted with KMS. It is a best practice to manage your own encryption keys for all storage volumes and snapshots.

Fix - Runtime

Changing the encryption method cannot be done for existing snapshots. Instead, create a new snapshot and add the CMK encryption.

1. Open the Amazon RDS console.
2. In the navigation pane, choose Databases.
3. Choose the DB instance for which you want to create a manual snapshot.
4. Create a manual snapshot for your DB instance.
5. In the navigation pane, choose Snapshots.
6. Select the manual snapshot that you created.
7. Choose Actions, and then choose Copy Snapshot.
8. Under Encryption, select Enable Encryption.
9. For AWS KMS Key, choose the new encryption key that you want to use.
10. Choose Copy snapshot.
11. Restore the copied snapshot.

Fix - Buildtime

Terraform

• Resource: aws_db_snapshot_copy
• Argument: kms_key_id

resource "aws_db_snapshot_copy" "pass" {
  source_db_snapshot_identifier = aws_db_snapshot.example.db_snapshot_arn
  target_db_snapshot_identifier = "testsnapshot1234-copy"
+  kms_key_id= aws_kms_key.example.id
}