Ensure AWS RDS DB cluster encryption is enabled

Error: AWS RDS DB cluster encryption is disabled

Bridgecrew Policy ID: BC_AWS_GENERAL_4
Checkov Check ID: CKV_AWS_16
Severity: HIGH

AWS RDS DB cluster encryption is disabled


AWS RDS is a managed DB service enabling quick deployment and management of MySQL, MariaDB, PostgreSQL, Oracle, and Microsoft SQL Server DB engines. Native RDS encryption helps protect your cloud applications and fulfils compliance requirements for data-at-rest encryption.

Fix - Runtime

AWS Console

To change the policy using the AWS Console, follow these steps:

  1. Log in to the AWS Management Console at https://console.aws.amazon.com/.
  2. Open the Amazon RDS console.
  3. Click Snapshots.
  4. Select the snapshot that you want to encrypt.
  5. Navigate to Snapshot Actions, select Copy Snapshot.
  6. Select the Destination Region, then enter your New DB Snapshot Identifier.
  7. Set Enable Encryption to Yes.
  8. Select the Master Key from the list, then select Copy Snapshot.

CLI Command

If you use the create-db-instance AWS CLI command to create an encrypted DB instance, set the --storage-encrypted parameter to true. If you use the CreateDBInstance API operation, set the StorageEncrypted parameter to true.

aws rds create-db-instance \
    --db-instance-identifier test-mysql-instance \
    --db-instance-class db.t3.micro \
    --engine mysql \
    --master-username admin \
    --master-user-password secret99 \
    --allocated-storage 20
    --storage-encrypted true

Fix - Buildtime


  • Resource: aws_db_instance
  • Argument: storage_encrypted - Specifies whether the DB instance is encrypted.
resource "aws_db_instance" "example" {
  name                 = "mydb"
+ storage_encrypted    = true 


  • Resource: AWS::RDS::DBInstance
  • Argument: Properties.StorageEncrypted
    Type: 'AWS::RDS::DBInstance'
+     StorageEncrypted: true