Ensure RDS Snapshots Are Encrypted
Overview
This check verifies that your Amazon RDS database snapshots (both DB instance snapshots and Aurora cluster snapshots) are encrypted at rest using AWS KMS keys. Encryption protects your backup data from unauthorized access.
Risk
Unencrypted RDS snapshots can expose sensitive data if:
- Snapshots are accidentally shared with unauthorized AWS accounts
- An attacker gains access to your AWS account
- Backups are accessed through other means, bypassing network controls
This can lead to data breaches, compliance violations, and regulatory penalties under frameworks like HIPAA, PCI DSS, GDPR, and SOC 2.
Remediation Steps
Prerequisites
- AWS account access with permissions to manage RDS snapshots and KMS keys
- An existing KMS key (or permission to use the default aws/rds key)
Required IAM permissions
Your IAM user or role needs these permissions:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "rds:DescribeDBSnapshots",
        "rds:DescribeDBClusterSnapshots",
        "rds:CopyDBSnapshot",
        "rds:CopyDBClusterSnapshot",
        "rds:DeleteDBSnapshot",
        "rds:DeleteDBClusterSnapshot"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "kms:CreateGrant",
        "kms:DescribeKey"
      ],
      "Resource": "<your-kms-key-arn>"
    }
  ]
}
```
AWS Console Method
Important: You cannot directly encrypt an existing unencrypted snapshot. Instead, you must copy the snapshot and enable encryption during the copy operation.
- Open the Amazon RDS console
- In the left navigation, click Snapshots
- Select the unencrypted snapshot you want to encrypt
- Click Actions, then select Copy snapshot
- Enter a new DB snapshot identifier (e.g., my-snapshot-encrypted)
- Under Encryption, check Enable Encryption
- Select a KMS key (use the default aws/rds key or a customer-managed key)
- Click Copy snapshot
- Wait for the new encrypted snapshot to reach the Available state
- Once verified, delete the original unencrypted snapshot (optional but recommended)
AWS CLI
List unencrypted snapshots
```bash
# List all DB instance snapshots that are not encrypted
aws rds describe-db-snapshots \
  --region us-east-1 \
  --query "DBSnapshots[?Encrypted==\`false\`].[DBSnapshotIdentifier,DBInstanceIdentifier,SnapshotCreateTime]" \
  --output table

# List all Aurora cluster snapshots that are not encrypted
aws rds describe-db-cluster-snapshots \
  --region us-east-1 \
  --query "DBClusterSnapshots[?StorageEncrypted==\`false\`].[DBClusterSnapshotIdentifier,DBClusterIdentifier,SnapshotCreateTime]" \
  --output table
```
Copy a DB instance snapshot with encryption
```bash
aws rds copy-db-snapshot \
  --region us-east-1 \
  --source-db-snapshot-identifier <your-snapshot-id> \
  --target-db-snapshot-identifier <your-snapshot-id>-encrypted \
  --kms-key-id <your-kms-key-id>
```
Copy an Aurora cluster snapshot with encryption
```bash
aws rds copy-db-cluster-snapshot \
  --region us-east-1 \
  --source-db-cluster-snapshot-identifier <your-cluster-snapshot-id> \
  --target-db-cluster-snapshot-identifier <your-cluster-snapshot-id>-encrypted \
  --kms-key-id <your-kms-key-id>
```
Delete the original unencrypted snapshot (after verifying the encrypted copy)
```bash
# For DB instance snapshots
aws rds delete-db-snapshot \
  --region us-east-1 \
  --db-snapshot-identifier <your-original-snapshot-id>

# For Aurora cluster snapshots
aws rds delete-db-cluster-snapshot \
  --region us-east-1 \
  --db-cluster-snapshot-identifier <your-original-cluster-snapshot-id>
```
CloudFormation
CloudFormation does not have a native resource type for copying RDS snapshots. To automate snapshot encryption with CloudFormation, you would need to create a Custom Resource backed by a Lambda function.
For most use cases, we recommend using AWS CLI scripts or Terraform for this remediation.
Terraform
Copy a DB instance snapshot with encryption
```hcl
resource "aws_db_snapshot_copy" "encrypted_snapshot" {
  source_db_snapshot_identifier = "rds:my-database-snapshot"
  target_db_snapshot_identifier = "my-database-snapshot-encrypted"
  kms_key_id                    = "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"

  tags = {
    Name        = "encrypted-snapshot"
    Environment = "production"
  }
}
```
Copy an Aurora cluster snapshot with encryption
```hcl
resource "aws_rds_cluster_snapshot_copy" "encrypted_cluster_snapshot" {
  source_db_cluster_snapshot_identifier = "rds:my-aurora-cluster-snapshot"
  target_db_cluster_snapshot_identifier = "my-aurora-cluster-snapshot-encrypted"
  kms_key_id                            = "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"

  tags = {
    Name        = "encrypted-cluster-snapshot"
    Environment = "production"
  }
}
```
Replace the placeholder values:
- source_db_snapshot_identifier: Your existing unencrypted snapshot identifier
- target_db_snapshot_identifier: A new name for the encrypted copy
- kms_key_id: Your KMS key ARN (or use alias/aws/rds for the default key)
Verification
After completing the remediation:
- Go to the RDS Snapshots page
- Select your new encrypted snapshot
- In the Configuration tab, verify that Encryption shows Enabled
- Confirm the KMS key ID matches your expected key
CLI verification commands
```bash
# Verify a DB instance snapshot is encrypted
aws rds describe-db-snapshots \
  --region us-east-1 \
  --db-snapshot-identifier <your-encrypted-snapshot-id> \
  --query "DBSnapshots[0].[DBSnapshotIdentifier,Encrypted,KmsKeyId]" \
  --output table

# Verify an Aurora cluster snapshot is encrypted
aws rds describe-db-cluster-snapshots \
  --region us-east-1 \
  --db-cluster-snapshot-identifier <your-encrypted-cluster-snapshot-id> \
  --query "DBClusterSnapshots[0].[DBClusterSnapshotIdentifier,StorageEncrypted,KmsKeyId]" \
  --output table
```
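The CLI remediation and verification steps above can be driven from one audit pass over the JSON that `describe-db-snapshots` and `describe-db-cluster-snapshots` return. The script below is an added example, not part of the original guide: it classifies every snapshot as unencrypted, encrypted with an unexpected key, or compliant, and for the unencrypted ones builds the matching `copy-db-snapshot` / `copy-db-cluster-snapshot` command from the guide. The sample responses, snapshot identifiers and KMS ARNs are constructed; it runs offline.

```python
"""Audit RDS snapshot encryption from `aws rds describe-*-snapshots --output json`."""
import json

# Constructed sample responses in the shape the AWS CLI emits (not real accounts or keys).
EXPECTED_KEY = "arn:aws:kms:us-east-1:123456789012:key/11111111-1111-1111-1111-111111111111"
SAMPLE_DB_SNAPSHOTS = json.dumps({"DBSnapshots": [
    {"DBSnapshotIdentifier": "rds:orders-2024-05-01", "DBInstanceIdentifier": "orders",
     "Encrypted": False, "Status": "available"},
    {"DBSnapshotIdentifier": "orders-2024-05-01-encrypted", "DBInstanceIdentifier": "orders",
     "Encrypted": True, "Status": "available", "KmsKeyId": EXPECTED_KEY},
    {"DBSnapshotIdentifier": "legacy-manual", "DBInstanceIdentifier": "legacy",
     "Encrypted": True, "Status": "available",
     "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/22222222-2222-2222-2222-222222222222"},
]})
SAMPLE_CLUSTER_SNAPSHOTS = json.dumps({"DBClusterSnapshots": [
    {"DBClusterSnapshotIdentifier": "rds:aurora-prod-2024-05-01",
     "DBClusterIdentifier": "aurora-prod", "StorageEncrypted": False, "Status": "available"},
]})


def audit(db_json, cluster_json, expected_kms_arn, region="us-east-1"):
    """Return one finding per snapshot: status plus the remediation command, if any."""
    # The two APIs differ in list key, id field, encryption flag and copy subcommand.
    specs = [
        (json.loads(db_json).get("DBSnapshots", []), "DBSnapshotIdentifier",
         "Encrypted", "copy-db-snapshot", "db-snapshot"),
        (json.loads(cluster_json).get("DBClusterSnapshots", []), "DBClusterSnapshotIdentifier",
         "StorageEncrypted", "copy-db-cluster-snapshot", "db-cluster-snapshot"),
    ]
    findings = []
    for snaps, id_field, enc_field, subcmd, flag in specs:
        for s in snaps:
            sid = s[id_field]
            if not s.get(enc_field, False):
                if s.get("Status") != "available":
                    findings.append({"id": sid, "status": "NOT_READY", "action": None})
                    continue
                # Automated snapshots are named "rds:<name>"; a target identifier may not
                # contain ':', so the copy is named after the part following the prefix.
                target = sid.split(":", 1)[-1] + "-encrypted"
                cmd = (f"aws rds {subcmd} --region {region} "
                       f"--source-{flag}-identifier {sid} "
                       f"--target-{flag}-identifier {target} "
                       f"--kms-key-id {expected_kms_arn}")
                findings.append({"id": sid, "status": "UNENCRYPTED", "action": cmd})
            elif s.get("KmsKeyId") != expected_kms_arn:
                # Encrypted, but not with the key the verification step expects.
                findings.append({"id": sid, "status": "WRONG_KEY",
                                 "action": f"review key {s.get('KmsKeyId')}"})
            else:
                findings.append({"id": sid, "status": "COMPLIANT", "action": None})
    return findings
```

Feed it the output of the two `describe` commands for each region in scope and run the generated copy commands once reviewed; the NOT_READY status covers snapshots still being created, which cannot be copied yet.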
Additional Resources
- Encrypting Amazon RDS resources
- Copying a DB snapshot
- Copying a DB cluster snapshot
- AWS KMS keys for Amazon RDS
Notes
- Encryption is irreversible: Once a snapshot is encrypted, it cannot be decrypted. Plan accordingly.
- Performance: Copying large snapshots may take significant time depending on size.
- Cross-region copies: When copying to another region, you must specify a KMS key in the destination region.
- Shared snapshots: If you share an encrypted snapshot, the recipient must have access to the KMS key used for encryption.
- Prevention: To prevent this issue in the future, enable encryption on your RDS instances. New snapshots from encrypted instances are automatically encrypted.
- Automatic snapshots: Automated backups inherit encryption settings from the source database. Encrypt the database itself to ensure all future automatic snapshots are encrypted.