Using unencrypted RDS DB resources exposes data to unauthorized access to the underlying storage.
This includes database data, logs, automatic
backups, read replicas, snapshots, and cluster metadata.
This situation can occur in a variety of scenarios, such as:
AWS-managed encryption at rest reduces this risk with a simple switch.
There is a risk if you answered yes to any of those questions.
It is recommended to enable encryption at rest on any RDS DB resource, regardless of the engine.
In any case, no further maintenance is
required as encryption at rest is fully managed by AWS.
For aws_cdk.aws_rds.DatabaseCluster and aws_cdk.aws_rds.DatabaseInstance:
from aws_cdk import (
aws_rds as rds
)
class DatabaseStack(Stack):
def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
super().__init__(scope, construct_id, **kwargs)
rds.DatabaseCluster( # Sensitive, unencrypted by default
self,
"example"
)
For aws_cdk.aws_rds.CfnDBCluster and aws_cdk.aws_rds.CfnDBInstance:
from aws_cdk import (
aws_rds as rds
)
class DatabaseStack(Stack):
def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
super().__init__(scope, construct_id, **kwargs)
rds.CfnDBCluster( # Sensitive, unencrypted by default
self,
"example"
)
For aws_cdk.aws_rds.DatabaseCluster and aws_cdk.aws_rds.DatabaseInstance:
from aws_cdk import (
aws_rds as rds
)
class DatabaseStack(Stack):
def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
super().__init__(scope, construct_id, **kwargs)
rds.DatabaseCluster(
self,
"example",
storage_encrypted=True
)
For aws_cdk.aws_rds.CfnDBCluster and aws_cdk.aws_rds.CfnDBInstance:
from aws_cdk import (
aws_rds as rds
)
class DatabaseStack(Stack):
def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
super().__init__(scope, construct_id, **kwargs)
rds.CfnDBCluster(
self,
"example",
storage_encrypted=True
)