Using unencrypted RDS DB resources exposes data to unauthorized access.
This includes database data, logs, automatic backups, read replicas, snapshots, and cluster metadata.

This situation can occur in a variety of scenarios, such as:

After a successful intrusion, the underlying applications are exposed to:

AWS-managed encryption at rest reduces this risk with a simple switch.

Ask Yourself Whether

There is a risk if you answered yes to any of those questions.

Recommended Secure Coding Practices

It is recommended to enable encryption at rest on any RDS DB resource, regardless of the engine. For Aurora, the setting belongs on the DB cluster; instances that are members of a cluster inherit it. Note that encryption is decided at creation time: an existing unencrypted instance or cluster cannot be switched to encrypted in place, it has to be snapshotted, the snapshot copied with encryption enabled, and the resource restored from the encrypted copy.
Once enabled, no further maintenance is required, as encryption at rest is fully managed by AWS.

Sensitive Code Example

For AWS::RDS::DBInstance and AWS::RDS::DBCluster:

AWSTemplateFormatVersion: '2010-09-09'
Resources:
  DatabaseInstance:
    Type: AWS::RDS::DBInstance
    Properties:
      StorageEncrypted: false  # Sensitive, disabled by default
  DatabaseCluster:
    Type: AWS::RDS::DBCluster
    Properties:
      StorageEncrypted: false  # Sensitive, disabled by default

Compliant Solution

For AWS::RDS::DBInstance and AWS::RDS::DBCluster:

AWSTemplateFormatVersion: '2010-09-09'
Resources:
  DatabaseInstance:
    Type: AWS::RDS::DBInstance
    Properties:
      StorageEncrypted: true
  DatabaseCluster:
    Type: AWS::RDS::DBCluster
    Properties:
      StorageEncrypted: true
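The check below is an added example, not part of the original rule text or of any AWS tooling. It scans an already-parsed CloudFormation template (a dict, as produced by json.load for JSON templates or yaml.safe_load for YAML templates without short-form intrinsic tags) and reports every AWS::RDS::DBInstance or AWS::RDS::DBCluster whose StorageEncrypted is false or missing, the two states shown in the sensitive example above. Instances that reference a cluster, a source instance or a snapshot, and clusters restored from a snapshot, inherit their encryption state from that resource and are skipped rather than flagged. The resource names and the sample template are constructed for this example.

```python
"""Added example: find RDS resources in a CloudFormation template that are
not encrypted at rest. Sample template and resource names are constructed."""
import json

RDS_TYPES = {"AWS::RDS::DBInstance", "AWS::RDS::DBCluster"}

# Properties that make StorageEncrypted inherited from another resource,
# so the value on this resource is not what decides encryption.
INHERITS_FROM = {
    "AWS::RDS::DBInstance": ("DBClusterIdentifier",
                             "SourceDBInstanceIdentifier",
                             "DBSnapshotIdentifier"),
    "AWS::RDS::DBCluster": ("SnapshotIdentifier",),
}


def _is_true(value) -> bool:
    """Accept bool True or the string 'true' (YAML/JSON both occur)."""
    return value is True or (isinstance(value, str) and value.lower() == "true")


def find_unencrypted_rds(template: dict) -> list:
    """Return one finding per RDS resource with encryption off or unset."""
    findings = []
    for name, resource in template.get("Resources", {}).items():
        rtype = resource.get("Type")
        if rtype not in RDS_TYPES:
            continue
        props = resource.get("Properties") or {}
        if any(p in props for p in INHERITS_FROM[rtype]):
            # Encryption comes from the referenced cluster/source/snapshot;
            # that resource is the one to check, not this one.
            continue
        value = props.get("StorageEncrypted")
        if _is_true(value):
            continue
        reason = ("explicitly disabled" if value is not None
                  else "not set (defaults to false)")
        findings.append({"resource": name, "type": rtype, "reason": reason})
    return findings


# Constructed sample template (JSON form of a CloudFormation template).
SAMPLE_TEMPLATE = json.loads("""
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "LegacyInstance":   {"Type": "AWS::RDS::DBInstance",
                         "Properties": {"StorageEncrypted": false}},
    "DefaultInstance":  {"Type": "AWS::RDS::DBInstance",
                         "Properties": {"DBInstanceClass": "db.t3.micro"}},
    "EncryptedInstance": {"Type": "AWS::RDS::DBInstance",
                         "Properties": {"StorageEncrypted": true}},
    "ClusterMember":    {"Type": "AWS::RDS::DBInstance",
                         "Properties": {"DBClusterIdentifier": {"Ref": "LegacyCluster"}}},
    "LegacyCluster":    {"Type": "AWS::RDS::DBCluster",
                         "Properties": {"StorageEncrypted": false}},
    "EncryptedCluster": {"Type": "AWS::RDS::DBCluster",
                         "Properties": {"StorageEncrypted": true}},
    "Bucket":           {"Type": "AWS::S3::Bucket"}
  }
}
""")

if __name__ == "__main__":
    for f in find_unencrypted_rds(SAMPLE_TEMPLATE):
        print(f"{f['resource']} ({f['type']}): StorageEncrypted {f['reason']}")
```

ClusterMember is deliberately not reported: flagging it would be a false positive, since its encryption follows LegacyCluster, which is reported once in its own right. Templates that use short-form YAML tags such as !Ref need a loader that understands them before this check can run.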

See