Data stored in Aurora is unencrypted at rest

ID: aurora_unencrypted_at_rest

Severity: critical

Vendor: AWS

Resource: Aurora

Tags: reachable

Description

Amazon Aurora encrypted DB clusters provide an additional layer of data protection by securing your data from unauthorized access to the underlying storage. You can use Amazon Aurora encryption to increase data protection of your applications deployed in the cloud, and to fulfill compliance requirements for encryption at rest.

For an Amazon Aurora encrypted DB cluster, all DB instances, logs, backups, and snapshots are encrypted. You can also encrypt a read replica of an Amazon Aurora encrypted cluster. Amazon Aurora uses an AWS KMS key to encrypt these resources.

If the engine_mode is serverless, the DB cluster is encrypted by default, so this check applies to provisioned clusters.

Examples

CloudFormation

{
  "Resources": {
    "Aurora": { (1)
      "Type": "AWS::RDS::DBCluster",
      "Properties": {
        "DatabaseName": "mydb",
        "Engine": "aurora"
      }
    }
  }
}
1 No StorageEncrypted attribute means no encryption.

Resources:
  Aurora: (1)
    Type: 'AWS::RDS::DBCluster'
    Properties:
      DatabaseName: 'mydb'
      Engine: 'aurora'
1 No StorageEncrypted attribute means no encryption.

Terraform

resource "aws_rds_cluster" "my_RDS" { (1)
  cluster_identifier      = "aurora-cluster-demo"
  engine                  = "aurora-mysql"
  engine_version          = "5.7.mysql_aurora.2.03.2"
  availability_zones      = ["us-west-2a", "us-west-2b", "us-west-2c"]
  database_name           = "mydb"
  master_username         = "foo"
  master_password         = "bar"
  backup_retention_period = 5
  preferred_backup_window = "07:00-09:00"
}
1 No storage_encrypted attribute means no encryption.

Mitigation / Fix

Buildtime

CloudFormation

{
  "Resources": {
    "Aurora": { (1)
      "Type": "AWS::RDS::DBCluster",
      "Properties": {
        "DatabaseName": "mydb",
        "Engine": "aurora",
        "StorageEncrypted": true
      }
    }
  }
}
1 Add StorageEncrypted: true to enable encryption at rest for the Aurora cluster.

Resources:
  Aurora: (1)
    Type: 'AWS::RDS::DBCluster'
    Properties:
      DatabaseName: 'mydb'
      Engine: 'aurora'
      StorageEncrypted: true
1 Add StorageEncrypted: true to enable encryption at rest for the Aurora cluster.

Terraform

Add storage_encrypted = true to enable encryption at rest for the Aurora cluster.

resource "aws_rds_cluster" "my_RDS" {
  cluster_identifier      = "aurora-cluster-demo"
  engine                  = "aurora-mysql"
  engine_version          = "5.7.mysql_aurora.2.03.2"
  availability_zones      = ["us-west-2a", "us-west-2b", "us-west-2c"]
  database_name           = "mydb"
  master_username         = "foo"
  master_password         = "bar"
  backup_retention_period = 5
  preferred_backup_window = "07:00-09:00"
  storage_encrypted       = true // FIXED
}
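As an added example (not part of this policy page or its scanner), the buildtime check described above implemented over parsed CloudFormation JSON: it flags AWS::RDS::DBCluster resources without a literal StorageEncrypted true, skips serverless clusters (encrypted by default, as noted in the description), and treats unresolved intrinsics such as {"Ref": ...} as findings. The function name find_unencrypted_aurora_clusters and the sample templates are constructed for this example.

```python
import json

# Constructed sample templates (not the page's own scanner fixtures) mirroring
# the CloudFormation examples above: one omits StorageEncrypted, one sets it,
# one passes it as the string "true" (CloudFormation accepts that), and one is
# a serverless cluster, which Aurora encrypts by default.
TEMPLATES = {
    "missing": {"Resources": {"Aurora": {"Type": "AWS::RDS::DBCluster",
        "Properties": {"DatabaseName": "mydb", "Engine": "aurora"}}}},
    "fixed": {"Resources": {"Aurora": {"Type": "AWS::RDS::DBCluster",
        "Properties": {"DatabaseName": "mydb", "Engine": "aurora",
                       "StorageEncrypted": True}}}},
    "string_true": {"Resources": {"Aurora": {"Type": "AWS::RDS::DBCluster",
        "Properties": {"Engine": "aurora", "StorageEncrypted": "true"}}}},
    "serverless": {"Resources": {"Aurora": {"Type": "AWS::RDS::DBCluster",
        "Properties": {"Engine": "aurora", "EngineMode": "serverless"}}}},
}


def find_unencrypted_aurora_clusters(template: dict) -> list:
    """Return logical IDs of AWS::RDS::DBCluster resources that are not
    encrypted at rest. Anything other than a literal true (missing, false,
    or an unresolved intrinsic such as {"Ref": ...}) is reported, so the
    check errs on the side of flagging."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::RDS::DBCluster":
            continue
        props = resource.get("Properties") or {}
        # Serverless clusters are encrypted by default; the check is for
        # provisioned clusters only.
        if str(props.get("EngineMode", "provisioned")).lower() == "serverless":
            continue
        value = props.get("StorageEncrypted")
        # CloudFormation accepts booleans and the strings "true"/"false".
        if value is True or (isinstance(value, str) and value.lower() == "true"):
            continue
        findings.append(logical_id)
    return findings


def scan(template_json: str) -> list:
    """Run the check on raw JSON template text."""
    return find_unencrypted_aurora_clusters(json.loads(template_json))


if __name__ == "__main__":
    for name, template in TEMPLATES.items():
        print(name, scan(json.dumps(template)))
```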