More Info:

There should be one Amazon KMS Customer Master Key (CMK) created in your AWS account for the database tier in order to protect data-at-rest available within your AWS web stack, have full control over encryption/decryption process, and meet security and compliance requirements.

Risk Level

Low

Address

Security

Compliance Standards

CBP

Triage and Remediation

Remediation

Using Console

The remediation steps for “Database-tier KMS Key Should Be In Use” in AWS using the AWS console are as follows:
  1. Open the Amazon RDS console at https://console.aws.amazon.com/rds/.
  2. In the navigation pane, choose “Encryption”.
  3. Select the DB instance that you want to encrypt.
  4. Click on the “Modify” button.
  5. In the “Encryption” section, choose “Yes” for the “Encrypt this DB instance” option.
  6. Select the KMS key that you want to use for encryption in the “KMS key ID” drop-down list.
  7. Click on the “Continue” button.
  8. Review the changes and click on the “Modify DB instance” button to apply the changes.
After completing these steps, the database-tier KMS key will be in use, and the misconfiguration will be remediated.

To remediate the “Database-tier KMS Key Should Be In Use” misconfiguration in AWS using AWS CLI, follow these steps:
  1. Open the AWS CLI on your local machine.
  2. Run the following command to list all the RDS instances in your AWS account:
aws rds describe-db-instances
  1. Identify the RDS instance that has the misconfiguration.
  2. Run the following command to modify the RDS instance to use a KMS key:
aws rds modify-db-instance --db-instance-identifier <your-db-instance-identifier> --kms-key-id <your-kms-key-id>
Replace <your-db-instance-identifier> with the name of your RDS instance and <your-kms-key-id> with the ID of the KMS key that you want to use.
  1. Verify that the RDS instance is now using the KMS key by running the following command:
aws rds describe-db-instances --db-instance-identifier <your-db-instance-identifier> | grep KmsKeyId
This command should return the ID of the KMS key that you specified in step 4.
  1. Repeat steps 4 and 5 for all the RDS instances that have the misconfiguration.
To remediate the “Database-tier KMS Key Should Be In Use” misconfiguration in AWS using Python, you can follow these steps:
  1. Identify the RDS instances that are not using a KMS key for encryption.
  2. Use the AWS SDK for Python (Boto3) to modify the RDS instances to use a KMS key for encryption.
Here is the Python code to accomplish this:
import boto3

# Create an RDS client
rds = boto3.client('rds')

# Get a list of all RDS instances
instances = rds.describe_db_instances()

# Loop through each instance and check if it is using a KMS key for encryption
for instance in instances['DBInstances']:
    if 'KmsKeyId' not in instance:
        # If the instance is not using a KMS key, modify it to use one
        rds.modify_db_instance(
            DBInstanceIdentifier=instance['DBInstanceIdentifier'],
            KmsKeyId='your_kms_key_id_here'
        )
Replace “your_kms_key_id_here” with the ID of the KMS key that you want to use for encryption.This code will loop through all RDS instances and modify any instances that are not using a KMS key for encryption to use the specified KMS key.

Additional Reading: