Database-tier KMS Key Should Be In Use
More Info:
There should be at least one customer-managed AWS KMS key (formerly called a Customer Master Key, CMK) created in your AWS account and dedicated to the database tier of your AWS web stack, and the RDS instances in that tier should be encrypted with it rather than left unencrypted or encrypted with the AWS-managed default key. Using your own key protects data at rest, gives you full control over the key policy, rotation and the encryption/decryption process, and helps meet security and compliance requirements.
Risk Level
Low
Address
Security
Compliance Standards
CBP
Triage and Remediation
Remediation
The remediation steps for “Database-tier KMS Key Should Be In Use” in AWS using the AWS console are as follows. Note that Amazon RDS storage encryption can only be chosen when an instance is created; the “Modify” dialog does not offer it for an existing unencrypted instance, so the instance has to be recreated from an encrypted snapshot copy (the same copy step also works to move an instance from the AWS-managed key to your own key):
- Open the Amazon RDS console at https://console.aws.amazon.com/rds/.
- In the navigation pane, choose “Databases” and select the DB instance that you want to encrypt.
- Choose “Actions”, then “Take snapshot”, enter a snapshot name and confirm.
- In the navigation pane, choose “Snapshots”, select the snapshot you just created, then choose “Actions” and “Copy snapshot”.
- In the copy dialog, tick “Enable encryption” and select the customer-managed KMS key created for the database tier in the “AWS KMS key” drop-down list, then start the copy.
- When the encrypted copy is available, select it, choose “Actions”, then “Restore snapshot”; enter an identifier for the new DB instance, review the settings and restore it.
- Open the restored instance and confirm on its “Configuration” tab that encryption is enabled and the expected KMS key is shown.
- Repoint the application at the restored instance, then delete the old unencrypted DB instance and the unencrypted snapshot.
After completing these steps, the database-tier KMS key will be in use, and the misconfiguration will be remediated.
To remediate the “Database-tier KMS Key Should Be In Use” misconfiguration in AWS using AWS CLI, follow these steps. As in the console, modify-db-instance cannot switch storage encryption on (it has no --kms-key-id option for that purpose), so the instance is recreated from an encrypted snapshot copy:
- Open the AWS CLI on your local machine.
- Run the following command to list the RDS instances in your AWS account whose storage is not encrypted:
aws rds describe-db-instances --query 'DBInstances[?StorageEncrypted==`false`].DBInstanceIdentifier'
- Take a snapshot of an affected instance and wait for it to become available:
aws rds create-db-snapshot --db-instance-identifier <your-db-instance-identifier> --db-snapshot-identifier <your-db-instance-identifier>-pre-encrypt
aws rds wait db-snapshot-available --db-snapshot-identifier <your-db-instance-identifier>-pre-encrypt
- Copy the snapshot, encrypting the copy with the database-tier KMS key:
aws rds copy-db-snapshot --source-db-snapshot-identifier <your-db-instance-identifier>-pre-encrypt --target-db-snapshot-identifier <your-db-instance-identifier>-encrypted --kms-key-id <your-kms-key-id>
aws rds wait db-snapshot-available --db-snapshot-identifier <your-db-instance-identifier>-encrypted
- Restore a new DB instance from the encrypted copy:
aws rds restore-db-instance-from-db-snapshot --db-instance-identifier <your-new-db-instance-identifier> --db-snapshot-identifier <your-db-instance-identifier>-encrypted
Replace <your-db-instance-identifier> with the name of the unencrypted RDS instance, <your-new-db-instance-identifier> with the name for its encrypted replacement, and <your-kms-key-id> with the ID or ARN of the KMS key that you want to use.
- Verify that the new instance is encrypted with that key:
aws rds describe-db-instances --db-instance-identifier <your-new-db-instance-identifier> --query 'DBInstances[0].[StorageEncrypted,KmsKeyId]'
This command should return true followed by the ARN of the KMS key that you specified.
- Switch the application to the new instance, then delete the old unencrypted instance and snapshot. Repeat the snapshot, copy, restore and verify steps for every RDS instance that has the misconfiguration.
To remediate the “Database-tier KMS Key Should Be In Use” misconfiguration in AWS using Python, you can follow these steps:
- Identify the RDS instances whose storage is not encrypted with a KMS key.
- Use the AWS SDK for Python (Boto3) to take a snapshot of each one, copy the snapshot encrypted with the database-tier KMS key, and restore a new instance from the encrypted copy. Boto3's modify_db_instance does not accept KmsKeyId for storage encryption, so it cannot be used for this.
Here is the Python code to accomplish this:
import boto3

# Create an RDS client
rds = boto3.client('rds')

# ARN (or ID) of the customer-managed KMS key created for the database tier
cmk_arn = 'your_kms_key_id_here'

# Page through all RDS instances and check whether storage encryption is on
paginator = rds.get_paginator('describe_db_instances')
for page in paginator.paginate():
    for instance in page['DBInstances']:
        if instance['StorageEncrypted']:
            continue  # already encrypted; nothing to do here
        db_id = instance['DBInstanceIdentifier']
        snap, enc_snap = f'{db_id}-pre-encrypt', f'{db_id}-encrypted'
        # Snapshot the unencrypted instance and wait until the snapshot is usable
        rds.create_db_snapshot(DBInstanceIdentifier=db_id, DBSnapshotIdentifier=snap)
        rds.get_waiter('db_snapshot_available').wait(DBSnapshotIdentifier=snap)
        # Copy the snapshot; the copy is encrypted with the database-tier key
        rds.copy_db_snapshot(SourceDBSnapshotIdentifier=snap,
                             TargetDBSnapshotIdentifier=enc_snap,
                             KmsKeyId=cmk_arn)
        rds.get_waiter('db_snapshot_available').wait(DBSnapshotIdentifier=enc_snap)
        # Restore an encrypted replacement instance from the encrypted copy
        rds.restore_db_instance_from_db_snapshot(DBInstanceIdentifier=f'{db_id}-enc',
                                                 DBSnapshotIdentifier=enc_snap)
Replace “your_kms_key_id_here” with the ID or ARN of the KMS key that you want to use for encryption.
This code will loop through all RDS instances and, for each one whose storage is not encrypted, create an encrypted replacement instance named <instance>-enc. Repoint your application at the replacement, confirm that StorageEncrypted is true and KmsKeyId is the expected key, and then delete the original unencrypted instance and snapshots.
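The check behind this finding is stricter than "is StorageEncrypted true": an instance encrypted with the AWS-managed aws/rds key, or with a customer-managed key that has been disabled, does not give the account the control the More Info section describes. The following is an added example, not code from the original page or from any audit tool: it evaluates RDS instances against the describe_key metadata of their KMS key (KeyManager and KeyState are real fields of that response) and follows the Marker field so large accounts are fully paged. The RDS instances, key ARNs, account number and the FakeRds/FakeKms clients are constructed here so it runs offline; with real credentials pass boto3.client('rds') and boto3.client('kms') to audit() instead.

```python
"""Audit RDS instances for the database-tier KMS key requirement (added example).

An instance is compliant only when its storage is encrypted AND the key is a
customer-managed KMS key (KeyManager == "CUSTOMER") that is enabled.  The
AWS-managed aws/rds key (KeyManager == "AWS") is reported as a finding because
the account cannot control its policy or rotation.  Clients are injected so the
logic runs offline against the constructed sample data below.
"""

# Constructed sample account, region and key ARNs (not real resources).
ACCOUNT = "111122223333"
REGION = "us-east-1"
CMK = f"arn:aws:kms:{REGION}:{ACCOUNT}:key/11111111-2222-3333-4444-555555555555"
AWS_RDS_KEY = f"arn:aws:kms:{REGION}:{ACCOUNT}:key/66666666-7777-8888-9999-000000000000"
DISABLED_CMK = f"arn:aws:kms:{REGION}:{ACCOUNT}:key/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"

# Constructed sample responses, shaped like rds.describe_db_instances() pages
# (with a Marker on all but the last page) and kms.describe_key()["KeyMetadata"].
SAMPLE_PAGES = [
    {"DBInstances": [
        {"DBInstanceIdentifier": "orders-prod", "StorageEncrypted": True, "KmsKeyId": CMK},
        {"DBInstanceIdentifier": "legacy-reporting", "StorageEncrypted": False},
    ], "Marker": "page2"},
    {"DBInstances": [
        {"DBInstanceIdentifier": "dev-scratch", "StorageEncrypted": True, "KmsKeyId": AWS_RDS_KEY},
        {"DBInstanceIdentifier": "archive", "StorageEncrypted": True, "KmsKeyId": DISABLED_CMK},
    ]},
]
SAMPLE_KEYS = {
    CMK: {"Arn": CMK, "KeyManager": "CUSTOMER", "KeyState": "Enabled"},
    AWS_RDS_KEY: {"Arn": AWS_RDS_KEY, "KeyManager": "AWS", "KeyState": "Enabled"},
    DISABLED_CMK: {"Arn": DISABLED_CMK, "KeyManager": "CUSTOMER", "KeyState": "Disabled"},
}


class FakeRds:
    """Offline stand-in for boto3.client('rds'): serves the constructed pages."""
    def __init__(self, pages):
        self._pages = pages

    def describe_db_instances(self, **kwargs):
        # Marker "pageN" selects page N; the first call carries no Marker.
        index = int(kwargs.get("Marker", "page1")[4:]) - 1
        return self._pages[index]


class FakeKms:
    """Offline stand-in for boto3.client('kms')."""
    def __init__(self, keys):
        self._keys = keys

    def describe_key(self, KeyId):
        return {"KeyMetadata": self._keys[KeyId]}


def iter_db_instances(rds):
    """Yield every DB instance, following Marker so no page is skipped."""
    kwargs = {}
    while True:
        resp = rds.describe_db_instances(**kwargs)
        yield from resp["DBInstances"]
        if not resp.get("Marker"):
            return
        kwargs = {"Marker": resp["Marker"]}


def evaluate(instance, kms, key_cache):
    """Return None when compliant, otherwise a short reason for the finding."""
    if not instance.get("StorageEncrypted"):
        return "storage not encrypted"
    key_arn = instance["KmsKeyId"]
    if key_arn not in key_cache:  # one describe_key per distinct key
        key_cache[key_arn] = kms.describe_key(KeyId=key_arn)["KeyMetadata"]
    meta = key_cache[key_arn]
    if meta["KeyManager"] != "CUSTOMER":
        return "encrypted with AWS-managed key, not a customer-managed key"
    if meta["KeyState"] != "Enabled":
        return f"customer-managed key is {meta['KeyState']}"
    return None


def audit(rds, kms):
    """Map DBInstanceIdentifier -> reason for every non-compliant instance."""
    key_cache, findings = {}, {}
    for inst in iter_db_instances(rds):
        reason = evaluate(inst, kms, key_cache)
        if reason:
            findings[inst["DBInstanceIdentifier"]] = reason
    return findings


if __name__ == "__main__":
    for db_id, reason in audit(FakeRds(SAMPLE_PAGES), FakeKms(SAMPLE_KEYS)).items():
        print(f"{db_id}: {reason}")
```

Against the sample data the audit reports legacy-reporting (unencrypted), dev-scratch (AWS-managed key) and archive (disabled key) and passes orders-prod. Any instance it flags is a candidate for the snapshot, encrypted copy and restore procedure described above; the key-state check is also worth keeping in a scheduled job, since disabling or scheduling deletion of the database-tier key makes every instance that uses it unreadable once it restarts.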