Triage and Remediation
Remediation
Using Console
The remediation steps for “Database-tier KMS Key Should Be In Use” in AWS using the AWS console are as follows:
- Open the Amazon RDS console at https://console.aws.amazon.com/rds/.
- In the navigation pane, choose “Encryption”.
- Select the DB instance that you want to encrypt.
- Click on the “Modify” button.
- In the “Encryption” section, choose “Yes” for the “Encrypt this DB instance” option.
- Select the KMS key that you want to use for encryption in the “KMS key ID” drop-down list.
- Click on the “Continue” button.
- Review the changes and click on the “Modify DB instance” button to apply the changes.
Using CLI
To remediate the “Database-tier KMS Key Should Be In Use” misconfiguration in AWS using AWS CLI, follow these steps:
- Open the AWS CLI on your local machine.
- Run the following command to list all the RDS instances in your AWS account:
- Identify the RDS instance that has the misconfiguration.
- Run the following command to modify the RDS instance to use a KMS key: Replace <your-db-instance-identifier> with the name of your RDS instance and <your-kms-key-id> with the ID of the KMS key that you want to use.
- Verify that the RDS instance is now using the KMS key by running the following command: This command should return the ID of the KMS key that you specified in step 4.
- Repeat steps 4 and 5 for all the RDS instances that have the misconfiguration.
Using Python
To remediate the “Database-tier KMS Key Should Be In Use” misconfiguration in AWS using Python, you can follow these steps:
- Identify the RDS instances that are not using a KMS key for encryption.
- Use the AWS SDK for Python (Boto3) to modify the RDS instances to use a KMS key for encryption.
Replace “your_kms_key_id_here” with the ID of the KMS key that you want to use for encryption. This code will loop through all RDS instances and modify any instances that are not using a KMS key for encryption to use the specified KMS key.
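The identification step above, as an added example that is not part of this page: a check over describe-db-instances output (a constructed sample is embedded; the account number and key ARNs are placeholders) that flags instances which are unencrypted or encrypted with a key other than the designated database-tier key. The live fetch helper is optional and needs boto3 and AWS credentials.

```python
# Constructed sample shaped like the DBInstances list returned by
# RDS describe_db_instances; only the fields used here are populated.
SAMPLE_INSTANCES = [
    {"DBInstanceIdentifier": "orders-db", "StorageEncrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111111111111:key/EXAMPLE-DB-TIER-KEY"},
    {"DBInstanceIdentifier": "reports-db", "StorageEncrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111111111111:key/EXAMPLE-OTHER-KEY"},
    {"DBInstanceIdentifier": "legacy-db", "StorageEncrypted": False},
]

# Placeholder ARN of the key designated for the database tier (assumption).
DB_TIER_KEY_ARN = "arn:aws:kms:us-east-1:111111111111:key/EXAMPLE-DB-TIER-KEY"


def classify(instance, expected_key_arn):
    """Return None when the instance is compliant, otherwise a short reason."""
    if not instance.get("StorageEncrypted"):
        return "storage not encrypted"
    key = instance.get("KmsKeyId")
    if key is None:
        return "encrypted but no KMS key reported"
    if key != expected_key_arn:
        return f"encrypted with a different key: {key}"
    return None


def find_noncompliant(instances, expected_key_arn):
    """Map each non-compliant DBInstanceIdentifier to the reason it was flagged."""
    findings = {}
    for inst in instances:
        reason = classify(inst, expected_key_arn)
        if reason:
            findings[inst["DBInstanceIdentifier"]] = reason
    return findings


def fetch_instances(region_name):
    """Live lookup via boto3; imported here so the offline check runs without it."""
    import boto3
    rds = boto3.client("rds", region_name=region_name)
    instances = []
    for page in rds.get_paginator("describe_db_instances").paginate():
        instances.extend(page["DBInstances"])
    return instances


if __name__ == "__main__":
    for ident, reason in find_noncompliant(SAMPLE_INSTANCES, DB_TIER_KEY_ARN).items():
        print(f"{ident}: {reason}")
```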