More Info:

Your RDS database instances should be using KMS CMK customer-managed keys rather than AWS managed-keys in order to have more granular control over your data-at-rest encryption/decryption process.

Risk Level

Medium

Address

Security

Compliance Standards

GDPR, NIST, AWSWAF, HITRUST, SOC2, NISTCSF, PCIDSS, FedRAMP

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration of using AWS-managed keys instead of Customer-Managed Keys for AWS RDS using the AWS console, follow these steps:
  1. Create a Customer-Managed Key (CMK):
    • Go to the AWS Key Management Service (KMS) console.
    • Click on “Create key” to create a new CMK.
    • Choose the key creation method (Symmetric key or Asymmetric key) based on your requirements.
    • Define key administrative permissions and key usage permissions.
    • Click on “Finish” to create the CMK.
  2. Update the RDS Instance to use the Customer-Managed Key:
    • Go to the Amazon RDS console.
    • Select the RDS instance for which you want to update the encryption key.
    • Click on “Modify” to modify the instance settings.
    • In the “Encryption” section, choose the option to encrypt using a Customer-Managed Key.
    • Select the Customer-Managed Key (CMK) that you created in step 1.
    • Click on “Continue” and review the changes.
    • Click on “Modify DB Instance” to apply the changes.
  3. Monitor the Encryption Key Update:
    • Once you have modified the RDS instance to use the Customer-Managed Key, monitor the instance to ensure that the encryption key update is successful.
    • Check the RDS instance status and logs for any errors related to the encryption key update.
    • Verify that the RDS instance is using the Customer-Managed Key for encryption.
By following these steps, you can remediate the misconfiguration of using AWS-managed keys instead of Customer-Managed Keys for AWS RDS using the AWS console.

To remediate the misconfiguration of using AWS-managed keys for AWS RDS instances and switch to using Customer-Managed Keys, you can follow these steps using the AWS CLI:
  1. Create a Customer Managed Key (CMK):
    • Use the AWS Key Management Service (KMS) to create a new Customer Managed Key (CMK) if you don’t already have one.
    • Run the following command to create a CMK:
      aws kms create-key --description "Customer Managed Key for RDS Encryption"
      
    • Note down the KeyId value from the output, as you will need it in the next steps.
  2. Enable encryption with the Customer Managed Key for the RDS instance:
    • Modify the RDS instance to use the newly created CMK for encryption.
    • Run the following command to modify the RDS instance to use the Customer Managed Key:
      aws rds modify-db-instance --db-instance-identifier YOUR_DB_INSTANCE_IDENTIFIER --kms-key-id YOUR_CMK_KEY_ID
      
    • Replace YOUR_DB_INSTANCE_IDENTIFIER with the identifier of your RDS instance and YOUR_CMK_KEY_ID with the KeyId of the Customer Managed Key created in step 1.
  3. Verify the encryption settings:
    • Confirm that the RDS instance is now using the Customer Managed Key for encryption.
    • Run the following command to describe the RDS instance and verify the encryption settings:
      aws rds describe-db-instances --db-instance-identifier YOUR_DB_INSTANCE_IDENTIFIER --query "DBInstances[*].KmsKeyId"
      
    • Ensure that the KmsKeyId returned in the output matches the KeyId of the Customer Managed Key.
  4. Monitor the RDS instance:
    • Monitor the RDS instance to ensure that there are no issues after switching to Customer Managed Key encryption.
    • Check the RDS instance logs and performance metrics to ensure everything is functioning as expected.
By following these steps, you can remediate the misconfiguration of using AWS-managed keys for AWS RDS instances and switch to using Customer-Managed Keys successfully using the AWS CLI.
To remediate this misconfiguration for AWS RDS using Python, you can follow these steps:
  1. Create a Customer-Managed Key (CMK) in AWS Key Management Service (KMS):
    • Use the boto3 library in Python to create a new CMK in AWS KMS. Here is an example code snippet to create a CMK:
    import boto3
    
    kms_client = boto3.client('kms')
    
    response = kms_client.create_key(
        Description='My Customer-Managed Key',
        KeyUsage='ENCRYPT_DECRYPT',
        Origin='AWS_KMS',
    )
    
    cmk_id = response['KeyMetadata']['KeyId']
    
  2. Update the RDS instance to use the Customer-Managed Key:
    • Use the boto3 library to modify the RDS instance to use the newly created CMK. Here is an example code snippet to update the RDS instance to use the CMK:
    rds_client = boto3.client('rds')
    
    response = rds_client.modify_db_instance(
        DBInstanceIdentifier='your-rds-instance-id',
        KmsKeyId=cmk_id,
    )
    
  3. Verify the changes:
    • You can verify that the RDS instance is now using the Customer-Managed Key by describing the RDS instance and checking the KmsKeyId attribute. Here is an example code snippet to describe the RDS instance:
    response = rds_client.describe_db_instances(
        DBInstanceIdentifier='your-rds-instance-id',
    )
    
    kms_key_id = response['DBInstances'][0]['KmsKeyId']
    print(f"KMS Key ID used by RDS instance: {kms_key_id}")
    
By following these steps and running the Python code, you can remediate the misconfiguration by using a Customer-Managed Key instead of AWS-managed Keys for your AWS RDS instance.

Additional Reading: