Alibaba Cloud Transparent Data Encryption is disabled on instance
Description
This policy ensures that Transparent Data Encryption (TDE) is enabled on Alibaba Cloud RDS (Relational Database Service) instances. TDE helps protect data at rest by encrypting the storage of an entire database. It ensures that data is secured, meeting compliance requirements for protecting sensitive data.
Failing to enable Transparent Data Encryption can result in data breaches if unauthorized users gain access to the underlying storage of the database.
Remediation
Terraform
- Resource: alicloud_db_instance
- Attribute: tde_status
To mitigate this issue, ensure that the `tde_status` attribute is set to `Enabled` for the `alicloud_db_instance` resource. Confirm that the `engine` is either `MySQL` or `SQLServer` and that the `engine_version` is supported.
Example:
```hcl
resource "alicloud_db_instance" "example" {
  ...
  engine         = "MySQL"
  engine_version = "8.0"
+ tde_status     = "Enabled"
}
```
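The check this policy performs can be reproduced locally before a scanner such as Checkov runs, which is useful for pre-commit hooks. The following is an added illustration, not code from the page or from Checkov: it reads `alicloud_db_instance` blocks out of Terraform text with a minimal regex-based extractor (assumed adequate for simple, unindented top-level blocks; a real HCL parser would be used in production) and reports each instance as FAILED when `tde_status` is not `"Enabled"`, PASSED when it is, and SKIPPED for engines the page does not scope the check to. The sample Terraform snippets are constructed for the example.

```python
import re

# Constructed sample Terraform (not from the page): four RDS instances and one
# unrelated resource, covering the cases the remediation text distinguishes.
SAMPLE_TF = '''
resource "alicloud_db_instance" "missing_tde" {
  engine         = "MySQL"
  engine_version = "8.0"
  instance_type  = "rds.mysql.s2.large"
}

resource "alicloud_db_instance" "tde_disabled" {
  engine         = "SQLServer"
  engine_version = "2019_std_ha"
  tde_status     = "Disabled"
}

resource "alicloud_db_instance" "tde_enabled" {
  engine         = "MySQL"
  engine_version = "8.0"
  tde_status     = "Enabled"
}

resource "alicloud_db_instance" "other_engine" {
  engine         = "PostgreSQL"
  engine_version = "13.0"
}

resource "alicloud_vpc" "net" {
  cidr_block = "10.0.0.0/16"
}
'''

# Engines the page names as in scope for this check.
TDE_ENGINES = {"MySQL", "SQLServer"}

# Matches a top-level alicloud_db_instance block; assumes the closing brace of
# the resource sits at column 0, as terraform fmt emits it.
BLOCK_RE = re.compile(
    r'resource\s+"alicloud_db_instance"\s+"([^"]+)"\s*\{(.*?)\n\}', re.S
)
# Matches simple string attributes: name = "value"
ATTR_RE = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"', re.M)


def parse_db_instances(tf_text):
    """Return {resource_name: {attribute: value}} for alicloud_db_instance blocks."""
    instances = {}
    for match in BLOCK_RE.finditer(tf_text):
        name, body = match.group(1), match.group(2)
        instances[name] = dict(ATTR_RE.findall(body))
    return instances


def check_tde(attrs):
    """Evaluate one instance's attributes against the tde_status policy."""
    if attrs.get("engine") not in TDE_ENGINES:
        # Outside the engines the page scopes this check to; not judged here.
        return "SKIPPED"
    return "PASSED" if attrs.get("tde_status") == "Enabled" else "FAILED"


def scan(tf_text):
    """Map every alicloud_db_instance resource name to its check result."""
    return {name: check_tde(attrs) for name, attrs in parse_db_instances(tf_text).items()}


if __name__ == "__main__":
    for name, result in scan(SAMPLE_TF).items():
        print(f"{result:7s} alicloud_db_instance.{name}")
```

A missing attribute and an explicit `"Disabled"` are both reported as FAILED, matching the policy's intent that only `Enabled` satisfies it; the unrelated `alicloud_vpc` resource is never considered.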
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0022 |
| Severity | LOW |
| IaC Type | Terraform |
| Frameworks | Terraform |
| Checkov ID | CKV_ALI_22 |