AWS RDS DB snapshot does not use Customer Managed Keys (CMKs)
Description
This policy identifies RDS database snapshots that are not encrypted with a customer managed KMS key (CMK). It is a best practice to manage your own encryption keys for all storage volumes and snapshots.
Code Example

```hcl
resource "aws_db_snapshot_copy" "pass" {
  source_db_snapshot_identifier = aws_db_snapshot.example.db_snapshot_arn
  target_db_snapshot_identifier = "testsnapshot1234-copy"
}
```

Remediation
The encryption of an existing snapshot cannot be changed. Instead, create a new manual snapshot and copy it with CMK encryption enabled.
. Open the Amazon RDS console.
. In the navigation pane, choose Databases.
. Choose the DB instance for which you want to create a manual snapshot.
. Create a manual snapshot for your DB instance.
. In the navigation pane, choose Snapshots.
. Select the manual snapshot that you created.
. Choose Actions, and then choose Copy Snapshot.
. Under Encryption, select Enable Encryption.
. For AWS KMS Key, choose the new encryption key that you want to use.
. Choose Copy snapshot.
. Restore the copied snapshot.

=== Fix - Buildtime
Terraform
- Resource: aws_db_snapshot_copy
- Arguments: kms_key_id
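An added example, not taken from the policy page, showing a snapshot copy that fails this check next to one that passes. The KMS key, alias and resource names are assumptions, and `aws_db_snapshot.example` is assumed to be defined elsewhere in the same configuration.

```hcl
# Added example; the key, alias and resource names are assumptions.

# Customer managed key (CMK) used to encrypt the snapshot copy.
resource "aws_kms_key" "rds_snapshot" {
  description             = "CMK for RDS snapshot copies"
  enable_key_rotation     = true
  deletion_window_in_days = 30
}

resource "aws_kms_alias" "rds_snapshot" {
  name          = "alias/rds-snapshot-cmk"
  target_key_id = aws_kms_key.rds_snapshot.key_id
}

# Fails CKV_AWS_266: kms_key_id is absent, so the copy is not
# encrypted with a customer managed key.
resource "aws_db_snapshot_copy" "fail" {
  source_db_snapshot_identifier = aws_db_snapshot.example.db_snapshot_arn
  target_db_snapshot_identifier = "testsnapshot1234-copy-no-cmk"
}

# Passes CKV_AWS_266: kms_key_id references the CMK above.
resource "aws_db_snapshot_copy" "pass" {
  source_db_snapshot_identifier = aws_db_snapshot.example.db_snapshot_arn
  target_db_snapshot_identifier = "testsnapshot1234-copy"
  kms_key_id                    = aws_kms_key.rds_snapshot.arn
  copy_tags                     = true
}
```

Running `checkov -d .` against this directory reports the first copy as failed and the second as passed for CKV_AWS_266.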
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0314 |
| Severity | LOW |
| IaC Type | Terraform |
| Frameworks | Terraform |
| Checkov ID | CKV_AWS_266 |