AWS RDS database instance not configured with encryption in transit
Description
This policy detects whether an Amazon RDS database instance is not configured to use data-in-transit encryption, potentially exposing sensitive data to unauthorized access through unencrypted data transmission between the database and other services or clients. A lack of encryption in transit increases the risk of data interception and unauthorized access, leading to potential data breaches. Implementing encryption in transit is crucial for maintaining data integrity and confidentiality in cloud environments.
Code Example
```hcl
resource "aws_db_parameter_group" "example" {
  name   = "example-force-ssl"
  family = "postgres15"   # must match the engine family of the instance

  # Ensure the RDS instance is configured with encryption in transit
  parameter {
    name  = "rds.force_ssl"
    value = "1"
  }
}

resource "aws_db_instance" "example" {
  # ... other configurations ...
  engine               = "postgres"
  parameter_group_name = aws_db_parameter_group.example.name
}
```
Remediation
Configure the following database engines to enforce secure connections by setting the relevant parameter in the instance's DB parameter group using Terraform.
- Postgres and SQL Server: rds.force_ssl set to 1
- MariaDB and MySQL: require_secure_transport set to 1
- DB2: db2comm set to SSL
Terraform
- Resource: aws_db_instance, aws_db_parameter_group
- Arguments: parameter
This example shows how to configure an Amazon RDS instance to enforce encryption in transit.
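To check an existing Terraform plan for the same condition, the following added example (not the policy's own implementation) reads the `planned_values` section of `terraform show -json` output and flags every `aws_db_instance` whose parameter group does not set the engine-specific parameter listed above. It assumes `parameter_group_name` is a literal name resolvable within the plan; the sample plan embedded below is constructed for illustration.

```python
# Engine prefix -> (parameter name, required value), taken from the remediation list above.
REQUIRED = {
    "postgres": ("rds.force_ssl", "1"),
    "sqlserver": ("rds.force_ssl", "1"),
    "mysql": ("require_secure_transport", "1"),
    "mariadb": ("require_secure_transport", "1"),
    "db2": ("db2comm", "SSL"),
}
def required_param(engine):
    """Map an RDS engine string such as 'sqlserver-ee' or 'db2-se' to its TLS parameter."""
    for prefix, rule in REQUIRED.items():
        if engine.lower().startswith(prefix):
            return rule
    return None  # engine not covered by this policy

def find_unencrypted(plan):
    """Return addresses of aws_db_instance resources whose parameter group does not force TLS."""
    resources = plan["planned_values"]["root_module"]["resources"]
    # Index every parameter group by name first so instances can be resolved in any order.
    groups = {}
    for r in resources:
        if r["type"] == "aws_db_parameter_group":
            v = r["values"]
            groups[v["name"]] = {p["name"]: str(p["value"]) for p in v.get("parameter", [])}
    findings = []
    for r in resources:
        if r["type"] != "aws_db_instance":
            continue
        rule = required_param(r["values"].get("engine", ""))
        if rule is None:
            continue
        name, want = rule
        params = groups.get(r["values"].get("parameter_group_name"), {})  # default group -> {}
        if params.get(name, "").upper() != want.upper():
            findings.append(r["address"])
    return findings

# Constructed sample plan (not real output); only the fields this check reads are included.
SAMPLE_PLAN = {"planned_values": {"root_module": {"resources": [
    {"address": "aws_db_parameter_group.pg_tls", "type": "aws_db_parameter_group",
     "values": {"name": "pg-tls", "parameter": [{"name": "rds.force_ssl", "value": "1"}]}},
    {"address": "aws_db_instance.good", "type": "aws_db_instance",
     "values": {"engine": "postgres", "parameter_group_name": "pg-tls"}},
    {"address": "aws_db_instance.bad", "type": "aws_db_instance",
     "values": {"engine": "mysql", "parameter_group_name": "default.mysql8.0"}},
    {"address": "aws_db_instance.db2", "type": "aws_db_instance",
     "values": {"engine": "db2-se", "parameter_group_name": "db2-tls"}},
    {"address": "aws_db_parameter_group.db2_tls", "type": "aws_db_parameter_group",
     "values": {"name": "db2-tls", "parameter": [{"name": "db2comm", "value": "ssl"}]}},
]}}}
```

Running `find_unencrypted(SAMPLE_PLAN)` reports only `aws_db_instance.bad`, the MySQL instance left on a default parameter group.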
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0502 |
| Severity | MEDIUM |
| IaC Type | Cloudformation |
| Frameworks | Terraform |
| Checkov ID | CKV2_AWS_69 |