encrypt-instance-storage-data

Explanation

Storage encryption should be enabled for RDS database instances by setting storage_encrypted = true; the attribute defaults to false when it is omitted.

Setting kms_key_id only selects which KMS key is used. Naming a key does not enable encryption on its own: storage_encrypted must also be set to true.

Possible Impact

If the underlying storage volume, a snapshot, or a backup of an unencrypted instance is compromised, the database contents can be read in the clear.

Suggested Resolution

Enable storage encryption for RDS instances by setting storage_encrypted = true (and optionally kms_key_id to choose a customer-managed key).

Insecure Example

The following example will fail the aws-rds-encrypt-instance-storage-data check.

resource "aws_db_instance" "bad_example" {
    # storage_encrypted is not set, so it defaults to false
}

Secure Example

The following example will pass the aws-rds-encrypt-instance-storage-data check.

resource "aws_db_instance" "good_example" {
    # storage_encrypted must be literally true for the check to pass
    storage_encrypted  = true
}
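To show how the rule above behaves on the cases it cares about, including the kms_key_id-without-storage_encrypted case from the Explanation, here is an added example that re-implements the check's logic in Python. This is not tfsec's own code: it uses a simplified, regex-based reading of Terraform (one attribute per line, literal true/false values, no variables or expressions), and the three aws_db_instance resources in SAMPLE_TF are constructed for this example, with a placeholder KMS key ARN.

```python
import re

# Constructed sample Terraform file (not from the page): three aws_db_instance
# resources exercising the cases the check cares about, plus an unrelated resource.
SAMPLE_TF = '''
resource "aws_db_instance" "unencrypted" {
  allocated_storage = 20
  engine            = "postgres"
}

resource "aws_db_instance" "key_without_flag" {
  allocated_storage = 20
  engine            = "postgres"
  kms_key_id        = "arn:aws:kms:us-east-1:111122223333:key/example-key-id"
}

resource "aws_db_instance" "encrypted" {
  allocated_storage = 20
  engine            = "postgres"
  storage_encrypted = true
  kms_key_id        = "arn:aws:kms:us-east-1:111122223333:key/example-key-id"
}

resource "aws_s3_bucket" "unrelated" {
  bucket = "example"
}
'''

RESOURCE_RE = re.compile(r'resource\s+"aws_db_instance"\s+"([^"]+)"\s*\{')
ATTR_RE = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.+?)\s*$', re.MULTILINE)


def extract_db_instances(hcl: str) -> dict:
    """Return {resource_name: body_text} for every aws_db_instance block.

    Assumption of this example: blocks are delimited by counting braces from
    the opening '{'. That is enough for flat attribute bodies like the sample,
    but it does not handle braces inside string literals or heredocs.
    """
    blocks = {}
    for m in RESOURCE_RE.finditer(hcl):
        depth, i = 1, m.end()
        while i < len(hcl) and depth:
            if hcl[i] == "{":
                depth += 1
            elif hcl[i] == "}":
                depth -= 1
            i += 1
        blocks[m.group(1)] = hcl[m.end():i - 1]
    return blocks


def parse_attrs(body: str) -> dict:
    """Top-level `name = value` pairs of a block body; values kept as raw text."""
    return {m.group(1): m.group(2) for m in ATTR_RE.finditer(body)}


def check_storage_encryption(hcl: str) -> dict:
    """Mirror of the aws-rds-encrypt-instance-storage-data rule.

    A resource passes only when storage_encrypted is literally true.
    Returns {resource_name: finding_text or None}.
    """
    results = {}
    for name, body in extract_db_instances(hcl).items():
        attrs = parse_attrs(body)
        encrypted = attrs.get("storage_encrypted", "false").strip() == "true"
        if encrypted:
            results[name] = None
        elif "kms_key_id" in attrs:
            # A key is named but the encryption flag is still off: the key
            # alone does not satisfy the check.
            results[name] = "kms_key_id set but storage_encrypted is not true"
        else:
            results[name] = "storage_encrypted missing or false (defaults to false)"
    return results


if __name__ == "__main__":
    for name, finding in check_storage_encryption(SAMPLE_TF).items():
        print(f"{name}: {'PASS' if finding is None else 'FAIL - ' + finding}")
```

Running it reports unencrypted and key_without_flag as failures and encrypted as a pass. A real scanner should parse HCL properly and resolve variables, because `storage_encrypted = var.encrypt` is neither literally true nor literally false.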