Skip to content

encrypt-cluster-storage-data

Default Severity: high

Explanation

Encryption should be enabled for an RDS Aurora cluster.

When enabling encryption by setting the kms_key_id, the storage_encrypted must also be set to true.

Possible Impact

Data can be read from the RDS cluster if it is compromised

Suggested Resolution

Enable encryption for RDS clusters

Insecure Example

The following example will fail the aws-rds-encrypt-cluster-storage-data check.

 resource "aws_rds_cluster" "bad_example" {
   name       = "bar"
   kms_key_id = ""
 }

Secure Example

The following example will pass the aws-rds-encrypt-cluster-storage-data check.

 resource "aws_rds_cluster" "good_example" {
   name              = "bar"
   kms_key_id  = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
   storage_encrypted = true
 }