AWS Relational Database Service (RDS) supports encryption at rest using AWS Key Management Service (KMS) to protect database instances and clusters.

Why is this an issue?

When RDS database instances and clusters are not encrypted at rest, all data stored on disk is exposed to anyone who gains access to the underlying storage. This includes database data, logs, automatic backups, read replicas, snapshots, and cluster metadata. The rule flags explicit disabling of storage encryption as well as configurations where the property is omitted and encryption is disabled by default. AWS-managed encryption at rest reduces this risk with a simple configuration change and requires no further maintenance.

What is the potential impact?

Unauthorized Data Access

If an attacker or malicious insider gains access to unencrypted RDS storage — whether through a breach of the cloud provider’s infrastructure or physical access to storage devices — all stored data is readable in plaintext. This exposes sensitive information such as personal data, financial records, or proprietary business data.

Data Theft and Compliance Violations

Theft of unencrypted data can result in regulatory fines, reputational damage, and legal liability, particularly for data subject to compliance requirements such as PCI DSS.

How to fix it

Code examples

The following examples create RDS resources with storage_encrypted set to false or omitted (encryption is off by default), which leaves all database data, logs, automatic backups, read replicas, and snapshots unprotected at rest.

Noncompliant code example

For aws_db_instance and aws_rds_cluster:

resource "aws_db_instance" "example" {
  storage_encrypted = false # Noncompliant: encryption at rest explicitly disabled (also off when the attribute is omitted)
}

resource "aws_rds_cluster" "example" {
  storage_encrypted = false # Noncompliant: encryption at rest explicitly disabled (also off when the attribute is omitted)
}

Compliant solution

For aws_db_instance and aws_rds_cluster:

resource "aws_db_instance" "example" {
  storage_encrypted = true
}

resource "aws_rds_cluster" "example" {
  storage_encrypted = true
}
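The rule described above flags two shapes of configuration: an explicit storage_encrypted = false and a resource block that omits the attribute altogether, since RDS leaves encryption off by default. The following Python scanner is an added illustration of that detection logic, not code from the page, the rule engine, or the Terraform AWS provider. It walks resource blocks in a Terraform file by brace matching, applies the check only to aws_db_instance and aws_rds_cluster, and reports why each hit was flagged. The sample HCL strings are constructed here; the first two mirror the page's noncompliant and compliant examples, and the third adds an omitted attribute, an unrelated resource type, and a value driven by a variable.

```python
import re

# Resource types the rule covers (named on the page).
CHECKED_TYPES = {"aws_db_instance", "aws_rds_cluster"}

_RESOURCE_RE = re.compile(r'resource\s+"([^"]+)"\s+"([^"]+)"\s*\{')
# Captures the raw right-hand side of storage_encrypted up to a newline or a '#' comment.
_ATTR_RE = re.compile(r'^\s*storage_encrypted\s*=\s*([^\n#]+)', re.MULTILINE)


def _block_body(text, open_brace):
    """Return the text between the brace at text[open_brace] and its matching '}'."""
    depth = 0
    for i in range(open_brace, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_brace + 1:i]
    raise ValueError("unbalanced braces in HCL input")


def find_unencrypted(hcl):
    """Report RDS resources whose storage encryption is off.

    Returns (resource_type, resource_name, reason) tuples, where reason is
    "explicit false" or "omitted". A non-literal value such as var.encrypt
    is left alone: a text scanner cannot evaluate it, so it is neither
    flagged nor assumed safe.
    """
    findings = []
    for match in _RESOURCE_RE.finditer(hcl):
        rtype, name = match.group(1), match.group(2)
        if rtype not in CHECKED_TYPES:
            continue
        body = _block_body(hcl, match.end() - 1)  # match ends on the '{'
        attr = _ATTR_RE.search(body)
        if attr is None:
            findings.append((rtype, name, "omitted"))
        elif attr.group(1).strip() == "false":
            findings.append((rtype, name, "explicit false"))
    return findings


# Constructed sample inputs (not real infrastructure code).
NONCOMPLIANT_HCL = """
resource "aws_db_instance" "example" {
  storage_encrypted = false # Noncompliant, disabled by default
}

resource "aws_rds_cluster" "example" {
  storage_encrypted = false # Noncompliant, disabled by default
}
"""

COMPLIANT_HCL = """
resource "aws_db_instance" "example" {
  storage_encrypted = true
}

resource "aws_rds_cluster" "example" {
  storage_encrypted = true
}
"""

MIXED_HCL = """
resource "aws_db_instance" "legacy" {
  engine         = "postgres"
  instance_class = "db.t3.micro"
  tags = {
    team = "data"
  }
}

resource "aws_s3_bucket" "logs" {
  bucket = "example-logs"
}

resource "aws_rds_cluster" "parameterized" {
  storage_encrypted = var.encrypt_storage
}
"""

if __name__ == "__main__":
    for label, text in (("noncompliant", NONCOMPLIANT_HCL),
                        ("compliant", COMPLIANT_HCL),
                        ("mixed", MIXED_HCL)):
        print(label, find_unencrypted(text))
```

The regex-and-brace approach is enough to show the rule's two conditions but is not a substitute for a real HCL parser or a static analyzer; a value taken from a variable or module output is deliberately reported as neither finding. When remediating, note that RDS does not allow turning encryption on for an existing unencrypted instance in place: the usual path is to snapshot it, copy the snapshot with encryption enabled, and restore from the encrypted copy before switching the Terraform configuration to storage_encrypted = true.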
