RDS.4: RDS snapshots should be encrypted at rest
Written and reviewed by Emnode · Last reviewed
What does AWS Security Hub RDS.4 check?
RDS.4 checks whether an RDS snapshot is encrypted at rest. It evaluates both AWS::RDS::DBClusterSnapshot and AWS::RDS::DBSnapshot resources — covering Aurora cluster snapshots and single-instance snapshots, and it can raise findings for Neptune and DocumentDB snapshots too. It reports FAILED for any unencrypted snapshot.
Why does RDS.4 matter?
A snapshot is a complete, restorable copy of a database — every row, every column, every secret the application stored. An unencrypted snapshot sits on disk with no encryption layer, so anyone who reaches it or a copy shared to another account can restore it into a live database and read everything. Snapshots inherit the encryption state of their source instance, so an instance launched without encryption produces unencrypted snapshots forever, and the finding follows every backup.
How do I fix RDS.4?
- Copy the unencrypted snapshot with copy-db-snapshot (or copy-db-cluster-snapshot) supplying --kms-key-id to produce an encrypted copy.
- Use the encrypted copy for any restore or cross-account share, and delete the unencrypted original.
- Address the root cause by migrating the unencrypted source instance to an encrypted one so future snapshots inherit encryption.
- Enforce a default KMS key in provisioning templates.
Remediation script · bash
# 1. Find unencrypted databases across engines (RDS and Redshift shown; OpenSearch follows the same pattern).
aws rds describe-db-instances \
--query 'DBInstances[?StorageEncrypted==`false`].DBInstanceIdentifier' --output text
aws redshift describe-clusters \
--query 'Clusters[?Encrypted==`false`].ClusterIdentifier' --output text
# 2. Immutable engine (RDS): snapshot, copy WITH a KMS key, restore the new instance.
#    The restored instance inherits encryption from the encrypted snapshot.
SRC=prod-orders-db; KEY=alias/db-encryption
aws rds create-db-snapshot --db-instance-identifier "$SRC" --db-snapshot-identifier "${SRC}-snap"
aws rds wait db-snapshot-completed --db-snapshot-identifier "${SRC}-snap"
aws rds copy-db-snapshot \
--source-db-snapshot-identifier "${SRC}-snap" \
--target-db-snapshot-identifier "${SRC}-snap-enc" \
--kms-key-id "$KEY"
aws rds wait db-snapshot-completed --db-snapshot-identifier "${SRC}-snap-enc"
aws rds restore-db-instance-from-db-snapshot \
--db-instance-identifier "${SRC}-enc" --db-snapshot-identifier "${SRC}-snap-enc"
# 3. In-place engine (Redshift): background migration, run in a maintenance window.
aws redshift modify-cluster --cluster-identifier analytics-prod \
--encrypted --kms-key-id "$KEY"
# 4. Prevent recurrence: enforce encryption by default for new EBS volumes.
#    Note: this setting governs EC2 EBS volumes only; RDS storage encryption is chosen
#    per instance at creation (StorageEncrypted), so enforce it in provisioning templates as well.
aws ec2 enable-ebs-encryption-by-default
Full walkthrough (console steps, edge cases and verification) in the lesson Encrypt AWS databases at rest.
Is RDS.4 a false positive?
You cannot encrypt an existing unencrypted snapshot in place — the only path is copy-with-KMS to create a new encrypted snapshot. Fixing the snapshot alone is cosmetic if the source instance is still unencrypted, since the next backup will fail the control again.
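The evaluation and copy-with-KMS remediation described in the fix steps and above, as an added example (not Emnode's code): it runs the RDS.4 logic offline over constructed records shaped like describe-db-snapshots and describe-db-cluster-snapshots output, and emits the copy command that fixes each FAILED snapshot. It assumes the field names `Encrypted` (DBSnapshot) and `StorageEncrypted` (DBClusterSnapshot), and the sample identifiers and KMS alias are constructed.

```python
from dataclasses import dataclass
from typing import Optional

DB_ENCRYPTED_KEY = "Encrypted"              # DBSnapshot records use this field
CLUSTER_ENCRYPTED_KEY = "StorageEncrypted"  # DBClusterSnapshot records use this one

@dataclass
class Finding:
    resource_type: str
    identifier: str
    status: str                          # "PASSED" or "FAILED", as Security Hub reports it
    remediation: Optional[list] = None   # argv producing an encrypted copy, or None

def _target_name(identifier: str) -> str:
    # Automated snapshots are named "rds:<instance>-<timestamp>"; a target identifier
    # may not start with "rds:", so strip the prefix before adding the suffix.
    return identifier.removeprefix("rds:") + "-enc"

def evaluate_rds4(db_snapshots, cluster_snapshots, kms_key_id):
    """One Finding per snapshot; FAILED ones carry the copy-with-KMS command when copyable."""
    findings = []
    for kind, key, id_key, cmd, flag, snaps in (
        ("AWS::RDS::DBSnapshot", DB_ENCRYPTED_KEY, "DBSnapshotIdentifier",
         "copy-db-snapshot", "db-snapshot", db_snapshots),
        ("AWS::RDS::DBClusterSnapshot", CLUSTER_ENCRYPTED_KEY, "DBClusterSnapshotIdentifier",
         "copy-db-cluster-snapshot", "db-cluster-snapshot", cluster_snapshots),
    ):
        for s in snaps:
            ident = s[id_key]
            if s.get(key, False):
                findings.append(Finding(kind, ident, "PASSED"))
                continue
            remediation = None
            if s.get("Status") == "available":   # a copy fails while the snapshot is still creating
                remediation = ["aws", "rds", cmd,
                               f"--source-{flag}-identifier", ident,
                               f"--target-{flag}-identifier", _target_name(ident),
                               "--kms-key-id", kms_key_id]
            findings.append(Finding(kind, ident, "FAILED", remediation))
    return findings

def failed_identifiers(findings):
    return [f.identifier for f in findings if f.status == "FAILED"]

# Constructed sample records (not real account data).
SAMPLE_DB_SNAPSHOTS = [
    {"DBSnapshotIdentifier": "rds:prod-orders-db-2024-05-01-03-00", "SnapshotType": "automated",
     "Status": "available", "Encrypted": False},
    {"DBSnapshotIdentifier": "prod-orders-db-snap-enc", "SnapshotType": "manual",
     "Status": "available", "Encrypted": True, "KmsKeyId": "alias/db-encryption"},
    {"DBSnapshotIdentifier": "staging-manual", "SnapshotType": "manual",
     "Status": "creating", "Encrypted": False},
]
SAMPLE_CLUSTER_SNAPSHOTS = [
    {"DBClusterSnapshotIdentifier": "aurora-prod-snap", "Status": "available", "StorageEncrypted": False},
]
```

Snapshots that are still creating are reported FAILED with no command, since the copy must wait for the source to reach available.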