turbot/aws_compliance

Trigger: Detect & correct RDS DB instances with encryption at rest disabled

Detect RDS DB instances with encryption at rest disabled.

Query

select
  -- human-readable title in the form <instance> [<account>/<region>]
  concat(
    r.db_instance_identifier,
    ' [',
    r.account_id,
    '/',
    r.region,
    ']'
  ) as title,
  r.db_instance_identifier,
  r.region,
  -- snapshot name handed to the corrective step; the suffix is the current
  -- timestamp with spaces replaced. RDS snapshot identifiers allow only
  -- letters, digits and hyphens, so this value must be sanitized before use.
  concat(
    r.db_instance_identifier,
    '-snapshot-',
    replace(cast(now() as varchar), ' ', '_')
  ) as snapshot_identifier,
  -- ARN of the AWS-managed RDS key (alias/aws/rds) in the instance's region
  k.arn as aws_managed_kms_key_arn,
  r.sp_connection_name as conn
from
  aws_rds_db_instance as r
  left join aws_kms_key as k on r.region = k.region,
  -- expand the key's alias list so the alias name can be filtered on
  jsonb_array_elements(k.aliases) as a
where
  -- filtering on k here turns the left join into an inner join: unencrypted
  -- instances in a region that has no alias/aws/rds managed key are not returned
  k.key_manager = 'AWS'
  and a ->> 'AliasName' = 'alias/aws/rds'
  -- the actual finding: storage encryption at rest is disabled
  and (not r.storage_encrypted);

Schedule

15m

Tags

category = Compliance
mod = aws
service = AWS/RDS