AWS RDS Instance Is Not Encrypted

This policy identifies AWS RDS instances which are not encrypted. Amazon Relational Database Service (Amazon RDS) is a web service that makes it easier to set up and manage databases. Amazon allows customers to turn on encryption for RDS which is recommended for compliance and security reasons.

Policy Details

Policy Subtype
Run, Build
Template Type

Build Rules

AWS RDS instance is not encrypted.
JSON Query:
$.Resources.*[?(@.Type=='AWS::RDS::DBInstance')].Properties.StorageEncrypted any null or $.Resources.*[?(@.Type=='AWS::RDS::DBInstance')].Properties.StorageEncrypted any equal false
Recommended solution for encrypting RDS instance.
It is recommended to encrypt RDS instance. Please make sure that "StorageEncrypted" attribute exists and is set to "true".
For example:
"MyDB": { "Type": "AWS::RDS::DBInstance", "Properties": { "AllocatedStorage": "100", "DBInstanceClass": "db.t3.small", "StorageEncrypted":true, "MultiAZ": true } }

Run Rule Recommendation

Amazon RDS instance can only be encrypted at the time of DB instance creation. So to resolve this alert, create a new DB instance with encryption and then migrate all required DB instance data from the reported DB instance to this newly created DB instance.
To create RDS DB instance with encryption, follow the instructions mentioned in below reference link based on your Database vendor:.


There are 12 standards that are applicable to this policy:
  • NIST 800-171 Rev1
  • NIST 800-53 Rev4
  • ISO 27001:2013
  • HITRUST CSF v9.3
  • PCI DSS v3.2
  • GDPR
  • CSA CCM v3.0.1
  • SOC 2
  • CCPA 2018

Recommended For You