Protecting Data at Rest on Amazon RDS

Information

Amazon RDS leverages the same secure infrastructure as Amazon EC2. You can use the Amazon RDS service without additional protection, but if you require encryption or integrity authentication of data at rest for compliance or other purposes, you can add protection at the application layer, or at the platform layer using SQL cryptographic functions.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

You could add protection at the application layer, for example by using a built-in encryption function to encrypt all sensitive database fields with an application key before storing them in the database. The application can manage keys by combining symmetric encryption with a PKI infrastructure or other asymmetric key techniques to protect a master encryption key.

See Also

https://d1.awsstatic.com/whitepapers/Security/AWS_Security_Best_Practices.pdf

Item Details

Category: ACCESS CONTROL, AUDIT AND ACCOUNTABILITY, IDENTIFICATION AND AUTHENTICATION, PHYSICAL AND ENVIRONMENTAL PROTECTION, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY

References: 800-53|AC-2, 800-53|AC-3, 800-53|AC-4, 800-53|AC-6, 800-53|AC-11, 800-53|AC-18, 800-53|AU-13, 800-53|IA-3, 800-53|IA-7, 800-53|PE-19, 800-53|SA-8, 800-53|SC-7, 800-53|SC-8, 800-53|SC-9, 800-53|SC-13, 800-53|SC-16, 800-53|SC-23, 800-53|SC-28, 800-53|SI-7, 800-53|SI-8

Plugin: amazon_aws

Control ID: bd6f680fb84b597f3b7519558ebf85733d5796570988567963175eb3bee86950