🟠 CIS AWS 5.2 | Rule: AWS-RDS-002 | Severity: high

Ensure RDS instances have encryption enabled

Description

RDS database instances must have encryption at rest enabled.

⚠️ Risk Impact

Unencrypted databases expose data if storage media is physically compromised or EBS snapshots are shared.

🔍 How EchelonGraph Detects This

AWS-RDS-002 (automated scanner rule)

EchelonGraph's Tier 1 Cloud Scanner automatically checks for this condition across all connected AWS accounts. Violations are flagged as high-severity findings with remediation guidance.

🔧 Remediation

Enable encryption when creating instances. Existing instances must be migrated via snapshot restore.

💀 Real-World Attack Scenario

An unencrypted RDS snapshot was accidentally shared with the 'public' AWS account group. The snapshot was discovered by a researcher and contained 200,000 patient records including diagnoses, medications, and SSNs. HIPAA violations resulted in a $5.1M settlement.

💰 Cost of Non-Compliance

Unencrypted snapshot exposure: average $3.2M per incident. HIPAA: $1.5M/violation. PCI DSS: immediate Level 1 assessment required ($200K+). GDPR: up to €20M or 4% of revenue.

📋 Audit Questions

  1. Which RDS instances are not encrypted?
  2. Are encryption keys managed by AWS or customer-managed?
  3. Are automated snapshots also encrypted?
  4. Is there a plan to migrate existing unencrypted instances?
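The first three audit questions can be answered directly from the RDS and KMS describe APIs. The script below is an added example (not EchelonGraph's scanner code): the pure function takes lists shaped like boto3's DescribeDBInstances/DescribeDBSnapshots responses plus a map of KMS key ARN to KeyManager, and the sample instances, snapshots and key ARNs are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    resource: str  # DB instance or snapshot identifier
    kind: str      # "instance" or "snapshot"
    issue: str     # "unencrypted", "aws-managed-key" or "unknown-key"

def audit_rds_encryption(instances, snapshots, key_managers):
    """instances/snapshots: lists shaped like describe_db_instances()["DBInstances"] and
    describe_db_snapshots()["DBSnapshots"]; key_managers: {kms_key_arn: KeyManager} taken from
    kms.describe_key()["KeyMetadata"]["KeyManager"], which is "AWS" or "CUSTOMER"."""
    findings = []
    for db in instances:
        name = db["DBInstanceIdentifier"]
        if not db.get("StorageEncrypted", False):
            findings.append(Finding(name, "instance", "unencrypted"))
            continue
        manager = key_managers.get(db.get("KmsKeyId"))
        if manager != "CUSTOMER":  # audit question 2: AWS-managed key, or a key we could not resolve
            findings.append(Finding(name, "instance", "aws-managed-key" if manager == "AWS" else "unknown-key"))
    for snap in snapshots:  # audit question 3: automated snapshots have SnapshotType == "automated"
        if not snap.get("Encrypted", False):
            findings.append(Finding(snap["DBSnapshotIdentifier"], "snapshot", "unencrypted"))
    return findings

def live_audit(region_name):
    """Same check against a real account; needs boto3 and read-only rds:Describe* / kms:DescribeKey."""
    import boto3  # imported lazily so audit_rds_encryption() stays usable without it
    rds, kms = boto3.client("rds", region_name=region_name), boto3.client("kms", region_name=region_name)
    instances = [i for p in rds.get_paginator("describe_db_instances").paginate() for i in p["DBInstances"]]
    snapshots = [s for p in rds.get_paginator("describe_db_snapshots").paginate() for s in p["DBSnapshots"]]
    key_arns = {i["KmsKeyId"] for i in instances if i.get("KmsKeyId")}
    key_managers = {arn: kms.describe_key(KeyId=arn)["KeyMetadata"]["KeyManager"] for arn in key_arns}
    return audit_rds_encryption(instances, snapshots, key_managers)

# Constructed sample data (not from any real account), one case per audit question above.
AWS_KEY = "arn:aws:kms:us-east-1:111122223333:key/aws-managed-example"
CMK = "arn:aws:kms:us-east-1:111122223333:key/customer-managed-example"
SAMPLE_INSTANCES = [
    {"DBInstanceIdentifier": "legacy-db", "StorageEncrypted": False},
    {"DBInstanceIdentifier": "reports-db", "StorageEncrypted": True, "KmsKeyId": AWS_KEY},
    {"DBInstanceIdentifier": "patients-db", "StorageEncrypted": True, "KmsKeyId": CMK},
]
SAMPLE_SNAPSHOTS = [
    {"DBSnapshotIdentifier": "rds:legacy-db-2024-01-01", "SnapshotType": "automated", "Encrypted": False},
    {"DBSnapshotIdentifier": "patients-db-manual", "SnapshotType": "manual", "Encrypted": True},
]
SAMPLE_KEY_MANAGERS = {AWS_KEY: "AWS", CMK: "CUSTOMER"}
```

Running `audit_rds_encryption(SAMPLE_INSTANCES, SAMPLE_SNAPSHOTS, SAMPLE_KEY_MANAGERS)` flags the unencrypted instance, the instance on an AWS-managed key, and the unencrypted automated snapshot; `live_audit("us-east-1")` does the same against one region of a real account.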

🎯 MITRE ATT&CK Mapping

  • T1530 — Data from Cloud Storage
  • T1537 — Transfer Data to Cloud Account

🏗️ Infrastructure as Code Fix

main.tf
resource "aws_db_instance" "encrypted" {
  engine                      = "postgres"
  instance_class              = "db.t3.micro"
  allocated_storage           = 20
  username                    = "dbadmin"
  manage_master_user_password = true               # master password generated and stored in Secrets Manager
  storage_encrypted           = true               # encryption at rest; cannot be changed after creation
  kms_key_id                  = aws_kms_key.rds.arn  # customer-managed key (aws_kms_key.rds defined elsewhere)
}

⚡ Common Pitfalls

  • You cannot enable encryption on an existing unencrypted instance (must snapshot-restore)
  • Forgetting to encrypt automated snapshots and cross-region replicas
  • Using AWS-managed keys when compliance requires customer-managed keys

📈 Business Value

RDS encryption protects against physical media compromise, snapshot sharing accidents, and cross-account data exposure. It's required by PCI DSS, HIPAA, and GDPR for sensitive data.

⏱️ Effort Estimate

Manual

4-8 hours per instance for snapshot-restore migration

With EchelonGraph

EchelonGraph identifies unencrypted RDS instances and tracks migration status

🔗 Cross-Framework References

  • SOC2-CC6.1
  • ISO27001-A.10.1.1
  • PCI-3.4
  • HIPAA-164.312(a)(2)(iv)

Automate CIS AWS 5.2 compliance

EchelonGraph continuously monitors this control across all your cloud accounts.
