How to validate that data inside an RDS database is encrypted at rest?

3
votes

I would like to verify that the data is encrypted in an RDS instance.

I have configured the RDS instance with the Encryption enabled: Yes, and specified an KMS key. I would really like to validate that the data is encrypted.

I have created a Snapshot of the RDS instance, and executed a simple SELECT query on the database from the command line. This profile would not contain the KMS Key, but the data was readable. Would this mean that the data is not encrypted? Or can it be decrypted with any Query, not just those with the KMS Key?

Is my encrypted AWS database really encrypted?

So far I have seen this, does that mean that enabling the Encryption at an AWS level is not enough to encrypt the data at rest?

Any advice on validating the encrypted data in the database would be greatly appreciated!

1
amazon-web-servicesencryptionamazon-rds
Your question seems to be a duplicate of the one you linked to, and the answer there is correct. When an RDS instance is encrypted, the hard drives are encrypted. The RDBMS engine (MySQL, Postgres, Aurora, etc.) sees the data files in their unencrypted form because the encryption layer is performing real-time decryption/encryption between the RDBMS and the disk. Encryption "at rest" means what is stored on the disk is meaningless without the encryption key -- which your database instance has access to. You have to trust that AWS is doing what they say with this type of encryption. - Michael - sqlbot
Thanks @Michael-sqlbot - fuzzi

1 Answers

1
votes

You have to check it by verifying the snapshot. If KMS key ID has some value: it is encrypted at rest.