Amazon Relational Database Service (RDS) allows to easily host and manage a relational database in the cloud. RDS databases can be encrypted, ensuring the security of data-at-rest. In the case that adversaries gain physical access to the storage medium they are not able to access the data.

Ask Yourself Whether

• The database contains sensitive data that could cause harm when leaked.
• There are compliance requirements for the service to store data encrypted.

There is a risk if you answered yes to any of those questions.

Recommended Secure Coding Practices

It’s recommended to encrypt databases that contain sensitive information. Encryption and decryption are handled transparently by RDS, so no further modifications to the application are necessary.

Sensitive Code Example

For AWS::RDS::DBInstance:

AWSTemplateFormatVersion: '2010-09-09'
Resources:
  DatabaseInstance:
    Type: AWS::RDS::DBInstance
    Properties:
      StorageEncrypted: false  # Sensitive, disabled by default

Compliant Solution

For AWS::RDS::DBInstance:

AWSTemplateFormatVersion: '2010-09-09'
Resources:
  DatabaseInstance:
    Type: AWS::RDS::DBInstance
    Properties:
      StorageEncrypted: true

See

• Encrypting Amazon RDS resources
• OWASP Top 10 2017 Category A3 - Sensitive Data Exposure
• OWASP Top 10 2017 Category A6 - Security Misconfiguration
• MITRE, CWE-311 - Missing Encryption of Sensitive Data