Using unencrypted RDS DB resources exposes data to unauthorized access to the underlying storage.
This includes database data, logs, automatic backups, read replicas, snapshots, and cluster metadata.

This situation can occur in a variety of scenarios, such as:

• a malicious insider working at the cloud provider gains physical access to the storage device and exfiltrates data.
• unknown attackers penetrate the cloud provider’s logical infrastructure and systems for extortion.

AWS-managed encryption at rest reduces this risk with a simple switch.

Ask Yourself Whether

• The database contains sensitive data that could cause harm when leaked.
• There are compliance requirements for the service to store data encrypted.

There is a risk if you answered yes to any of those questions.

Recommended Secure Coding Practices

It is recommended to enable encryption at rest on any RDS DB resource, regardless of the engine.
In any case, no further maintenance is required as encryption at rest is fully managed by AWS.

Sensitive Code Example

For aws_db_instance and aws_rds_cluster:

resource "aws_db_instance" "example" {
  storage_encrypted = false  # Sensitive, disabled by default
}

resource "aws_rds_cluster" "example" {
  storage_encrypted = false # Sensitive, disabled by default
}

Compliant Solution

For aws_db_instance and aws_rds_cluster:

resource "aws_db_instance" "example" {
  storage_encrypted = true
}

resource "aws_rds_cluster" "example" {
  storage_encrypted = false # Sensitive, disabled by default
}

See

• AWS Documentation - Encrypting Amazon RDS resources
• MITRE, CWE-311 - Missing Encryption of Sensitive Data