Updated on 2025-08-25 GMT+08:00

RDS Instances Use KMS Encryption

Rule Details

Table 1 Rule details

| Parameter | Description |
|---|---|
| Rule Name | rds-instances-enable-kms |
| Identifier | RDS Instances Use KMS Encryption |
| Description | If KMS encryption is not enabled for an RDS instance, this instance is non-compliant. |
| Tag | rds |
| Trigger Type | Configuration change |
| Filter Type | rds.instances |
| Rule Parameters | None |

Application Scenarios

To improve data security, enable server-side encryption. When you create a DB instance or scale up storage space, data is encrypted on the server before it is stored. This reduces the risk of data leakage.

Solution

Create a key using the Data Encryption Workshop (DEW). When creating a DB instance, select Enable for disk encryption and select the key you created. The key is the end tenant key and is used for server-side encryption. For details, see Performing a Server-Side Encryption.

Rule Logic

  • If server-side encryption is not enabled for an RDS instance, this instance is non-compliant.
  • If server-side encryption is enabled for an RDS instance, this instance is compliant.