Amazon Relational Database Service (RDS) allows to easily host and manage a relational database in the cloud. RDS databases can be encrypted, ensuring the security of data-at-rest. In the case that adversaries gain physical access to the storage medium they are not able to access the data.
There is a risk if you answered yes to any of those questions.
It’s recommended to encrypt databases that contain sensitive information. Encryption and decryption are handled transparently by RDS, so no further modifications to the application are necessary.
For aws-cdk-lib.aws_rds.CfnDBCluster:
import { aws_rds as rds } from 'aws-cdk-lib';
new rds.CfnDBCluster(this, 'example', {
storageEncrypted: false, // Sensitive
});
For aws-cdk-lib.aws_rds.CfnDBInstance:
import { aws_rds as rds } from 'aws-cdk-lib';
new rds.CfnDBInstance(this, 'example', {
storageEncrypted: false, // Sensitive
});
For aws-cdk-lib.aws_rds.DatabaseCluster:
import { aws_rds as rds } from 'aws-cdk-lib';
import { aws_ec2 as ec2 } from 'aws-cdk-lib';
declare const vpc: ec2.Vpc;
const cluster = new rds.DatabaseCluster(this, 'example', {
engine: rds.DatabaseClusterEngine.auroraMysql({ version: rds.AuroraMysqlEngineVersion.VER_2_08_1 }),
instanceProps: {
vpcSubnets: {
subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS,
},
vpc,
},
storageEncrypted: false, // Sensitive
});
For aws-cdk-lib.aws_rds.DatabaseClusterFromSnapshot:
import { aws_rds as rds } from 'aws-cdk-lib';
declare const vpc: ec2.Vpc;
new rds.DatabaseClusterFromSnapshot(this, 'example', {
engine: rds.DatabaseClusterEngine.aurora({ version: rds.AuroraEngineVersion.VER_1_22_2 }),
instanceProps: {
vpc,
},
snapshotIdentifier: 'exampleSnapshot',
storageEncrypted: false, // Sensitive
});
For aws-cdk-lib.aws_rds.DatabaseInstance:
import { aws_rds as rds } from 'aws-cdk-lib';
declare const vpc: ec2.Vpc;
new rds.DatabaseInstance(this, 'example', {
engine: rds.DatabaseInstanceEngine.POSTGRES,
vpc,
storageEncrypted: false, // Sensitive
});
For aws-cdk-lib.aws_rds.DatabaseInstanceReadReplica:
import { aws_rds as rds } from 'aws-cdk-lib';
declare const sourceInstance: rds.DatabaseInstance;
new rds.DatabaseInstanceReadReplica(this, 'example', {
sourceDatabaseInstance: sourceInstance,
instanceType: ec2.InstanceType.of(ec2.InstanceClass.BURSTABLE2, ec2.InstanceSize.LARGE),
vpc,
storageEncrypted: false, // Sensitive
});
For aws-cdk-lib.aws_rds.CfnDBCluster:
import { aws_rds as rds } from 'aws-cdk-lib';
new rds.CfnDBCluster(this, 'example', {
storageEncrypted: true,
});
For aws-cdk-lib.aws_rds.CfnDBInstance:
import { aws_rds as rds } from 'aws-cdk-lib';
new rds.CfnDBInstance(this, 'example', {
storageEncrypted: true,
});
For aws-cdk-lib.aws_rds.DatabaseCluster:
import { aws_rds as rds } from 'aws-cdk-lib';
declare const vpc: ec2.Vpc;
const cluster = new rds.DatabaseCluster(this, 'example', {
engine: rds.DatabaseClusterEngine.auroraMysql({ version: rds.AuroraMysqlEngineVersion.VER_2_08_1 }),
instanceProps: {
vpcSubnets: {
subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS,
},
vpc,
},
storageEncrypted: false, // Sensitive
});
For aws-cdk-lib.aws_rds.DatabaseClusterFromSnapshot:
import { aws_rds as rds } from 'aws-cdk-lib';
declare const vpc: ec2.Vpc;
new rds.DatabaseClusterFromSnapshot(this, 'example', {
engine: rds.DatabaseClusterEngine.aurora({ version: rds.AuroraEngineVersion.VER_1_22_2 }),
instanceProps: {
vpc,
},
snapshotIdentifier: 'exampleSnapshot',
storageEncrypted: true,
});
For aws-cdk-lib.aws_rds.DatabaseInstance:
import { aws_rds as rds } from 'aws-cdk-lib';
declare const vpc: ec2.Vpc;
new rds.DatabaseInstance(this, 'example', {
engine: rds.DatabaseInstanceEngine.POSTGRES,
vpc,
storageEncrypted: true,
});
For aws-cdk-lib.aws_rds.DatabaseInstanceReadReplica:
import { aws_rds as rds } from 'aws-cdk-lib';
declare const sourceInstance: rds.DatabaseInstance;
new rds.DatabaseInstanceReadReplica(this, 'example', {
sourceDatabaseInstance: sourceInstance,
instanceType: ec2.InstanceType.of(ec2.InstanceClass.BURSTABLE2, ec2.InstanceSize.LARGE),
vpc,
storageEncrypted: true,
});