@curly-review curly-review bot commented May 1, 2025

Issue Details

ID: CRLY.01072
Severity: HIGH
File: cfn/cfn-nipap-backend.json


Remediation Summary

Description

The security finding indicates that the data stored in the RDS instance is not securely encrypted at rest. This poses a risk as unencrypted data can be accessed by unauthorized users if the storage medium is compromised.

Steps

To remediate this issue, you need to add the KmsKeyId property to the Properties section of the RdsNipapDb resource in your CloudFormation template. This property specifies the KMS key that RDS will use to encrypt the data at rest.

Here's how you can update your CloudFormation template programmatically:

  1. Identify the KMS Key ARN: Ensure you have the ARN of the KMS key you want to use for encryption. You can create a KMS key using the AWS CLI or SDK if you don't already have one.

  2. Update the CloudFormation Template: Add the KmsKeyId property under the Properties section of the RdsNipapDb resource.

Here is an example of how to update the CloudFormation template:

"RdsNipapDb": {
    "Type": "AWS::RDS::DBInstance",
    "Properties": {
        "AllocatedStorage": "5",
        "AllowMajorVersionUpgrade": true,
        "AutoMinorVersionUpgrade": true,
        "BackupRetentionPeriod": "30",
        "DBInstanceClass": "db.t2.micro",
        "DBInstanceIdentifier": "talr-nipap",
        "DBName": "nipap",
        "DBSecurityGroups": [{
            "Ref": "SgNipapPostgres"
        }],
        "DBSubnetGroupName": {
            "Ref": "TailorNipapDbSubnetGroup"
        },
        "Engine": "postgres",
        "MasterUsername": "root",
        "MasterUserPassword": {
            "Ref": "TailorNipapDbMasterPassword"
        },
        "MultiAZ": true,
        "StorageType": "gp2",
        "Tags": [{
            "Key": "Name",
            "Value": "Tailor NIPAP"
        }, {
            "Key": "stack",
            "Value": {
                "Ref": "EnvironmentName"
            }
        }, {
            "Key": "app",
            "Value": {
                "Ref": "AppName"
            }
        }, {
            "Key": "purpose",
            "Value": "DB backend for NIPAP IPAM tool"
        }],
        "StorageEncrypted": true,
        "KmsKeyId": "arn:aws:kms:us-west-2:123456789012:key/abcd1234-a123-456a-a12b-a123b4cd56ef"
    },
    "DeletionPolicy": "Snapshot"
}

Replace arn:aws:kms:us-west-2:123456789012:key/abcd1234-a123-456a-a12b-a123b4cd56ef with the actual ARN of your KMS key.

  3. Deploy the Updated Template: After updating the template, deploy the CloudFormation stack using the AWS CLI or SDK.
aws cloudformation deploy --template-file cfn/cfn-nipap-backend.json --stack-name nipap-backend --capabilities CAPABILITY_NAMED_IAM

By following these steps, you will ensure that all data stored in the RDS instance is securely encrypted at rest.
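The audit-and-fix step described above, written as an added Python example that is not part of the bot's comment or the repository: it scans a CloudFormation JSON template for `AWS::RDS::DBInstance` resources without `StorageEncrypted` set and returns a copy with `StorageEncrypted` and `KmsKeyId` added. The template and resource names below are constructed for the example, and the KMS ARN is a placeholder.

```python
"""Audit a CloudFormation JSON template for RDS instances that are not
encrypted at rest, and produce a remediated copy."""
import copy
import json

# Constructed sample template; not the repository's cfn/cfn-nipap-backend.json.
SAMPLE_TEMPLATE = {
    "Resources": {
        "RdsNipapDb": {
            "Type": "AWS::RDS::DBInstance",
            "Properties": {"Engine": "postgres", "DBInstanceClass": "db.t2.micro"},
            "DeletionPolicy": "Snapshot",
        },
        "SgNipapPostgres": {"Type": "AWS::RDS::DBSecurityGroup", "Properties": {}},
    }
}


def find_unencrypted_rds(template):
    """Return logical IDs of AWS::RDS::DBInstance resources whose storage is
    not encrypted at rest (StorageEncrypted missing or not true)."""
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::RDS::DBInstance":
            continue
        props = res.get("Properties", {})
        # Read replicas inherit encryption from their source instance; skip them.
        if "SourceDBInstanceIdentifier" in props:
            continue
        # Accept both JSON booleans and the string form "true".
        if str(props.get("StorageEncrypted", False)).lower() != "true":
            findings.append(logical_id)
    return findings


def remediate(template, kms_key_id):
    """Return a deep copy with StorageEncrypted and KmsKeyId set on every
    flagged instance. Both are required: KmsKeyId is rejected unless
    StorageEncrypted is true."""
    fixed = copy.deepcopy(template)
    for logical_id in find_unencrypted_rds(fixed):
        props = fixed["Resources"][logical_id].setdefault("Properties", {})
        props["StorageEncrypted"] = True
        props["KmsKeyId"] = kms_key_id
    return fixed


if __name__ == "__main__":
    print("unencrypted:", find_unencrypted_rds(SAMPLE_TEMPLATE))
    fixed = remediate(SAMPLE_TEMPLATE, "arn:aws:kms:REGION:ACCOUNT:key/KEY-ID")  # placeholder
    print(json.dumps(fixed["Resources"]["RdsNipapDb"]["Properties"], indent=2))
```

Changing `StorageEncrypted` on an existing instance is a replacement update, so snapshot the current database before deploying the remediated template.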
