
Ensure that encryption is enabled for RDS Instances

Amazon RDS encrypted DB instances use the industry standard AES-256 encryption algorithm to encrypt your data on the server that hosts your Amazon RDS DB instances. After your data is encrypted, Amazon RDS handles authentication of access and decryption of your data transparently with a minimal impact on performance.

Category

Controls

Medium

Applies to

AWS

Coverage

null controls, 1 queries

Asset types

1 covered

Remediation guidance

From Console

  1. Log in to the AWS Management Console and open the RDS dashboard at https://console.aws.amazon.com/rds/.
  2. In the left navigation panel, click Databases.
  3. Select the database instance that needs to be encrypted.
  4. Click the Actions button at the top right and select Take Snapshot.
  5. On the Take Snapshot page, enter a name for the snapshot in the Snapshot Name field and click Take Snapshot.
  6. Select the newly created snapshot, click the Actions button at the top right and select Copy Snapshot from the Actions menu.
  7. On the Make Copy of DB Snapshot page, do the following:
  • In the New DB Snapshot Identifier field, enter a name for the new snapshot.
  • Check Copy Tags; the new snapshot must have the same tags as the source snapshot.
  • Select Yes from the Enable Encryption dropdown list to enable encryption. You can choose the AWS default encryption key or a custom key from the Master Key dropdown list.
  8. Click Copy Snapshot to create an encrypted copy of the selected instance snapshot.
  9. Select the new encrypted snapshot copy, click the Actions button at the top right and select Restore Snapshot from the Actions menu. This restores the encrypted snapshot to a new database instance.
  10. On the Restore DB Instance page, enter a unique name for the new database instance in the DB Instance Identifier field.
  11. Review the instance configuration details and click Restore DB Instance.
  12. Once provisioning of the new instance is complete, update the application configuration to refer to the endpoint of the new encrypted database instance. Once the database endpoint has been changed at the application level, the unencrypted instance can be removed.

From Command Line

1. Run the `describe-db-instances` command to list all RDS database instances available in the selected AWS region. The command output returns each database instance identifier.

```bash
aws rds describe-db-instances --region <regionName> --query 'DBInstances[*].DBInstanceIdentifier'
```

2. Run the `create-db-snapshot` command to create a snapshot of the selected database instance. The command output returns the new snapshot under the name given as the DB snapshot identifier.

```bash
aws rds create-db-snapshot --region <regionName> --db-snapshot-identifier <snapshotName> --db-instance-identifier <dbInstanceName>
```

3. Run the `list-aliases` command to list the KMS key aliases available in the specified region. The command output returns each key alias currently available. For the RDS encryption process, locate the ID of the AWS default KMS key for RDS.

```bash
aws kms list-aliases --region <regionName>
```

4. Run the `copy-db-snapshot` command with the default KMS key ID for RDS returned in the previous step to create an encrypted copy of the database instance snapshot. The command output returns the encrypted snapshot configuration.

```bash
aws rds copy-db-snapshot --region <regionName> --source-db-snapshot-identifier <snapshotName> --target-db-snapshot-identifier <encryptedSnapshotName> --copy-tags --kms-key-id <kmsKeyId>
```

5. Run the `restore-db-instance-from-db-snapshot` command to restore the encrypted snapshot created in the previous step to a new database instance. If successful, the command output returns the configuration of the new encrypted database instance.

```bash
aws rds restore-db-instance-from-db-snapshot --region <regionName> --db-instance-identifier <encryptedDbInstanceName> --db-snapshot-identifier <encryptedSnapshotName>
```

6. Run the `describe-db-instances` command again to list all RDS database instance identifiers in the selected AWS region and confirm that the encrypted instance just created (for example `DB-Name-Encrypted`) appears in the output.

```bash
aws rds describe-db-instances --region <regionName> --query 'DBInstances[*].DBInstanceIdentifier'
```

7. Run `describe-db-instances` once more with the identifier of the new instance to determine whether it is encrypted. The command output should return the encryption status `true`.

```bash
aws rds describe-db-instances --region <regionName> --db-instance-identifier <encryptedDbInstanceName> --query 'DBInstances[*].StorageEncrypted'
```
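As an added example (not part of this Cyscale control or of AWS tooling), the following Python reproduces the logic of the stored check in the Query logic section (`dbInstances(where:{encrypted:false})`, expected `eq []`) and the step 7 verification, against the JSON shape returned by `aws rds describe-db-instances`. The sample response, instance names and KMS key ARN are constructed assumptions.

```python
import json
import sys

# Constructed sample in the shape of `aws rds describe-db-instances` JSON
# output (not real account data). Account ID and key ID are placeholders.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "DBInstances": [
        {"DBInstanceIdentifier": "orders-db", "StorageEncrypted": False,
         "Engine": "postgres", "DBInstanceStatus": "available"},
        {"DBInstanceIdentifier": "orders-db-encrypted", "StorageEncrypted": True,
         "KmsKeyId": "arn:aws:kms:eu-west-1:111122223333:key/EXAMPLE-KEY-ID",
         "Engine": "postgres", "DBInstanceStatus": "available"},
        {"DBInstanceIdentifier": "legacy-reporting", "StorageEncrypted": False,
         "Engine": "mysql", "DBInstanceStatus": "available"},
    ]
})


def unencrypted_instances(describe_output: str) -> list[str]:
    """Identifiers of instances whose storage is not encrypted.

    Mirrors the stored check `dbInstances(where:{encrypted:false})`.
    StorageEncrypted is fixed at creation time, so every hit here needs
    the snapshot -> encrypted copy -> restore path described above.
    """
    data = json.loads(describe_output)
    return sorted(
        inst["DBInstanceIdentifier"]
        for inst in data.get("DBInstances", [])
        if not inst.get("StorageEncrypted", False)
    )


def control_passes(describe_output: str) -> bool:
    """Expected check is `eq []`: the control passes only with no findings."""
    return unencrypted_instances(describe_output) == []


def verify_restored(describe_output: str, identifier: str, kms_key_arn: str) -> bool:
    """Step 7 check: the restored instance reports StorageEncrypted true
    and is bound to the KMS key that was chosen for the snapshot copy."""
    data = json.loads(describe_output)
    for inst in data.get("DBInstances", []):
        if inst["DBInstanceIdentifier"] == identifier:
            return bool(inst.get("StorageEncrypted")) and inst.get("KmsKeyId") == kms_key_arn
    return False


if __name__ == "__main__":
    # Pipe real `aws rds describe-db-instances --output json` into stdin,
    # or run without input to use the constructed sample.
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DESCRIBE_OUTPUT
    print("Unencrypted instances:", unencrypted_instances(raw))
    print("Control passes:", control_passes(raw))
```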

## Multiple Remediation Paths

### AWS
**SERVICE-WIDE (RECOMMENDED when many resources are affected):**
Deploy centralized guardrails and remediation using AWS Config Conformance Packs and (if applicable) AWS Organizations SCPs.

~~~bash
aws configservice put-organization-conformance-pack --organization-conformance-pack-name <pack-name> --template-s3-uri s3://<bucket>/<template>.yaml
~~~

**ASSET-LEVEL:**
Apply the resource-specific remediation steps above to only the affected assets.

**PREVENTIVE:**
Add CI/CD policy checks (CloudFormation/Terraform validation) before deployment to prevent recurrence.

### References for Service-Wide Patterns
- AWS Config Conformance Packs: https://docs.aws.amazon.com/config/latest/developerguide/conformance-packs.html
- AWS Organizations SCP examples: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples.html

## Operational Rollout Workflow
Use this sequence to reduce risk and avoid repeated drift.

### 1. Contain at Service-Wide Scope First (Recommended)
- AWS: deploy/adjust organization conformance packs and policy guardrails.
~~~bash
aws configservice put-organization-conformance-pack --organization-conformance-pack-name <pack-name> --template-s3-uri s3://<bucket>/<template>.yaml
~~~

### 2. Remediate Existing Affected Assets
- Execute the control-specific Console/CLI steps documented above for each flagged resource.
- Prioritize internet-exposed and production assets first.

### 3. Validate and Prevent Recurrence
- Re-scan after each remediation batch.
- Track exceptions with owner and expiry date.
- Add preventive checks in IaC/CI pipelines.

Query logic

These are the stored checks tied to this control.

Encryption is enabled for RDS Instances

Connectors

AWS

Covered asset types

DBInstance

Expected check: eq []

{dbInstances(where:{encrypted:false}){...AssetFragment}}
© 2026 Cyscale Limited
