AWS051 - There is no encryption specified or encryption is disabled on the RDS Cluster.

Explanation

Encryption should be enabled for an RDS Aurora cluster.

When enabling encryption by setting the kms_key_id, the storage_encrypted must also be set to true.

Insecure Example

The following example will fail the AWS051 check.

resource "aws_rds_cluster" "bad_example" {
  name       = "bar"
  kms_key_id = ""
}

Secure Example

The following example will pass the AWS051 check.

resource "aws_rds_cluster" "good_example" {
  name              = "bar"
  kms_key_id  = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
  storage_encrypted = true
}