AWS051 - There is no encryption specified or encryption is disabled on the RDS Cluster.

Written by tfsec

Explanation

Encryption should be enabled for an RDS Aurora cluster.

When enabling encryption by setting the kms_key_id, the storage_encrypted must also be set to true.

Insecure Example

The following example will fail the AWS051 check.

resource "aws_rds_cluster" "bad_example" {
  name       = "bar"
  kms_key_id = ""
}

Secure Example

The following example will pass the AWS051 check.

resource "aws_rds_cluster" "good_example" {
  name              = "bar"
  kms_key_id  = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
  storage_encrypted = true
}

Related Links

• https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html

• https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster

---