How to validate that data inside an RDS database is encrypted at rest?
I would like to verify that the data is encrypted in an RDS instance.
I have configured the RDS instance with the Encryption enabled: Yes, and specified an KMS key. I would really like to validate that the data is encrypted.
I have created a Snapshot of the RDS instance, and executed a simple SELECT query on the database from the command line. This profile would not contain the KMS Key, but the data was readable. Would this mean that the data is not encrypted? Or can it be decrypted with any Query, not just those with the KMS Key?
Is my encrypted AWS database really encrypted?
So far I have seen this, does that mean that enabling the Encryption at an AWS level is not enough to encrypt the data at rest?
Any advice on validating the encrypted data in the database would be greatly appreciated!
amazon-web-services encryption amazon-rds
edited Nov 25 '18 at 0:10
John Rotenstein
74.6k783130
asked Nov 24 '18 at 21:50
fuzzifuzzi
2871828
add a comment |
I would like to verify that the data is encrypted in an RDS instance.
I have configured the RDS instance with the Encryption enabled: Yes, and specified an KMS key. I would really like to validate that the data is encrypted.
I have created a Snapshot of the RDS instance, and executed a simple SELECT query on the database from the command line. This profile would not contain the KMS Key, but the data was readable. Would this mean that the data is not encrypted? Or can it be decrypted with any Query, not just those with the KMS Key?
Is my encrypted AWS database really encrypted?
So far I have seen this, does that mean that enabling the Encryption at an AWS level is not enough to encrypt the data at rest?
Any advice on validating the encrypted data in the database would be greatly appreciated!
amazon-web-services encryption amazon-rds
edited Nov 25 '18 at 0:10
John Rotenstein
74.6k783130
asked Nov 24 '18 at 21:50
fuzzifuzzi
2871828
Your question seems to be a duplicate of the one you linked to, and the answer there is correct. When an RDS instance is encrypted, the hard drives are encrypted. The RDBMS engine (MySQL, Postgres, Aurora, etc.) sees the data files in their unencrypted form because the encryption layer is performing real-time decryption/encryption between the RDBMS and the disk. Encryption "at rest" means what is stored on the disk is meaningless without the encryption key -- which your database instance has access to. You have to trust that AWS is doing what they say with this type of encryption.
– Michael - sqlbot
Nov 25 '18 at 0:03
Thanks @Michael-sqlbot
– fuzzi
Dec 11 '18 at 15:09
add a comment |
I would like to verify that the data is encrypted in an RDS instance.
I have configured the RDS instance with the Encryption enabled: Yes, and specified an KMS key. I would really like to validate that the data is encrypted.
I have created a Snapshot of the RDS instance, and executed a simple SELECT query on the database from the command line. This profile would not contain the KMS Key, but the data was readable. Would this mean that the data is not encrypted? Or can it be decrypted with any Query, not just those with the KMS Key?
Is my encrypted AWS database really encrypted?
So far I have seen this, does that mean that enabling the Encryption at an AWS level is not enough to encrypt the data at rest?
Any advice on validating the encrypted data in the database would be greatly appreciated!
amazon-web-services encryption amazon-rds
edited Nov 25 '18 at 0:10
John Rotenstein
74.6k783130
asked Nov 24 '18 at 21:50
fuzzifuzzi
2871828
I would like to verify that the data is encrypted in an RDS instance.
I have configured the RDS instance with the Encryption enabled: Yes, and specified an KMS key. I would really like to validate that the data is encrypted.
I have created a Snapshot of the RDS instance, and executed a simple SELECT query on the database from the command line. This profile would not contain the KMS Key, but the data was readable. Would this mean that the data is not encrypted? Or can it be decrypted with any Query, not just those with the KMS Key?
Is my encrypted AWS database really encrypted?
So far I have seen this, does that mean that enabling the Encryption at an AWS level is not enough to encrypt the data at rest?
Any advice on validating the encrypted data in the database would be greatly appreciated!
amazon-web-services encryption amazon-rds
amazon-web-services encryption amazon-rds
edited Nov 25 '18 at 0:10
John Rotenstein
74.6k783130
asked Nov 24 '18 at 21:50
fuzzifuzzi
2871828
edited Nov 25 '18 at 0:10
John Rotenstein
74.6k783130
asked Nov 24 '18 at 21:50
fuzzifuzzi
2871828
edited Nov 25 '18 at 0:10
John Rotenstein
74.6k783130
edited Nov 25 '18 at 0:10
John Rotenstein
74.6k783130
edited Nov 25 '18 at 0:10
John Rotenstein
74.6k783130
74.6k783130
asked Nov 24 '18 at 21:50
fuzzifuzzi
2871828
asked Nov 24 '18 at 21:50
fuzzifuzzi
2871828
asked Nov 24 '18 at 21:50
fuzzifuzzi
2871828
2871828
Your question seems to be a duplicate of the one you linked to, and the answer there is correct. When an RDS instance is encrypted, the hard drives are encrypted. The RDBMS engine (MySQL, Postgres, Aurora, etc.) sees the data files in their unencrypted form because the encryption layer is performing real-time decryption/encryption between the RDBMS and the disk. Encryption "at rest" means what is stored on the disk is meaningless without the encryption key -- which your database instance has access to. You have to trust that AWS is doing what they say with this type of encryption.
– Michael - sqlbot
Nov 25 '18 at 0:03
Thanks @Michael-sqlbot
– fuzzi
Dec 11 '18 at 15:09
add a comment |
Your question seems to be a duplicate of the one you linked to, and the answer there is correct. When an RDS instance is encrypted, the hard drives are encrypted. The RDBMS engine (MySQL, Postgres, Aurora, etc.) sees the data files in their unencrypted form because the encryption layer is performing real-time decryption/encryption between the RDBMS and the disk. Encryption "at rest" means what is stored on the disk is meaningless without the encryption key -- which your database instance has access to. You have to trust that AWS is doing what they say with this type of encryption.
– Michael - sqlbot
Nov 25 '18 at 0:03
Thanks @Michael-sqlbot
– fuzzi
Dec 11 '18 at 15:09
Your question seems to be a duplicate of the one you linked to, and the answer there is correct. When an RDS instance is encrypted, the hard drives are encrypted. The RDBMS engine (MySQL, Postgres, Aurora, etc.) sees the data files in their unencrypted form because the encryption layer is performing real-time decryption/encryption between the RDBMS and the disk. Encryption "at rest" means what is stored on the disk is meaningless without the encryption key -- which your database instance has access to. You have to trust that AWS is doing what they say with this type of encryption.
– Michael - sqlbot
Nov 25 '18 at 0:03
Your question seems to be a duplicate of the one you linked to, and the answer there is correct. When an RDS instance is encrypted, the hard drives are encrypted. The RDBMS engine (MySQL, Postgres, Aurora, etc.) sees the data files in their unencrypted form because the encryption layer is performing real-time decryption/encryption between the RDBMS and the disk. Encryption "at rest" means what is stored on the disk is meaningless without the encryption key -- which your database instance has access to. You have to trust that AWS is doing what they say with this type of encryption.
– Michael - sqlbot
Nov 25 '18 at 0:03
Thanks @Michael-sqlbot
– fuzzi
Dec 11 '18 at 15:09
Thanks @Michael-sqlbot
– fuzzi
Dec 11 '18 at 15:09
add a comment |
0
active
oldest
votes
Your Answer
StackExchange.ifUsing("editor", function () {
StackExchange.using("externalEditor", function () {
StackExchange.using("snippets", function () {
StackExchange.snippets.init();
});
});
}, "code-snippets");
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "1"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53462672%2fhow-to-validate-that-data-inside-an-rds-database-is-encrypted-at-rest%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
0
active
oldest
votes
0
active
oldest
votes
active
oldest
votes
active
oldest
votes
Thanks for contributing an answer to Stack Overflow!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53462672%2fhow-to-validate-that-data-inside-an-rds-database-is-encrypted-at-rest%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Your question seems to be a duplicate of the one you linked to, and the answer there is correct. When an RDS instance is encrypted, the hard drives are encrypted. The RDBMS engine (MySQL, Postgres, Aurora, etc.) sees the data files in their unencrypted form because the encryption layer is performing real-time decryption/encryption between the RDBMS and the disk. Encryption "at rest" means what is stored on the disk is meaningless without the encryption key -- which your database instance has access to. You have to trust that AWS is doing what they say with this type of encryption.
– Michael - sqlbot
Nov 25 '18 at 0:03
Thanks @Michael-sqlbot
– fuzzi
Dec 11 '18 at 15:09