RDS Instance Snapshot not Encrypted

Tenacity Id

Risk Level




Last Updated:

April 21, 2022

An Amazon Relational Database Service (RDS) instance snapshots are unencrypted. An unencrypted RDS snapshot stores data in plain text, allowing an attacker to access plaintext data in a compromised snapshot. RDS snapshots are encrypted when the RDS instance is configured with encryption enabled. Once RDS is encrypted the data is encrypted-at-rest and traffic inside the instance as well as all snapshots created from the instance are encrypted. RDS instances are not encrypted by default. RDS encryption should be enabled on all RDS instances to ensure the snapshots are encrypted.