Skip to content

(rds): Encrypt DatabaseCluster (aurora) or DatabaseInstance (rds) storage with AWS-managed key by default (behind feature flag) #32398

New issue
New issue
Open
Open
(rds): Encrypt DatabaseCluster (aurora) or DatabaseInstance (rds) storage with AWS-managed key by default (behind feature flag)#32398
Assignees
godwingrs22
Labels
@aws-cdk/aws-rdsRelated to Amazon Relational Databasebreaking-changeThis issue requires a breaking change to remediate.effort/mediumMedium work item – several days of effortfeature-requestA feature should be added or improved.p2
@blimmer

Description

@blimmer
blimmer
opened on Dec 6, 2024

Describe the feature

If the user doesn't customize the DatabaseCluster or DatabaseInstance storageEncrypted property and does not pass a custom storageEncryptionKey, we should default the value to true. This will cause the AWS-managed aws/rds KMS key to be used.

Notes:

  • Since this is a breaking change for existing users, we should guard the feature behind a feature flag.
  • We should also add an acknowledgable warning annotation to warn people that don't specify storageEncrypted or storageEncryptionKey (as they would be affected by this change in v3).

Use Case

Today, if you don't remember to pass storageEncrypted: true to your DatabaseInstance or DatabaseCluster, your database's storage will be unencrypted.

In almost all cases, your database storage should be encrypted. Here are reasons I think we should use AWS-managed keys by default:

  • AWS Well-Architected security pillar says all data should be encrypted at rest.
  • There is no additional fee to use the AWS-managed KMS key
  • When creating RDS instances and clusters via the AWS Console UI, encryption with AWS-managed keys is enabled by default.
  • Adding encryption to a previously unencrypted database is an involved process that requires recreating your database from a snapshot. Applying encryption to an unencrypted database is time-consuming and a bad developer and user experience.
  • Other L2 constructs apply encryption by default, including Neptune and DocDb
  • If you don't encrypt your storage, you'll see warnings in the RDS UI telling you that your storage is unencrypted.
  • Users can easily retain the existing behavior by simply passing storageEncrypted: false.

Proposed Solution

This applies to DatabaseCluster and DatabaseInstance.

If:

  • storageEncrypted is not specified in the props; and,
  • storageEncryptionKey is not specified in the props

Then:

  • If the feature flag is set to true, default storageEncrypted to true
  • If the feature flag is set to false, leave storageEncrypted undefined (existing logic).
    • Add a warning annotation that the user should explicitly set storageEncrypted to false to retain compatibility with the new behavior.

Other Information

No response

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

CDK version used

2.171.1

Environment details (OS name and version, etc.)

MacOS

Metadata

Metadata

Assignees

Labels

@aws-cdk/aws-rdsRelated to Amazon Relational Databasebreaking-changeThis issue requires a breaking change to remediate.effort/mediumMedium work item – several days of effortfeature-requestA feature should be added or improved.p2

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions