CRITICAL · RDS · Security

RDS Encryption Disabled

rds-encryption-disabled

What this rule checks

Detects RDS instances without encryption at rest.

How to fix it

  1. Enable encryption when creating new RDS instances.
  2. For existing instances, create an encrypted snapshot and restore a new instance from it.

Flagged: The RDS instance sets storageEncrypted: false, so the underlying storage is not encrypted at rest.
import { aws_rds as rds, aws_ec2 as ec2 } from 'aws-cdk-lib';

const vpc = new ec2.Vpc(this, 'Vpc');
new rds.DatabaseInstance(this, 'Db', {
  engine: rds.DatabaseInstanceEngine.postgres({ version: rds.PostgresEngineVersion.VER_16_3 }),
  vpc,
  storageEncrypted: false,
});

Fixed: Setting storageEncrypted: true with a customer-managed KMS key encrypts the RDS instance storage at rest.
import { aws_rds as rds, aws_ec2 as ec2, aws_kms as kms } from 'aws-cdk-lib';

const vpc = new ec2.Vpc(this, 'Vpc');
new rds.DatabaseInstance(this, 'Db', {
  engine: rds.DatabaseInstanceEngine.postgres({ version: rds.PostgresEngineVersion.VER_16_3 }),
  vpc,
  storageEncrypted: true,
  storageEncryptionKey: new kms.Key(this, 'RdsKey'),
});
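As an added illustration (not CDK Insights' own implementation), the check below applies the rule's logic to a constructed synthesised template. It covers both affected resource types and the snapshot-restore case from step 2, where CloudFormation inherits the encryption state from the snapshot, so a missing StorageEncrypted there is not by itself a finding.

```typescript
// Minimal shape of the parts of a synthesised CloudFormation template we inspect.
type Resource = { Type: string; Properties?: Record<string, unknown> };
type Template = { Resources: Record<string, Resource> };
type Verdict = 'flagged' | 'ok' | 'inherited-from-snapshot';

// The two resource types this rule covers (see "Affected resource types").
const RDS_TYPES = new Set(['AWS::RDS::DBInstance', 'AWS::RDS::DBCluster']);
// When a snapshot identifier is present, CloudFormation inherits the encryption
// state from the snapshot, so a missing StorageEncrypted is not itself a finding.
const SNAPSHOT_KEYS = ['DBSnapshotIdentifier', 'SnapshotIdentifier'];

function checkResource(res: Resource): Verdict | null {
  if (!RDS_TYPES.has(res.Type)) return null; // not in scope for this rule
  const props = res.Properties ?? {};
  if (SNAPSHOT_KEYS.some((k) => k in props)) return 'inherited-from-snapshot';
  // Only a literal true passes: false, absent, or an intrinsic such as
  // Fn::If is flagged so that a human reviews it.
  return props['StorageEncrypted'] === true ? 'ok' : 'flagged';
}

// Returns the verdict for every in-scope resource, keyed by logical ID.
function scanTemplate(tpl: Template): Record<string, Verdict> {
  const out: Record<string, Verdict> = {};
  for (const [id, res] of Object.entries(tpl.Resources)) {
    const v = checkResource(res);
    if (v !== null) out[id] = v;
  }
  return out;
}

// Constructed sample template (not real cdk synth output): the Flagged and
// Fixed cases above, a cluster that omits the property, and a snapshot restore.
const SAMPLE_TEMPLATE: Template = {
  Resources: {
    Vpc: { Type: 'AWS::EC2::VPC', Properties: { CidrBlock: '10.0.0.0/16' } },
    DbFlagged: { Type: 'AWS::RDS::DBInstance',
      Properties: { Engine: 'postgres', StorageEncrypted: false } },
    DbFixed: { Type: 'AWS::RDS::DBInstance',
      Properties: { Engine: 'postgres', StorageEncrypted: true,
                    KmsKeyId: { 'Fn::GetAtt': ['RdsKey', 'Arn'] } } },
    ClusterDefault: { Type: 'AWS::RDS::DBCluster',
      Properties: { Engine: 'aurora-postgresql' } },
    DbRestored: { Type: 'AWS::RDS::DBInstance',
      Properties: { DBSnapshotIdentifier: 'encrypted-snapshot-placeholder' } },
  },
};

const findings = scanTemplate(SAMPLE_TEMPLATE);
console.log(findings);
```

Treat 'inherited-from-snapshot' as a reminder to confirm the source snapshot is itself encrypted, since that is where the guarantee now lives.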

CDK Insights pinpoints the exact file and line in your CDK source for every finding, so you can jump straight to the fix.

Affected resource types

AWS::RDS::DBInstance
AWS::RDS::DBCluster

Compliance frameworks

SOC2, HIPAA, PCI-DSS, CIS, NIST

AWS documentation

Read the AWS guidance

Intentional? Suppress this finding

Sometimes a flag is deliberate (a genuinely public endpoint, say). You can dismiss rds-encryption-disabled, and the reason is kept in the report rather than silently hidden.

In .cdk-insights.json:

{
  "ignoreRules": [
    { "id": "rds-encryption-disabled", "reason": "Why this is intentional" }
  ]
}

Or inline in your CDK code:

Validations.of(scope).acknowledge({
  id: 'cdk-insights::rds-encryption-disabled',
  reason: 'Why this is intentional',
});

Use the rule ID rds-encryption-disabled shown above, not the CDK-* ID from SARIF / GitHub code scanning. To dismiss every finding on one construct instead, use ignorePaths. Suppression docs →

Catch this in your stack

$ npx cdk-insights scan

CDK Insights runs this and 118+ other rules locally against your synthesised CDK app: free, no account, and your code never leaves your machine.
