
I'm trying to write an SCP to mandate RDS encryption with a specific KMS CMK. I came up with the following policy, but it accepts default encryption as well. I'm trying to mandate encryption with a specific CMK.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "RequireRDSEncryptionWithCMK",
            "Effect": "Deny",
            "Action": [
                "rds:CreateDBInstance",
                "rds:CreateDBInstanceReadReplica"
            ],
            "Resource": "*",
            "Condition": {
                "StringNotEqualsIfExists": {
                    "rds:StorageEncrypted": "true",
                    "aws:RequestTag/kms:KeyId": "arn:aws:kms:region:account-id:key/key-id"
                }
            }
        }
    ]
}

Thanks in advance

Dennis Traub
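To see why the policy in the question behaves as described, here is an added example (not from the question, the answer, or AWS) that models the documented SCP/IAM condition-evaluation rules in Python and runs the question's SCP against constructed request contexts. It assumes the simplified rules stated in its comments, and the third context assumes a request tag literally named kms:KeyId, as the policy itself does.

```python
# Added example: a minimal model of how IAM/SCP condition blocks are evaluated,
# applied to the SCP from the question. It is NOT the AWS policy engine; it only
# models the documented rules: keys inside one operator block are ANDed, operator
# blocks are ANDed, "...IfExists" treats an absent key as a match, and negated
# operators ("StringNotEquals") also match when the key is absent from the context.
import json

QUESTION_SCP = json.loads("""
{ "Version": "2012-10-17",
  "Statement": [ { "Sid": "RequireRDSEncryptionWithCMK", "Effect": "Deny",
      "Action": ["rds:CreateDBInstance", "rds:CreateDBInstanceReadReplica"],
      "Resource": "*",
      "Condition": { "StringNotEqualsIfExists": {
          "rds:StorageEncrypted": "true",
          "aws:RequestTag/kms:KeyId": "arn:aws:kms:region:account-id:key/key-id" } } } ] }
""")

def _key_matches(base_op, expected, actual):
    if base_op == "StringEquals":
        return actual == expected
    if base_op == "StringNotEquals":
        return actual != expected
    if base_op == "Bool":
        return actual.lower() == expected.lower()
    raise ValueError(f"unsupported operator {base_op}")

def condition_matches(condition, context):
    """True when every operator block, and every key inside it, matches the context."""
    for op, pairs in condition.items():
        if_exists = op.endswith("IfExists")
        base_op = op[: -len("IfExists")] if if_exists else op
        for key, expected in pairs.items():
            if key not in context:
                # Absent key: IfExists and negated operators evaluate to true,
                # positive operators (StringEquals, Bool) evaluate to false.
                if if_exists or base_op.startswith("StringNot"):
                    continue
                return False
            if not _key_matches(base_op, expected, context[key]):
                return False
    return True

def is_denied(policy, action, context):
    """Does any Deny statement in the policy match this action and request context?"""
    return any(stmt["Effect"] == "Deny" and action in stmt["Action"]
               and condition_matches(stmt.get("Condition", {}), context)
               for stmt in policy["Statement"])

# Constructed request contexts (values are strings, as in the IAM request context).
UNENCRYPTED = {"rds:StorageEncrypted": "false"}
DEFAULT_KEY = {"rds:StorageEncrypted": "true"}  # encrypted with the default key, no tag
CMK_TAGGED = {"rds:StorageEncrypted": "true",
              "aws:RequestTag/kms:KeyId": "arn:aws:kms:region:account-id:key/key-id"}
```

With rds:StorageEncrypted set to true the StringNotEquals check on that key is false, and because the two keys sit in one operator block and are ANDed, the Deny never matches a default-encrypted request, which is the gap the question describes.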

1 Answer


I think the issue is that the key condition needs to be StringNotEquals instead of StringNotEqualsIfExists.

Try this modified policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "RequireRDSEncryptionWithCMK",
            "Effect": "Deny",
            "Action": [
                "rds:CreateDBInstance",
                "rds:CreateDBInstanceReadReplica"
            ],
            "Resource": "*",
            "Condition": {
                "BoolIfExists": {
                    "rds:StorageEncrypted": "false"
                },
                "StringNotEquals": {
                    "aws:RequestTag/kms:KeyId": "arn:aws:kms:region:account-id:key/key-id"
                }
            }
        }
    ]
}
Dennis Traub