Performance Insights encryption should use Customer Managed Keys
| Property | |
|---|---|
| Language | |
| Severity | |
| Service | rds |
| Provider | AWS |
Description
Performance Insights data for RDS instances is encrypted using AWS-managed keys instead of customer-managed KMS keys, limiting control over key management and access policies. This configuration does not allow for customized permissions or full lifecycle control of encryption keys.
Impact
Without customer-managed keys, there is reduced control over who can access or rotate encryption keys and how encryption policies are enforced. This may increase the risk of unauthorized data access or hinder compliance with organizational or regulatory requirements for data protection.
Resolution
Use Customer Managed Keys to encrypt Performance Insights data.
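One way to audit for this finding, as an added example that is not part of the original check: an instance can report a Performance Insights key that is still AWS managed, so the audit compares each key's `KeyManager` value rather than only testing that a key id is present. Field names follow the RDS `DescribeDBInstances` and KMS `DescribeKey` responses; the instance names, ARNs, account id and the `find_noncompliant` helper are constructed for illustration.

```python
# Added example. Sample data is constructed; in practice the instance list comes
# from rds:DescribeDBInstances and the key managers from kms:DescribeKey.
KEY_PREFIX = "arn:aws:kms:us-east-1:111122223333:key/"  # constructed account/region

SAMPLE_INSTANCES = [
    {"DBInstanceIdentifier": "orders-db", "PerformanceInsightsEnabled": True,
     "PerformanceInsightsKMSKeyId": KEY_PREFIX + "aaaa-aws-managed"},
    {"DBInstanceIdentifier": "billing-db", "PerformanceInsightsEnabled": True,
     "PerformanceInsightsKMSKeyId": KEY_PREFIX + "bbbb-customer-managed"},
    {"DBInstanceIdentifier": "legacy-db", "PerformanceInsightsEnabled": False},
    {"DBInstanceIdentifier": "reports-db", "PerformanceInsightsEnabled": True},
]

# KeyMetadata.KeyManager for each key, as DescribeKey reports it: "AWS" or "CUSTOMER".
SAMPLE_KEY_MANAGERS = {
    KEY_PREFIX + "aaaa-aws-managed": "AWS",
    KEY_PREFIX + "bbbb-customer-managed": "CUSTOMER",
}


def find_noncompliant(instances, key_managers):
    """Return (instance, reason) pairs for Performance Insights not using a CMK."""
    findings = []
    for inst in instances:
        if not inst.get("PerformanceInsightsEnabled"):
            continue  # Performance Insights is off, so there is no data to encrypt
        name = inst["DBInstanceIdentifier"]
        key_id = inst.get("PerformanceInsightsKMSKeyId")
        if not key_id:
            findings.append((name, "no KMS key reported"))
            continue
        manager = key_managers.get(key_id)
        if manager is None:
            # Fail closed: a key we could not describe is not proven customer managed.
            findings.append((name, "key manager unknown"))
        elif manager != "CUSTOMER":
            findings.append((name, "AWS managed key"))
    return findings


if __name__ == "__main__":
    for name, reason in find_noncompliant(SAMPLE_INSTANCES, SAMPLE_KEY_MANAGERS):
        print(f"{name}: {reason}")
```
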