AWS AmazonRDS medium security documentation change
Summary
Added 2-hour detection window for encryption credential state change and clarified behavior for instances with disabled backups
Security assessment
Clarifies recovery process for KMS key access loss scenarios and backup-related encryption state transitions, directly addressing encryption security controls
Diff
diff --git a/AmazonRDS/latest/UserGuide/Overview.Encryption.md b/AmazonRDS/latest/UserGuide/Overview.Encryption.md index b298912d0..2e08f4b33 100644 --- a//AmazonRDS/latest/UserGuide/Overview.Encryption.md +++ b//AmazonRDS/latest/UserGuide/Overview.Encryption.md @@ -65 +65 @@ If you must change the encryption key for your DB instance, create a manual snap -Amazon RDS can lose access to the KMS key for a DB instance when you disable the KMS key. If you lose access to a KMS key, the encrypted DB instance goes into the `inaccessible-encryption-credentials-recoverable` state. The DB instance remains in this state for seven days, during which the instance is stopped. API calls made to the DB instance during this time might not succeed. To recover the DB instance, enable the KMS key and restart this DB instance. Enable the KMS key from the AWS Management Console, AWS CLI, or RDS API. Restart the DB instance using the AWS CLI command [start-db-instance](https://docs.aws.amazon.com/cli/latest/reference/rds/start-db-instance.html) or AWS Management Console. +Amazon RDS loses access to the KMS key for a DB instance when you disable the KMS key. If you lose access to a KMS key, the encrypted DB instance goes into the `inaccessible-encryption-credentials-recoverable` state 2 hours after detection in instances where backups are enabled. The DB instance remains in this state for seven days, during which the instance is stopped. API calls made to the DB instance during this time might not succeed. To recover the DB instance, enable the KMS key and restart this DB instance. Enable the KMS key from the AWS Management Console, AWS CLI, or RDS API. Restart the DB instance using the AWS CLI command [start-db-instance](https://docs.aws.amazon.com/cli/latest/reference/rds/start-db-instance.html) or AWS Management Console. @@ -67 +67 @@ Amazon RDS can lose access to the KMS key for a DB instance when you disable the -The `inaccessible-encryption-credentials-recoverable` state only applies to DB instances that can stop. You can't recover instances that can't stop, such as read replicas and instances with read replicas. For more information, see [Limitations of stopping your DB instance](./USER_StopInstance.html#USER_StopInstance.Limitations). +The `inaccessible-encryption-credentials-recoverable` state only applies to DB instances that can stop. This recoverable state is not applicable to instances that can't stop, such as read replicas and instances with read replicas. For more information, see [Limitations of stopping your DB instance](./USER_StopInstance.html#USER_StopInstance.Limitations). @@ -72,0 +73,2 @@ During the creation of a DB instance, Amazon RDS checks if the calling principal +DB instances with disabled backups remain available until the volumes are detached from the host during an instance modification or a recovery. RDS moves the instances into `inaccessible-encryption-credentials-recoverable` state or `inaccessible-encryption-credentials` state as applicable. +