@shinyaz

RDS StorageEncrypted: false does not mean unencrypted

1 min read
#aws#aurora#rds#security

While verifying Aurora PostgreSQL Express Configuration, I saw StorageEncrypted: false in the describe-db-clusters output and assumed encryption was disabled.

Output
{
  "StorageEncrypted": false,
  "StorageEncryptionType": "sse-rds"
}

But the official documentation states: "Clusters with express configuration are encrypted with AWS/RDS Service owned keys." The API documentation defines StorageEncrypted as "whether the DB cluster is encrypted," so false while actually encrypted looks contradictory. It appears that sse-rds (RDS service-owned key) encryption introduced with Express Configuration is not reflected in the traditional StorageEncrypted field. Don't rely solely on API response field values to determine encryption status.

Share this post

Shinya Tahara

Shinya Tahara

Solutions Architect @ AWS

I'm a Solutions Architect at AWS, providing technical guidance primarily to financial industry customers. I share learnings about cloud architecture and AI/ML on this site.The views and opinions expressed on this site are my own and do not represent the official positions of my employer.

Read more