Many regulatory frameworks (PCI DSS, HIPAA, GDPR) mandate encryption at rest for sensitive data, which makes an unencrypted instance a compliance violation. Unencrypted databases are vulnerable if the underlying storage is compromised, a significant data breach risk that encryption at rest prevents. Here’s a simple PostgreSQL query that lists all RDS instances not using encryption at rest, run against the tables from a CloudQuery sync:
SELECT
    account_id, db_instance_identifier, publicly_accessible, tags
FROM
    aws_rds_instances
WHERE
    storage_encrypted = false;
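A triage variant of the query above, added here as an example and not part of the original page: it runs against a small constructed table, so it works without a CloudQuery sync. The `jsonb` type for `tags` and the `owner` tag key are assumptions.

```sql
-- Constructed stand-in for the synced table, limited to the columns the query above uses.
-- Assumptions: tags is stored as jsonb; the 'owner' tag key is hypothetical.
CREATE TEMP TABLE aws_rds_instances (
    account_id             text,
    db_instance_identifier text,
    publicly_accessible    boolean,
    storage_encrypted      boolean,
    tags                   jsonb
);

-- Constructed sample rows (not real accounts or instances).
INSERT INTO aws_rds_instances VALUES
    ('111111111111', 'orders-prod',  true,  false, '{"owner": "payments"}'),
    ('111111111111', 'orders-stage', false, false, '{}'),
    ('222222222222', 'analytics',    false, true,  '{"owner": "data"}'),
    ('222222222222', 'legacy-crm',   false, false, '{"owner": "sales"}');

-- Per-finding triage list: publicly accessible instances first, then by account.
SELECT
    account_id,
    db_instance_identifier,
    publicly_accessible,
    COALESCE(tags ->> 'owner', 'UNOWNED') AS owner
FROM aws_rds_instances
WHERE storage_encrypted IS NOT TRUE   -- also matches NULL, which "= false" would skip
ORDER BY publicly_accessible DESC NULLS LAST, account_id, db_instance_identifier;

-- Per-account rollup for compliance reporting.
SELECT
    account_id,
    COUNT(*) FILTER (WHERE storage_encrypted IS NOT TRUE)                         AS unencrypted,
    COUNT(*) FILTER (WHERE storage_encrypted IS NOT TRUE AND publicly_accessible) AS unencrypted_public,
    COUNT(*)                                                                      AS total
FROM aws_rds_instances
GROUP BY account_id
ORDER BY unencrypted_public DESC, unencrypted DESC;
```

Against a real sync, drop the `CREATE TEMP TABLE` and `INSERT` statements and run the two `SELECT`s on the synced `aws_rds_instances` table.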