RDS Security: Encryption and Parameter Groups
Encrypt RDS at rest with KMS, control connection-level encryption with parameter groups, and secure with IAM authentication.
RDS Encryption at Rest
RDS supports encryption at rest using AWS Key Management Service (KMS). When you enable encryption at DB instance creation, all data on the underlying storage volumes, automated backups, snapshots, and Read Replicas is encrypted with the specified KMS key. The encryption is transparent to the database engine and to clients, and it covers data at rest only: connections to the instance still need TLS to be protected in transit.
Encryption must be enabled at creation time; you cannot encrypt an existing unencrypted instance in place. The workaround is to take an unencrypted snapshot, copy it with encryption enabled, and restore from the encrypted snapshot. The KMS key can be the AWS managed key for RDS (aws/rds) or a customer managed key. A customer managed key gives you control over the key policy (including the ability to disable the key and cut off every instance and snapshot that uses it), lets you share encrypted snapshots with other accounts, and keeps key usage attributable to a key you own in CloudTrail.
# Create an encrypted RDS instance
# The password is shown inline for brevity. In practice prefer
# --manage-master-user-password, which has RDS generate and store the
# password in Secrets Manager so it never lands in shell history or CloudTrail.
aws rds create-db-instance \
--db-instance-identifier mydb-encrypted \
--engine mysql \
--db-instance-class db.t3.micro \
--master-username admin \
--master-user-password 'MyPass123!' \
--allocated-storage 20 \
--storage-encrypted \
--kms-key-id arn:aws:kms:us-east-1:123456789012:key/my-key-id

Encrypting an Existing Unencrypted RDS Instance
Since you cannot enable encryption on an existing instance, follow this migration path:
- Create a manual snapshot of the unencrypted instance
- Copy the snapshot and enable encryption during the copy, specifying a KMS key
- Restore a new DB instance from the encrypted snapshot
- Update your application endpoint to the new instance
- Delete the old unencrypted instance
This approach requires a write freeze on the old instance from the moment the snapshot is taken until the application is pointed at the new one; any writes made in between are lost. To avoid that downtime, use AWS Database Migration Service (DMS) to replicate changes from the old instance into the new encrypted one until cutover.
# Copy snapshot with encryption enabled
aws rds copy-db-snapshot \
--source-db-snapshot-identifier mydb-unencrypted-snap \
--target-db-snapshot-identifier mydb-encrypted-snap \
--kms-key-id alias/aws/rds

This example uses the AWS managed key aws/rds. Snapshots encrypted with the AWS managed key cannot be shared with other AWS accounts, so if the encrypted snapshot ever needs to be copied to or restored in another account, pass a customer managed key here instead.
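The whole migration path above as one script, added here as an example and not part of the original lesson. It assumes an unencrypted instance named mydb, a replacement named mydb-encrypted, and a customer managed key with the alias alias/rds-prod; none of those names appear on this page. Every AWS call goes through one wrapper so that DRY_RUN=1 prints the plan without credentials, and the new endpoint is only handed out after RDS confirms StorageEncrypted is True.

```shell
#!/bin/sh
# Added example (not from the original lesson): snapshot -> encrypted copy ->
# restore -> verify, as a re-runnable script. The instance names and the
# KMS alias below are assumed placeholders, not values from the page.
set -eu

SRC_INSTANCE="${SRC_INSTANCE:-mydb}"            # assumed: the unencrypted instance
NEW_INSTANCE="${NEW_INSTANCE:-mydb-encrypted}"  # assumed: name of the encrypted replacement
KMS_KEY="${KMS_KEY:-alias/rds-prod}"            # assumed: a customer managed key, so the
                                                # encrypted snapshot can be shared cross-account
STAMP="$(date +%Y%m%d%H%M%S)"
SNAP="${SNAP:-${SRC_INSTANCE}-unenc-${STAMP}}"  # override when running cleanup later
ENC_SNAP="${ENC_SNAP:-${SRC_INSTANCE}-enc-${STAMP}}"

# With DRY_RUN=1 the command is printed instead of executed, so the plan can be
# reviewed (and tested) without AWS credentials.
run_aws() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf 'aws %s\n' "$*"
  else
    aws "$@"
  fi
}

# Steps 1-3: manual snapshot, encrypted copy, restore. Each waiter blocks until
# the previous resource is usable, so the copy never starts on a half-written snapshot.
migrate() {
  run_aws rds create-db-snapshot --db-instance-identifier "$SRC_INSTANCE" \
    --db-snapshot-identifier "$SNAP"
  run_aws rds wait db-snapshot-available --db-snapshot-identifier "$SNAP"

  # Passing --kms-key-id on the copy is what turns encryption on for the target.
  run_aws rds copy-db-snapshot --source-db-snapshot-identifier "$SNAP" \
    --target-db-snapshot-identifier "$ENC_SNAP" --kms-key-id "$KMS_KEY"
  run_aws rds wait db-snapshot-available --db-snapshot-identifier "$ENC_SNAP"

  # The restored instance inherits the snapshot's encryption and key.
  run_aws rds restore-db-instance-from-db-snapshot --db-instance-identifier "$NEW_INSTANCE" \
    --db-snapshot-identifier "$ENC_SNAP"
  run_aws rds wait db-instance-available --db-instance-identifier "$NEW_INSTANCE"

  echo "Unencrypted snapshot $SNAP still exists; after cutover run: SNAP=$SNAP $0 cleanup"
}

# Step 4 precondition: succeed only if RDS reports StorageEncrypted=True for the
# instance, so a copy that silently kept no key never becomes the new endpoint.
verify_encrypted() {
  flag="$(run_aws rds describe-db-instances --db-instance-identifier "$1" \
            --query 'DBInstances[0].StorageEncrypted' --output text)"
  [ "$flag" = "True" ]
}

new_endpoint() {
  run_aws rds describe-db-instances --db-instance-identifier "$NEW_INSTANCE" \
    --query 'DBInstances[0].Endpoint.Address' --output text
}

# Step 5, run separately after cutover: remove the old instance and the
# unencrypted manual snapshot, which would otherwise keep plaintext data around.
# The encrypted copy ENC_SNAP stays as the backup, so no final snapshot is taken.
cleanup() {
  run_aws rds delete-db-instance --db-instance-identifier "$SRC_INSTANCE" --skip-final-snapshot
  run_aws rds delete-db-snapshot --db-snapshot-identifier "$SNAP"
}

# Print every command the full procedure would run, without executing any.
plan() { ( DRY_RUN=1; migrate; cleanup ); }

case "${1:-}" in
  plan)    plan ;;
  migrate)
    migrate
    verify_encrypted "$NEW_INSTANCE"
    echo "Cut over to: $(new_endpoint)"
    ;;
  cleanup) cleanup ;;
  *)       ;;  # no argument: only define the functions
esac
```

Run `sh migrate-rds.sh plan` first and read the printed commands, then `sh migrate-rds.sh migrate`; the script stops with a non-zero exit before printing the endpoint if the new instance does not report StorageEncrypted=True. Run `SNAP=<name printed by migrate> sh migrate-rds.sh cleanup` only once the application has been moved to the new endpoint.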