Encrypting RDS DB Instances
You can enable encryption for an Amazon RDS DB instance when you create it, but not after it's created. However, you can add encryption to an unencrypted DB instance by creating a snapshot of your DB instance, and then creating an encrypted copy of that snapshot. You can then restore a DB instance from the encrypted snapshot to get an encrypted copy of your original DB instance. The pattern uses AWS Database Migration Service (AWS DMS) to migrate data and AWS Key Management Service (AWS KMS) for encryption.
Amazon RDS encrypted DB instances use the industry standard AES-256 encryption algorithm to encrypt your data on the server that hosts your Amazon RDS DB instances. After your data is encrypted, Amazon RDS handles authentication of access and decryption of your data transparently, with minimal impact on performance. You don't need to modify your database client applications to use encryption.
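The snapshot, encrypted copy, and restore sequence described above, written as an AWS CLI shell function with a check before and after. This is an added example, not part of the original page; the function names and snapshot-name suffixes are hypothetical, and the instance identifiers and KMS key are supplied by the caller.

```bash
# Added example: snapshot -> encrypted copy -> restore, using the AWS CLI.
# Function names and snapshot-name suffixes are hypothetical.

# Prints "True" or "False" for the instance's StorageEncrypted attribute.
storage_encrypted() {
  aws rds describe-db-instances --db-instance-identifier "$1" \
    --query 'DBInstances[0].StorageEncrypted' --output text
}

# usage: encrypt_rds_copy <source-instance> <new-instance> <kms-key-id>
encrypt_rds_copy() {
  local src="$1" dst="$2" key="$3"
  if [ -z "$src" ] || [ -z "$dst" ] || [ -z "$key" ]; then
    echo "usage: encrypt_rds_copy <source> <new> <kms-key-id>" >&2; return 2
  fi
  local plain="${src}-plain-snap" enc="${src}-enc-snap"

  # Nothing to do if the source is already encrypted.
  if [ "$(storage_encrypted "$src")" = "True" ]; then
    echo "$src is already encrypted" >&2; return 3
  fi

  # 1. Snapshot the unencrypted instance.
  aws rds create-db-snapshot --db-instance-identifier "$src" \
    --db-snapshot-identifier "$plain" || return 1
  aws rds wait db-snapshot-available --db-snapshot-identifier "$plain" || return 1

  # 2. Copy the snapshot; supplying a KMS key makes the copy encrypted.
  aws rds copy-db-snapshot --source-db-snapshot-identifier "$plain" \
    --target-db-snapshot-identifier "$enc" --kms-key-id "$key" || return 1
  aws rds wait db-snapshot-available --db-snapshot-identifier "$enc" || return 1

  # 3. Restore a new instance from the encrypted copy.
  aws rds restore-db-instance-from-db-snapshot --db-instance-identifier "$dst" \
    --db-snapshot-identifier "$enc" || return 1
  aws rds wait db-instance-available --db-instance-identifier "$dst" || return 1

  # 4. Verify the result instead of assuming it.
  if [ "$(storage_encrypted "$dst")" != "True" ]; then
    echo "$dst is NOT encrypted" >&2; return 4
  fi
  echo "$dst restored with storage encryption enabled"
}
```

The restored instance contains only what was in the snapshot; writes made to the source afterward are not carried over, which is the gap the AWS DMS step in the pattern covers.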
Limitations
You can enable encryption for an Amazon RDS DB instance only when you create it, not after the DB instance is created.
You can't have an encrypted read replica of an unencrypted DB instance or an unencrypted read replica of an encrypted DB instance.
You can't restore an unencrypted backup or snapshot to an encrypted DB instance.
Sequences aren't migrated to the new, encrypted DB instance.
For more information, see Limitations of Amazon RDS encrypted DB instances in the Amazon RDS documentation.