RDS instances should be encrypted (AWS-managed or customer-managed KMS CMKs)¶

Description¶

Encrypting your RDS DB instances provides an extra layer of security by securing your data from unauthorized access.

You cannot modify an existing database to enable encryption. You need to migrate to a new RDS instance. Navigate to RDS.
In the left navigation, select Snapshots.
Create a database snapshot.
Make a copy of the snapshot and make sure to enable encryption.

List all RDS instances:
- aws rds describe-db-instances --query 'DBInstances[*].DBInstanceIdentifier'
Check if each RDS instance is encrypted:
- aws rds describe-db-instances --db-instance-identifier <instance name> --query 'DBInstances[*].StorageEncrypted'
If an instance shows “false”, create a snapshot of it:
- aws rds create-db-snapshot --db-instance-identifier <instance name> --db-snapshot-identifier <name of new snapshot>
Make an encrypted copy of the snapshot:
- aws rds copy-db-snapshot --source-db-snapshot-identifier <instance name> --target-db-snapshot-identifier <new name of second snapshot> --kms-key-id <arn of RDS master key>
Restore snapshot to new database instance:
- aws rds restore-db-instance-from-db-snapshot --db-instance-identifier <new db instance name> --db-snapshot-identifier <name of second snapshot>
Point your application to the new database instance.

Ensure that the aws_db_instance or aws_rds_cluster storage_encrypted field is set to true. If encrypting with a customer-managed KMS key, kms_key_id should be set to the ARN of the key.

resource "aws_db_instance" "main" {
  storage_encrypted    = true
  # other required fields here
}

resource "aws_rds_cluster" "main" {
  storage_encrypted       = true
  # other required fields here
}