jekobokidou for AWS Community Builders

Enable encryption on existing RDS instance

Did you know that encryption cannot be enabled on an Amazon RDS database after it has been created?

Encryption is essential for corporate data. You must therefore ensure that encryption is enabled for all your Amazon RDS databases at creation.

Imagine that a new unencrypted database joins your organization, for example following a merger. You will have to catch up.

Don't panic! The solution is quite simple, even when your database is large and heavily used.

Basically, you will have to do the following:

  1. Create a snapshot of your database;
  2. Create an encrypted copy of your snapshot;
  3. Restore your encrypted snapshot in a new database.

Your Amazon RDS database is now encrypted!
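The three steps above as an AWS CLI script, added here as an example and not taken from the original post; the instance name, snapshot names and KMS key alias are placeholders you supply. It prints the commands by default (`DRY_RUN=1`) and executes them with `DRY_RUN=0`.

```shell
#!/bin/sh
# Added example: snapshot -> encrypted copy -> restore, via the AWS CLI.
# All identifiers are placeholders (assumptions), not values from the article.
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 executes them.
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "aws $*"
    else
        aws "$@"
    fi
}

encrypt_rds_instance() {
    src_db="$1"; kms_key="$2"; new_db="$3"
    snap="${src_db}-plain-snap"          # constructed snapshot names
    enc_snap="${src_db}-encrypted-snap"

    # 1. Snapshot the unencrypted instance and wait until it is usable.
    run rds create-db-snapshot \
        --db-instance-identifier "$src_db" --db-snapshot-identifier "$snap" || return 1
    run rds wait db-snapshot-available --db-snapshot-identifier "$snap" || return 1

    # 2. Copy the snapshot; supplying a KMS key makes the copy encrypted.
    run rds copy-db-snapshot \
        --source-db-snapshot-identifier "$snap" \
        --target-db-snapshot-identifier "$enc_snap" \
        --kms-key-id "$kms_key" || return 1
    run rds wait db-snapshot-available --db-snapshot-identifier "$enc_snap" || return 1

    # 3. Restore the encrypted copy into a new instance.
    run rds restore-db-instance-from-db-snapshot \
        --db-instance-identifier "$new_db" --db-snapshot-identifier "$enc_snap" || return 1
    run rds wait db-instance-available --db-instance-identifier "$new_db" || return 1

    # Check: the restored instance should report StorageEncrypted as true.
    run rds describe-db-instances --db-instance-identifier "$new_db" \
        --query 'DBInstances[0].StorageEncrypted' --output text
}

# Usage: sh encrypt-rds.sh <source-db> <kms-key-id-or-alias> <new-db>
if [ "$#" -eq 3 ]; then
    encrypt_rds_instance "$1" "$2" "$3"
fi
```

The snapshot is a point-in-time copy, so writes that reach the source instance after step 1 are not present in the new instance.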

For more information, see Amazon RDS Encryption.

Top comments (2)

John P. Rouillard

If I am reading this correctly, you have an encrypted database with out of date data. How do you bring the encrypted DB up to date with the live heavily used unencrypted database?

Is there a missing step? Shut down services using the unencrypted database before taking the snapshot?

jekobokidou

Hello John, sorry for the late reply.
But you are absolutely right, the strategy described here is the least complex. I am indeed describing the case of a database which accepts a sufficiently long outage time. This strategy would have to be adapted to take into account a database that tolerates only a very short interruption.