Encrypting RDS DB Instance
Amazon RDS can encrypt your Amazon RDS DB Instances.
When the encrypt option is enabled for the AWS RDS Resources, we are able to encrypt DB Instances, Automated Backups, Read replicas, Snapshots and Logs.
Amazon RDS encrypted DB instances use the AES-256 encryption algorithm to encrypt your data on the server that hosts your Amazon RDS DB instances.
The Encrypt option can be enabled only when you are launching the DB instance, it cannot be enabled after launch. However, copies of unencrypted snapshots can be encrypted.
Amazon RDS encrypted DB instances provide an additional layer of data protection by securing your data from unauthorized access to the underlying storage.
You can use Amazon RDS encryption to increase data protection of your applications deployed in the cloud, and to fulfill compliance requirements for encryption at rest.
Please visit my GitHub Repository for RDS articles on various topics being updated on constant basis.
Letβs get started!
Objectives:
1. Signin to AWS Management Console
2. Create RDS MySQL instance (uncheck - enabling encrypt option
)
3. Create a snapshot
4. Make a copy of the snapshot and encrypt it
5. Restore DB Instance from the encrypted snapshot
6. Change the name of the original DB Instance
7. Change the name of the Restored DB Instance to the original DB Instance name
8. Delete the original RDS Instance and snapshot
9. Delete AWS Resources
Pre-requisites:
- AWS user account with admin access, not a root account.
Resources Used:
Steps for implementation to this project:
Please read my article for the below 4 steps
How you create a MySQL RDS Database Instance and RDS Database Snapshot.
1. Signin to AWS Management Console
2. Create RDS MySQL instance (uncheck - IMPORTANT: Enable encryption option.
).
3. Create a snapshot
4. Validate the creation of RDS snapshot
- Click on the database
myrdsinstance
, go to the Configuration tab to check that the Encryption is not enabled
- Validate the snapshot creation
4. Make a copy of the snapshot and encrypt it.
Under the Manual snapshots, select the
myrdsinstancesnap
, click on Actions, Copy snapshotUnder Settings, region -
US East (N.Virginia)
, New DB Snapshot Identifier -myrdsinstancesnap-encrypted
Under Encryption, check Enable Encryption, AWS KMS key - (default) aws/rds
Copy snapshot
Wait for 5-6 minutes to see the snapshot encrypted.
5. Restore DB Instance from the encrypted snapshot.
Click on the encrypted snapshot -
myrdsinstancesnap-encrypted
, Actions, Restore snapshot, Under Availability and durability, Deployment options, Check Single DB instance, Under Settings, Enter name of DB Instance -myrdsinstancerestore-encrypted
, Burstable classes (including t classes) -db.t3.micro
Under Encryption, you can see the Enable Encryption is enabled and cannot make changes since the snapshot is encrypted
, Take all defaults like the original db instancemyrdsinstance
Restore DB Instance
Wait for 5-6 minutes to see the Restore DB Instance
6. Change the name of the original DB Instance.
Make sure that the Endpoint of the restored DB Instance should be the same as the original DB Instance.
To do so, we have to change the names of the DB Instances as the names are unique.
Select the original DB Instance
myrdsinstance
, ModifyChange the DB Instance Identifier to
myrdsinstance-unencrypted
, Take all defaultsContinue
Under Schedule modifications, select Apply Immediately
Modify DB instance
Verify the new values of the DB Instance Identifier and the Endpoint
- Wait for 5-6 minutes to see the change
7. Change the name of the Restored DB Instance to the original DB Instance name.
Select on the restored database
myrdsinstancerestore-encrypted
and click on ModifyChange the DB Instance Identifier to
myrdsinstance
Take all defaults, Continue.
Under Scheduling of modifications, select Apply Immediately
Modify DB instance
Verify the new values of the DB Instance Identifier
myrdsinstance
and the Endpoint
Wait for 5-6 minutes to see the change
Open
myrdsinstance
i.e, the encrypted DB InstanceClick on the database and go to the Configuration tab
Notice that the Encryption is enabled
8. Delete the original RDS Instance and snapshot.
Click on Databases present to the left of the screen
Select the Unencrypted DB Instance (i.e
myrdsinstance-unencrypted
, Actions, Delete option.Uncheck the Create final snapshot option
Check the Acknowledge box
Confirm the deletion by entering
delete me
delete
Snapshots on the left of your screen
Under Manual snapshots, select the unencrypted snapshot (i.e
myrdsinstancesnap
, Actions, Delete snapshotDelete
Under Manual snapshots, select the encrypted snapshot (i.e
myrdsinstancesnap-encrypted
, Actions, Delete snapshotDelete
Wait for 5-10 minutes to see that they are deleted
9. Delete AWS Resources
- Delete the encrypted
myrdsinstance
What we have done so far
- We have successfully Encrypted an Unencrypted RDS DB Instance.
Top comments (0)