
Revathi Joshi for AWS Community Builders


How to Encrypt an Unencrypted RDS DB Instance

Encrypting RDS DB Instance

  • Amazon RDS can encrypt your Amazon RDS DB Instances.

  • When encryption is enabled for an RDS DB instance, its automated backups, read replicas, snapshots and logs are encrypted as well.

  • Amazon RDS encrypted DB instances use the AES-256 encryption algorithm to encrypt your data on the server that hosts your Amazon RDS DB instances.

  • The Encrypt option can only be enabled when you launch the DB instance; it cannot be turned on afterwards. However, a copy of an unencrypted snapshot can be encrypted, and that is the route this walkthrough takes.

  • Amazon RDS encrypted DB instances provide an additional layer of data protection by securing your data from unauthorized access to the underlying storage.

  • You can use Amazon RDS encryption to increase data protection of your applications deployed in the cloud, and to fulfill compliance requirements for encryption at rest.

Please visit my GitHub Repository for RDS articles on various topics, updated on a constant basis.

Let’s get started!

Objectives:

1. Sign in to the AWS Management Console

2. Create an RDS MySQL instance (uncheck the Enable encryption option)

3. Create a snapshot

4. Make a copy of the snapshot and encrypt it

5. Restore DB Instance from the encrypted snapshot

6. Change the name of the original DB Instance

7. Change the name of the Restored DB Instance to the original DB Instance name

8. Delete the original RDS Instance and snapshot

9. Delete AWS Resources

Pre-requisites:

  • AWS user account with admin access, not a root account.

Resources Used:

Steps for implementation to this project:

1. Sign in to the AWS Management Console

2. Create an RDS MySQL instance (IMPORTANT: uncheck the Enable encryption option).

3. Create a snapshot

  • Validate the creation of the RDS snapshot

  • Click on the database myrdsinstance and go to the Configuration tab to check that encryption is not enabled

  • Validate the snapshot creation


4. Make a copy of the snapshot and encrypt it.

  • Under the Manual snapshots, select the myrdsinstancesnap, click on Actions, Copy snapshot

  • Under Settings, region - US East (N.Virginia), New DB Snapshot Identifier - myrdsinstancesnap-encrypted

  • Under Encryption, check Enable Encryption, AWS KMS key - (default) aws/rds

  • Copy snapshot

  • Wait for 5-6 minutes to see the snapshot encrypted.


5. Restore DB Instance from the encrypted snapshot.

  • Click on the encrypted snapshot myrdsinstancesnap-encrypted, then Actions, Restore snapshot. Under Availability and durability, Deployment options, check Single DB instance. Under Settings, enter the DB instance name myrdsinstancerestore-encrypted and choose Burstable classes (including t classes), db.t3.micro

  • Under Encryption, Enable encryption is already checked and cannot be changed, because the snapshot is encrypted. Take all the other defaults like the original DB instance myrdsinstance

  • Restore DB Instance

  • Wait for 5-6 minutes to see the Restore DB Instance


6. Change the name of the original DB Instance.

  • The restored DB instance must end up with the same endpoint as the original DB instance, so that applications need no connection-string change.

  • The endpoint hostname is derived from the DB instance identifier, and identifiers must be unique within the account and region, so we first rename the original instance and then give the restored instance the original name.

  • Select the original DB Instance myrdsinstance, Modify

  • Change the DB Instance Identifier to myrdsinstance-unencrypted, Take all defaults

  • Continue

  • Under Schedule modifications, select Apply Immediately

  • Modify DB instance

  • Verify the new values of the DB Instance Identifier and the Endpoint


  • Wait for 5-6 minutes to see the change

7. Change the name of the Restored DB Instance to the original DB Instance name.

  • Select the restored database myrdsinstancerestore-encrypted and click on Modify

  • Change the DB Instance Identifier to myrdsinstance

  • Take all defaults, Continue.

  • Under Scheduling of modifications, select Apply Immediately

  • Modify DB instance

  • Verify the new values of the DB Instance Identifier myrdsinstance and the Endpoint


  • Wait for 5-6 minutes to see the change

  • Open myrdsinstance, i.e. the encrypted DB instance

  • Click on the database and go to the Configuration tab

  • Notice that the Encryption is enabled


8. Delete the original RDS Instance and snapshot.

  • Click on Databases present to the left of the screen

  • Select the unencrypted DB instance (i.e. myrdsinstance-unencrypted), Actions, Delete

  • Uncheck the Create final snapshot option

  • Check the Acknowledge box

  • Confirm the deletion by entering "delete me"

  • Delete

  • Snapshots on the left of your screen

  • Under Manual snapshots, select the unencrypted snapshot (i.e. myrdsinstancesnap), Actions, Delete snapshot

  • Delete

  • Under Manual snapshots, select the encrypted snapshot (i.e. myrdsinstancesnap-encrypted), Actions, Delete snapshot

  • Delete

  • Wait for 5-10 minutes to see that they are deleted
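The console steps 3 to 7 above, driven through the AWS SDK instead, as an added example that is not part of the original post: it assumes boto3 with credentials for the account, uses the post's identifiers (myrdsinstance, myrdsinstancesnap-encrypted, db.t3.micro) and the AWS managed key alias/aws/rds, and ends with a StorageEncrypted check that also works on its own as an audit over describe_db_instances() output.

```python
import time

def copy_snapshot_params(src_id, dst_id, kms_key_id="alias/aws/rds"):
    # Step 4: a copy of an unencrypted snapshot is encrypted just by passing
    # KmsKeyId; alias/aws/rds is the AWS managed key the console shows as (default) aws/rds.
    return {"SourceDBSnapshotIdentifier": src_id, "TargetDBSnapshotIdentifier": dst_id,
            "KmsKeyId": kms_key_id, "CopyTags": True}

def rename_params(old_id, new_id):
    # Steps 6 and 7: the endpoint hostname follows the identifier, so the rename
    # is applied immediately rather than in the next maintenance window.
    return {"DBInstanceIdentifier": old_id, "NewDBInstanceIdentifier": new_id,
            "ApplyImmediately": True}

def unencrypted_instances(describe_response):
    # Audit check over a describe_db_instances() response: any instance whose
    # StorageEncrypted flag is missing or False still stores its data unencrypted at rest.
    return sorted(d["DBInstanceIdentifier"] for d in describe_response["DBInstances"]
                  if not d.get("StorageEncrypted", False))

def wait_available(rds, inst, retries=60):
    # A renamed instance is briefly unknown under its new identifier, so retry the
    # waiter when it fails with DBInstanceNotFound instead of giving up (assumption: ~10 min max).
    for _ in range(retries):
        try:
            rds.get_waiter("db_instance_available").wait(DBInstanceIdentifier=inst)
            return
        except Exception as err:  # botocore WaiterError carries the API error code in its text
            if "DBInstanceNotFound" not in str(err):
                raise
            time.sleep(10)
    raise TimeoutError(f"{inst} never became available")

def encrypt_in_place(rds, inst, kms_key_id="alias/aws/rds", db_class="db.t3.micro"):
    # Steps 3 to 7 of the post against a boto3 RDS client. The unencrypted original
    # is left as <inst>-unencrypted for you to verify and delete yourself (step 8).
    snap, enc_snap, restored = f"{inst}snap", f"{inst}snap-encrypted", f"{inst}restore-encrypted"
    rds.create_db_snapshot(DBInstanceIdentifier=inst, DBSnapshotIdentifier=snap)
    rds.get_waiter("db_snapshot_available").wait(DBSnapshotIdentifier=snap)
    rds.copy_db_snapshot(**copy_snapshot_params(snap, enc_snap, kms_key_id))
    rds.get_waiter("db_snapshot_available").wait(DBSnapshotIdentifier=enc_snap)
    rds.restore_db_instance_from_db_snapshot(DBInstanceIdentifier=restored,
                                             DBSnapshotIdentifier=enc_snap, DBInstanceClass=db_class)
    wait_available(rds, restored)
    rds.modify_db_instance(**rename_params(inst, f"{inst}-unencrypted"))
    wait_available(rds, f"{inst}-unencrypted")
    rds.modify_db_instance(**rename_params(restored, inst))
    wait_available(rds, inst)
    return unencrypted_instances(rds.describe_db_instances(DBInstanceIdentifier=inst)) == []
```

Call encrypt_in_place(boto3.client("rds"), "myrdsinstance"); it returns True once the instance under the original name reports StorageEncrypted, and leaves myrdsinstance-unencrypted plus both snapshots for step 8.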

9. Delete AWS Resources

  • Delete the encrypted myrdsinstance

What we have done so far

  • We have successfully Encrypted an Unencrypted RDS DB Instance.
