AWS · How-To · Beginner · 4 min read

How to Enable Encryption in AWS RDS Instances

To enable encryption in AWS RDS, you must create a new RDS instance with the StorageEncrypted option set to true. Encryption cannot be enabled on existing instances directly; instead, create a snapshot of the instance, copy it with encryption enabled, and restore a new encrypted instance from that snapshot.

Syntax

When creating an RDS instance, use the StorageEncrypted parameter to enable encryption. You can also specify a KmsKeyId to use a custom AWS KMS key for encryption.

  • StorageEncrypted: Set to true to enable encryption.
  • KmsKeyId: Optional, the ID of the KMS key to use for encryption.
```bash
aws rds create-db-instance \
  --db-instance-identifier mydbinstance \
  --db-instance-class db.t3.micro \
  --engine mysql \
  --allocated-storage 20 \
  --master-username admin \
  --master-user-password password123 \
  --storage-encrypted \
  --kms-key-id arn:aws:kms:region:account-id:key/key-id
```

Example

This example shows how to create a new encrypted RDS MySQL instance using the AWS CLI. It enables storage encryption and uses the default AWS managed key.

```bash
aws rds create-db-instance \
  --db-instance-identifier exampledb \
  --db-instance-class db.t3.micro \
  --engine mysql \
  --allocated-storage 20 \
  --master-username adminuser \
  --master-user-password MyPassw0rd! \
  --storage-encrypted
```

Output

```json
{
  "DBInstance": {
    "DBInstanceIdentifier": "exampledb",
    "DBInstanceStatus": "creating",
    "StorageEncrypted": true,
    "Engine": "mysql",
    "DBInstanceClass": "db.t3.micro"
  }
}
```

Common Pitfalls

Encryption cannot be enabled on an existing RDS instance directly. A common mistake is trying to modify an existing instance to enable encryption, which AWS does not allow.

Instead, create a snapshot of the existing instance, copy the snapshot with encryption enabled, and then restore a new encrypted instance from that snapshot.

```bash
# Wrong approach: this fails because encryption can't be enabled on an existing instance.
aws rds modify-db-instance \
  --db-instance-identifier mydbinstance \
  --storage-encrypted true

# Correct approach:
aws rds create-db-snapshot --db-instance-identifier mydbinstance --db-snapshot-identifier mydbsnapshot
aws rds copy-db-snapshot --source-db-snapshot-identifier mydbsnapshot --target-db-snapshot-identifier mydbsnapshot-encrypted --kms-key-id alias/aws/rds
aws rds restore-db-instance-from-db-snapshot --db-instance-identifier mydbinstance-encrypted --db-snapshot-identifier mydbsnapshot-encrypted
```
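The three commands above cannot be run back-to-back as written: each step must wait for the previous snapshot or instance to become available, and nothing checks the result. The script below is an added example, not code from the original article; it wraps the same snapshot, copy and restore sequence with the AWS CLI's `wait` subcommands, skips instances that are already encrypted, and verifies `StorageEncrypted` on the restored instance. It assumes a configured AWS CLI with permission to manage the instance, its snapshots and the chosen KMS key; the instance and key names are placeholders.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): encrypt an existing RDS
# instance via snapshot -> encrypted copy -> restore, waiting between steps
# and verifying the outcome. Assumes a configured AWS CLI.
set -eu

# Prints "True" or "False" for the StorageEncrypted flag of an instance.
storage_encrypted() {
  aws rds describe-db-instances \
    --db-instance-identifier "$1" \
    --query 'DBInstances[0].StorageEncrypted' --output text
}

# Usage: encrypt_existing_instance <db-instance-id> <kms-key-id-or-alias>
# Creates "<db-instance-id>-encrypted" from an encrypted copy of a new snapshot.
encrypt_existing_instance() {
  local src="$1" key="$2"
  local snap="${src}-snap-$(date +%Y%m%d%H%M%S)"
  local enc_snap="${snap}-encrypted"
  local dst="${src}-encrypted"

  if [ "$(storage_encrypted "$src")" = "True" ]; then
    echo "$src already has encrypted storage; nothing to do" >&2
    return 0
  fi

  # 1. Snapshot the unencrypted source and wait until the snapshot is usable.
  aws rds create-db-snapshot \
    --db-instance-identifier "$src" --db-snapshot-identifier "$snap" >/dev/null
  aws rds wait db-snapshot-available --db-snapshot-identifier "$snap"

  # 2. Copy the snapshot with a KMS key; this is the only step that can add encryption.
  aws rds copy-db-snapshot \
    --source-db-snapshot-identifier "$snap" \
    --target-db-snapshot-identifier "$enc_snap" \
    --kms-key-id "$key" >/dev/null
  aws rds wait db-snapshot-available --db-snapshot-identifier "$enc_snap"

  # 3. Restore a new instance (it gets a new endpoint) from the encrypted copy.
  aws rds restore-db-instance-from-db-snapshot \
    --db-instance-identifier "$dst" --db-snapshot-identifier "$enc_snap" >/dev/null
  aws rds wait db-instance-available --db-instance-identifier "$dst"

  # 4. Verify instead of assuming: fail if the flag is not set on the result.
  [ "$(storage_encrypted "$dst")" = "True" ] || { echo "$dst is NOT encrypted" >&2; return 1; }
  echo "$dst is encrypted with $key"
}

if [ "$#" -ge 2 ]; then
  encrypt_existing_instance "$1" "$2"
fi
```

Applications must be repointed at the new instance's endpoint, and the original unencrypted instance and snapshot should be deleted once the cutover is confirmed.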

Quick Reference

  • Encryption must be enabled at instance creation or snapshot copy time.
  • Use --storage-encrypted to enable encryption.
  • Specify --kms-key-id to use a custom KMS key.
  • Existing instances cannot be encrypted directly; use snapshot copy method.

Key Takeaways

  • Enable encryption by setting StorageEncrypted to true when creating a new RDS instance.
  • You cannot enable encryption on an existing RDS instance directly.
  • To encrypt an existing instance, create a snapshot, copy it with encryption, then restore a new instance from the copy.
  • Use AWS KMS keys to manage the encryption keys.
  • Plan for encryption before deploying an RDS instance, since adding it later requires a migration to a new instance.