~ 3 min read
Migrating an unencrypted RDS database to an encrypted one
AWS provides at-read encryption for RDS instances which should be enabled to ensure the integrity of data stored within the databases.
Data encryption at rest allows your data to remain secure even when hosted on the cloud. When server side encryption is not enabled, in the event of an unauthorised access or breach of the underlying infrastructure, the integrity of your data could be violated and may present a risk. This would also violate data security compliances and could attract penalties from regulatory authorities.
In this article we will take a look at how we can migrate an unencrypted RDS database to an encrypted one.
Encrypting an unencrypted RDS database
RDS encryption is an immutable setting that must be turned on at the time of creation. To migrate a database from unencrypted to encrypted, follow these steps:
Login to the AWS Management Console
Navigate to KMS service and create a new CMK Key
Click on the newly created CMK alias and copy the full key ARN
Now the new CMK must be applied to encrypt/decrypt the RDS instance data
Navigate to RDS service and select the RDS database instance that you want to encrypt
Click the Instance Actions button from the dashboard top menu and select Take Snapshot
On the Take DB Snapshot page, enter a name for the instance snapshot in the Snapshot Name field and click Take Snapshot
Select the newly created snapshot and click the Copy Snapshot button from the dashboard top menu
On the Make Copy of DB Snapshot page, perform the following steps
- In the New DB Snapshot Identifier field, enter a name for the new snapshot.
- Check Copy Tags so the new snapshot can have the same tags as the source snapshot.
- In the Master Key dropdown list, select Enter a key ARN to provide your own CMK ARN.
- In the ARN field, paste the CMK ARN
Click Copy Snapshot to create an encrypted copy of the selected instance snapshot
Select the new snapshot copy and click the Restore Snapshot button from the dashboard top menu. This will restore the encrypted snapshot to a new database instance
On the Restore DB Instance page, enter a unique name for the new database instance in the DB instance identifier field
Review the instance configuration details and click Restore DB Instance
The new database instance is created, you can update your application configuration to refer to the endpoint of the new database instance. Once the database endpoint is changed at your application level to point to the new instance and you have ensured that everything is working as expected, you can remove the old unencrypted database instance.
In this article we covered how to migrate an unencrypted database to an encrypted one via the AWS console. Keep an eye on this space for the CLI commands of this procedure in the coming few days.