Migrating an unencrypted RDS database to an encrypted one

Riyaz Walikar


AWS provides at-rest encryption for RDS instances, which should be enabled to ensure the integrity of data stored within the databases.

Data encryption at rest allows your data to remain secure even when hosted on the cloud. When server-side encryption is not enabled, in the event of unauthorised access or a breach of the underlying infrastructure, the integrity of your data could be violated and may present a risk. This would also violate data security compliance requirements and could attract penalties from regulatory authorities.

In this article we will take a look at how we can migrate an unencrypted RDS database to an encrypted one.

Encrypting an unencrypted RDS database

RDS encryption is an immutable setting that must be turned on at the time of creation. To migrate a database from unencrypted to encrypted, follow these steps:

  1. Login to the AWS Management Console

  2. Navigate to the KMS service and create a new CMK

  3. Click on the newly created CMK alias and copy the full key ARN

  4. Now the new CMK must be applied to encrypt/decrypt the RDS instance data

  5. Navigate to the RDS service and select the RDS database instance that you want to encrypt

  6. Click the Instance Actions button from the dashboard top menu and select Take Snapshot

  7. On the Take DB Snapshot page, enter a name for the instance snapshot in the Snapshot Name field and click Take Snapshot

  8. Select the newly created snapshot and click the Copy Snapshot button from the dashboard top menu

  9. On the Make Copy of DB Snapshot page, perform the following steps

    • In the New DB Snapshot Identifier field, enter a name for the new snapshot.
    • Check Copy Tags so the new snapshot can have the same tags as the source snapshot.
    • In the Master Key dropdown list, select Enter a key ARN to provide your own CMK ARN.
    • In the ARN field, paste the CMK ARN

  10. Click Copy Snapshot to create an encrypted copy of the selected instance snapshot

  11. Select the new snapshot copy and click the Restore Snapshot button from the dashboard top menu. This will restore the encrypted snapshot to a new database instance

  12. On the Restore DB Instance page, enter a unique name for the new database instance in the DB instance identifier field

  13. Review the instance configuration details and click Restore DB Instance

Once the new database instance is created, you can update your application configuration to refer to the endpoint of the new database instance. After the database endpoint is changed at your application level to point to the new instance and you have ensured that everything is working as expected, you can remove the old unencrypted database instance.
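The same snapshot, encrypted copy and restore sequence, scripted with the AWS CLI as an added example (not the author's code). The function name and the `-plain`/`-enc` snapshot suffixes are assumptions; the function also refuses to run against an already encrypted source and checks that the restored instance reports the expected CMK before any cutover.

```shell
#!/usr/bin/env bash
# Added example: snapshot -> encrypted copy -> restore with the AWS CLI.
# Assumptions: function name and the "-plain"/"-enc" snapshot suffixes.
# Usage: rds_encrypt_migrate <source-instance-id> <new-instance-id> <full-cmk-arn>
rds_encrypt_migrate() {
  local src="$1" new="$2" cmk="$3"
  local snap="${src}-plain"
  local enc_snap="${src}-enc"
  local state key

  # Pre-check: only migrate an instance that is actually unencrypted.
  state=$(aws rds describe-db-instances --db-instance-identifier "$src" \
            --query 'DBInstances[0].StorageEncrypted' --output text) || return 1
  if [ "$state" != "False" ]; then
    echo "source $src reports StorageEncrypted=$state; nothing to migrate" >&2
    return 2
  fi

  # Steps 5-7: snapshot the unencrypted instance.
  aws rds create-db-snapshot --db-instance-identifier "$src" \
      --db-snapshot-identifier "$snap" >/dev/null || return 1
  aws rds wait db-snapshot-available --db-snapshot-identifier "$snap" || return 1

  # Steps 8-10: copy the snapshot; the copy is encrypted with the CMK.
  aws rds copy-db-snapshot --source-db-snapshot-identifier "$snap" \
      --target-db-snapshot-identifier "$enc_snap" \
      --kms-key-id "$cmk" --copy-tags >/dev/null || return 1
  aws rds wait db-snapshot-available --db-snapshot-identifier "$enc_snap" || return 1

  # Steps 11-13: restore the encrypted copy as a new instance.
  aws rds restore-db-instance-from-db-snapshot --db-instance-identifier "$new" \
      --db-snapshot-identifier "$enc_snap" >/dev/null || return 1
  aws rds wait db-instance-available --db-instance-identifier "$new" || return 1

  # Verify before cutover: encrypted, and with the CMK we asked for.
  state=$(aws rds describe-db-instances --db-instance-identifier "$new" \
            --query 'DBInstances[0].StorageEncrypted' --output text) || return 1
  key=$(aws rds describe-db-instances --db-instance-identifier "$new" \
            --query 'DBInstances[0].KmsKeyId' --output text) || return 1
  if [ "$state" != "True" ] || [ "$key" != "$cmk" ]; then
    echo "verification failed: StorageEncrypted=$state KmsKeyId=$key" >&2
    return 3
  fi
  echo "$new is encrypted with $cmk; safe to repoint the application"
}
```

The restore call passes only the two identifiers, so the new instance's configuration still needs the review described in step 13.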


In this article we covered how to migrate an unencrypted database to an encrypted one via the AWS console. Keep an eye on this space for the CLI commands of this procedure in the coming few days.
