Encrypting Amazon RDS Resources
You can encrypt your Amazon RDS instances and snapshots at rest by enabling the encryption option for your Amazon RDS DB instance. Data that is encrypted at rest includes the underlying storage for a DB instance, its automated backups, Read Replicas, and snapshots.
Amazon RDS encrypted instances use the industry standard AES-256 encryption algorithm to encrypt your data on the server that hosts your Amazon RDS instance. Once your data is encrypted, Amazon RDS handles authentication of access and decryption of your data transparently with a minimal impact on performance. You don't need to modify your database client applications to use encryption.
Amazon RDS encrypted instances provide an additional layer of data protection by securing your data from unauthorized access to the underlying storage. You can use Amazon RDS encryption to increase data protection of your applications deployed in the cloud, and to fulfill compliance requirements for data-at-rest encryption.
Amazon RDS also supports encrypting an Oracle or SQL Server DB instance with Transparent Data Encryption (TDE). TDE can be used in conjunction with encryption at rest, although using TDE and encryption at rest simultaneously might slightly affect the performance of your database. You must manage different keys for each encryption method. For more information on TDE, see Oracle Transparent Data Encryption, Using AWS CloudHSM to Store Amazon RDS Oracle TDE Keys, or Microsoft SQL Server Transparent Data Encryption Support.
To manage the keys used for encrypting and decrypting your Amazon RDS resources, you use the AWS Key Management Service (AWS KMS). AWS KMS combines secure, highly available hardware and software to provide a key management system scaled for the cloud. Using AWS KMS, you can create encryption keys and define the policies that control how these keys can be used. AWS KMS supports CloudTrail, so you can audit key usage to verify that keys are being used appropriately. Your AWS KMS keys can be used in combination with Amazon RDS and supported AWS services such as Amazon Simple Storage Service (Amazon S3), Amazon Elastic Block Store (Amazon EBS), and Amazon Redshift. For a list of services that support AWS KMS, go to Supported Services in the AWS Key Management Service Developer Guide.
All logs, backups, and snapshots are encrypted for an Amazon RDS encrypted instance. A Read Replica of an Amazon RDS encrypted instance is also encrypted using the same key as the master instance.
Enabling Amazon RDS Encryption for a DB Instance
To enable encryption for a new DB instance, select
Yes in the Enable encryption
dropdown in the
Amazon RDS console. For information on creating a DB instance, see one of the following topics:
If you use the
create-db-instance AWS CLI command
to create an encrypted RDS DB instance, set the
--storage-encrypted parameter to true.
If you use the CreateDBInstance API action,
StorageEncrypted parameter to true.
When you create an encrypted DB instance, you can also supply the AWS KMS key identifier for your encryption key. If you don't specify an AWS KMS key identifier, then Amazon RDS will use your default encryption key for your new DB instance. AWS KMS creates your default encryption key for Amazon RDS for your AWS account. Your AWS account has a different default encryption key for each AWS region.
Once you have created an encrypted DB instance, you cannot change the encryption key for that instance, Therefore, be sure to determine your encryption key requirements before you create your encrypted DB instance.
If you use the AWS CLI
create-db-instance command to create an encrypted RDS DB instance,
--kms-key-id parameter to the Amazon Resource Name (ARN) for the AWS KMS encryption key
for the DB instance.
If you use the Amazon RDS API
KmsKeyId parameter to the ARN for your AWS KMS key for the DB instance.
You can use the ARN of a key from another account to encrypt an RDS DB instance. If you create a DB instance with the same AWS account that owns the AWS KMS encryption key used to encrypt that new DB instance, the AWS KMS key ID that you pass can be the AWS KMS key alias instead of the key's ARN.
If Amazon RDS loses access to the encryption key for a DB instance—for example, when Amazon RDS access to a key is revoked—then the encrypted DB instance is placed into a terminal state and can only be restored from a backup. We strongly recommend that you always enable backups for encrypted DB instances to guard against the loss of encrypted data in your databases.
Availability of Amazon RDS Encrypted Instances
Amazon RDS encrypted instances are currently available for all database engines and storage types. Amazon RDS encryption is not currently available in the China (Beijing) region.
Amazon RDS encryption is available for all DB instance classes for Amazon Aurora, and for the following DB instance classes for all other Amazon RDS database engines:
|Instance Type||Instance Class|
General Purpose (M4)—Current Generation
Memory Optimized (R3)—Current Generation
Burst Capable (T2)—Current Generation
General Purpose (M3)—Previous Generation
Encryption at rest is not available for DB instances running SQL Server Express Edition.
Managing Amazon RDS Encryption Keys
You can manage keys used for Amazon RDS encrypted instances using the AWS Key Management Service (AWS KMS) in the IAM console. If you want full control over a key, then you must create a customer-managed key. You cannot delete, revoke, or rotate default keys provisioned by AWS KMS.
You can view audit logs of every action taken with a customer-managed key by using AWS CloudTrail.
If you disable the key for an encrypted DB instance, you cannot read from or write to that DB instance. When Amazon RDS encounters a DB instance encrypted by a key that Amazon RDS does not have access to, Amazon RDS puts the DB instance into a terminal state where the DB instance is no longer available and the current state of the database cannot be recovered. In order to restore the DB instance, you must re-enable access to the encryption key for Amazon RDS, and then restore the DB instance from a backup.
Limitations of Amazon RDS Encrypted Instances
The following limitations exist for Amazon RDS encrypted instances:
You can only enable encryption for an Amazon RDS DB instance when you create it, not after the DB instance is created.
However, because you can encrypt a copy of an unencrypted DB snapshot, you can effectively add encryption to an unencrypted DB instance. That is, you can create a snapshot of your DB instance, and then create an encrypted copy of that snapshot. You can then restore a DB instance from the encrypted snapshot and you will have an encrypted copy of your original DB instance. For more information, see Copying a DB Snapshot or DB Cluster Snapshot. You do not need to encrypt an Amazon Aurora DB cluster snapshot in order to create an encrypted copy of an Aurora DB cluster. If you specify a KMS encryption key when restoring from an unencrypted DB cluster snapshot, the restored DB cluster is encrypted using the specified KMS encryption key.
DB instances that are encrypted cannot be modified to disable encryption.
You cannot have an encrypted Read Replica of an unencrypted DB instance or an unencrypted Read Replica of an encrypted DB instance.
Encrypted Read Replicas must be encrypted with the same key as the source DB instance.
You cannot restore an unencrypted backup or snapshot to an encrypted DB instance. You can, however, restore an unencrypted Aurora DB cluster snapshot to an encrypted Aurora DB cluster if you specify a KMS encryption key when you restore from the unencrypted DB cluster snapshot.
You cannot restore an encrypted MySQL DB snapshot to an Aurora DB cluster.
To copy an encrypted snapshot from one region to another, you must specify the KMS key identifier of the destination region. This is because KMS encryption keys are specific to the region that they are created in.
The source snapshot remains encrypted throughout the copy process. AWS Key Management Service uses envelope encryption to protect data during the copy process. For more information about envelope encryption, see Envelope Encryption.