AWS Prescriptive Guidance
Patterns

Encrypt an existing Amazon RDS for PostgreSQL DB instance

R Type: NotApplicable

Source: Security

Target: Encrypted PostgreSQL, Amazon RDS

Tags: encryption of unencrypted PostgreSQL, Amazon RDS instance with little or no downtime

Summary

This pattern provides guidance for encrypting an Amazon Relational Database Service (Amazon RDS) DB instance for PostgreSQL with little or no downtime. 

You can enable encryption for an RDS DB instance when you create it, but not after it's created. However, you can add encryption to an unencrypted DB instance by creating a snapshot of your DB instance, and then creating an encrypted copy of that snapshot. You can then restore a DB instance from the encrypted snapshot to get an encrypted copy of your original DB instance.

We recommend that you encrypt your Amazon RDS DB instances to fulfill compliance requirements for data-at-rest encryption. Data encryption and decryption for RDS DB instances are handled transparently and do not require any additional action from you or your application. This pattern uses AWS Database Migration Service (AWS DMS) for migrating data and AWS Key Management Service (AWS KMS) for encryption. 

Assumptions and Prerequisites

Prerequisites

  • An active AWS account

  • An unencrypted Amazon RDS for PostgreSQL source database (for a smooth cutover, have the application reach the database through an Amazon Route 53 record rather than a direct endpoint reference)

  • AWS DMS to perform migration tasks (enable logical replication by setting the rds.logical_replication parameter to 1 in the DB parameter group)

  • Familiarity with using a PostgreSQL database as a source for AWS DMS 

  • Familiarity with using a PostgreSQL database as a target for AWS DMS 

Limitations

Architecture

Source architecture

  • RDS DB instance (unencrypted)

Target architecture

  • RDS DB instance (encrypted)

    • The destination RDS DB instance is created by restoring the DB snapshot copy of the source RDS DB instance.

    • An AWS KMS key is used for encryption while restoring the snapshot.

    • An AWS DMS replication task is used to migrate the data.

    • Amazon Route 53 is used during cutover to route application traffic to the instance endpoints.

Tools Used

Tools used to enable encryption:

  • DB snapshot - For information about DB snapshots, see Creating a DB Snapshot.

  • KMS key for encryption - When you create an encrypted DB instance, you can also supply the KMS key identifier for your encryption key. If you don't specify a KMS key identifier, Amazon RDS uses your default encryption key for the new DB instance. AWS KMS creates the default encryption key for Amazon RDS for your AWS account, and your account has a different default encryption key in each AWS Region. For this pattern, encrypt the Amazon RDS DB instance by using a non-default KMS key. For more information about using KMS keys for Amazon RDS encryption, see Encrypting Amazon RDS Resources.

Tools used for ongoing replication:

  • AWS DMS - AWS Database Migration Service (AWS DMS) is used to replicate ongoing changes to keep sources and targets in sync. For more information about using AWS DMS for ongoing replication, see the AWS DMS documentation.

  • AWS DMS source and target endpoints - For information about creating endpoints, see the AWS DMS documentation.

Epics

Prepare the source DB instance

Tasks

Title: Check the encryption details for the source RDS PostgreSQL DB instance.
  Description: Choose the RDS DB instance that you want to encrypt, and view the instance details to see whether it's already encrypted.
  Skills: DBA
  Predecessor: Source Preparation

Title: Create a DB snapshot of the instance.
  Description: For the DB instance that you want to encrypt, choose Actions, and then choose Take Snapshot. In the Take DB Snapshot window, type the name of the snapshot, and then choose Take Snapshot. The backup process might take a few minutes, depending on the storage size of your instance.
  Skills: DBA

Title: Make an encrypted copy of the DB snapshot.
  Description: In the navigation pane, choose the snapshot that you created. Choose Actions, and then choose Copy Snapshot. In the Make Copy of DB Snapshot window, type a name for the snapshot copy in the New DB Snapshot Identifier field. Select the Copy Tags check box so that the new snapshot is assigned the same tags and values as the source snapshot. Choose Enable Encryption. You can choose the AWS KMS default encryption key or your custom key from the Master Key list. The Amazon Resource Name (ARN) of your custom key is required.
  Skills: DBA

Prepare the destination DB instance

Tasks

Title: Restore the encrypted copy of the DB snapshot.
  Description: Open the Amazon RDS console. In the navigation pane, choose Snapshots, and then choose the copy of the snapshot that you created in the previous task. For Actions, choose Restore Snapshot. This restores the encrypted snapshot to a new DB instance. On the Restore DB Instance page, enter a unique name for the new DB instance in the DB Instance Identifier box. Review the instance configuration details, and then choose Restore DB Instance. Confirm that the new DB instance is encrypted.
  Skills: DBA
  Predecessor: Destination Preparation
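Both the source check (view the instance details to see whether the instance is already encrypted) and the final check on the restored instance come down to reading two fields of the DescribeDBInstances response, StorageEncrypted and KmsKeyId. The following script is an added example, not part of the AWS pattern: it evaluates the dict that boto3's rds.describe_db_instances() returns, so the same functions work on a live response or, as here, on a constructed sample. The instance identifiers and key ARN in the sample are placeholders.

```python
"""Audit RDS encryption state from a DescribeDBInstances response (added example)."""
from typing import Dict, List, Optional

# Constructed sample response: the unencrypted source and the encrypted
# instance restored from the snapshot copy. Identifiers and ARN are placeholders.
SAMPLE_RESPONSE: Dict = {
    "DBInstances": [
        {
            "DBInstanceIdentifier": "source-postgres",
            "Engine": "postgres",
            "StorageEncrypted": False,
        },
        {
            "DBInstanceIdentifier": "source-postgres-encrypted",
            "Engine": "postgres",
            "StorageEncrypted": True,
            "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
        },
    ]
}


def encryption_status(response: Dict) -> Dict[str, Optional[str]]:
    """Map each DB instance identifier to its KMS key ARN, or None if storage is unencrypted."""
    status: Dict[str, Optional[str]] = {}
    for inst in response.get("DBInstances", []):
        ident = inst["DBInstanceIdentifier"]
        # StorageEncrypted is the authoritative flag; KmsKeyId is only set when it is true.
        status[ident] = inst.get("KmsKeyId") if inst.get("StorageEncrypted") else None
    return status


def unencrypted_instances(response: Dict) -> List[str]:
    """Identifiers that still need the snapshot-copy procedure described in this pattern."""
    return sorted(ident for ident, key in encryption_status(response).items() if key is None)


def verify_restored_instance(response: Dict, identifier: str, expected_key_arn: str) -> bool:
    """True only if the restored instance exists, is encrypted, and uses the intended
    (non-default) KMS key rather than whatever key the restore defaulted to."""
    key = encryption_status(response).get(identifier)
    return key is not None and key == expected_key_arn


if __name__ == "__main__":
    print("unencrypted:", unencrypted_instances(SAMPLE_RESPONSE))
    print("restored instance uses intended key:",
          verify_restored_instance(SAMPLE_RESPONSE, "source-postgres-encrypted",
                                   "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"))
```

Against a live account, replace SAMPLE_RESPONSE with the result of boto3.client("rds").describe_db_instances(); comparing KmsKeyId to the ARN of the key you chose when copying the snapshot catches the common mistake of letting the copy fall back to the Region's default key.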

Use AWS DMS to migrate data

Tasks

Title: Create an AWS DMS task.
  Description: In the AWS DMS console, create an AWS DMS task. For migration type, choose "Migrate existing data and replicate ongoing changes." For target table preparation mode, choose "Truncate." Under Advanced Task Settings, enable the awsdms_status table if you want to verify replication status.
  Skills: AWS SysAdmin

Title: Run the migration task.
  Description: Wait until all the records have been updated. AWS DMS then determines the size of the data to migrate.

Verify the migration

Tasks

Title: Verify the data in the encrypted RDS DB instance.
  Description: Verify that, after migration, the data in the encrypted RDS DB instance matches the records in the unencrypted DB instance.
  Skills: DBA

Title: Check replication status in AWS DMS.
  Description: The awsdms_status table provides information about the migration task. To activate this table, you must enable it in Advanced Task Settings when you create the AWS DMS task. For detailed information, see https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Validating.html.
  Skills: DBA
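The verification task above asks you to confirm that the encrypted instance holds the same records as the unencrypted one. One way to do that without eyeballing rows is to fingerprint each table on both sides (row count plus a hash over the rows in a deterministic order) and compare. The script below is an added example, not part of the AWS pattern; it works with any DB-API 2.0 connection (in practice two psycopg2 connections, one per RDS instance), and the demo at the bottom uses in-memory sqlite3 databases as a constructed stand-in for the two PostgreSQL instances so that it runs offline. Table and column names in the demo are constructed.

```python
"""Compare table contents between source and target after an AWS DMS task (added example)."""
import hashlib
import sqlite3
from typing import Dict, Iterable, Tuple


def table_fingerprint(conn, table: str, order_by: str) -> Tuple[int, str]:
    """Return (row count, SHA-256 over all rows ordered by order_by).

    order_by must be a column that is unique on both sides (normally the primary
    key); otherwise identical data could hash differently. Table and column names
    come from the operator's own list, never from untrusted input, and are quoted
    as identifiers (double quotes are valid in both PostgreSQL and SQLite).
    """
    cur = conn.cursor()
    cur.execute(f'SELECT * FROM "{table}" ORDER BY "{order_by}"')
    digest = hashlib.sha256()
    count = 0
    for row in cur:
        # repr() of the row tuple is a stable textual form for the same driver
        # and column types on both sides, which is the case for two RDS instances.
        digest.update(repr(tuple(row)).encode("utf-8"))
        digest.update(b"\n")
        count += 1
    return count, digest.hexdigest()


def compare_tables(source, target, tables: Dict[str, str]) -> Dict[str, bool]:
    """For each table -> unique order-by column, report whether source and target match."""
    return {
        table: table_fingerprint(source, table, key) == table_fingerprint(target, table, key)
        for table, key in tables.items()
    }


def _demo_db(rows: Iterable[Tuple[int, str]]) -> sqlite3.Connection:
    """Constructed stand-in database with a single 'accounts' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute('CREATE TABLE "accounts" (id INTEGER PRIMARY KEY, email TEXT)')
    conn.executemany('INSERT INTO "accounts" VALUES (?, ?)', rows)
    conn.commit()
    return conn


def demo() -> Dict[str, bool]:
    """Two scenarios: a complete replica (rows arrived in a different order) and an incomplete one."""
    source = _demo_db([(1, "a@example.com"), (2, "b@example.com")])
    complete_target = _demo_db([(2, "b@example.com"), (1, "a@example.com")])
    incomplete_target = _demo_db([(1, "a@example.com")])  # one row never replicated
    return {
        "complete": compare_tables(source, complete_target, {"accounts": "id"})["accounts"],
        "incomplete": compare_tables(source, incomplete_target, {"accounts": "id"})["accounts"],
    }


if __name__ == "__main__":
    print(demo())
```

Run it against the real instances only after the AWS DMS task reports that the full load is complete and ongoing changes have caught up; while replication is still applying changes a mismatch is expected, not a defect.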

Cut over in Route 53

Tasks

Title: Cut over to the encrypted RDS DB instance.
  Description: At cutover, reconfigure your application to use the encrypted instance by first lowering the DNS TTL of the Route 53 record to a short value, and then replacing the endpoint name in Route 53 with the endpoint of the encrypted DB instance.
  Skills: DBA, App Owner
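The cutover step has an ordering that matters: the TTL has to be lowered one full old-TTL period before the endpoint is swapped, otherwise resolvers that cached the long-lived record keep sending the application to the unencrypted instance. The script below is an added example, not part of the AWS pattern. plan_cutover() builds the ChangeBatch dicts accepted by boto3's route53.change_resource_record_sets() and apply_plan() will drive any object exposing that method; the demo uses a constructed in-memory stand-in instead of a live client, and the record name, endpoints and hosted zone id are placeholders.

```python
"""Plan and apply a low-downtime Route 53 cutover to the encrypted RDS endpoint (added example)."""
import time
from typing import Callable, Dict, List


def _upsert(name: str, target: str, ttl: int, comment: str) -> Dict:
    """One UPSERT ChangeBatch for the CNAME that the application resolves."""
    return {
        "Comment": comment,
        "Changes": [{
            "Action": "UPSERT",
            "ResourceRecordSet": {
                "Name": name,
                "Type": "CNAME",
                "TTL": ttl,
                "ResourceRecords": [{"Value": target}],
            },
        }],
    }


def plan_cutover(record_name: str, old_endpoint: str, new_endpoint: str,
                 current_ttl: int, short_ttl: int = 60) -> List[Dict]:
    """Ordered cutover steps.

    1. Keep the old endpoint but shorten the TTL.
    2. Wait current_ttl seconds so every resolver has expired the long-lived record.
    3. Point the record at the encrypted instance's endpoint.
    4. Restore the original TTL (apply once the application is confirmed healthy).
    """
    if old_endpoint == new_endpoint:
        raise ValueError("new endpoint must differ from the current one")
    if not 0 < short_ttl <= current_ttl:
        raise ValueError("short_ttl must be positive and no longer than current_ttl")
    return [
        {"action": "change", "wait_seconds": 0,
         "batch": _upsert(record_name, old_endpoint, short_ttl, "lower TTL before cutover")},
        {"action": "wait", "wait_seconds": current_ttl, "batch": None},
        {"action": "change", "wait_seconds": 0,
         "batch": _upsert(record_name, new_endpoint, short_ttl, "cut over to encrypted instance")},
        {"action": "change", "wait_seconds": 0,
         "batch": _upsert(record_name, new_endpoint, current_ttl, "restore TTL after cutover")},
    ]


def apply_plan(route53, hosted_zone_id: str, plan: List[Dict],
               sleep: Callable[[float], None] = time.sleep) -> int:
    """Execute the plan with a Route 53 client object; returns the number of change calls made."""
    calls = 0
    for step in plan:
        if step["action"] == "wait":
            sleep(step["wait_seconds"])
        else:
            route53.change_resource_record_sets(HostedZoneId=hosted_zone_id,
                                                ChangeBatch=step["batch"])
            calls += 1
    return calls


class RecordingRoute53:
    """Constructed stand-in for a boto3 Route 53 client: records the changes it receives."""

    def __init__(self) -> None:
        self.targets: List[str] = []
        self.ttls: List[int] = []

    def change_resource_record_sets(self, HostedZoneId: str, ChangeBatch: Dict) -> Dict:
        rrset = ChangeBatch["Changes"][0]["ResourceRecordSet"]
        self.targets.append(rrset["ResourceRecords"][0]["Value"])
        self.ttls.append(rrset["TTL"])
        return {"ChangeInfo": {"Status": "PENDING"}}


def demo() -> Dict:
    """Dry run with placeholder names; the wait is recorded instead of slept."""
    waits: List[float] = []
    client = RecordingRoute53()
    plan = plan_cutover("db.app.internal.", "old-instance.example-rds-endpoint",
                        "encrypted-instance.example-rds-endpoint", current_ttl=300)
    calls = apply_plan(client, "ZONE-ID-PLACEHOLDER", plan, sleep=waits.append)
    return {"calls": calls, "waits": waits, "targets": client.targets, "ttls": client.ttls}


if __name__ == "__main__":
    print(demo())
```

For a real cutover pass boto3.client("route53") and the hosted zone id to apply_plan(), and keep the DMS task running until the swap has propagated so that writes reaching the old endpoint during the TTL window are still replicated to the encrypted instance.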

Miscellaneous

Best practices for using this pattern:

  • Enable logical replication by setting the rds.logical_replication parameter to 1 in the parameter group for your DB instance.

  • For a smooth cutover, have the application reach the database through an Amazon Route 53 record rather than a direct endpoint reference.

  • Avoid making changes or updating the schema, procedures, and functions in the unencrypted RDS DB instance after you create the snapshot.

References and Help

References

Contact and help

Pattern Library Support: aws-mpl@amazon.com