Data at Rest Encryption with Amazon RDS - AWS Key Management Service Best Practices

Amazon Relational Database Service (RDS) builds on Amazon EBS encryption to provide full disk encryption for database volumes. When you create an encrypted database instance with Amazon RDS, Amazon RDS creates an encrypted EBS volume on your behalf to store the database. Data stored at rest on the volume, database snapshots, automated backups, and read replicas are all encrypted under the KMS CMK that you specified when you created the database instance.

Similar to Amazon EBS, you can set up an AWS Lambda function that uses CloudTrail to monitor for CreateDBInstance API calls, which create new RDS instances. Within the CreateDBInstance event, ensure that the KmsKeyId parameter is set to the expected CMK.
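One way to write the Lambda check described above, as an added example that is not part of the original AWS guidance. It assumes the CloudTrail record arrives in an EventBridge-style envelope under `detail` and that the record uses the field names `dBInstanceIdentifier`, `storageEncrypted` and `kmsKeyId`; the `EXPECTED_CMK_ARN` environment variable, the placeholder ARN and the sample event are constructed for illustration.

```python
import os

# Assumption: hypothetical env var; the default is a constructed placeholder ARN.
EXPECTED_CMK_ARN = os.environ.get(
    "EXPECTED_CMK_ARN", "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID")

# Constructed sample: a CloudTrail record as EventBridge delivers it in "detail".
SAMPLE_EVENT = {"detail": {
    "eventSource": "rds.amazonaws.com", "eventName": "CreateDBInstance",
    "requestParameters": {"dBInstanceIdentifier": "orders-db",
                          "storageEncrypted": True, "kmsKeyId": "alias/app-key"},
    "responseElements": {"dBInstanceIdentifier": "orders-db",
                         "storageEncrypted": True, "kmsKeyId": EXPECTED_CMK_ARN},
}}


def _get(mapping, name):
    """Case-insensitive lookup; tolerates casing differences in field names."""
    for key, value in (mapping or {}).items():
        if key.lower() == name.lower():
            return value
    return None


def evaluate(event, expected_arn=EXPECTED_CMK_ARN):
    """Return (compliant, reason) for one CloudTrail API-call event."""
    detail = event.get("detail", {})
    if (detail.get("eventSource"), detail.get("eventName")) != (
            "rds.amazonaws.com", "CreateDBInstance"):
        return True, "ignored: not an RDS CreateDBInstance call"
    if detail.get("errorCode"):
        return True, "ignored: call failed, no instance was created"
    request, response = detail.get("requestParameters"), detail.get("responseElements")
    name = _get(request, "dBInstanceIdentifier")
    encrypted = _get(response, "storageEncrypted")
    if encrypted is None:
        encrypted = _get(request, "storageEncrypted")
    if not encrypted:
        return False, f"{name}: storage is not encrypted"
    # Prefer the response: the request may carry an alias or a bare key ID.
    key = _get(response, "kmsKeyId") or _get(request, "kmsKeyId")
    if key != expected_arn:
        return False, f"{name}: encrypted under {key}, expected {expected_arn}"
    return True, f"{name}: encrypted under the expected CMK"


def lambda_handler(event, context):
    compliant, reason = evaluate(event)
    print(("OK: " if compliant else "VIOLATION: ") + reason)
    return {"compliant": compliant, "reason": reason}
```

An instance created with encryption enabled but no key specified is encrypted under the account's default RDS key, so it is reported as a violation because that key's ARN differs from the expected CMK.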