How do I encrypt Amazon RDS snapshots using a KMS key?

2 minute read
0

I've enabled encryption on an unencrypted Amazon Relational Database Service (RDS) instance, and I want to take an encrypted snapshot of that instance. How do I take an encrypted snapshot of my RDS instance?

Resolution

You can't take an encrypted snapshot of an unencrypted DB instance. However, you can perform a workaround that achieves the same results. The following steps are applicable to Amazon RDS for MySQL, Oracle, SQL Server, PostgreSQL, or MariaDB.

Important: If you use Amazon Aurora, you can restore an unencrypted Aurora DB cluster snapshot to an encrypted Aurora DB cluster. However, you must specify an AWS Key Management Service (AWS KMS) encryption key when you restore from the unencrypted DB cluster snapshot. For more information, see Limitations of Amazon RDS encrypted DB instances.

1.    Open the Amazon RDS console, and then choose Snapshots from the navigation pane.

2.    Select the snapshot that you want to encrypt.

3.    Under Snapshot Actions, choose Copy Snapshot.

4.    Choose your Destination Region, and then enter your New DB Snapshot Identifier.

5.    Change Enable Encryption to Yes.

6.    Select your AWS KMS Key from the list.

7.    Choose Copy Snapshot.

After the snapshot status is available, the Encrypted field is set to "True" to indicate that the snapshot is encrypted. You can now use this encrypted DB snapshot to restore the DB instance from the DB snapshot.


Related information

Creating a DB snapshot

Encrypting Amazon RDS resources