Relational Database Service (RDS) Encryption
2 min readJul 16, 2021
RDS allows you to set up a relational database using PostgreSQL, MySQL, MariaDB, Oracle, MS SQL Server, and Amazon Aurora.
- When creating an RDS database, you can enable encryption at rest on the Configure Advanced Settings screen
- Storage is encrypted with AES-256 using a key managed by AWS KMS (the AWS-managed key for RDS or a customer managed key you supply)
- Encryption cannot be switched on for an existing database. It has to be chosen at creation time; the snapshot-and-copy workaround below is the only way to encrypt afterwards
Encrypting an existing database
To encrypt an unencrypted database after it has been created:
- Create a snapshot of your unencrypted database
- Create an encrypted copy of the snapshot by specifying a KMS key when copying it
- Restore a new database from the encrypted snapshot and point your application at it
- Finally, your new database is encrypted. The original instance and the unencrypted snapshot still hold plaintext data, so delete them once you have cut over
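The four steps above as a single boto3 script. This is an added example, not code from the original post or from AWS; it assumes boto3 is installed, that the credentials can call the RDS snapshot, copy, restore and describe APIs and use the target KMS key, and the instance and key identifiers are placeholders. The RDS client is passed in as a parameter so the flow can be exercised against a fake client before it touches a real account.

```python
"""Added example (not from the original post): encrypt an existing, unencrypted
RDS instance by snapshot -> encrypted copy -> restore, using boto3.

Assumptions: boto3 is installed; credentials allow rds:CreateDBSnapshot,
rds:CopyDBSnapshot, rds:RestoreDBInstanceFromDBSnapshot, rds:DescribeDBInstances
and use of the target KMS key. Instance and key identifiers are placeholders.
"""
import time


def encrypt_existing_instance(rds, source_id, target_id, kms_key_id):
    """Run the snapshot/copy/restore flow and return
    (plain_snapshot_id, encrypted_snapshot_id, kms_key_arn_of_new_instance)."""
    stamp = time.strftime("%Y%m%d%H%M%S", time.gmtime())
    snap_id = f"{source_id}-plain-{stamp}"
    enc_snap_id = f"{source_id}-enc-{stamp}"

    # 1. Snapshot the unencrypted source and wait until it is available.
    rds.create_db_snapshot(DBInstanceIdentifier=source_id,
                           DBSnapshotIdentifier=snap_id)
    rds.get_waiter("db_snapshot_available").wait(DBSnapshotIdentifier=snap_id)

    # 2. Copy the snapshot with a KMS key. KmsKeyId on the copy is what makes
    #    the copy encrypted; a copy made without it stays unencrypted.
    rds.copy_db_snapshot(SourceDBSnapshotIdentifier=snap_id,
                         TargetDBSnapshotIdentifier=enc_snap_id,
                         KmsKeyId=kms_key_id)
    rds.get_waiter("db_snapshot_available").wait(DBSnapshotIdentifier=enc_snap_id)

    # 3. Restore a new instance from the encrypted snapshot. The instance
    #    inherits the snapshot's encryption, so no extra flag is needed here.
    rds.restore_db_instance_from_db_snapshot(DBInstanceIdentifier=target_id,
                                             DBSnapshotIdentifier=enc_snap_id)
    rds.get_waiter("db_instance_available").wait(DBInstanceIdentifier=target_id)

    # 4. Verify before cutting over: StorageEncrypted must be true. RDS reports
    #    the key as a full ARN, so return it for the caller to compare.
    inst = rds.describe_db_instances(
        DBInstanceIdentifier=target_id)["DBInstances"][0]
    if not inst.get("StorageEncrypted"):
        raise RuntimeError(f"{target_id} restored but StorageEncrypted is false")
    return snap_id, enc_snap_id, inst["KmsKeyId"]


if __name__ == "__main__":
    import boto3  # only needed for a real run against an account
    client = boto3.client("rds", region_name="us-east-1")
    print(encrypt_existing_instance(client, "legacy-db",
                                    "legacy-db-encrypted", "alias/rds-data"))
```

Two things the script does not do for you: the source keeps accepting writes after step 1, so either stop writes before the snapshot or plan to replay the delta, and the unencrypted snapshot and source instance are left in place so you can roll back; delete both once the new instance is serving traffic.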
RDS Encryption
- If the KMS key is disabled, RDS can no longer read or write the storage and moves the instance into a terminal state (status inaccessible-encryption-credentials)
- You will need to re-enable the KMS key and restore your database from a backup
- Read replicas follow the encryption of their source: if the source has encryption at rest enabled, the read replica is encrypted too
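Because a disabled or deleted key takes every instance that uses it into that terminal state, it is worth knowing in advance which instances share a key and alerting on the KMS calls that would disable it. The detector below is an added example, not from the original post: it maps encrypted instances to their key from describe-db-instances output and flags CloudTrail DisableKey and ScheduleKeyDeletion events against those keys. The inventory, the CloudTrail records, and the account and key IDs are all constructed sample data.

```python
"""Added example (not from the original post): which RDS instances depend on a
KMS key, and which CloudTrail events would make that key unusable.
Inventory and event records below are constructed; IDs are placeholders.
"""
import json

# Constructed inventory shaped like the DBInstances list of describe_db_instances.
INSTANCES = [
    {"DBInstanceIdentifier": "orders-db", "StorageEncrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"},
    {"DBInstanceIdentifier": "reports-db", "StorageEncrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"},
    {"DBInstanceIdentifier": "scratch-db", "StorageEncrypted": False},
]

# Constructed CloudTrail records, one JSON document per line, trimmed to the
# fields the detector reads.
EVENTS = [json.dumps(e) for e in [
    {"eventSource": "kms.amazonaws.com", "eventName": "DisableKey",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"keyId": "1234abcd-12ab-34cd-56ef-1234567890ab"}},
    {"eventSource": "kms.amazonaws.com", "eventName": "DescribeKey",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/reader"},
     "requestParameters": {"keyId": "1234abcd-12ab-34cd-56ef-1234567890ab"}},
    {"eventSource": "kms.amazonaws.com", "eventName": "ScheduleKeyDeletion",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"},
     "requestParameters": {"keyId": "arn:aws:kms:us-east-1:111122223333:key/ffffffff-0000-1111-2222-333333333333",
                           "pendingWindowInDays": 7}},
]]

# KMS operations after which RDS can no longer use the key.
DANGEROUS = {"DisableKey", "ScheduleKeyDeletion"}


def key_id(ref):
    """Reduce a key ARN or bare key ID to the bare key ID.
    Alias references cannot be mapped without a KMS lookup, so return None."""
    if ref.startswith("alias/") or ":alias/" in ref:
        return None
    return ref.rsplit("/", 1)[-1]


def instances_by_key(instances):
    """Map bare key ID -> list of encrypted instance identifiers using it."""
    out = {}
    for inst in instances:
        if not (inst.get("StorageEncrypted") and inst.get("KmsKeyId")):
            continue
        kid = key_id(inst["KmsKeyId"])
        if kid:
            out.setdefault(kid, []).append(inst["DBInstanceIdentifier"])
    return out


def detect(instances, event_lines):
    """Return one alert per dangerous KMS event that targets a key backing RDS."""
    by_key = instances_by_key(instances)
    alerts = []
    for line in event_lines:
        ev = json.loads(line)
        if ev.get("eventSource") != "kms.amazonaws.com":
            continue
        if ev.get("eventName") not in DANGEROUS:
            continue
        kid = key_id(ev.get("requestParameters", {}).get("keyId", ""))
        affected = by_key.get(kid) if kid else None
        if affected:
            alerts.append({"event": ev["eventName"], "key": kid,
                           "actor": ev["userIdentity"]["arn"],
                           "instances": sorted(affected)})
    return alerts


if __name__ == "__main__":
    for a in detect(INSTANCES, EVENTS):
        print(f"{a['event']} on key {a['key']} by {a['actor']} "
              f"would take down: {', '.join(a['instances'])}")
```

In a real deployment the inventory comes from describe-db-instances across every region you use and the events from a CloudTrail subscription; the ScheduleKeyDeletion record here targets a key no instance uses, so it produces no alert, which is the intended behaviour.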
RDS Encryption Mechanisms
There are additional encryption mechanisms that can be used for data at rest:
- Oracle and SQL Server Transparent Data Encryption (TDE)
- MySQL cryptographic functions
- Microsoft Transact-SQL cryptographic functions
RDS Option Groups
To use TDE, the database must be associated with an option group
- Option groups hold engine-specific features and their settings for a database and make them easier to manage
- Option groups exist for the following database engines: Oracle, SQL Server, MariaDB, MySQL
- You must add the Oracle Transparent Data Encryption option (option name TDE) to the group; for SQL Server the option is named TRANSPARENT_DATA_ENCRYPTION
TDE Encryption Modes
TDE can operate in two modes:
- TDE tablespace encryption, which encrypts everything stored in a tablespace
- TDE column encryption, which encrypts individual columns of a table
Encryption in Transit
You can secure the connection between clients and the database using SSL/TLS
- This is recommended when you must abide by specific compliance and governance controls or when the data is highly sensitive
- How you enable and enforce it depends on the database engine (for example, PostgreSQL uses the rds.force_ssl parameter and MySQL uses require_secure_transport)
- See the AWS documentation for your engine for the details
RDS Encryption with Oracle
You can also use Oracle's Native Network Encryption (NNE)
- It encrypts all connections to the database at the Oracle Net layer
- SSL and NNE cannot be used together on the same instance
- To enable it, add the NATIVE_NETWORK_ENCRYPTION option to the instance's option group
- See the AWS documentation for the option settings and their defaults
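The option-group steps from the TDE section and the NNE section above, together in one script. This is an added example, not code from the original post or from AWS. The option names (TDE, NATIVE_NETWORK_ENCRYPTION) and the SQLNET.* setting names are the ones RDS uses for these Oracle options; the group name, engine version, the permissive sample group, and the injected RDS client are constructed placeholders. It also audits an existing group, because adding NNE with default settings leaves encryption negotiable and offers legacy algorithms, which the audit flags.

```python
"""Added example (not from the original post): build an RDS Oracle option group
carrying TDE and a hardened NATIVE_NETWORK_ENCRYPTION option, and audit an
existing group for weak NNE settings. Names/versions/sample data are placeholders.
"""
WEAK_CIPHER_PREFIXES = ("RC4_", "DES", "3DES")   # legacy algorithms to refuse
WEAK_DIGESTS = {"MD5", "SHA1"}

# Hardened NNE settings: encryption and integrity are mandatory and only
# AES-256 / SHA-256 are offered, so a client that cannot do them is refused
# instead of silently negotiating down to plaintext or a weak cipher.
HARDENED_NNE = {
    "SQLNET.ENCRYPTION_SERVER": "REQUIRED",
    "SQLNET.ENCRYPTION_TYPES_SERVER": "AES256",
    "SQLNET.CRYPTO_CHECKSUM_SERVER": "REQUIRED",
    "SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER": "SHA256",
}

# Constructed sample of a group where NNE was added without choosing settings:
# encryption is only REQUESTED and the cipher list includes RC4/DES/3DES.
PERMISSIVE_SAMPLE_GROUP = {
    "OptionGroupName": "ora19-default-nne",
    "Options": [
        {"OptionName": "TDE", "OptionSettings": []},
        {"OptionName": "NATIVE_NETWORK_ENCRYPTION", "OptionSettings": [
            {"Name": "SQLNET.ENCRYPTION_SERVER", "Value": "REQUESTED"},
            {"Name": "SQLNET.ENCRYPTION_TYPES_SERVER",
             "Value": "RC4_256,AES256,AES192,3DES168,RC4_128,AES128,3DES112,RC4_56,DES,RC4_40,DES40"},
            {"Name": "SQLNET.CRYPTO_CHECKSUM_SERVER", "Value": "REQUESTED"},
            {"Name": "SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER", "Value": "SHA1,MD5"},
        ]},
    ],
}


def option_configs():
    """OptionsToInclude payload for add_option_to_option_group."""
    return [
        {"OptionName": "TDE"},  # Oracle TDE option takes no settings
        {"OptionName": "NATIVE_NETWORK_ENCRYPTION",
         "OptionSettings": [{"Name": k, "Value": v} for k, v in HARDENED_NNE.items()]},
    ]


def create_hardened_group(rds, name, engine="oracle-ee", major_version="19"):
    """Create the group and attach both options; returns the group name."""
    rds.create_option_group(OptionGroupName=name, EngineName=engine,
                            MajorEngineVersion=major_version,
                            OptionGroupDescription="Oracle TDE + hardened NNE")
    rds.add_option_to_option_group(OptionGroupName=name,
                                   OptionsToInclude=option_configs(),
                                   ApplyImmediately=True)
    return name


def nne_settings(option_group):
    """Return {setting name: value} for the NNE option, or None if absent."""
    for opt in option_group.get("Options", []):
        if opt.get("OptionName") == "NATIVE_NETWORK_ENCRYPTION":
            return {s["Name"]: s["Value"] for s in opt.get("OptionSettings", [])}
    return None


def audit_nne(option_group):
    """List findings for a describe_option_groups entry; empty means acceptable."""
    s = nne_settings(option_group)
    if s is None:
        return ["NATIVE_NETWORK_ENCRYPTION option not present"]
    findings = []
    enc = s.get("SQLNET.ENCRYPTION_SERVER")
    if enc != "REQUIRED":
        findings.append(f"SQLNET.ENCRYPTION_SERVER={enc} (want REQUIRED)")
    for alg in s.get("SQLNET.ENCRYPTION_TYPES_SERVER", "").split(","):
        if alg.strip().upper().startswith(WEAK_CIPHER_PREFIXES):
            findings.append(f"weak cipher offered: {alg.strip()}")
    chk = s.get("SQLNET.CRYPTO_CHECKSUM_SERVER")
    if chk != "REQUIRED":
        findings.append(f"SQLNET.CRYPTO_CHECKSUM_SERVER={chk} (want REQUIRED)")
    for dig in s.get("SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER", "").split(","):
        if dig.strip().upper() in WEAK_DIGESTS:
            findings.append(f"weak integrity digest offered: {dig.strip()}")
    return findings


if __name__ == "__main__":
    for f in audit_nne(PERMISSIVE_SAMPLE_GROUP):
        print("finding:", f)
```

Note that RDS will not let you attach both the SSL option and NATIVE_NETWORK_ENCRYPTION to the same group, so pick one per instance; the audit assumes NNE is the chosen mechanism and treats its absence as a finding.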