Relational Database Service (RDS) Encryption

Relational Database Service (RDS)

RDS lets you run a managed relational database using PostgreSQL, MySQL, MariaDB, Oracle, Microsoft SQL Server, or Amazon Aurora.

  • Encryption at rest is chosen when the DB instance is created, in the encryption settings of the creation wizard (older consoles placed it under Configure Advanced Settings)
  • Storage, automated backups, snapshots and read replicas are encrypted with AES-256 using a KMS key: either the AWS-managed key for RDS or a customer-managed key that you specify
  • Encryption cannot be switched on (or off) for an instance after it has been created; an unencrypted instance has to be replaced through the snapshot procedure described in the next section

Encrypting an existing database

To encrypt a database that was created without encryption:

  • Create a snapshot of the unencrypted database
  • Copy the snapshot and specify a KMS key for the copy; the copy is encrypted with that key
  • Restore a new DB instance from the encrypted snapshot
  • Point applications at the new instance's endpoint, confirm it reports StorageEncrypted, then delete the old instance and the unencrypted snapshot so no plaintext copy of the data remains
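The snapshot, encrypted copy and restore steps above, driven through the AWS CLI from Python. This is an added example and not code from the original post; it assumes the AWS CLI is installed and has credentials, and the instance and snapshot identifiers it derives are placeholders. The CLI is called through an injectable runner so the procedure can be exercised without an AWS account.

```python
"""Encrypt an existing unencrypted RDS instance: snapshot -> encrypted copy -> restore.

Added example, not from the original post. Drives the AWS CLI via subprocess and
assumes the CLI is configured; all identifiers are placeholders.
"""
import json
import subprocess
from typing import Callable, List

# A runner takes the CLI argument list (everything after `aws`) and returns stdout.
# The default shells out to the real binary; a fake can be injected for testing.
Runner = Callable[[List[str]], str]


def run_aws(args: List[str]) -> str:
    """Run `aws <args>` and return its stdout; raises CalledProcessError on failure."""
    return subprocess.run(["aws", *args], check=True, capture_output=True, text=True).stdout


def storage_encrypted(db_id: str, run: Runner = run_aws) -> bool:
    """True if describe-db-instances reports the instance as encrypted at rest with a KMS key."""
    out = run(["rds", "describe-db-instances", "--db-instance-identifier", db_id,
               "--output", "json"])
    inst = json.loads(out)["DBInstances"][0]
    return bool(inst.get("StorageEncrypted")) and bool(inst.get("KmsKeyId"))


def encrypt_existing_db(db_id: str, kms_key_id: str, run: Runner = run_aws) -> str:
    """Replace `db_id` with an encrypted instance named `<db_id>-encrypted`.

    Returns the new instance identifier. The original instance and the unencrypted
    snapshot are left in place: delete both once applications use the new endpoint.
    """
    snap = f"{db_id}-pre-encrypt"          # placeholder naming scheme (assumption)
    enc_snap = f"{snap}-enc"
    new_db = f"{db_id}-encrypted"

    # 1. Snapshot the unencrypted instance and wait until the snapshot is usable.
    run(["rds", "create-db-snapshot", "--db-instance-identifier", db_id,
         "--db-snapshot-identifier", snap])
    run(["rds", "wait", "db-snapshot-available", "--db-snapshot-identifier", snap])

    # 2. Copy the snapshot with a KMS key (key ID, ARN or alias); the copy is encrypted.
    run(["rds", "copy-db-snapshot", "--source-db-snapshot-identifier", snap,
         "--target-db-snapshot-identifier", enc_snap, "--kms-key-id", kms_key_id])
    run(["rds", "wait", "db-snapshot-available", "--db-snapshot-identifier", enc_snap])

    # 3. Restore a new instance from the encrypted snapshot. Encryption cannot be turned
    #    on in place, so this new instance (with a new endpoint) replaces the old one.
    run(["rds", "restore-db-instance-from-db-snapshot", "--db-instance-identifier", new_db,
         "--db-snapshot-identifier", enc_snap])
    run(["rds", "wait", "db-instance-available", "--db-instance-identifier", new_db])

    # 4. Do not trust the procedure blindly: check what RDS actually reports.
    if not storage_encrypted(new_db, run):
        raise RuntimeError(f"{new_db} was restored but is not encrypted at rest")
    return new_db


if __name__ == "__main__":
    import sys
    # usage: python encrypt_rds.py <db-instance-identifier> <kms-key-id-or-alias>
    print(encrypt_existing_db(sys.argv[1], sys.argv[2]))
```

The `aws rds wait` calls block until each object is available, which matters because `copy-db-snapshot` fails on a snapshot that is still being created. The final check reads `StorageEncrypted` and `KmsKeyId` back from the service rather than assuming the copy worked.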

RDS Encryption

  • If the KMS key is disabled, or its key policy stops granting RDS access, the instance can no longer read or write its storage and RDS moves it into the terminal status inaccessible-encryption-credentials
  • To recover, re-enable the KMS key (or restore its permissions) and restore the database from a backup or snapshot
  • Read replicas inherit the encryption setting of their source: an encrypted source yields encrypted replicas, and an unencrypted source cannot have an encrypted replica, so encrypting a source through the snapshot procedure means recreating its replicas as well
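A check that turns the two failure modes above into findings from the output of `aws rds describe-db-instances`: instances stuck on an inaccessible KMS key, and unencrypted instances together with the replicas that inherit that setting. This is an added example, not code from the original post; the JSON below is constructed to resemble the CLI's output and is not real account data.

```python
"""Audit `aws rds describe-db-instances --output json` for encryption problems.

Added example, not from the original post. SAMPLE is constructed test data.
"""
import json
import sys
from typing import Dict, List

# Constructed sample: an encrypted instance with an encrypted replica, an instance
# whose KMS key has been disabled, and an unencrypted instance with a replica.
SAMPLE = json.dumps({"DBInstances": [
    {"DBInstanceIdentifier": "orders", "DBInstanceStatus": "available",
     "StorageEncrypted": True, "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/k1",
     "ReadReplicaDBInstanceIdentifiers": ["orders-replica"]},
    {"DBInstanceIdentifier": "orders-replica", "DBInstanceStatus": "available",
     "StorageEncrypted": True, "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/k1",
     "ReadReplicaSourceDBInstanceIdentifier": "orders"},
    {"DBInstanceIdentifier": "billing",
     "DBInstanceStatus": "inaccessible-encryption-credentials",
     "StorageEncrypted": True, "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/k2"},
    {"DBInstanceIdentifier": "legacy", "DBInstanceStatus": "available",
     "StorageEncrypted": False, "ReadReplicaDBInstanceIdentifiers": ["legacy-ro"]},
    {"DBInstanceIdentifier": "legacy-ro", "DBInstanceStatus": "available",
     "StorageEncrypted": False, "ReadReplicaSourceDBInstanceIdentifier": "legacy"},
]})


def audit(describe_json: str) -> List[Dict[str, str]]:
    """Return one finding per problem, each with 'instance', 'issue' and 'detail'."""
    findings: List[Dict[str, str]] = []
    for inst in json.loads(describe_json)["DBInstances"]:
        ident = inst["DBInstanceIdentifier"]
        status = inst.get("DBInstanceStatus", "")

        # RDS parks an instance whose key it cannot use in this status (the
        # "-recoverable" variant is also caught by the prefix match).
        if status.startswith("inaccessible-encryption-credentials"):
            findings.append({
                "instance": ident, "issue": "kms-key-inaccessible",
                "detail": f"status {status}: re-enable {inst.get('KmsKeyId')} "
                          "and restore from a backup",
            })

        # Unencrypted storage can only be fixed by snapshot copy + restore, and the
        # replicas inherit the setting, so they have to be rebuilt from the new source.
        if not inst.get("StorageEncrypted", False):
            detail = "encrypt via snapshot copy with a KMS key and restore"
            replicas = inst.get("ReadReplicaDBInstanceIdentifiers", [])
            if replicas:
                detail += "; replicas " + ", ".join(replicas) + " inherit this and must be recreated"
            findings.append({"instance": ident, "issue": "storage-not-encrypted", "detail": detail})
    return findings


if __name__ == "__main__":
    # usage: aws rds describe-db-instances --output json | python rds_audit.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for f in audit(data):
        print(f"{f['instance']}: {f['issue']} ({f['detail']})")
```

Run against the sample it reports `billing` (key inaccessible) and both `legacy` and `legacy-ro` (unencrypted); `orders` and its replica are clean.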

RDS Encryption Mechanisms

On top of the storage-level encryption above, the database engines provide their own mechanisms for data at rest:

  • Oracle and SQL Server Transparent Data Encryption (TDE)
  • MySQL cryptographic functions
  • Microsoft Transact-SQL cryptographic functions

RDS Option Groups

To use TDE, the DB instance must be associated with an option group that contains the TDE option

  • Option groups hold engine-specific features and settings for an instance and make them easier to manage
  • Option groups exist for the following database engines: Oracle, SQL Server, MariaDB, MySQL
  • Add the Oracle Transparent Data Encryption option (option name TDE) to the group; the SQL Server TDE option uses the same option name

TDE Encryption Modes

Oracle TDE can be used in two modes:

  • TDE tablespace encryption, which encrypts everything stored in a tablespace
  • TDE column encryption, which encrypts selected columns of a table

Encryption in Transit

You can secure the connection between clients and the instance with SSL/TLS

  • This is recommended whenever compliance or governance controls require it or the data is sensitive; in practice, enforce it on the server side rather than leaving it up to each client
  • How TLS is enabled and enforced depends on the database engine (for example the rds.force_ssl parameter for PostgreSQL and SQL Server, require_secure_transport for MySQL, and the SSL option for Oracle)
  • See the RDS documentation for your engine for the details

RDS Encryption with Oracle

Oracle instances can alternatively use Oracle's Native Network Encryption (NNE)

  • It encrypts all connections to the database at the Oracle Net layer
  • SSL and NNE cannot be used on the same instance
  • To enable it, add the NATIVE_NETWORK_ENCRYPTION option to the instance's option group
  • See the RDS documentation for the option's settings
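The option-group and in-transit steps from the TDE, Encryption in Transit and Oracle NNE sections, applied through the AWS CLI from Python. This is an added example, not code from the original post; it assumes a configured AWS CLI, and the group names and engine strings are placeholders. Before adding NNE it reads the option group back and refuses if the SSL option is already present, which is the conflict the text warns about.

```python
"""Apply engine-level RDS encryption settings (TDE, forced TLS, Oracle NNE) with the AWS CLI.

Added example, not from the original post. Assumes the CLI is configured; group
names and engine identifiers passed in are placeholders.
"""
import json
import subprocess
from typing import Callable, List, Set

Runner = Callable[[List[str]], str]


def run_aws(args: List[str]) -> str:
    """Run `aws <args>` and return stdout; raises CalledProcessError on failure."""
    return subprocess.run(["aws", *args], check=True, capture_output=True, text=True).stdout


# Parameter that forces TLS on the server side, keyed by engine family.
FORCE_TLS_PARAM = {
    "postgres": ("rds.force_ssl", "1"),
    "mysql": ("require_secure_transport", "ON"),
    "sqlserver": ("rds.force_ssl", "1"),
}


def engine_family(engine: str) -> str:
    """Map an RDS engine string (e.g. 'oracle-ee', 'sqlserver-se') to its family."""
    for family in ("postgres", "mysql", "sqlserver", "oracle"):
        if engine.startswith(family):
            return family
    raise ValueError(f"unsupported engine {engine!r}")


def option_names(group: str, run: Runner = run_aws) -> Set[str]:
    """Names of the options currently in an option group."""
    out = run(["rds", "describe-option-groups", "--option-group-name", group,
               "--output", "json"])
    return {o["OptionName"] for o in json.loads(out)["OptionGroupsList"][0]["Options"]}


def add_option(group: str, option_name: str, run: Runner = run_aws) -> None:
    run(["rds", "add-option-to-option-group", "--option-group-name", group,
         "--options", f"OptionName={option_name}", "--apply-immediately"])


def enable_tde(group: str, engine: str, run: Runner = run_aws) -> None:
    """Add the TDE option (at-rest encryption inside the engine); Oracle and SQL Server only."""
    if engine_family(engine) not in ("oracle", "sqlserver"):
        raise ValueError(f"TDE is not available for engine {engine!r}")
    if "TDE" not in option_names(group, run):
        add_option(group, "TDE", run)


def enable_nne(group: str, run: Runner = run_aws) -> None:
    """Add Oracle Native Network Encryption, refusing if the SSL option is present."""
    existing = option_names(group, run)
    if "SSL" in existing:
        raise ValueError("SSL and NATIVE_NETWORK_ENCRYPTION cannot be used together; "
                         "remove the SSL option first")
    if "NATIVE_NETWORK_ENCRYPTION" not in existing:
        add_option(group, "NATIVE_NETWORK_ENCRYPTION", run)


def force_tls(param_group: str, engine: str, run: Runner = run_aws) -> str:
    """Set the engine's force-TLS parameter in a parameter group; returns the parameter name."""
    family = engine_family(engine)
    if family == "oracle":
        raise ValueError("Oracle enforces transport encryption via the SSL or NNE option, not a parameter")
    name, value = FORCE_TLS_PARAM[family]
    run(["rds", "modify-db-parameter-group", "--db-parameter-group-name", param_group,
         "--parameters", f"ParameterName={name},ParameterValue={value},ApplyMethod=immediate"])
    return name
```

The option and parameter groups must already exist and be attached to the instance; `rds.force_ssl` and `require_secure_transport` are dynamic parameters, so `ApplyMethod=immediate` takes effect without a reboot, whereas option-group changes on Oracle may still require one.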
Nadtakan Futhoem — Sr. Software Engineer