RDS Encryption

  • RDS can encrypt your Amazon RDS database instances.

    • Data that is encrypted at rest includes the underlying storage for DB instances and their automated backups, read replicas, and snapshots.

  • RDS encrypted DB instances use the industry standard AES-256 encryption algorithm to encrypt your data on the server that hosts your Amazon RDS DB instances.

  • After your data is encrypted, Amazon RDS handles authentication of access and decryption of your data transparently with a minimal impact on performance.

  • RDS also supports encrypting an Oracle or SQL Server DB instance with Transparent Data Encryption (TDE).

  • Snapshots of unencrypted databases are unencrypted.

  • Snapshots of encrypted databases are encrypted.

  • You can copy an unencrypted snapshot and turn it into an encrypted one.

  • Encrypt an unencrypted RDS database:

    1. Create a snapshot of the unencrypted database.
    2. Encrypt the snapshot (using copy).
    3. Restore the database from the encrypted snapshot.
    4. Migrate applications to the new database.

  • You can use SSL or TLS from your application to encrypt a connection to a DB instance.

    • Each DB engine has its own process for implementing SSL/TLS.
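
The four-step procedure above for encrypting an unencrypted database, written as an AWS CLI shell function. This is an added example, not part of the original notes; the instance names, KMS key and snapshot naming scheme are assumptions supplied by the caller. It also checks the `Encrypted` flag on the copied snapshot before restoring from it.

```shell
# Added example. Identifiers and the snapshot naming scheme are assumptions.
# usage: encrypt_rds_instance SOURCE_DB NEW_DB KMS_KEY_ID   (NEW_DB must differ from SOURCE_DB)
encrypt_rds_instance() {
    [ $# -eq 3 ] || { echo "usage: encrypt_rds_instance SOURCE_DB NEW_DB KMS_KEY_ID" >&2; return 64; }
    src_db=$1; new_db=$2; kms_key=$3
    plain_snap="${src_db}-plain-snap"    # hypothetical snapshot names
    enc_snap="${src_db}-encrypted-snap"

    # Guard: nothing to do if the source instance is already encrypted.
    state=$(aws rds describe-db-instances --db-instance-identifier "$src_db" \
        --query 'DBInstances[0].StorageEncrypted' --output text) || return 1
    if [ "$state" = "True" ]; then
        echo "$src_db is already encrypted" >&2
        return 2
    fi

    # Step 1: snapshot the unencrypted instance (the snapshot is unencrypted too).
    aws rds create-db-snapshot --db-instance-identifier "$src_db" \
        --db-snapshot-identifier "$plain_snap" >/dev/null || return 1
    aws rds wait db-snapshot-available --db-snapshot-identifier "$plain_snap" || return 1

    # Step 2: copying with a KMS key is what produces the encrypted snapshot.
    aws rds copy-db-snapshot --source-db-snapshot-identifier "$plain_snap" \
        --target-db-snapshot-identifier "$enc_snap" --kms-key-id "$kms_key" >/dev/null || return 1
    aws rds wait db-snapshot-available --db-snapshot-identifier "$enc_snap" || return 1

    # Check before restoring: refuse to continue if the copy is not encrypted.
    enc=$(aws rds describe-db-snapshots --db-snapshot-identifier "$enc_snap" \
        --query 'DBSnapshots[0].Encrypted' --output text) || return 1
    [ "$enc" = "True" ] || { echo "$enc_snap is not encrypted" >&2; return 3; }

    # Step 3: restore a new instance from the encrypted snapshot.
    aws rds restore-db-instance-from-db-snapshot --db-instance-identifier "$new_db" \
        --db-snapshot-identifier "$enc_snap" >/dev/null || return 1
    aws rds wait db-instance-available --db-instance-identifier "$new_db" || return 1

    # Step 4 (migrating applications) is manual: print the endpoint to repoint them at.
    aws rds describe-db-instances --db-instance-identifier "$new_db" \
        --query 'DBInstances[0].Endpoint.Address' --output text
}
```

The function passes no other restore options, so settings such as the subnet group and security groups should be reviewed on the new instance before applications are moved to it.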
