Encrypt an unencrypted RDS DB instance
When you enable the Encrypt option for Amazon RDS resources, the following data is encrypted with the AES-256 encryption algorithm:
- DB instances
- Automated backups
- Read Replicas
- Snapshots
- Logs
Note: See the Encrypting Amazon RDS Resources documentation for the supported instance classes and limitations.
The Encrypt option can be enabled only when you launch the DB instance; it cannot be enabled afterwards. However, a copy of an unencrypted snapshot can be encrypted, and an encrypted instance can then be restored from that copied snapshot. In this post we show how to turn an existing DB instance that was launched without the Encrypt option into one that has it enabled.
Overview
- We want to encrypt a MySQL DB instance that was launched without the Encrypt option.
- We do not want the endpoint to change.
How to encrypt an existing DB instance
Step 1: Take a snapshot of the existing DB instance
- Select the target instance.
- Click Take snapshot in the Instance actions menu.
- Input a snapshot name.
- Click Take Snapshot.
Note: Writes made to the original instance after this snapshot is taken will not be present in the instance restored from it, so stop writes to the original before taking the snapshot.
Step 2: Make an encrypted copy of the snapshot
- From the Snapshots section, select the snapshot you took earlier.
- Click Copy Snapshot in the Actions menu.
- Input a New DB Snapshot Identifier.
- Check Enable encryption.
- Select the Master key.
- Click Copy Snapshot.
Step 3: Restore a DB instance from the encrypted snapshot
- From the Snapshots section, select the encrypted snapshot you copied.
- Click Restore Snapshot in the Actions menu.
- Type a New DB Snapshot Identifier.
- Make the other settings the same as those of the original DB instance.
- Click Restore DB Instance.
Step 4: Rename the existing DB instance
- From the Instances section, select the original DB instance.
- Click Modify.
- Input a new DB instance identifier.
- Click Next.
Check the change summary and confirm that the DB Instance Identifier and Endpoint are changed.
- Click Apply immediately.
- Click Modify DB Instance.
Step 5: Rename the restored DB instance to the original DB instance name
- From the Instances section, select the restored DB instance.
- Click Modify.
- Input the original instance name as the DB instance identifier.
- Select the same DB parameter group as the original instance.
- Select the same security group as the original instance.
- Click Next.
Note:
Because an instance restored from a snapshot gets the default DB parameter group and security group, we change the DB parameter group and security group here as well.
Check the change summary and confirm that the DB Instance Identifier, Endpoint, Security group and DB parameter group are changed.
- Click Apply immediately.
- Click Modify DB Instance.
Step 6: Confirm
Once the instance is available, the work is complete. Confirm that Encryption enabled shows Yes.
Step 7: Delete the original DB instance
If there is no problem, delete the original DB instance. If you no longer need the manual snapshot created earlier, delete it too.
Appendix: AWS CLI commands for each step
Step 0: Save the DB instance info
aws rds describe-db-instances \
  --db-instance-identifier <value> \
  > before.txt
Step 1: Take a snapshot of the existing DB instance
AWS CLI Command Reference | create-db-snapshot
aws rds create-db-snapshot \
  --db-instance-identifier <value> \
  --db-snapshot-identifier <value>
Step 2: Make an encrypted copy of the snapshot
AWS CLI Command Reference | copy-db-snapshot
aws rds copy-db-snapshot \
  --source-db-snapshot-identifier <value> \
  --target-db-snapshot-identifier <value> \
  --copy-tags \
  --kms-key-id <value>
Step 3: Restore a DB instance from the encrypted snapshot
AWS CLI Command Reference | restore-db-instance-from-db-snapshot
aws rds restore-db-instance-from-db-snapshot \
  --db-instance-identifier <value> \
  --db-snapshot-identifier <value> \
  --db-subnet-group-name <value> \
  --db-instance-class <value>
Step 4: Rename the existing DB instance
AWS CLI Command Reference | modify-db-instance
aws rds modify-db-instance \
  --db-instance-identifier <value> \
  --new-db-instance-identifier <value> \
  --apply-immediately
Step 5: Rename the restored DB instance to the original DB instance name
AWS CLI Command Reference | modify-db-instance
aws rds modify-db-instance \
  --db-instance-identifier <value> \
  --new-db-instance-identifier <value> \
  --db-parameter-group-name <value> \
  --vpc-security-group-ids <value> \
  --apply-immediately
Step 6: Confirm
Make sure that "StorageEncrypted" is true and that the other values are the same as before.
aws rds describe-db-instances \
  --db-instance-identifier <value> \
  > after.txt
diff before.txt after.txt
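Reading a raw diff of the two describe-db-instances files is error-prone, because the restored instance also has new ARNs, resource ids and timestamps. The following Python script is an added example (not part of the original post or an AWS tool) that checks only the things Step 6 cares about: StorageEncrypted and a KMS key on the new instance, and an unchanged identifier, endpoint, DB parameter group and security groups. The JSON it uses is constructed sample data shaped like the before.txt and after.txt saved above; the function and field choices are this example's own assumptions.

```python
import json

# Fields that must be unchanged after the swap (the goal is to keep the endpoint).
MUST_MATCH = ["DBInstanceIdentifier", "Engine", "DBInstanceClass", "MultiAZ"]

def load_instance(text):
    instances = json.loads(text).get("DBInstances", [])
    if len(instances) != 1:
        raise ValueError(f"expected exactly one DBInstance, got {len(instances)}")
    return instances[0]

def check_encryption_swap(before_text, after_text):
    """Return a list of problems; an empty list means the swap looks correct."""
    before, after = load_instance(before_text), load_instance(after_text)
    problems = []
    if after.get("StorageEncrypted") is not True:
        problems.append("StorageEncrypted is not true on the new instance")
    if not after.get("KmsKeyId"):
        problems.append("new instance has no KmsKeyId")
    for key in MUST_MATCH:
        if before.get(key) != after.get(key):
            problems.append(f"{key} changed: {before.get(key)!r} -> {after.get(key)!r}")
    if before["Endpoint"] != after["Endpoint"]:
        problems.append(f"endpoint changed: {before['Endpoint']} -> {after['Endpoint']}")
    # Restore resets these to defaults; Step 5 is what puts them back.
    for key, name in (("DBParameterGroups", "DBParameterGroupName"),
                      ("VpcSecurityGroups", "VpcSecurityGroupId")):
        old = {g[name] for g in before.get(key, [])}
        new = {g[name] for g in after.get(key, [])}
        if old != new:
            problems.append(f"{key} changed: {sorted(old)} -> {sorted(new)}")
    return problems

# Constructed sample output (not real account data) in the shape returned by
# `aws rds describe-db-instances --db-instance-identifier mydb`.
def _sample(encrypted, param_group, sec_group):
    inst = {"DBInstanceIdentifier": "mydb", "Engine": "mysql",
            "DBInstanceClass": "db.t3.medium", "MultiAZ": False,
            "StorageEncrypted": encrypted,
            "Endpoint": {"Address": "mydb.abcdefgh1234.us-east-1.rds.amazonaws.com",
                         "Port": 3306},
            "DBParameterGroups": [{"DBParameterGroupName": param_group}],
            "VpcSecurityGroups": [{"VpcSecurityGroupId": sec_group, "Status": "active"}]}
    if encrypted:
        inst["KmsKeyId"] = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
    return json.dumps({"DBInstances": [inst]})

BEFORE = _sample(False, "mysql80-custom", "sg-0123456789abcdef0")
AFTER_OK = _sample(True, "mysql80-custom", "sg-0123456789abcdef0")
AFTER_DEFAULTS = _sample(True, "default.mysql8.0", "sg-0fedcba9876543210")  # Step 5 skipped
```

Against your real files, pass the contents of before.txt and after.txt to check_encryption_swap; an empty list means the cutover kept the name, endpoint, parameter group and security groups and the new instance is encrypted.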
Conclusion
In this post we showed how to create a DB instance with the Encrypt option enabled from an encrypted copy of a snapshot of the original, unencrypted DB instance. Because the original endpoint can be kept, this approach works even when you cannot change the endpoint, so consider adding encryption to your existing instances.