Encrypt an unencrypted RDS DB instance

2018.10.06

This article was published more than a year ago. Please note that the information may be out of date.

When you enable the Encrypt option for Amazon RDS resources, the following data is encrypted with the AES-256 encryption algorithm.

Note: See the document Encrypting Amazon RDS Resources for the supported instance classes and limitations.

  • DB instances
  • Automated backups
  • Read Replicas
  • Snapshots
  • Logs

The Encrypt option can be enabled only when you launch the DB instance; it cannot be enabled after launch. However, a copy of an unencrypted snapshot can be encrypted.

Therefore, you can restore an encrypted instance from the encrypted snapshot copy. This time, we will show you how to turn an instance that was created without the Encrypt option into one with the Encrypt option enabled.

Overview

  • We want to encrypt a MySQL engine DB instance that did not enable the Encrypt option.
  • We do not want to change the endpoint.

How to encrypt existing db instance

Step1: Take a snapshot from existing db instance

  • Select target instance.
  • Click Take snapshot from Instance actions.


  • Input snapshot name.
  • Click Take Snapshot.


Step2: Encrypt the snapshot and make a copy of the snapshot

  • From Snapshots section, select the snapshot you took earlier.
  • Click Copy Snapshot from Actions of Snapshots.


  • Input New DB Snapshot Identifier.
  • Click Enable encryption.
  • Select Master key.
  • Click Copy Snapshot.


Step3: Restore DB instance from encrypted snapshot

  • From Snapshots section, select the encrypted snapshot from earlier.
  • Click Restore Snapshot from Actions of Snapshots.


  • Type New DB Snapshot Identifier.
  • Make various settings the same as the original DB instance.
  • Click Restore DB Instance.


Step4: Change existing DB instance name

  • From Instances section, select the original DB instance.
  • Click Modify.


  • Input DB instance identifier.
  • Click Next.

Check the change summary and confirm that the DB Instance Identifier and Endpoint are changed.

  • Click Apply immediately.
  • Click Modify DB Instance.


Step5: Change the restored DB instance name to the original DB instance name

  • From Instances section, select the restored DB instance.
  • Click Modify.


  • Input the original instance name in the DB instance identifier.
  • Select the same DB parameter group as the original instance.
  • Select the same security group as the original instance.
  • Click Next.

Note:

Since the instance restored from the snapshot uses the default DB parameter group and security group, we change the DB parameter group and security group here as well.

Check the change summary and confirm that the DB Instance Identifier, Endpoint, Security group and DB parameter group are changed.

  • Click Apply immediately.
  • Click Modify DB Instance.


Step6: Confirm

When the instance has started up, the work is complete. You can confirm that Encryption enabled shows Yes.

Step7: Delete the original DB instance

If there is no problem, delete the original DB instance. If you do not need the manual snapshot created earlier, delete it.

Appendix: AWS CLI for each step

Step0: Save the DB instance info

aws rds describe-db-instances \
    --db-instance-identifier <value> \
    > before.txt

Step1: Take a snapshot from existing db instance

AWS CLI Command Reference | create-db-snapshot

aws rds create-db-snapshot \
    --db-instance-identifier <value> \
    --db-snapshot-identifier <value>

Step2: Encrypt the snapshot and make a copy of the snapshot

AWS CLI Command Reference | copy-db-snapshot

aws rds copy-db-snapshot \
    --source-db-snapshot-identifier <value> \
    --target-db-snapshot-identifier <value> \
    --copy-tags \
    --kms-key-id <value>

Step3: Restore DB instance from encrypted snapshot

AWS CLI Command Reference | restore-db-instance-from-db-snapshot

aws rds restore-db-instance-from-db-snapshot \
      --db-instance-identifier <value> \
      --db-snapshot-identifier <value> \
      --db-subnet-group-name <value> \
      --db-instance-class <value>

Step4: Change existing DB instance name

AWS CLI Command Reference | modify-db-instance

aws rds modify-db-instance \
      --db-instance-identifier <value> \
      --new-db-instance-identifier <value> \
      --apply-immediately

Step5: Change the restored DB instance name to the original DB instance name

AWS CLI Command Reference | modify-db-instance

aws rds modify-db-instance \
      --db-instance-identifier <value> \
      --new-db-instance-identifier <value> \
      --db-parameter-group-name <value> \
      --vpc-security-group-ids <value> \
      --apply-immediately

Step6: Confirm

Make sure that "StorageEncrypted" is true and that the other values are the same.

aws rds describe-db-instances \
    --db-instance-identifier <value> \
    > after.txt
diff before.txt after.txt
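The appendix commands above are run one at a time; the following script is an added example (not from the original post, and not AWS's code) that chains Step0 through Step6 with `aws rds wait` between them and replaces the manual diff with a check that `StorageEncrypted` became true while the engine, instance class, endpoint address, parameter group and security group stayed the same. All identifiers (mydb, sg-00000000, alias/aws/rds and so on) are placeholders. It assumes the AWS CLI's default pretty-printed JSON output, one VPC security group on the original instance, and that the renamed instance may take a moment to become visible under its new identifier. Run it with no argument to exercise the check against a constructed sample; pass `run` to execute the real steps.

```shell
#!/bin/sh
# Added example (not from the original post): the appendix steps chained with waits,
# plus a local check of the before/after describe-db-instances output. Every identifier
# below is a placeholder; override via the environment, or pass "run" to execute against AWS.
SRC_ID="${SRC_ID:-mydb}"                          # original unencrypted instance
SNAP_ID="${SNAP_ID:-${SRC_ID}-plain}"             # Step 1 manual snapshot
ENC_SNAP_ID="${ENC_SNAP_ID:-${SRC_ID}-encrypted}" # Step 2 encrypted copy
TMP_ID="${TMP_ID:-${SRC_ID}-enc-tmp}"             # Step 3 restored instance
OLD_ID="${OLD_ID:-${SRC_ID}-old}"                 # Step 4 new name for the original
KMS_KEY_ID="${KMS_KEY_ID:-alias/aws/rds}"         # AWS managed RDS key; put your CMK here

# First value of "KEY" in a describe-db-instances JSON dump (no jq needed).
field() {
  sed -n 's/^[[:space:]]*"'"$2"'": *"\{0,1\}\([^",]*\)"\{0,1\},\{0,1\}$/\1/p' "$1" | head -n 1
}
save_instance() { aws rds describe-db-instances --db-instance-identifier "$1" > "$2"; }
# A renamed instance is not visible under its new identifier right away, so poll
# describe before handing over to the waiter.
wait_instance() {
  until aws rds describe-db-instances --db-instance-identifier "$1" >/dev/null 2>&1; do sleep 15; done
  aws rds wait db-instance-available --db-instance-identifier "$1"
}
# Step 6 check: StorageEncrypted must be true and the settings that should survive the
# swap (engine, class, endpoint, parameter group, first security group) unchanged.
verify_swap() {
  [ "$(field "$2" StorageEncrypted)" = true ] || { echo "StorageEncrypted is not true" >&2; return 1; }
  for k in Engine DBInstanceClass Address DBParameterGroupName VpcSecurityGroupId; do
    b=$(field "$1" "$k"); a=$(field "$2" "$k")
    [ "$b" = "$a" ] || { echo "$k differs: '$b' -> '$a'" >&2; return 1; }
  done
}
run_all() {
  save_instance "$SRC_ID" before.txt                                        # Step 0
  aws rds create-db-snapshot --db-instance-identifier "$SRC_ID" \
      --db-snapshot-identifier "$SNAP_ID"                                   # Step 1
  aws rds wait db-snapshot-available --db-snapshot-identifier "$SNAP_ID"
  aws rds copy-db-snapshot --source-db-snapshot-identifier "$SNAP_ID" \
      --target-db-snapshot-identifier "$ENC_SNAP_ID" --copy-tags \
      --kms-key-id "$KMS_KEY_ID"                                            # Step 2
  aws rds wait db-snapshot-available --db-snapshot-identifier "$ENC_SNAP_ID"
  aws rds restore-db-instance-from-db-snapshot --db-instance-identifier "$TMP_ID" \
      --db-snapshot-identifier "$ENC_SNAP_ID" \
      --db-subnet-group-name "$(field before.txt DBSubnetGroupName)" \
      --db-instance-class "$(field before.txt DBInstanceClass)"             # Step 3
  wait_instance "$TMP_ID"
  aws rds modify-db-instance --db-instance-identifier "$SRC_ID" \
      --new-db-instance-identifier "$OLD_ID" --apply-immediately            # Step 4
  wait_instance "$OLD_ID"
  # Step 5: original name plus its parameter group and (first) security group
  aws rds modify-db-instance --db-instance-identifier "$TMP_ID" \
      --new-db-instance-identifier "$SRC_ID" \
      --db-parameter-group-name "$(field before.txt DBParameterGroupName)" \
      --vpc-security-group-ids "$(field before.txt VpcSecurityGroupId)" \
      --apply-immediately
  wait_instance "$SRC_ID"
  save_instance "$SRC_ID" after.txt                                         # Step 6
  verify_swap before.txt after.txt && echo "OK: $SRC_ID is encrypted; $OLD_ID can be deleted"
}
# Constructed sample of describe-db-instances output (not real AWS output) so the
# check can be exercised without an account: write_sample FILE true|false
write_sample() {
  cat > "$1" <<EOF
{
    "DBInstances": [
        {
            "DBInstanceIdentifier": "$SRC_ID",
            "DBInstanceClass": "db.t2.micro",
            "Engine": "mysql",
            "Endpoint": {
                "Address": "$SRC_ID.example.ap-northeast-1.rds.amazonaws.com"
            },
            "VpcSecurityGroups": [
                {
                    "VpcSecurityGroupId": "sg-00000000"
                }
            ],
            "DBParameterGroups": [
                {
                    "DBParameterGroupName": "default.mysql5.7"
                }
            ],
            "StorageEncrypted": $2
        }
    ]
}
EOF
}
if [ "${1:-}" = run ]; then
  run_all
else  # no argument: dry self-check of the verification logic on the sample
  tmp=$(mktemp -d)
  write_sample "$tmp/before.txt" false; write_sample "$tmp/after.txt" true
  verify_swap "$tmp/before.txt" "$tmp/after.txt" && echo "verification logic OK on sample"
  rm -rf "$tmp"
fi
```

The `field` helper deliberately reads the settings for Step3 and Step5 out of before.txt, so the restored instance gets the same subnet group, class, parameter group and security group as the original without retyping them. If the original instance has more than one security group, pass all IDs to `--vpc-security-group-ids` by hand, since the helper only returns the first match.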

Conclusion

This time we showed how to create a DB instance with the Encrypt option enabled from a snapshot copied from the original, unencrypted DB instance. Since the procedure works even when you do not want to change the endpoint, consider adding encryption to your existing instances.

References

Encrypting Amazon RDS Resources