How to Encrypt an Unencrypted RDS DB Instance

Lab Details

  1. This lab walks you through the steps to encrypt an existing unencrypted RDS DB instance.

  2. You will practice this by creating a DB instance without enabling encryption, then encrypting it afterwards.

  3. Duration: 1 hour 20 minutes

  4. AWS Region: US East (N. Virginia) us-east-1


  1. Amazon RDS can encrypt your Amazon RDS DB Instances.

  2. When the encrypt option is enabled for Amazon RDS resources, we are able to encrypt DB instances, automated backups, read replicas, snapshots and logs.

  3. Amazon RDS encrypted DB instances use the AES-256 encryption algorithm to encrypt your data on the server that hosts your Amazon RDS DB instances.

  4. The Encrypt option can be enabled only when you are launching the DB instance; it cannot be enabled after launch. However, copies of unencrypted snapshots can be encrypted.

Architecture Diagram

Task Details

  1. Log into AWS Management Console.

  2. Create an Amazon RDS DB Instance (without enabling encrypt option).

  3. Take a snapshot from an existing DB Instance.

  4. Make a copy of the snapshot and encrypt it.

  5. Restore DB Instance from the encrypted snapshot.

  6. Change the name of the original DB Instance.

  7. Change the name of the Restored DB Instance to the original DB Instance name.

  8. Delete the original RDS Instance and snapshot.

  9. Validation of the lab.

  10. Deleting AWS Resources
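
Tasks 3 to 5 above can also be driven through the RDS API instead of the console. The following is an added example, not part of the original lab: it takes a boto3 RDS client, and the snapshot naming scheme, the instance identifiers and the default key alias alias/aws/rds are assumptions. It checks that the snapshot copy is really encrypted before restoring from it.

```python
"""Tasks 3-5 of the lab as API calls: snapshot, encrypted copy, restore."""


def encrypt_via_snapshot(rds, source_id, target_id, kms_key_id="alias/aws/rds"):
    """Return the identifier of an encrypted instance holding source_id's data.

    rds is a boto3 RDS client or any object exposing the same methods.
    """
    src = rds.describe_db_instances(DBInstanceIdentifier=source_id)["DBInstances"][0]
    if src["StorageEncrypted"]:
        return source_id  # already encrypted, nothing to migrate

    # Snapshot names are a hypothetical naming scheme chosen for this example.
    plain_snap = f"{source_id}-plain-snap"
    enc_snap = f"{source_id}-encrypted-snap"
    snap_ready = rds.get_waiter("db_snapshot_available")

    # Task 3: snapshot the unencrypted instance.
    rds.create_db_snapshot(DBInstanceIdentifier=source_id,
                           DBSnapshotIdentifier=plain_snap)
    snap_ready.wait(DBSnapshotIdentifier=plain_snap)

    # Task 4: passing KmsKeyId on the copy is what encrypts it.
    rds.copy_db_snapshot(SourceDBSnapshotIdentifier=plain_snap,
                         TargetDBSnapshotIdentifier=enc_snap,
                         KmsKeyId=kms_key_id)
    snap_ready.wait(DBSnapshotIdentifier=enc_snap)
    copy = rds.describe_db_snapshots(DBSnapshotIdentifier=enc_snap)["DBSnapshots"][0]
    if not copy.get("Encrypted"):
        raise RuntimeError(f"{enc_snap} is not encrypted; refusing to restore")

    # Task 5: the restored instance inherits encryption from the snapshot.
    rds.restore_db_instance_from_db_snapshot(DBInstanceIdentifier=target_id,
                                             DBSnapshotIdentifier=enc_snap)
    rds.get_waiter("db_instance_available").wait(DBInstanceIdentifier=target_id)
    new = rds.describe_db_instances(DBInstanceIdentifier=target_id)["DBInstances"][0]
    if not new["StorageEncrypted"]:
        raise RuntimeError(f"{target_id} was restored without encryption")
    return target_id


if __name__ == "__main__":
    import boto3  # needs AWS credentials; the lab region is us-east-1

    client = boto3.client("rds", region_name="us-east-1")
    # "lab-db" and "lab-db-encrypted" are placeholder instance identifiers.
    print(encrypt_via_snapshot(client, "lab-db", "lab-db-encrypted"))
```

The restore call leaves network settings such as VPC security groups at their defaults, so review them on the restored instance before tasks 6 to 8 swap it in for the original.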

Case Study

  1. Suppose we have created an RDS DB instance without enabling encryption. As time passed, the project grew and began to store more sensitive data.

  2. Being aware of the security issues, you wanted to confirm on the AWS console that your database was properly encrypted.

  3. Your database turned out to be completely unencrypted, and when you looked for a way to encrypt it, there was no option to do so.