Encrypt Existing AWS RDS Cluster or Instance

Harshvijaythakkar
4 min read · Nov 3, 2022


Data security is one of the most important factors in modern technology. People are moving from traditional systems to smart systems, and it is very important that sensitive data is stored using advanced security algorithms.

Amazon Relational Database Service (Amazon RDS) is a fully managed web service that makes it easier to set up, operate, and scale your relational database in the cloud. It is a very cost-efficient, reliable and easy-to-manage database as a service.

Amazon RDS encrypted DB instances use the industry standard AES-256 encryption algorithm to encrypt your data on the server that hosts your Amazon RDS DB instances. After your data is encrypted, Amazon RDS handles authentication of access and decryption of your data transparently, with minimal impact on performance. You don’t need to modify your database client applications to use encryption.

You can enable encryption for an Amazon RDS DB instance when you create it, but not after it’s created. There are, however, ways to get there indirectly, and in this blog post I explain the different methods of enabling encryption on an existing AWS RDS cluster or instance.

Encryption

Let’s get started

Snapshot Approach:

Since encryption cannot be enabled directly on an existing RDS database, this method goes through an encrypted copy of a snapshot. It requires downtime, and how long depends on the data size.

Steps:

  1. Stop writes on your database by stopping all the applications that write to it. (This ensures data consistency.)
  2. Take a snapshot of your database cluster or instance and wait until it is in the available state.
  3. Copy the snapshot and enable encryption on the copy. You can use either the default KMS key or your own KMS key.
  4. Create a new RDS database cluster or instance from the encrypted snapshot and wait for it to become available.
  5. Update your application to point to the new encrypted RDS.

Congratulations!! Now your data is encrypted at rest. You can use this
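The five steps above, scripted against the AWS CLI, as an added example that is not part of the original post. Step 1 (stopping writers) and step 5 (repointing the application) happen outside the script; everything in between is automated, and the script refuses to report success until the restored instance actually reports StorageEncrypted with a KMS key. Instance names, the instance class, the subnet group, security group and parameter group are placeholders you must set; the KMS key defaults to the AWS-managed RDS key alias.

```sh
#!/bin/sh
# Added example (not from the original post): snapshot -> encrypted copy -> restore,
# driven by the AWS CLI. All identifiers below are placeholders you must set.
set -eu

SRC_INSTANCE="${SRC_INSTANCE:-my-unencrypted-db}"   # placeholder
NEW_INSTANCE="${NEW_INSTANCE:-my-encrypted-db}"     # placeholder
KMS_KEY_ID="${KMS_KEY_ID:-alias/aws/rds}"           # default RDS key, or your own key ARN
INSTANCE_CLASS="${INSTANCE_CLASS:-db.t3.medium}"    # placeholder
STAMP=$(date +%Y%m%d%H%M)
PLAIN_SNAP="$SRC_INSTANCE-plain-$STAMP"
ENC_SNAP="$SRC_INSTANCE-encrypted-$STAMP"

# Step 2: snapshot the (still unencrypted) source and wait for it.
take_snapshot() {
  aws rds create-db-snapshot \
    --db-instance-identifier "$SRC_INSTANCE" \
    --db-snapshot-identifier "$PLAIN_SNAP" >/dev/null
  aws rds wait db-snapshot-available --db-snapshot-identifier "$PLAIN_SNAP"
}

# Step 3: the copy is where encryption happens; --kms-key-id makes the copy encrypted.
copy_snapshot_encrypted() {
  aws rds copy-db-snapshot \
    --source-db-snapshot-identifier "$PLAIN_SNAP" \
    --target-db-snapshot-identifier "$ENC_SNAP" \
    --kms-key-id "$KMS_KEY_ID" >/dev/null
  aws rds wait db-snapshot-available --db-snapshot-identifier "$ENC_SNAP"
}

# Step 4: restore. Pass subnet group, security groups and parameter group explicitly;
# a restore that omits them falls back to the defaults, not to the source's settings.
restore_encrypted() {
  # SG_IDS is a space-separated list and is intentionally unquoted.
  aws rds restore-db-instance-from-db-snapshot \
    --db-instance-identifier "$NEW_INSTANCE" \
    --db-snapshot-identifier "$ENC_SNAP" \
    --db-instance-class "$INSTANCE_CLASS" \
    --db-subnet-group-name "${SUBNET_GROUP:?set SUBNET_GROUP}" \
    --vpc-security-group-ids ${SG_IDS:?set SG_IDS} \
    --db-parameter-group-name "${PARAM_GROUP:?set PARAM_GROUP}" >/dev/null
  aws rds wait db-instance-available --db-instance-identifier "$NEW_INSTANCE"
}

# Before cutover: ask RDS what it thinks about the new instance.
# Output is one line, "<StorageEncrypted><TAB><KmsKeyId>", e.g. "True\tarn:aws:kms:...".
describe_encryption() {
  aws rds describe-db-instances --db-instance-identifier "$1" \
    --query 'DBInstances[0].[StorageEncrypted,KmsKeyId]' --output text
}

# Pure check on that output, so the decision logic can be tested without AWS access.
encryption_verified() {
  case "$1" in
    True*arn:aws:kms:*) return 0 ;;
    *) return 1 ;;
  esac
}

main() {
  take_snapshot
  copy_snapshot_encrypted
  restore_encrypted
  out=$(describe_encryption "$NEW_INSTANCE")
  if encryption_verified "$out"; then
    echo "OK: $NEW_INSTANCE is encrypted at rest ($out); repoint the application (step 5)."
  else
    echo "FAILED: $NEW_INSTANCE reports: $out" >&2
    exit 1
  fi
}

# Only run the migration when explicitly asked, so the functions can be sourced or tested.
if [ "${1:-}" = "run" ]; then
  main
fi
```

Run it as `SUBNET_GROUP=... SG_IDS="sg-a sg-b" PARAM_GROUP=... ./encrypt-via-snapshot.sh run`. For an Aurora cluster the same flow uses the cluster variants of these commands (create-db-cluster-snapshot, copy-db-cluster-snapshot with --kms-key-id, restore-db-cluster-from-snapshot) and the cluster waiters. The old unencrypted snapshot is still unencrypted data at rest; delete it once the encrypted copy has been restored and verified.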

Advantages:

  1. Easy to implement
  2. No additional task is required
  3. Can be done in a few clicks

Disadvantages:

  1. Downtime starts at step 1 and lasts until the end; from creating the snapshot until its restoration, the application must not perform any write operations on the database
  2. Depending on the size of the data, creating the snapshot and restoring the encrypted snapshot can take a long time
  3. The encrypted snapshot becomes a bottleneck if you manage your infrastructure with CloudFormation / Terraform, because on every update you must keep passing the encrypted snapshot ID; otherwise a new blank RDS will be created

Data Migration Approach:

In this approach, instead of relying on a snapshot, we migrate the data from one cluster/instance to another. There are multiple ways to do the data migration, and the downtime depends on the migration approach you choose.

Steps:

  1. Create a new blank RDS cluster / instance with encryption enabled. You can do this with a few clicks in the AWS Console or using IaC tools
  2. Migrate the data from the source RDS (unencrypted) to the target RDS (encrypted)

There are different ways in which you can do the data migration.

  • Using native PostgreSQL tools: You can use pg_dump and pg_restore to migrate data from the source to the target RDS. Use this method when your database is small OR your business allows a downtime of a few hours
    1. Stop writes on your source database
    2. Use the following command to take a dump from the source
       pg_dump -h <source_endpoint> -U <source_user_name> -d <source_db_name> --verbose --jobs 4 -Fd -f <path_to_directory>
       The number passed to --jobs depends on the number of cores available on the server running the dump.
    3. Use the following command to restore the data into the target
       pg_restore -h <target_endpoint> -U <target_user_name> -d <target_db_name> --verbose --jobs 4 -Fd <path_to_directory>
       The number passed to --jobs depends on the number of cores available on the server running the restore.
    4. Validate the data in the target
  • Using AWS DMS: AWS DMS is a great tool for data migration; during the migration your application can keep writing to the database, and DMS takes care of migrating the changed data.
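The pg_dump / pg_restore steps above as one script, as an added example that is not part of the original post. It wraps the two commands from the post, derives the --jobs count from the cores on the host running them, and fills in step 4 (validation) with something concrete: an exact row count of every user table on the source before the dump and on the target after the restore, compared with diff. Endpoints, the role name and the database name are placeholders; the cap of eight parallel jobs is this example's own assumption, and credentials are expected from the environment or ~/.pgpass rather than the command line.

```sh
#!/bin/sh
# Added example (not from the original post): dump/restore cutover with a row-count
# check around the pg_dump/pg_restore commands from the post. Endpoints are placeholders.
set -eu

SRC_HOST="${SRC_HOST:-source.placeholder.rds.amazonaws.com}"  # placeholder
TGT_HOST="${TGT_HOST:-target.placeholder.rds.amazonaws.com}"  # placeholder
DB_USER="${DB_USER:-postgres}"   # assumption: same role name on both sides
DB_NAME="${DB_NAME:-appdb}"      # placeholder
DUMP_DIR="${DUMP_DIR:-/tmp/appdb-dump}"
# Password comes from PGPASSWORD in the environment or ~/.pgpass, never from argv.

# --jobs should track the cores on the host running pg_dump/pg_restore; the cap keeps a
# small RDS instance from being saturated (the cap of 8 is this example's assumption).
jobs_for_host() {
  n=$(nproc 2>/dev/null || getconf _NPROCESSORS_ONLN 2>/dev/null || echo 1)
  if [ "$n" -gt 8 ]; then n=8; fi
  echo "$n"
}

# Step 2: directory-format dump, parallel.
dump_source() {
  pg_dump -h "$SRC_HOST" -U "$DB_USER" -d "$DB_NAME" \
    --verbose --jobs "$(jobs_for_host)" -Fd -f "$DUMP_DIR"
}

# Step 3: parallel restore into the encrypted target.
restore_target() {
  pg_restore -h "$TGT_HOST" -U "$DB_USER" -d "$DB_NAME" \
    --verbose --jobs "$(jobs_for_host)" -Fd "$DUMP_DIR"
}

# Exact row count per user table, one "schema.table count" line each.
# format('%I.%I') quotes the identifiers, so mixed-case or odd table names are safe.
row_counts() {
  host=$1
  psql -h "$host" -U "$DB_USER" -d "$DB_NAME" -AtX -c \
    "SELECT format('%I.%I', schemaname, tablename) FROM pg_tables
      WHERE schemaname NOT IN ('pg_catalog', 'information_schema') ORDER BY 1" |
  while IFS= read -r tbl; do
    cnt=$(psql -h "$host" -U "$DB_USER" -d "$DB_NAME" -AtX -c "SELECT count(*) FROM $tbl")
    printf '%s %s\n' "$tbl" "$cnt"
  done
}

# Step 4: compare the two count files; any mismatch is printed and the function fails.
compare_counts() {
  diff -u "$1" "$2"
}

main() {
  # Step 1 (stopping writers on the source) is done before this script runs.
  row_counts "$SRC_HOST" > "$DUMP_DIR.src-counts"
  dump_source
  restore_target
  row_counts "$TGT_HOST" > "$DUMP_DIR.tgt-counts"
  compare_counts "$DUMP_DIR.src-counts" "$DUMP_DIR.tgt-counts"
  echo "row counts match on all user tables; safe to repoint the application to $TGT_HOST"
}

# Only migrate when explicitly asked, so the functions can be sourced or tested.
if [ "${1:-}" = "migrate" ]; then
  main
fi
```

Run it as `./migrate.sh migrate` from a host with network access to both endpoints. Row counts catch a partially failed restore but not a corrupted row; if the data is small enough, a per-table checksum query on both sides is the next step up.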

You can refer to my blog on how to use DMS for data migration.

In that blog I explained how to use DMS to perform a major version upgrade of an Aurora PostgreSQL cluster, but the bottom line is the same: migrate the data from a source cluster to a target cluster. You can do the major version upgrade, enable encryption, or do both together.

Congratulations!! You have enabled encryption at rest for your RDS, and your sensitive data is now secured with an advanced encryption algorithm.
