Posted On: Feb 11, 2016
Starting today, in addition to sharing your unencrypted database snapshots, you can also share encrypted database snapshots with other AWS accounts. You may share an encrypted DB snapshot with up to 20 accounts via the RDS console, API and CLI. Encrypted snapshots can be shared within the same region only, and cannot be shared publicly for security reasons. Learn more about how to share encrypted database snapshots in the RDS documentation.
In addition to sharing encrypted database snapshots, you may also now add encryption at rest using KMS keys to a previously unencrypted database instance. To do this, you will need to copy a snapshot of the unencrypted database instance that you wish to encrypt. During the copy operation, you will have the option to add an encryption key. Once the copy operation is complete, you may restore a database instance from the copied snapshot, which will be encrypted using the key you specified. When the database instance is operational, simply point your application to this newly encrypted database instance. You may also use this method to change encryption keys for existing encrypted database instances. However, you cannot remove encryption from an encrypted database snapshot. To learn more about adding encryption or changing the encryption key for an existing DB instance, please refer to the RDS documentation.
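The copy-and-restore procedure described above, written as AWS CLI calls with a final check that the restored instance is encrypted under the intended key. This is an added example, not code from AWS; the derived snapshot names are assumptions, and the key is assumed to be passed as a KMS key ID or key ARN (not an alias).

```shell
# Added example, not AWS-provided code. Snapshot names are derived from the
# source instance name (an assumption); KMS_KEY must be a key ID or key ARN.

# verify_encrypted INSTANCE KMS_KEY
# Succeeds only if the instance reports encrypted storage under KMS_KEY.
verify_encrypted() {
  ve_state=$(aws rds describe-db-instances \
    --db-instance-identifier "$1" \
    --query 'DBInstances[0].[StorageEncrypted,KmsKeyId]' \
    --output text) || return 1
  # Text output is "True<TAB><key ARN>"; the key ARN ends with the key ID.
  case "$ve_state" in
    True*"$2") return 0 ;;
    *) echo "unexpected encryption state for $1: $ve_state" >&2; return 1 ;;
  esac
}

# encrypt_via_snapshot_copy SOURCE_INSTANCE KMS_KEY NEW_INSTANCE
encrypt_via_snapshot_copy() {
  src=$1; key=$2; new=$3
  plain_snap="$src-plain"; enc_snap="$src-encrypted"

  # 1. Snapshot the unencrypted instance and wait until it is available.
  aws rds create-db-snapshot \
    --db-instance-identifier "$src" \
    --db-snapshot-identifier "$plain_snap" &&
  aws rds wait db-snapshot-available \
    --db-snapshot-identifier "$plain_snap" &&
  # 2. Copy the snapshot; supplying a KMS key makes the copy encrypted.
  aws rds copy-db-snapshot \
    --source-db-snapshot-identifier "$plain_snap" \
    --target-db-snapshot-identifier "$enc_snap" \
    --kms-key-id "$key" &&
  aws rds wait db-snapshot-available \
    --db-snapshot-identifier "$enc_snap" &&
  # 3. Restore a new instance from the encrypted copy.
  aws rds restore-db-instance-from-db-snapshot \
    --db-instance-identifier "$new" \
    --db-snapshot-identifier "$enc_snap" &&
  aws rds wait db-instance-available \
    --db-instance-identifier "$new" &&
  # 4. Confirm encryption and key before repointing the application.
  verify_encrypted "$new" "$key"
}
```

Repoint the application at the new instance only after the final check succeeds.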