AWS Security Blog

Amazon RDS Now Supports Encryption via AWS Key Management Service

Today, Amazon RDS for MySQL and PostgreSQL released support for database encryption using AWS Key Management Service (KMS). This feature addresses a common request from customers who have asked for an easy way to encrypt data in these RDS database types.

When you create a new MySQL or PostgreSQL database instance, you can choose to enable encryption for that instance. In the AWS Management Console, click Launch DB Instance, and use the Enable Encryption drop-down list in the Database Options section of the fourth step (Configure Advanced Settings). You can use the default RDS encryption key in your account, or select a key you created using KMS. After you have created your instance, RDS handles all encryption and decryption transparently, with no additional action required and no changes to your application. The underlying database storage is encrypted, as are its automated backups, read replicas, and snapshots.

The following screenshot shows how this configuration option looks in the AWS Management Console when launching a new RDS instance.

Screenshot of the RDS encryption configuration in AWS Management Console
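Because the encryption choice is made at launch, it is worth checking afterwards which instances actually have it. The following is an added example, not code from this post or from AWS; it reads the StorageEncrypted and KmsKeyId fields that describe_db_instances reports, and the sample response, key ARN and account ID are constructed placeholders so the check runs offline.

```python
"""Audit Amazon RDS instances for encryption at rest (added example).
Works on the dictionaries boto3's rds.describe_db_instances() returns."""
from typing import Dict, List, Optional

# Constructed sample in the shape of the DBInstances list returned by
# describe_db_instances(). The key ARN and account ID are placeholders.
SAMPLE_INSTANCES: List[Dict] = [
    {"DBInstanceIdentifier": "orders-pg", "Engine": "postgres",
     "StorageEncrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
    {"DBInstanceIdentifier": "legacy-mysql", "Engine": "mysql",
     "StorageEncrypted": False},
]


def encryption_report(db_instances: List[Dict]) -> Dict[str, Optional[str]]:
    """Map each instance identifier to the KMS key ARN protecting its
    storage, or None when StorageEncrypted is false."""
    return {
        inst["DBInstanceIdentifier"]:
            inst.get("KmsKeyId") if inst.get("StorageEncrypted") else None
        for inst in db_instances
    }


def unencrypted_instances(db_instances: List[Dict]) -> List[str]:
    """Identifiers of instances launched without encryption; their automated
    backups, read replicas and snapshots are therefore unencrypted too."""
    return [name for name, key in encryption_report(db_instances).items()
            if key is None]


def audit_account(region: str) -> List[str]:
    """Run the same check against a live account (needs boto3 and credentials)."""
    import boto3  # imported here so the offline functions need no SDK
    rds = boto3.client("rds", region_name=region)
    instances: List[Dict] = []
    for page in rds.get_paginator("describe_db_instances").paginate():
        instances.extend(page["DBInstances"])
    return unencrypted_instances(instances)


if __name__ == "__main__":
    for name, key in encryption_report(SAMPLE_INSTANCES).items():
        print(f"{name}: {key or 'NOT ENCRYPTED'}")
```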

Encryption in Amazon RDS is also integrated with AWS CloudTrail to help you understand how and when a KMS key in your account was used to encrypt or decrypt your database. Both the volume ID and the database resource ID are logged for each request to use your KMS key so that you can search against these values in your AWS CloudTrail logs.

For more detail about how Amazon RDS for MySQL or PostgreSQL supports encryption, go to Encrypting Amazon RDS Resources and the Amazon RDS section of the AWS KMS Developer Guide.

– Ken