Amazon Relational Database Service (Amazon RDS) is a web service that makes it easier to set up, operate, and scale a relational database in the AWS Cloud. It provides cost-efficient, resizable capacity for an industry-standard relational database and manages common database administration tasks. Compliance frameworks also expect controls around the data these databases hold; the HIPAA Security Rule, for example, requires covered entities to "implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information." Encryption at rest for RDS instances is a crucial part of that overall security posture: RDS encrypts the underlying storage with AES-256 using an AWS KMS key, and the same protection extends to the instance's automated backups, read replicas and snapshots.
It is recommended that your RDS instances are always encrypted, so that a copy of the underlying storage, a backup or a snapshot obtained by an unauthorized party cannot be read without access to the KMS key, reducing the risk of leakage or misuse of sensitive data.
- To enable encryption for a new DB instance, choose Enable encryption on the Amazon RDS console. For information on creating a DB instance, see Creating an Amazon RDS DB Instance.
- If you use the create-db-instance AWS CLI command to create an encrypted DB instance, set the --storage-encrypted parameter to true. If you use the CreateDBInstance API operation, set the StorageEncrypted parameter to true.
- When you create an encrypted DB instance, you can also supply the AWS KMS key identifier for your encryption key. If you don't specify an AWS KMS key identifier, then Amazon RDS uses your default encryption key (the AWS managed key, aliased aws/rds) for your new DB instance. AWS KMS creates your default encryption key for Amazon RDS for your AWS account, and your AWS account has a different default encryption key for each AWS Region. Note that snapshots encrypted with the AWS managed default key cannot be shared with other AWS accounts; if you need cross-account snapshot sharing, encrypt with a customer managed key instead.
- Once you have created an encrypted DB instance, you can't change the type of encryption key used by that DB instance, and an existing unencrypted DB instance cannot be encrypted in place. Therefore, be sure to determine your encryption key requirements before you create your encrypted DB instance. The supported path for an existing unencrypted instance is to take a snapshot, copy the snapshot with encryption enabled (supplying the KMS key), and restore a new instance from the encrypted copy.
- If you use the AWS CLI create-db-instance command to create an encrypted DB instance, set the --kms-key-id parameter to the Amazon Resource Name (ARN) for the AWS KMS encryption key for the DB instance. If you use the Amazon RDS API CreateDBInstance action, set the KmsKeyId parameter to the ARN for your AWS KMS key for the DB instance.
- You can use the ARN of a key from another account to encrypt a DB instance, provided that key's policy grants your account permission to use it. Alternatively, you might create the DB instance in the same AWS account that owns the AWS KMS encryption key used to encrypt it. Only in that same-account case can the AWS KMS key ID that you pass be the key alias (for example, alias/rds-prod) instead of the key's ARN; for a cross-account key you must pass the full ARN.
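The steps above describe how to create an encrypted instance and which key identifier to pass, but not how to verify the result across an account afterwards. The following is an added example, not code from the page or from AWS: it audits the JSON that `aws rds describe-db-instances` returns (a constructed sample is embedded so it runs offline), flags instances whose storage is not encrypted, notes instances encrypted with a key owned by a different account, and builds the AWS CLI commands for the create path and for the snapshot/copy/restore path that an existing unencrypted instance requires. The account ID, key ARNs and instance names are placeholders.

```python
"""Audit Amazon RDS storage encryption and build remediation commands.

Works on the JSON shape returned by `aws rds describe-db-instances`
(or boto3's describe_db_instances). Run it with real data, for example:
    aws rds describe-db-instances --output json > rds.json
    python rds_encryption_audit.py rds.json 111122223333
Quick CLI-only check for unencrypted instances, for comparison:
    aws rds describe-db-instances \
      --query 'DBInstances[?StorageEncrypted==`false`].DBInstanceIdentifier'
"""
import json
import re
import sys

# Constructed sample output; account and key IDs are placeholders.
# Unencrypted instances carry no KmsKeyId field, as in real output.
SAMPLE_DESCRIBE_OUTPUT = {
    "DBInstances": [
        {"DBInstanceIdentifier": "orders-prod", "Engine": "postgres",
         "StorageEncrypted": True,
         "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/"
                     "1234abcd-12ab-34cd-56ef-1234567890ab"},
        {"DBInstanceIdentifier": "analytics-replica", "Engine": "postgres",
         "StorageEncrypted": True,
         "KmsKeyId": "arn:aws:kms:us-east-1:444455556666:key/"
                     "0987fedc-ba98-7654-3210-fedcba098765"},
        {"DBInstanceIdentifier": "legacy-reports", "Engine": "mysql",
         "StorageEncrypted": False},
    ]
}

# KMS key ARN: arn:aws:kms:<region>:<12-digit account>:key/<uuid>
KMS_ARN_RE = re.compile(r"^arn:aws:kms:([a-z0-9-]+):(\d{12}):key/[0-9a-f-]{36}$")


def audit_instances(describe_output, account_id):
    """Return one finding per instance: FAIL (unencrypted), WARN
    (cross-account or unparseable key) or PASS (key owned by account_id)."""
    findings = []
    for db in describe_output.get("DBInstances", []):
        ident = db["DBInstanceIdentifier"]
        if not db.get("StorageEncrypted", False):
            findings.append({"id": ident, "status": "FAIL",
                             "reason": "storage not encrypted"})
            continue
        key = db.get("KmsKeyId", "")
        match = KMS_ARN_RE.match(key)
        if not match:
            findings.append({"id": ident, "status": "WARN",
                             "reason": f"unrecognised KmsKeyId {key!r}"})
            continue
        owner = match.group(2)
        if owner != account_id:
            status, reason = "WARN", f"key owned by account {owner}; confirm key policy"
        else:
            status, reason = "PASS", "encrypted with a key in this account"
        findings.append({"id": ident, "status": status,
                         "reason": reason, "kms_key_arn": key})
    return findings


def create_encrypted_instance_command(identifier, kms_key_id, engine="postgres",
                                      instance_class="db.t3.micro", storage_gb=20):
    """argv for `aws rds create-db-instance` with encryption at rest enabled.
    Uses --manage-master-user-password (Secrets Manager) so no password
    appears on the command line; requires a recent AWS CLI v2."""
    return ["aws", "rds", "create-db-instance",
            "--db-instance-identifier", identifier,
            "--engine", engine,
            "--db-instance-class", instance_class,
            "--allocated-storage", str(storage_gb),
            "--master-username", "dbadmin",
            "--manage-master-user-password",
            "--storage-encrypted",
            "--kms-key-id", kms_key_id]


def encrypt_existing_instance_commands(identifier, kms_key_id):
    """The three-step path for an unencrypted instance: snapshot, encrypted
    copy of the snapshot, restore into a new (encrypted) instance."""
    snap, enc_snap, new_id = f"{identifier}-pre-encrypt", f"{identifier}-encrypted", f"{identifier}-enc"
    return [
        f"aws rds create-db-snapshot --db-instance-identifier {identifier} "
        f"--db-snapshot-identifier {snap}",
        f"aws rds copy-db-snapshot --source-db-snapshot-identifier {snap} "
        f"--target-db-snapshot-identifier {enc_snap} --kms-key-id {kms_key_id}",
        f"aws rds restore-db-instance-from-db-snapshot --db-instance-identifier {new_id} "
        f"--db-snapshot-identifier {enc_snap}",
    ]


if __name__ == "__main__":
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 2 else SAMPLE_DESCRIBE_OUTPUT
    account = sys.argv[2] if len(sys.argv) > 2 else "111122223333"
    for f in audit_instances(data, account):
        print(f"{f['status']:4} {f['id']}: {f['reason']}")
        if f["status"] == "FAIL":
            for step in encrypt_existing_instance_commands(f["id"], "alias/rds-prod"):
                print("      ", step)
```

After the restore completes, point applications at the new instance, re-run the audit, and delete the unencrypted instance and its snapshots; the unencrypted snapshot left behind by step one still holds cleartext data until it is removed.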