Today Amazon RDS for MySQL and PostgreSQL released support for database encryption using AWS Key Management Service (KMS). This feature addresses a common request from customers who have asked for an easy way to encrypt data in these RDS database types.
When you create a new MySQL or PostgreSQL database instance, you can choose to enable encryption for that instance. In the AWS Management Console, click "Launch DB Instance" and, in the Database Options section of the fourth step (Configure Advanced Settings), use the "Enable Encryption" drop-down. You can use the default RDS encryption key in your account or select a key you created using KMS. Once the instance is created, Amazon RDS handles all encryption and decryption transparently, with no additional action required and no changes to your application: the underlying database storage is encrypted, as are its automated backups, read replicas, and snapshots.
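Because the encryption choice is made when the instance is created, the practical checks are (a) requesting it correctly up front and (b) auditing existing instances for ones launched without it. The following is an added example, not code from the AWS post: it builds the `create_db_instance` parameters that correspond to the console's "Enable Encryption" choice and audits DescribeDBInstances-style records. The field names `StorageEncrypted` and `KmsKeyId` are assumed to follow the RDS API as exposed by boto3, the key ARNs and instance records are constructed sample data, and no AWS call is made, so it runs offline.

```python
"""Added example (not from the AWS post): build the parameters that request an
encrypted RDS instance with a KMS key, and audit DescribeDBInstances output for
instances that were launched without encryption.

Assumptions (labelled): the field names StorageEncrypted and KmsKeyId follow the
RDS API as exposed by boto3; the instance records below are constructed sample
data, not output from a real account.
"""
from __future__ import annotations

# Constructed sample KMS key ARN (not a real key).
CUSTOMER_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000"


def encrypted_instance_request(identifier: str, engine: str,
                               kms_key_id: str | None = None) -> dict:
    """Return the keyword arguments for rds.create_db_instance(**...) that
    turn on storage encryption.  Omitting kms_key_id uses the account's
    default RDS key, matching the console's "default RDS encryption key" choice.
    """
    if engine not in ("mysql", "postgres"):
        raise ValueError("encryption here is shown for mysql and postgres only")
    params = {
        "DBInstanceIdentifier": identifier,
        "Engine": engine,
        "DBInstanceClass": "db.m3.medium",          # sample class, adjust as needed
        "AllocatedStorage": 20,
        "MasterUsername": "admin",
        "MasterUserPassword": "<placeholder, not a real password>",
        "StorageEncrypted": True,   # the API equivalent of "Enable Encryption: Yes"
    }
    if kms_key_id:
        params["KmsKeyId"] = kms_key_id   # customer-created key instead of the default
    return params


def find_unencrypted(instances: list[dict]) -> list[str]:
    """Return identifiers of instances whose storage is not encrypted.
    Input shape mirrors the DBInstances list from describe_db_instances."""
    return [i["DBInstanceIdentifier"] for i in instances
            if not i.get("StorageEncrypted", False)]


def key_usage(instances: list[dict]) -> dict[str, list[str]]:
    """Map each KMS key (or 'unencrypted') to the instances using it, so an
    audit can show which databases rely on the default key versus a customer key."""
    usage: dict[str, list[str]] = {}
    for i in instances:
        key = i.get("KmsKeyId", "unencrypted") if i.get("StorageEncrypted") else "unencrypted"
        usage.setdefault(key, []).append(i["DBInstanceIdentifier"])
    return usage


# Constructed sample describe_db_instances output.
SAMPLE_INSTANCES = [
    {"DBInstanceIdentifier": "orders-pg", "Engine": "postgres",
     "StorageEncrypted": True, "KmsKeyId": CUSTOMER_KEY_ARN},
    {"DBInstanceIdentifier": "legacy-mysql", "Engine": "mysql",
     "StorageEncrypted": False},
    {"DBInstanceIdentifier": "reports-mysql", "Engine": "mysql",
     "StorageEncrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/11111111-1111-1111-1111-111111111111"},
]

if __name__ == "__main__":
    print("request:", encrypted_instance_request("orders-pg", "postgres", CUSTOMER_KEY_ARN))
    print("unencrypted:", find_unencrypted(SAMPLE_INSTANCES))
    for key, ids in key_usage(SAMPLE_INSTANCES).items():
        print(key, "->", ids)
```

To run it against a real account, replace `SAMPLE_INSTANCES` with `boto3.client("rds").describe_db_instances()["DBInstances"]` and pass the returned dict from `encrypted_instance_request` to `create_db_instance`; the audit functions work unchanged on that output.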
The screenshot below shows how this configuration option looks in the AWS Management Console when launching a new RDS instance.
Encryption in Amazon RDS is also integrated with AWS CloudTrail to help you understand how and when a KMS key in your account was used to encrypt or decrypt your database. Both the volume ID and the database resource ID are logged for each request to use your KMS key so you can search against these values in your AWS CloudTrail logs.
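The search the paragraph describes, as an added example that is not part of the AWS post: it scans a CloudTrail log file for KMS calls made on behalf of one RDS instance and summarizes which callers used each key. It assumes that CloudTrail records KMS calls with `eventSource` "kms.amazonaws.com" and carries the database resource ID and volume ID in `requestParameters.encryptionContext` under the names `aws:rds:db-id` and `aws:ebs:id`; those field names, the key ARN and all log records below are constructed sample data rather than real logs.

```python
"""Added example (not from the AWS post): scan CloudTrail records for uses of a
KMS key on behalf of an RDS instance, keyed by the database resource ID and
volume ID that the post says are logged.

Assumptions (labelled): CloudTrail writes KMS calls with eventSource
"kms.amazonaws.com" and carries the RDS resource ID and EBS volume ID in
requestParameters.encryptionContext under the names "aws:rds:db-id" and
"aws:ebs:id"; the records below are constructed, not real log data.
"""
import json
from collections import defaultdict

DB_ID_KEY = "aws:rds:db-id"    # assumed encryption-context field names
VOLUME_ID_KEY = "aws:ebs:id"

# Constructed CloudTrail log file (the real format is {"Records": [...]}).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2015-01-06T18:01:02Z", "eventSource": "kms.amazonaws.com",
     "eventName": "Decrypt",
     "userIdentity": {"type": "AWSService", "invokedBy": "rds.amazonaws.com"},
     "requestParameters": {"encryptionContext": {
         DB_ID_KEY: "db-EXAMPLE0001", VOLUME_ID_KEY: "vol-0example01"}},
     "resources": [{"ARN": "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000"}]},
    {"eventTime": "2015-01-06T18:05:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "GenerateDataKeyWithoutPlaintext",
     "userIdentity": {"type": "AWSService", "invokedBy": "rds.amazonaws.com"},
     "requestParameters": {"encryptionContext": {
         DB_ID_KEY: "db-EXAMPLE0002", VOLUME_ID_KEY: "vol-0example02"}},
     "resources": [{"ARN": "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000"}]},
    {"eventTime": "2015-01-06T18:07:30Z", "eventSource": "kms.amazonaws.com",
     "eventName": "Decrypt",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"encryptionContext": {"purpose": "app-secrets"}},
     "resources": [{"ARN": "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000"}]},
    {"eventTime": "2015-01-06T18:09:00Z", "eventSource": "rds.amazonaws.com",
     "eventName": "DescribeDBInstances", "requestParameters": None},
]})


def kms_events(log_text):
    """Yield (record, encryptionContext) for KMS API calls only; records with
    no requestParameters or no encryptionContext get an empty context."""
    for rec in json.loads(log_text)["Records"]:
        if rec.get("eventSource") != "kms.amazonaws.com":
            continue
        ctx = (rec.get("requestParameters") or {}).get("encryptionContext") or {}
        yield rec, ctx


def key_uses_for_db(log_text, db_resource_id):
    """Return (time, API name, key ARN, volume ID) for every KMS call made on
    behalf of one RDS instance; this is the search the post describes."""
    hits = []
    for rec, ctx in kms_events(log_text):
        if ctx.get(DB_ID_KEY) != db_resource_id:
            continue
        key_arn = rec["resources"][0]["ARN"] if rec.get("resources") else None
        hits.append((rec["eventTime"], rec["eventName"], key_arn, ctx.get(VOLUME_ID_KEY)))
    return hits


def key_use_summary(log_text):
    """Count KMS calls per key, split by RDS instance, with 'other' for calls
    that carry no RDS context; an unexpected 'other' caller on a key meant only
    for RDS is the kind of thing this view surfaces."""
    summary = defaultdict(lambda: defaultdict(int))
    for rec, ctx in kms_events(log_text):
        key_arn = rec["resources"][0]["ARN"] if rec.get("resources") else "unknown-key"
        caller = ctx.get(DB_ID_KEY, "other")
        summary[key_arn][caller] += 1
    return {k: dict(v) for k, v in summary.items()}


if __name__ == "__main__":
    for hit in key_uses_for_db(SAMPLE_LOG, "db-EXAMPLE0001"):
        print(hit)
    print(json.dumps(key_use_summary(SAMPLE_LOG), indent=2))
```

On real data, feed each gunzipped CloudTrail log file's text to these functions in turn (or merge the `Records` lists first); the summary is most useful when the key is dedicated to RDS, because then any caller other than a known database resource ID stands out.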