Amazon RDS now supports encryption via AWS Key Management Service

Today Amazon RDS for MySQL and PostgreSQL released support for database encryption using AWS Key Management Service (KMS). This feature addresses a common request from customers who have asked for an easy way to encrypt data at rest in these RDS database engines.

When you create a new MySQL or PostgreSQL DB instance, you can choose to enable encryption for that instance. In the AWS Management Console, click "Launch DB Instance" and set the "Enable Encryption" drop-down in the Database Options section of the fourth step (Configure Advanced Settings). You can use the default RDS encryption key in your account or select a key you created in KMS. Once the instance is created, Amazon RDS handles all encryption and decryption transparently, so you do not have to modify your application to access your data. The underlying database storage is encrypted, as are its automated backups, read replicas, and snapshots. Note that this choice is made at creation time: encryption cannot be turned on later for an existing unencrypted instance, and the feature protects data at rest only; connections to the database still need SSL to protect data in transit.
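Because encryption is fixed at creation time, the practical check is an inventory audit: list every instance, flag any that are unencrypted (these must be recreated), and flag any encrypted with a key outside the set your policy allows. The script below is an added example and not code from the original post. It reads the JSON shape returned by `aws rds describe-db-instances` (the same fields boto3's `describe_db_instances()` returns: `StorageEncrypted`, `KmsKeyId`, `DbiResourceId`); the instance names, resource IDs and key ARNs are constructed sample data.

```python
"""Audit Amazon RDS instances for storage encryption and the KMS key in use.

Added example (not from the original post). Input is the JSON shape of
`aws rds describe-db-instances`; the sample below is constructed.
"""
import json

# Constructed sample in the shape of `aws rds describe-db-instances --output json`.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "DBInstances": [
        {
            "DBInstanceIdentifier": "orders-db",
            "Engine": "mysql",
            "DbiResourceId": "db-EXAMPLE1",
            "StorageEncrypted": True,
            "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/11111111-2222-3333-4444-555555555555",
        },
        {
            # Created without "Enable Encryption": cannot be fixed in place.
            "DBInstanceIdentifier": "legacy-db",
            "Engine": "postgres",
            "DbiResourceId": "db-EXAMPLE2",
            "StorageEncrypted": False,
        },
        {
            # Encrypted, but with a key that is not on the approved list.
            "DBInstanceIdentifier": "analytics-db",
            "Engine": "postgres",
            "DbiResourceId": "db-EXAMPLE3",
            "StorageEncrypted": True,
            "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
        },
    ]
})

# Hypothetical approved customer-managed key for this example.
EXPECTED_KEY = "arn:aws:kms:us-east-1:111122223333:key/11111111-2222-3333-4444-555555555555"


def audit_rds_encryption(describe_output_json, allowed_key_arns):
    """Return {DBInstanceIdentifier: finding} for every instance.

    Findings:
      "unencrypted"    StorageEncrypted is false (recreate the instance to fix)
      "unexpected-key" encrypted, but KmsKeyId is not in allowed_key_arns
      "ok"             encrypted with an approved key
    """
    findings = {}
    for inst in json.loads(describe_output_json).get("DBInstances", []):
        name = inst["DBInstanceIdentifier"]
        if not inst.get("StorageEncrypted", False):
            findings[name] = "unencrypted"
        elif inst.get("KmsKeyId") not in allowed_key_arns:
            findings[name] = "unexpected-key"
        else:
            findings[name] = "ok"
    return findings


def instances_needing_recreation(describe_output_json):
    """Identifiers of instances that cannot be encrypted in place."""
    findings = audit_rds_encryption(describe_output_json, allowed_key_arns=set())
    return sorted(name for name, f in findings.items() if f == "unencrypted")


if __name__ == "__main__":
    for name, finding in audit_rds_encryption(SAMPLE_DESCRIBE_OUTPUT, {EXPECTED_KEY}).items():
        print(f"{name}: {finding}")
    print("recreate:", instances_needing_recreation(SAMPLE_DESCRIBE_OUTPUT))
```

In practice, feed it the live output of `aws rds describe-db-instances --output json` and run it on a schedule; an instance that shows up as `unencrypted` has to be replaced, since there is no in-place upgrade.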

The screenshot below shows how this configuration option looks in the AWS Management Console when launching a new RDS instance.

RDS encryption configuration in AWS Management Console

Encryption in Amazon RDS is also integrated with AWS CloudTrail to help you understand how and when a KMS key in your account was used to encrypt or decrypt your database. Both the volume ID and the database resource ID are passed as the encryption context and logged for each request to use your KMS key, so you can search against these values in your AWS CloudTrail logs.
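To make that search concrete, the script below is an added example (not code from the original post) that walks CloudTrail records, keeps only KMS calls whose encryption context carries an RDS database resource ID, and optionally narrows to one instance. It assumes the encryption context keys `aws:rds:db-id` (the instance's DbiResourceId) and `aws:ebs:id` (the underlying volume), which are the keys the KMS documentation describes for RDS; the records themselves are constructed, not real CloudTrail output.

```python
"""Filter CloudTrail records for KMS calls made on behalf of Amazon RDS.

Added example (not from the original post). Assumes the encryption context
keys "aws:rds:db-id" and "aws:ebs:id"; the records below are constructed.
"""
import json

KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/11111111-2222-3333-4444-555555555555"

# Constructed sample in the shape of a CloudTrail log file ("Records" array).
SAMPLE_TRAIL = json.dumps({"Records": [
    {   # RDS requesting a data key for the instance's volume
        "eventTime": "2015-01-06T20:11:02Z",
        "eventSource": "kms.amazonaws.com",
        "eventName": "GenerateDataKeyWithoutPlaintext",
        "requestParameters": {
            "encryptionContext": {"aws:rds:db-id": "db-EXAMPLE1",
                                  "aws:ebs:id": "vol-0123456789abcdef0"}},
        "resources": [{"ARN": KEY_ARN, "type": "AWS::KMS::Key"}],
    },
    {   # RDS decrypting that data key when the volume is attached
        "eventTime": "2015-01-06T20:12:40Z",
        "eventSource": "kms.amazonaws.com",
        "eventName": "Decrypt",
        "requestParameters": {
            "encryptionContext": {"aws:rds:db-id": "db-EXAMPLE1",
                                  "aws:ebs:id": "vol-0123456789abcdef0"}},
        "resources": [{"ARN": KEY_ARN, "type": "AWS::KMS::Key"}],
    },
    {   # a read replica of a different instance using the same key
        "eventTime": "2015-01-06T21:03:15Z",
        "eventSource": "kms.amazonaws.com",
        "eventName": "Decrypt",
        "requestParameters": {
            "encryptionContext": {"aws:rds:db-id": "db-EXAMPLE2",
                                  "aws:ebs:id": "vol-0fedcba9876543210"}},
        "resources": [{"ARN": KEY_ARN, "type": "AWS::KMS::Key"}],
    },
    {   # a Decrypt with no encryption context: not RDS, must not match
        "eventTime": "2015-01-06T21:05:00Z",
        "eventSource": "kms.amazonaws.com",
        "eventName": "Decrypt",
        "requestParameters": None,
        "resources": [{"ARN": KEY_ARN, "type": "AWS::KMS::Key"}],
    },
    {   # a non-KMS event: skipped
        "eventTime": "2015-01-06T19:58:31Z",
        "eventSource": "rds.amazonaws.com",
        "eventName": "CreateDBInstance",
        "requestParameters": {"dBInstanceIdentifier": "orders-db", "storageEncrypted": True},
    },
]})


def rds_key_usage(trail_json, db_resource_id=None):
    """Return KMS calls whose encryption context names an RDS instance.

    Each entry: {"time", "event", "key", "db_id", "volume_id"}.
    If db_resource_id is given, only calls for that instance are returned.
    """
    hits = []
    for rec in json.loads(trail_json).get("Records", []):
        if rec.get("eventSource") != "kms.amazonaws.com":
            continue
        # requestParameters can be null (e.g. on access-denied errors).
        ctx = (rec.get("requestParameters") or {}).get("encryptionContext") or {}
        db_id = ctx.get("aws:rds:db-id")
        if db_id is None or (db_resource_id and db_id != db_resource_id):
            continue
        key = next((r["ARN"] for r in rec.get("resources", [])
                    if r.get("type") == "AWS::KMS::Key"), None)
        hits.append({"time": rec["eventTime"], "event": rec["eventName"],
                     "key": key, "db_id": db_id, "volume_id": ctx.get("aws:ebs:id")})
    return sorted(hits, key=lambda h: h["time"])


def instances_using_key(trail_json, key_arn):
    """Sorted, de-duplicated RDS resource IDs seen with the given key."""
    return sorted({h["db_id"] for h in rds_key_usage(trail_json) if h["key"] == key_arn})


if __name__ == "__main__":
    for hit in rds_key_usage(SAMPLE_TRAIL, db_resource_id="db-EXAMPLE1"):
        print(hit)
    print(instances_using_key(SAMPLE_TRAIL, KEY_ARN))
```

The encryption-context match is the important part: a KMS `Decrypt` with no `aws:rds:db-id` in its context was not issued by RDS for your database, so a search that keys on the key ARN alone would over-count.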

For more detail on how Amazon RDS for MySQL or PostgreSQL supports encryption, visit Encryption Overview in the Amazon RDS User Guide and the Amazon RDS section of the AWS KMS Developer Guide.
