Remediation

Encrypt the Cluster

From Command Line

To encrypt an existing unencrypted RDS cluster, follow these steps:

Create a snapshot of the unencrypted cluster:

aws rds create-db-cluster-snapshot \
    --db-cluster-identifier {{unencrypted-cluster-id}} \
    --db-cluster-snapshot-identifier {{snapshot-id}}

Copy the snapshot with encryption enabled:

aws rds copy-db-cluster-snapshot \
--source-db-cluster-snapshot-identifier {{snapshot-id}} \
    --target-db-cluster-snapshot-identifier {{encrypted-snapshot-id}} \
    --kms-key-id {{your-kms-key-id}}

Restore the encrypted snapshot to a new cluster:

aws rds restore-db-cluster-from-snapshot \
    --db-cluster-identifier {{new-encrypted-cluster-id}} \
    --snapshot-identifier {{encrypted-snapshot-id}} \
    --engine {{engine-name}}

Update application connection strings to point to the new encrypted cluster.

Delete the old unencrypted cluster after confirming successful migration:

aws rds delete-db-cluster \
    --db-cluster-identifier {{unencrypted-cluster-id}} \
    --skip-final-snapshot

Encrypt the Cluster​

From Command Line​

Encrypt the Cluster

From Command Line