Remediation
Encrypt a Snapshot
To encrypt an unencrypted AWS RDS snapshot, create an encrypted copy of the existing snapshot using a KMS key, then remove the original unencrypted version.
From Command Line
- Create an encrypted copy of the snapshot:
    aws rds copy-db-snapshot \
        --source-db-snapshot-identifier {{source-snapshot-id}} \
        --target-db-snapshot-identifier {{new-snapshot-id}} \
        --kms-key-id {{kms-key-id}} \
        --copy-option-group \
        --copy-tags \
        --region {{region}}
- Delete the original unencrypted snapshot (optional):
  Once you have confirmed that the encrypted snapshot is available, delete the original unencrypted snapshot.
    aws rds delete-db-snapshot \
        --db-snapshot-identifier {{source-snapshot-id}} \
        --region {{region}}
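The two steps above combined into one guarded procedure, as an added example that is not part of the original page: the source snapshot is deleted only after the copy reports both `available` and `Encrypted`. The function names are hypothetical, and the four arguments correspond to the page's placeholders.

```shell
#!/bin/sh
# Added example: copy, wait, verify, then delete. Function names are hypothetical.

# Succeeds only when the snapshot reports Status=available and Encrypted=True.
snapshot_is_encrypted_and_available() {
  local snapshot_id="$1" region="$2" out status encrypted
  out=$(aws rds describe-db-snapshots \
    --db-snapshot-identifier "$snapshot_id" \
    --region "$region" \
    --query 'DBSnapshots[0].[Status,Encrypted]' \
    --output text) || return 1
  # Text output is one whitespace-separated line, e.g. "available True".
  read -r status encrypted <<EOF
$out
EOF
  [ "$status" = "available" ] || return 1
  case "$encrypted" in True|true) return 0 ;; *) return 1 ;; esac
}

# Args: <source-snapshot-id> <new-snapshot-id> <kms-key-id> <region>
encrypt_and_replace_snapshot() {
  local source_id="$1" target_id="$2" kms_key_id="$3" region="$4"
  aws rds copy-db-snapshot \
    --source-db-snapshot-identifier "$source_id" \
    --target-db-snapshot-identifier "$target_id" \
    --kms-key-id "$kms_key_id" \
    --copy-option-group --copy-tags \
    --region "$region" >/dev/null || return 1
  # The copy is asynchronous; the waiter polls until it is available or times out.
  aws rds wait db-snapshot-available \
    --db-snapshot-identifier "$target_id" --region "$region" || return 1
  if ! snapshot_is_encrypted_and_available "$target_id" "$region"; then
    echo "keeping $source_id: $target_id is not a verified encrypted copy" >&2
    return 1
  fi
  aws rds delete-db-snapshot \
    --db-snapshot-identifier "$source_id" --region "$region" >/dev/null
}

# Run only when invoked with all four arguments.
if [ "$#" -eq 4 ]; then
  encrypt_and_replace_snapshot "$@"
fi
```

If any step fails, the function returns non-zero and the unencrypted source snapshot is left in place.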