RDS database instance should be encrypted
このページは日本語には対応しておりません。随時翻訳に取り組んでいます。翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。
Description
Amazon RDS-encrypted database instances use the industry standard AES-256 encryption algorithm to encrypt your data on the server hosting your Amazon RDS DB instances. After your data is encrypted, Amazon RDS handles the authentication of access and decryption of your data transparently with a minimal impact on performance.
Rationale
With RDS encryption enabled, the data stored on the instance’s underlying storage, the automated backups, read replicas, and snapshots, are all encrypted.
From the console
Follow the Enabling Amazon RDS encryption for a DB instance documentation to ensure your database instances are encrypted.
From the command line
Run describe-db-instances
with an instance identifier query to list RDS database names.
aws rds describe-db-instances \
--query 'DBInstances[*].DBInstanceIdentifier'
Run create-db-snapshot
with any returned database instance you wish to modify.
aws rds create-db-snapshot \
--db-snapshot-identifier <insert-db-snapshot-id> \
--db-instance-identifier <insert-db-id>
Run list-aliases
to list KMS keys aliases by region.
aws kms list-aliases \
--region <insert-region>
Run copy-db-snapshot
with the kms-key-id
returned in step 3.
aws rds copy-db-snapshot \
--region <insert-region> \
--source-db-snapshot-identifier <insert-original-db-snapshot-id> \
--target-db-snapshot-identifier <insert-encrypted-db-snapshot-id> \
--copy-tags \
--kms-key-id <insert-kms-key-id>
Run restore-db-instance-from-db-snapshot
to restore the previously created snapshot.
aws rds restore-db-instance-from-db-snapshot \
--region <insert-region> \
--db-instance-identifier <insert-encrypted-db-id> \
--db-snapshot-identifier <insert-encrypted-db-snapshot-id>
Run describe-db-instances
with a query to ensure database encryption.
aws rds describe-db-instances \
--region <insert-region> \
--db-instance-identifier <insert-encrypted-db-snapshot-id> \
--query 'DBInstances[*].StorageEncrypted'