RDS snapshots are either unencrypted or encrypted at rest with a KMS key. Best practice today is to enable encryption at rest on your RDS instances and clusters, and to keep your RDS snapshots encrypted as well.
When you create an RDS snapshot from an RDS instance or cluster, the snapshot inherits the encryption state (and KMS key) of its source: an encrypted source produces an encrypted snapshot, and an unencrypted source produces an unencrypted one. The create-snapshot step itself offers no option to encrypt.
However, when you copy an RDS snapshot you can specify a KMS key, which encrypts the copy (or, for an already encrypted snapshot, re-encrypts it under a different key). So if you have an unencrypted RDS snapshot that you want to encrypt, copy it and supply a key along the way. The copy is a new snapshot; the original unencrypted snapshot stays where it is, so delete it once the encrypted copy is available and verified. Note that the reverse is not possible: a copy of an encrypted snapshot is always encrypted.
To encrypt an unencrypted RDS snapshot using the AWS Management Console, you can follow these steps:
Step 1: Find the snapshot that you want to encrypt, and select it by clicking the checkbox next to its name. You can select a “manual” snapshot, or one of the “automated” snapshots whose names are prefixed with “rds:”.
Step 2: From the “Snapshot Actions” menu, select “Copy Snapshot”.
Step 3: On the page that appears:
Step 4: Wait for the copy to complete.
Once the copy is initiated, return to the RDS snapshots page. The new snapshot appears in the list with a status of “creating”, and the status changes to “available” once the copy process is complete. Before deleting the original, confirm that the new snapshot is shown as encrypted and references the KMS key you chose.
If you want to encrypt your RDS snapshot using the AWS CLI, it can be done with the following command:
aws rds copy-db-snapshot \
    --source-db-snapshot-identifier my-source-snapshot \
    --target-db-snapshot-identifier target-snapshot \
    --kms-key-id <kms key>
The KMS key used in this command can be either:
If your RDS snapshot is an Aurora cluster snapshot, use copy-db-cluster-snapshot instead of copy-db-snapshot in the command above, with --source-db-cluster-snapshot-identifier and --target-db-cluster-snapshot-identifier in place of the instance snapshot identifier options.
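The procedure above (find an unencrypted snapshot, copy it with a KMS key, wait for "available", then verify) as a small shell script. This is an added example and not code from the original post. It assumes AWS CLI v2 configured with rds:DescribeDBSnapshots and rds:CopyDBSnapshot permissions plus usage rights on the target KMS key; the snapshot identifiers and key alias are placeholders. It also handles one detail the steps gloss over: automated snapshot names start with "rds:", but a target snapshot identifier may contain only letters, digits and hyphens, so the prefix has to be stripped when naming the copy.

```shell
#!/bin/sh
# Added example (not from the original post): encrypt an unencrypted RDS DB
# snapshot by copying it with a KMS key, then verify the copy.
# Assumptions: AWS CLI v2 is installed and configured; identifiers and the
# key alias used in the comments below are placeholders.
set -eu

# Derive a legal target identifier from a source identifier. Automated
# snapshots are named "rds:<instance>-<timestamp>", but a target identifier
# may only contain letters, digits and hyphens, so strip "rds:" and add a suffix.
target_id_for() {
    src=$1
    printf '%s-encrypted\n' "${src#rds:}"
}

# List every DB snapshot (manual and automated) that is not encrypted,
# one identifier per line.
list_unencrypted_snapshots() {
    aws rds describe-db-snapshots \
        --query 'DBSnapshots[?Encrypted==`false`].DBSnapshotIdentifier' \
        --output text | tr '\t' '\n'
}

# Copy the snapshot under the given KMS key (key ID, ARN, or alias), wait
# until the copy is "available", then print "<Encrypted>\t<KmsKeyId>" for it.
encrypt_snapshot() {
    src=$1
    key=$2
    dst=$(target_id_for "$src")
    aws rds copy-db-snapshot \
        --source-db-snapshot-identifier "$src" \
        --target-db-snapshot-identifier "$dst" \
        --kms-key-id "$key" >/dev/null
    aws rds wait db-snapshot-available --db-snapshot-identifier "$dst"
    aws rds describe-db-snapshots \
        --db-snapshot-identifier "$dst" \
        --query 'DBSnapshots[0].[Encrypted,KmsKeyId]' \
        --output text
}

# Succeed only if the describe line says Encrypted is true and a key is set.
# The KmsKeyId in the output is the key ARN even if an alias was passed in,
# so check presence rather than equality with the alias.
verify_encrypted() {
    enc=$(printf '%s\n' "$1" | cut -f1)
    key=$(printf '%s\n' "$1" | cut -f2)
    [ "$enc" = "True" ] && [ -n "$key" ] && [ "$key" != "None" ]
}

# Usage (placeholders):
#   result=$(encrypt_snapshot my-source-snapshot alias/rds-snapshot-key)
#   verify_encrypted "$result" && echo "encrypted copy verified"
# Or for every unencrypted snapshot in the account/region:
#   for s in $(list_unencrypted_snapshots); do
#       verify_encrypted "$(encrypt_snapshot "$s" alias/rds-snapshot-key)" || exit 1
#   done
```

Run verify_encrypted before deleting the source snapshot; for Aurora cluster snapshots swap in copy-db-cluster-snapshot, describe-db-cluster-snapshots and the db-cluster-snapshot-available waiter with the cluster identifier options.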