End-to-End Amazon RDS Snapshot Encryption with AWS KMS and CMKs

Introduction

Encryption plays a pivotal role when securing data at rest in the cloud. Amazon RDS (Relational Database Service) provides built-in support for encrypting your database instances, snapshots, read replicas, and automated backups using AWS Key Management Service (KMS).

In this blog, we will dive deep into how to encrypt Amazon RDS snapshots, especially how to do so using your own customer-managed KMS keys (CMKs) and explore best practices to ensure your database backups remain secure, compliant, and auditable.

Pioneers in Cloud Consulting & Migration Services

Reduced infrastructural costs
Accelerated application deployment

Get Started

Why Encrypt Amazon RDS Snapshots?

Encrypting Amazon RDS snapshots ensures that data stored in backups is unreadable to unauthorized users, even if access to the snapshot is somehow obtained. It helps:

Protect sensitive and regulated data
Prevent data leaks or misuse in the event of misconfigured access
Use fine-grained access control via AWS KMS

Remember: Encryption in Amazon RDS is a one-way process, once a snapshot is encrypted, it cannot be unencrypted.

rds

How Amazon RDS Encryption Works?

Amazon RDS uses envelope encryption:

Data is encrypted using a data key.
Data key is encrypted using an AWS KMS key (AWS-managed or customer-managed).
Encrypted snapshots inherit encryption from the DB instance or use a specified AWS KMS key if copied.

Amazon RDS supports encryption for the following engines:

Amazon Aurora
MySQL
PostgreSQL
MariaDB
Oracle
SQL Server

Use Case: Encrypting an Existing Unencrypted Snapshot

You cannot directly encrypt an unencrypted DB snapshot. Instead, you must:

Restore the unencrypted snapshot to a new DB instance.
Create a new encrypted snapshot using an AWS KMS CMK from this DB instance.

Let us go step by step.

Step 1: Restore an Unencrypted Snapshot

Go to the Amazon RDS Console.
Select Snapshots -> Choose your unencrypted snapshot.
Click Actions -> Restore Snapshot.
Configure your new DB instance (instance type, VPC, storage, etc.).
Leave the encryption setting blank, since the original snapshot is unencrypted.

This creates a new running DB instance from the unencrypted snapshot.

Step 2: Copy the DB Snapshot and Enable Encryption

Once the new DB instance is available:

Go to the Snapshots section in Amazon RDS.
Select the snapshot of the new instance.
Click Actions -> Copy Snapshot.
In the Copy Snapshot dialog:
1. Check Enable Encryption.
2. Under Master Key, select:
  1. AWS-managed key: aws/rds, or
  2. Customer-managed CMK (recommended for better control and auditability)

5. Provide a unique name for the new snapshot, then click Copy Snapshot.

Now, you have an encrypted RDS snapshot using an AWS KMS key of your choice.

Creating a Customer-Managed AWS KMS Key (CMK)

If you haven’t already created an AWS KMS CMK, follow these steps:

Open the AWS KMS Console.
Click Create Key.
Choose:
1. Symmetric key (default for RDS)
2. Key usage: Encrypt and decrypt
Add an alias (e.g., alias/rds-backup-key)
Add key administrators and users (IAM roles or users who can use the key)
Complete the creation.

This key will now appear in the Amazon RDS snapshot encryption options.

Only AWS IAM identities with appropriate kms:Encrypt, kms:Decrypt, and kms:CreateGrant permissions can use this key.

Copying Encrypted Snapshots Between Regions

You can also copy an encrypted Amazon RDS snapshot across regions, which is useful for:

Disaster recovery
Cross-region backups
Geo-redundancy

Steps:

Select your encrypted snapshot.
Click Actions -> Copy Snapshot.
Choose the destination region.
Ensure encryption is enabled.
You can even choose a different AWS KMS key in the target region.

AWS IAM Policies: Grant Access to AWS KMS Key

To allow Amazon RDS to use the AWS KMS CMK for encryption/decryption, ensure your key policy or AWS IAM permissions include something like:

Josn:

{
  "Effect": "Allow",
  "Principal": {
    "Service": "rds.amazonaws.com"
  },
  "Action": [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:GenerateDataKey",
    "kms:CreateGrant"
  ],
  "Resource": "*"
}

Josn:

{

"Effect": "Allow",

"Principal": {

"Service": "rds.amazonaws.com"

"Action": [

"kms:Encrypt",

"kms:Decrypt",

"kms:GenerateDataKey",

"kms:CreateGrant"

"Resource": "*"

}

Also ensure your DB admins have permissions to use rds:CopyDBSnapshot.

Verifying Snapshot Encryption

To check if a snapshot is encrypted:

Open Amazon RDS Console → Snapshots.
Look for the “Encrypted”
If it shows Yes, the snapshot is encrypted.

You can also verify via AWS CLI:

aws rds describe-db-snapshots \
  --db-snapshot-identifier my-snapshot-id \
  --query 'DBSnapshots[*].[DBSnapshotIdentifier,Encrypted,KmsKeyId]'

aws rds describe-db-snapshots \

--db-snapshot-identifier my-snapshot-id \

--query 'DBSnapshots[*].[DBSnapshotIdentifier,Encrypted,KmsKeyId]'

Common Errors and Troubleshooting

table

Automating Snapshot Encryption (Optional)

You can automate snapshot copying and encryption using AWS Lambda and Amazon CloudWatch Events. For example:

Trigger AWS Lambda on new unencrypted snapshot
Restore → Copy snapshot with encryption → Delete temporary DB instance

This is especially useful in environments with:

Legacy unencrypted snapshots
Audit requirements for automated encryption
Multi-account or multi-region backup strategies

rds2

Conclusion

Encrypting your Amazon RDS snapshots using AWS KMS customer-managed keys (CMKs) is critical for securing your data and meeting compliance requirements. AWS makes it easy to implement, and with automation, you can ensure zero-touch security for all your database backups.

Whether operating in a highly regulated industry or just wanting peace of mind, encrypting snapshots should be part of your standard AWS security strategy.

Drop a query if you have any questions regarding Amazon RDS snapshots and we will get back to you quickly.

Empowering organizations to become ‘data driven’ enterprises with our Cloud experts.

Reduced infrastructure costs
Timely data-driven decisions

Get Started

About CloudThat

CloudThat is an award-winning company and the first in India to offer cloud training and consulting services worldwide. As a Microsoft Solutions Partner, AWS Advanced Tier Training Partner, and Google Cloud Platform Partner, CloudThat has empowered over 850,000 professionals through 600+ cloud certifications winning global recognition for its training excellence including 20 MCT Trainers in Microsoft’s Global Top 100 and an impressive 12 awards in the last 8 years. CloudThat specializes in Cloud Migration, Data Platforms, DevOps, IoT, and cutting-edge technologies like Gen AI & AI/ML. It has delivered over 500 consulting projects for 250+ organizations in 30+ countries as it continues to empower professionals and enterprises to thrive in the digital-first world.