
End-to-End Amazon RDS Snapshot Encryption with AWS KMS and CMKs


Introduction

Encryption plays a pivotal role when securing data at rest in the cloud. Amazon RDS (Relational Database Service) provides built-in support for encrypting your database instances, snapshots, read replicas, and automated backups using AWS Key Management Service (KMS).

In this blog, we will walk through how to encrypt Amazon RDS snapshots, in particular using your own customer-managed KMS keys (CMKs), and explore best practices to keep your database backups secure, compliant, and auditable.


Why Encrypt Amazon RDS Snapshots?

Encrypting Amazon RDS snapshots ensures that data stored in backups is unreadable to unauthorized users, even if access to the snapshot is somehow obtained. It helps:

  • Protect sensitive and regulated data
  • Prevent data leaks or misuse in the event of misconfigured access
  • Use fine-grained access control via AWS KMS

Remember: encryption in Amazon RDS is a one-way process. Once a snapshot is encrypted, it cannot be unencrypted.


How Amazon RDS Encryption Works

Amazon RDS uses envelope encryption:

  • Data is encrypted with a data key.
  • The data key is itself encrypted with an AWS KMS key (AWS-managed or customer-managed).
  • Snapshots inherit the encryption of the DB instance they are taken from, or use the AWS KMS key you specify when a snapshot is copied.

Amazon RDS supports encryption for the following engines:

  • Amazon Aurora
  • MySQL
  • PostgreSQL
  • MariaDB
  • Oracle
  • SQL Server

Use Case: Encrypting an Existing Unencrypted Snapshot

You cannot directly encrypt an unencrypted DB snapshot. Instead, you must:

  1. Restore the unencrypted snapshot to a new DB instance.
  2. Create a new encrypted snapshot using an AWS KMS CMK from this DB instance.

Let us go step by step.

Step 1: Restore an Unencrypted Snapshot

  1. Go to the Amazon RDS Console.
  2. Select Snapshots -> Choose your unencrypted snapshot.
  3. Click Actions -> Restore Snapshot.
  4. Configure your new DB instance (instance type, VPC, storage, etc.).
  5. Leave the encryption setting blank, since the original snapshot is unencrypted.

This creates a new running DB instance from the unencrypted snapshot.

Step 2: Copy the DB Snapshot and Enable Encryption

Once the new DB instance is available:

  1. Go to the Snapshots section in Amazon RDS.
  2. Select the snapshot of the new instance.
  3. Click Actions -> Copy Snapshot.
  4. In the Copy Snapshot dialog:
    1. Check Enable Encryption.
    2. Under Master Key, select:
      1. AWS-managed key: aws/rds, or
      2. Customer-managed CMK (recommended for better control and auditability)
  5. Provide a unique name for the new snapshot, then click Copy Snapshot.

Now, you have an encrypted RDS snapshot using an AWS KMS key of your choice.

Creating a Customer-Managed AWS KMS Key (CMK)

If you haven’t already created an AWS KMS CMK, follow these steps:

  1. Open the AWS KMS Console.
  2. Click Create Key.
  3. Choose:
    1. Symmetric key (default for RDS)
    2. Key usage: Encrypt and decrypt
  4. Add an alias (e.g., alias/rds-backup-key)
  5. Add key administrators and users (IAM roles or users who can use the key)
  6. Complete the creation.

This key will now appear in the Amazon RDS snapshot encryption options.

Only AWS IAM identities with appropriate kms:Encrypt, kms:Decrypt, and kms:CreateGrant permissions can use this key.

Copying Encrypted Snapshots Between Regions

You can also copy an encrypted Amazon RDS snapshot across regions, which is useful for:

  • Disaster recovery
  • Cross-region backups
  • Geo-redundancy

Steps:

  1. Select your encrypted snapshot.
  2. Click Actions -> Copy Snapshot.
  3. Choose the destination region.
  4. Ensure encryption is enabled.
  5. You can even choose a different AWS KMS key in the target region.
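The cross-region copy described above, issued with boto3, is shown here as an added example (it is not code from the post). It assumes the source snapshot is named by its ARN, that the key you pass lives in the destination region, and that the RDS client you hand in was created for the destination region; the ARNs in the script are constructed placeholders. The validation step exists because the two usual reasons such a copy fails are a bare snapshot identifier instead of an ARN and a KMS key from the wrong region.

```python
"""Cross-region copy of an encrypted RDS snapshot under a destination-region CMK.

Added example (not the post's code). The client is passed in so the checks can be
exercised without AWS access; boto3 is imported only in the script entry point.
"""


def arn_region(arn):
    """Return the region field of an AWS ARN (arn:partition:service:region:account:resource)."""
    parts = arn.split(":", 5)
    if len(parts) < 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    return parts[3]


def validate_cross_region_copy(source_snapshot, dest_region, dest_kms_key):
    """Return the problems that would make CopyDBSnapshot fail (empty list when the request is sound)."""
    problems = []
    # A snapshot in another region must be named by its ARN, not its bare identifier.
    if not source_snapshot.startswith("arn:aws:rds:"):
        problems.append("cross-region copies must name the source snapshot by ARN, not bare identifier")
    elif arn_region(source_snapshot) == dest_region:
        problems.append("source snapshot is already in the destination region")
    # KMS keys are regional: the key used for the copy must live in the destination region.
    if dest_kms_key.startswith("arn:") and arn_region(dest_kms_key) != dest_region:
        problems.append(f"KMS keys are regional: {dest_kms_key} is not in {dest_region}")
    return problems


def copy_snapshot_cross_region(dest_rds, source_snapshot_arn, target_identifier, dest_kms_key):
    """Copy an encrypted snapshot into the region of dest_rds, re-encrypting it under dest_kms_key."""
    dest_region = dest_rds.meta.region_name
    problems = validate_cross_region_copy(source_snapshot_arn, dest_region, dest_kms_key)
    if problems:
        raise ValueError("; ".join(problems))
    return dest_rds.copy_db_snapshot(
        SourceDBSnapshotIdentifier=source_snapshot_arn,
        TargetDBSnapshotIdentifier=target_identifier,
        KmsKeyId=dest_kms_key,                          # key in the destination region
        SourceRegion=arn_region(source_snapshot_arn),   # lets boto3 generate the PreSignedUrl the API requires
        CopyTags=True,
    )


if __name__ == "__main__":
    import boto3
    # Constructed placeholder values; replace with your own snapshot ARN and destination-region key.
    src = "arn:aws:rds:us-east-1:111122223333:snapshot:prod-db-2024-06-01"
    key = "arn:aws:kms:eu-west-1:111122223333:key/00000000-0000-0000-0000-000000000000"
    dest = boto3.client("rds", region_name="eu-west-1")
    resp = copy_snapshot_cross_region(dest, src, "prod-db-2024-06-01-eu", key)
    print(resp["DBSnapshot"]["DBSnapshotIdentifier"], resp["DBSnapshot"].get("Status"))
```

The copy itself is asynchronous: the response comes back while the snapshot is still being created, so poll `describe-db-snapshots` in the destination region (or use the `db_snapshot_available` waiter) before relying on it for disaster recovery.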

AWS IAM Policies: Grant Access to AWS KMS Key

To allow Amazon RDS to use the AWS KMS CMK for encryption/decryption, ensure your key policy or AWS IAM permissions include something like:

Also ensure your DB admins have permissions to use rds:CopyDBSnapshot.

Verifying Snapshot Encryption

To check if a snapshot is encrypted:

  1. Open Amazon RDS Console → Snapshots.
  2. Look for the “Encrypted” column.
  3. If it shows Yes, the snapshot is encrypted.

You can also verify via AWS CLI:

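The console and CLI checks above, as an added example (not the post's code) that goes one step further: besides reading the `Encrypted` flag, it asks KMS who manages the key, so you can tell an `aws/rds`-encrypted snapshot from one encrypted with your CMK, and it can sweep a whole region for snapshots that do not use the approved key. The equivalent CLI command is in the docstring; the RDS and KMS clients are passed in, so the logic runs against fakes without AWS access.

```python
"""Verify whether RDS snapshots are encrypted, and with which kind of key.

Added example (not the post's code). Equivalent one-snapshot check from the CLI:
    aws rds describe-db-snapshots --db-snapshot-identifier <snapshot-id> \
        --query 'DBSnapshots[0].[DBSnapshotIdentifier,Encrypted,KmsKeyId]'
boto3 is only imported when this file is executed as a script.
"""


def classify_snapshot(snapshot, key_manager=None):
    """Classify one describe_db_snapshots record. key_manager is KeyMetadata.KeyManager from
    kms.describe_key ('AWS' for aws/rds, 'CUSTOMER' for a CMK), or None when not looked up."""
    if not snapshot.get("Encrypted"):
        return "unencrypted"
    if key_manager == "AWS":
        return "aws-managed-key"
    if key_manager == "CUSTOMER":
        return "customer-managed-key"
    return "encrypted-unknown-key"


def _key_manager(kms, key_id, cache):
    """Look up (and memoise) who manages a key; describe_key accepts a key ARN, key id or alias."""
    if key_id not in cache:
        cache[key_id] = kms.describe_key(KeyId=key_id)["KeyMetadata"]["KeyManager"]
    return cache[key_id]


def verify_snapshot(rds, kms, snapshot_id):
    """Programmatic equivalent of reading the Encrypted column, plus which key was used."""
    snap = rds.describe_db_snapshots(DBSnapshotIdentifier=snapshot_id)["DBSnapshots"][0]
    key = snap.get("KmsKeyId")
    manager = _key_manager(kms, key, {}) if key else None
    return {"snapshot": snapshot_id, "encrypted": bool(snap.get("Encrypted")),
            "key": key, "status": classify_snapshot(snap, manager)}


def audit_snapshots(rds, kms, approved_key_arn=None):
    """Report every snapshot in the region that is not encrypted with the approved CMK
    (or, when no key is given, with any customer-managed key)."""
    findings, cache = [], {}
    for page in rds.get_paginator("describe_db_snapshots").paginate():
        for snap in page["DBSnapshots"]:
            key = snap.get("KmsKeyId")
            status = classify_snapshot(snap, _key_manager(kms, key, cache) if key else None)
            compliant = status == "customer-managed-key" and (approved_key_arn is None or key == approved_key_arn)
            if not compliant:
                findings.append({"snapshot": snap["DBSnapshotIdentifier"], "status": status, "key": key})
    return findings


if __name__ == "__main__":
    import sys
    import boto3
    rds, kms = boto3.client("rds"), boto3.client("kms")
    if len(sys.argv) > 1:
        print(verify_snapshot(rds, kms, sys.argv[1]))
    else:
        for f in audit_snapshots(rds, kms):
            print(f"{f['snapshot']}: {f['status']} ({f['key']})")
```

Run it with a snapshot identifier to verify one snapshot, or without arguments to list every snapshot in the region that still needs attention; the KMS lookup needs `kms:DescribeKey` on each key, including `aws/rds`.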
Common Errors and Troubleshooting


Automating Snapshot Encryption (Optional)

You can automate snapshot copying and encryption using AWS Lambda and Amazon CloudWatch Events. For example:

  • Trigger AWS Lambda on new unencrypted snapshot
  • Restore → Copy snapshot with encryption → Delete temporary DB instance

This is especially useful in environments with:

  • Legacy unencrypted snapshots
  • Audit requirements for automated encryption
  • Multi-account or multi-region backup strategies
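An added example (not the post's code) that implements both the Step 1 / Step 2 procedure above (restore the unencrypted snapshot, snapshot the restored instance, copy that snapshot with encryption enabled, delete the temporary instance) and the Lambda automation sketched in this section. The RDS client is passed in so the flow can be exercised with a fake; boto3 is imported only when running for real. The naming prefixes, the `KMS_KEY_ID` environment variable, the tag on the temporary instance, and the event shape (`detail.SourceType`, `detail.SourceIdentifier`) are assumptions.

```python
"""Restore -> snapshot -> encrypted copy -> clean up, for an unencrypted RDS snapshot.

Added example (not the post's code). Prefixes, tag and event shape are assumptions.
"""
import os

TEMP_PREFIX = "tmp-encrypt-"   # assumed name for the temporary instance and its unencrypted snapshot
ENC_PREFIX = "enc-"            # assumed name for the encrypted copy


def plan_encryption(snapshot, kms_key_id):
    """Decide what to do with one describe_db_snapshots record."""
    sid = snapshot["DBSnapshotIdentifier"]
    if snapshot.get("Encrypted"):
        return {"action": "skip", "reason": "already encrypted", "snapshot": sid}
    # The temporary snapshot and the encrypted copy raise snapshot events of their own; never recurse on them.
    if sid.startswith(TEMP_PREFIX) or sid.startswith(ENC_PREFIX):
        return {"action": "skip", "reason": "produced by this automation", "snapshot": sid}
    return {
        "action": "encrypt",
        "source_snapshot": sid,
        "temp_instance": (TEMP_PREFIX + sid)[:63].rstrip("-"),   # DB instance identifiers max out at 63 chars
        "temp_snapshot": TEMP_PREFIX + sid,
        "target_snapshot": ENC_PREFIX + sid,
        "kms_key_id": kms_key_id,
    }


def encrypt_snapshot(rds, plan, instance_class="db.t3.micro"):
    """Run the plan synchronously and return the encrypted snapshot identifier."""
    # Step 1: restore the unencrypted snapshot to a temporary instance (no KmsKeyId, so it stays unencrypted).
    rds.restore_db_instance_from_db_snapshot(
        DBInstanceIdentifier=plan["temp_instance"],
        DBSnapshotIdentifier=plan["source_snapshot"],
        DBInstanceClass=instance_class,
        PubliclyAccessible=False,
        Tags=[{"Key": "purpose", "Value": "snapshot-encryption-temp"}],   # assumed tag
    )
    rds.get_waiter("db_instance_available").wait(DBInstanceIdentifier=plan["temp_instance"])
    # Step 2: snapshot the restored instance, then copy that snapshot with encryption enabled.
    rds.create_db_snapshot(DBSnapshotIdentifier=plan["temp_snapshot"],
                           DBInstanceIdentifier=plan["temp_instance"])
    rds.get_waiter("db_snapshot_available").wait(DBSnapshotIdentifier=plan["temp_snapshot"])
    rds.copy_db_snapshot(
        SourceDBSnapshotIdentifier=plan["temp_snapshot"],
        TargetDBSnapshotIdentifier=plan["target_snapshot"],
        KmsKeyId=plan["kms_key_id"],   # supplying a key on copy is what produces the encrypted snapshot
        CopyTags=True,
    )
    rds.get_waiter("db_snapshot_available").wait(DBSnapshotIdentifier=plan["target_snapshot"])
    # Clean up the unencrypted intermediates: the temporary instance (with its automated backups) and its snapshot.
    rds.delete_db_instance(DBInstanceIdentifier=plan["temp_instance"],
                           SkipFinalSnapshot=True, DeleteAutomatedBackups=True)
    rds.delete_db_snapshot(DBSnapshotIdentifier=plan["temp_snapshot"])
    return plan["target_snapshot"]


def lambda_handler(event, context=None, rds=None, kms_key_id=None):
    """EventBridge entry point for RDS snapshot events (assumed detail keys: SourceType, SourceIdentifier)."""
    detail = event.get("detail", {})
    if detail.get("SourceType") != "DB_SNAPSHOT" or "SourceIdentifier" not in detail:
        return {"action": "ignore", "reason": "not a DB snapshot event"}
    if rds is None:
        import boto3
        rds = boto3.client("rds")
    kms_key_id = kms_key_id or os.environ["KMS_KEY_ID"]   # assumed environment variable
    snap = rds.describe_db_snapshots(DBSnapshotIdentifier=detail["SourceIdentifier"])["DBSnapshots"][0]
    plan = plan_encryption(snap, kms_key_id)
    if plan["action"] != "encrypt":
        return plan
    return {"action": "encrypted", "snapshot": encrypt_snapshot(rds, plan)}
```

One caveat for the Lambda path: a restore can take longer than Lambda's 15-minute maximum run time, and the waiters here block. For a workstation run or a job that can wait (Step Functions, a container task) `encrypt_snapshot` can be called as is; inside Lambda, let the handler validate the event and build the plan, and hand the plan to something that can wait for the restore. The prefix check in `plan_encryption` is what keeps the automation from re-processing the snapshots it creates itself.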


Conclusion

Encrypting your Amazon RDS snapshots using AWS KMS customer-managed keys (CMKs) is critical for securing your data and meeting compliance requirements. AWS makes it easy to implement, and with automation, you can ensure zero-touch security for all your database backups.

Whether operating in a highly regulated industry or just wanting peace of mind, encrypting snapshots should be part of your standard AWS security strategy.

Drop a query if you have any questions regarding Amazon RDS snapshots and we will get back to you quickly.



FAQs

1. Can you encrypt an existing unencrypted Amazon RDS snapshot directly?

ANS: No. You must first restore it to a new DB instance and then create an encrypted snapshot from that instance.

2. What is a customer-managed key (CMK)?

ANS: A CMK is a KMS key you create, manage, and control (as opposed to AWS-managed keys).

WRITTEN BY Deepak Kumar Manjhi
