RDS Migration: AWS-Managed to CMK Encryption

As part of security and compliance best practices, it is essential to enhance data protection by transitioning from AWS-managed encryption keys to Customer Managed Keys (CMK).

Business Requirement

During database migration or restoration, it is not possible to directly change encryption from AWS-managed keys to Customer-Managed Keys (CMK).

During migration, a snapshot of the database must be created and then copied so that the copy is re-encrypted with the CMK; this gives a secure transition while keeping downtime to a minimum. This document provides a streamlined approach that saves time and keeps the migration aligned with best practices.

Fig: RDS Snapshot Encrypted with AWS-Managed KMS Key

Objective

This document aims to provide a structured process for creating a database snapshot, encrypting it with a new CMK, and restoring it while maintaining the original database configurations. This ensures minimal disruption to operations while strengthening data security.

  • Recovery Process
  • Prerequisites
  • Configuration Overview
  • Best Practices

Prerequisites

Before proceeding with the snapshot and restoration process, ensure the following prerequisites are met:

  1. AWS Access: You must have the IAM permissions required to create, copy, and restore RDS snapshots, and to use the target KMS key.
  2. AWS KMS Key: Ensure a Customer-Managed Key (CMK) is available in the AWS Key Management Service (KMS) in the same region as the database.
  3. Database Availability: Verify that the existing database is in a healthy state so the snapshot is consistent.
  4. Storage Considerations: Ensure sufficient storage is available to accommodate the snapshot, its encrypted copy, and the restored instance.
  5. Networking Configurations: Ensure the appropriate security groups, subnet groups, and VPC settings are in place.
  6. Backup Strategy: Have a backup plan in case of any failure during the process.

Configuration Overview

Step 1: Take a Snapshot of the Existing Database

  1. Log in to the AWS console with your credentials.
  2. Navigate to the RDS section where you manage database instances.
  3. Select the existing database for which you want to create the snapshot.
  4. Click on the Create Snapshot button.
  5. Provide a name and description for the snapshot, if necessary.
  6. Click Create Snapshot to initiate the snapshot creation process.
  7. Wait for the snapshot creation to complete before proceeding to the next step.

Step 2: Copy Snapshot with New Encryption Keys

  1. Navigate to the section where your snapshots are stored.
  2. Locate the newly created snapshot in the list of available snapshots.
  3. Select the snapshot and click the Copy Snapshot option.
  4. In the encryption settings, choose New Encryption Key and select the Customer Managed Key (CMK) that the copy should be encrypted with.
  5. Follow the prompts to copy the snapshot with the new encryption key, then click Next to continue.

Step 4: Navigate to the Newly Created Snapshot and Choose Restore

  1. Once the new snapshot is successfully created, navigate to the list of available snapshots.
  2. Locate the newly created snapshot.
  3. Select the snapshot and choose the Restore or Action → Restore option.

Step 5: Fill in the Details to Match the Old Database

  1. When prompted to restore the snapshot, fill in the details using the same configuration as the old database. This includes:
       • Instance size
       • Database configurations
       • Networking details
       • Storage options
  2. Ensure all configurations match the old setup to maintain continuity.

Step 6: Create the Restored Database Output

  1. After filling in the necessary details, click Create to restore the snapshot to a new instance.
  2. Wait for the restore process to complete.
  3. Verify that the new database has been restored successfully and is encrypted with the CMK.
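The same six steps expressed against the RDS API, as an added example that is not part of the original post. It uses boto3 calls (create_db_snapshot, copy_db_snapshot with KmsKeyId, restore_db_instance_from_db_snapshot and the corresponding waiters); the snapshot names, the parity fields checked in check_restore and the sample records are assumptions chosen for this example.

```python
# Attributes that must match between the source and the restored instance
PARITY_FIELDS = ("DBInstanceClass", "Engine", "EngineVersion", "MultiAZ",
                 "StorageType", "AllocatedStorage")


def classify_key(key_metadata: dict) -> str:
    """KMS DescribeKey metadata: KeyManager is "AWS" for aws/rds, "CUSTOMER" for a CMK."""
    return "CMK" if key_metadata.get("KeyManager") == "CUSTOMER" else "AWS_MANAGED"


def check_restore(source: dict, restored: dict, target_cmk_arn: str) -> list:
    """Compare two DescribeDBInstances records; an empty list means the restore is good."""
    problems = []
    if not restored.get("StorageEncrypted") or restored.get("KmsKeyId") != target_cmk_arn:
        problems.append(f"encryption: expected {target_cmk_arn}, got {restored.get('KmsKeyId')}")
    for field in PARITY_FIELDS:
        if source.get(field) != restored.get(field):
            problems.append(f"{field}: source={source.get(field)!r} restored={restored.get(field)!r}")
    sgs = [sorted(g["VpcSecurityGroupId"] for g in d.get("VpcSecurityGroups", []))
           for d in (source, restored)]
    if sgs[0] != sgs[1]:
        problems.append(f"security groups: source={sgs[0]} restored={sgs[1]}")
    subnets = [d.get("DBSubnetGroup", {}).get("DBSubnetGroupName") for d in (source, restored)]
    if subnets[0] != subnets[1]:
        problems.append(f"subnet group: source={subnets[0]} restored={subnets[1]}")
    return problems


def migrate(source_id: str, restored_id: str, target_cmk_arn: str, region: str) -> list:
    """Run the page's steps through the RDS API and return check_restore()'s findings."""
    import boto3  # imported here so the pure checks above work without boto3 installed
    rds = boto3.client("rds", region_name=region)
    snap, snap_cmk = f"{source_id}-pre-cmk", f"{source_id}-cmk"  # constructed names
    # Step 1: snapshot the source (still under the AWS-managed key)
    rds.create_db_snapshot(DBInstanceIdentifier=source_id, DBSnapshotIdentifier=snap)
    rds.get_waiter("db_snapshot_available").wait(DBSnapshotIdentifier=snap)
    # Step 2: copying with KmsKeyId re-encrypts the copy under the CMK
    rds.copy_db_snapshot(SourceDBSnapshotIdentifier=snap, TargetDBSnapshotIdentifier=snap_cmk,
                         KmsKeyId=target_cmk_arn, CopyTags=True)
    rds.get_waiter("db_snapshot_available").wait(DBSnapshotIdentifier=snap_cmk)
    src = rds.describe_db_instances(DBInstanceIdentifier=source_id)["DBInstances"][0]
    rds.restore_db_instance_from_db_snapshot(  # Steps 4-5: restore with the old configuration
        DBInstanceIdentifier=restored_id, DBSnapshotIdentifier=snap_cmk,
        DBInstanceClass=src["DBInstanceClass"], MultiAZ=src["MultiAZ"],
        StorageType=src["StorageType"], CopyTagsToSnapshot=True,
        DBSubnetGroupName=src["DBSubnetGroup"]["DBSubnetGroupName"],
        VpcSecurityGroupIds=[g["VpcSecurityGroupId"] for g in src["VpcSecurityGroups"]])
    rds.get_waiter("db_instance_available").wait(DBInstanceIdentifier=restored_id)
    restored = rds.describe_db_instances(DBInstanceIdentifier=restored_id)["DBInstances"][0]
    return check_restore(src, restored, target_cmk_arn)  # Step 6: verify before cutting over
```

The restored instance gets a new endpoint, so application connection strings still need to be switched once check_restore returns no findings.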

Best Practices for RDS Encryption

  • Enable automated backups and validate snapshots.
  • Secure encryption keys and monitor storage costs.
  • Test restored databases before switching traffic.
  • Ensure security groups and CloudWatch monitoring are set up.

Together, these practices ensure a secure and efficient RDS snapshot process.

Conclusion

Following these steps ensures a secure, efficient, and smooth process for taking, encrypting, and restoring RDS snapshots in AWS. Implementing best practices such as automated backups, encryption key management, and proactive monitoring can enhance data security and operational resilience. Proper planning and validation at each step will minimize risks and help maintain business continuity.

Sanghapal Gadpayale

Sanghapal Gadpayale is a Lead Technical Consultant at Perficient, with over seven years of expertise in DevOps and AWS cloud infrastructure management. He holds global certifications in AWS Certified Solutions Architect - Associate, GCP Professional, and Scrum, showcasing his commitment to excellence and industry-recognized proficiency. Sanghapal is known for his fun-loving nature and creative problem-solving abilities, which he brings to his collaborative work with teams, striving to achieve exceptional outcomes and drive success in every project he undertakes.
