01 Run describe-db-instances command (OSX/Linux/UNIX) to list all RDS database names (identifiers) available in the selected AWS region:
aws rds describe-db-instances \
  --region us-east-1 \
  --query 'DBInstances[*].DBInstanceIdentifier'
02 The command output should return each database instance identifier:
03 Run create-db-snapshot command (OSX/Linux/UNIX) to create a snapshot of the selected database instance. The following command example creates a snapshot named prod-mysql-db-snapshot from an RDS instance named prod-mysql-db:
aws rds create-db-snapshot \
  --region us-east-1 \
  --db-snapshot-identifier prod-mysql-db-snapshot \
  --db-instance-identifier prod-mysql-db
04 The command output should return the new snapshot metadata:
{
"DBSnapshot": {
"Engine": "mysql",
"Status": "creating",
"AvailabilityZone": "us-east-1b",
"PercentProgress": 0,
"MasterUsername": "webappdb",
"Encrypted": false,
"LicenseModel": "general-public-license",
"StorageType": "gp2",
"VpcId": "vpc-f7ac5792",
"DBSnapshotIdentifier": "prod-mysql-db-snapshot",
"InstanceCreateTime": "2016-04-30T15:44:26.042Z",
"OptionGroupName": "default:mysql-5-6",
"AllocatedStorage": 5,
"EngineVersion": "5.6.27",
"SnapshotType": "manual",
"Port": 3306,
"DBInstanceIdentifier": "prod-mysql-db"
}
}
05 Now run list-aliases command (OSX/Linux/UNIX) to list the KMS key aliases (names) available in the specified region:
aws kms list-aliases \
  --region us-east-1
06 The command output should return each key alias currently available. For our RDS encryption activation process, locate the key ID (the TargetKeyId value) of the AWS-managed default KMS key provided for database encryption (alias/aws/rds):
{
"Aliases": [
{
"AliasArn": "arn:aws:kms:us-east-1:123456789012:alias/aws/ebs",
"AliasName": "alias/aws/ebs",
"TargetKeyId": "d6c03026-b0bd-451e-a864-a68355f4f035"
},
{
"AliasArn": "arn:aws:kms:us-east-1:123456789012:alias/aws/rds",
"AliasName": "alias/aws/rds",
"TargetKeyId": "8d8d3ab9-db2a-428f-b82e-d38cb05ce1a4"
},
{
"AliasArn": "arn:aws:kms:us-east-1:123456789012:alias/aws/s3",
"AliasName": "alias/aws/s3"
}
]
}
07 Run copy-db-snapshot command (OSX/Linux/UNIX), passing the default KMS key ID for RDS instances returned at the previous step (the TargetKeyId of alias/aws/rds), to create an encrypted copy of the database instance snapshot:
aws rds copy-db-snapshot \
  --region us-east-1 \
  --source-db-snapshot-identifier prod-mysql-db-snapshot \
  --target-db-snapshot-identifier prod-mysql-db-snapshot-encrypted \
  --copy-tags \
  --kms-key-id 8d8d3ab9-db2a-428f-b82e-d38cb05ce1a4
08 The command output should return the encrypted instance snapshot (copy) metadata:
{
"DBSnapshot": {
"Engine": "mysql",
"Status": "creating",
"AvailabilityZone": "us-east-1b",
"SourceRegion": "us-east-1",
"PercentProgress": 0,
"MasterUsername": "webappdb",
"Encrypted": true,
"LicenseModel": "general-public-license",
"StorageType": "gp2",
"KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/8d8d3ab9-db2a-428f-b82e-d38cb05ce1a4",
"VpcId": "vpc-f7ac5792",
"SourceDBSnapshotIdentifier": "arn:aws:rds:us-east-1:123456789012:snapshot:prod-mysql-db-snapshot",
"DBSnapshotIdentifier": "prod-mysql-db-snapshot-encrypted",
"InstanceCreateTime": "2016-04-30T15:44:26.042Z",
"OptionGroupName": "default:mysql-5-6",
"AllocatedStorage": 5,
"EngineVersion": "5.6.27",
"SnapshotType": "manual",
"Port": 3306,
"DBInstanceIdentifier": "prod-mysql-db"
}
}
09 Run restore-db-instance-from-db-snapshot command (OSX/Linux/UNIX) to restore the encrypted snapshot created at the previous step to a new database instance:
aws rds restore-db-instance-from-db-snapshot \
  --region us-east-1 \
  --db-instance-identifier prod-mysql-db-encrypted \
  --db-snapshot-identifier prod-mysql-db-snapshot-encrypted
10 If successful, the command output should return the new encrypted database instance metadata:
{
"DBInstance": {
"PubliclyAccessible": true,
"MasterUsername": "webappdb",
"MonitoringInterval": 0,
"LicenseModel": "general-public-license",
...
"DbiResourceId": "db-GPXVANNOGAXV5BMSEF2U2JEW5A",
"CACertificateIdentifier": "rds-ca-2015",
"KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/8d8d3ab9-db2a-428f-b82e-d38cb05ce1a4",
"StorageEncrypted": true,
"DBInstanceClass": "db.m3.medium",
"DbInstancePort": 0,
"DBInstanceIdentifier": "prod-mysql-db-encrypted"
}
}
11 Run describe-db-instances command (OSX/Linux/UNIX) to make sure the new database instance is encrypted:
aws rds describe-db-instances \
  --region us-east-1 \
  --db-instance-identifier prod-mysql-db-encrypted \
  --query 'DBInstances[*].StorageEncrypted'
12 The command output should return the encryption status (as the StorageEncrypted parameter value) for the selected instance (true for enabled, false for disabled):
13 Repeat steps no. 1 – 12 for each RDS instance provisioned in the current region. Change the AWS region by using the --region filter to repeat the process for other regions.
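Steps 1 to 13 as one POSIX shell script, added here as an example and not part of the original guide. It assumes the AWS CLI is installed with credentials for the target account, derives the snapshot and instance names with the same suffixes the walkthrough uses (-snapshot, -snapshot-encrypted, -encrypted), and selects the alias/aws/rds key with a JMESPath filter instead of reading the listing by eye. The functions (unencrypted_rds_instances, rds_default_kms_key_id, rds_key_id_from_aliases_json, looks_like_kms_key_id, encrypt_rds_instance, main) and the SAMPLE_LIST_ALIASES JSON are the example's own constructions; the sample reproduces the shape of the step 6 listing and is not real account output.

```shell
#!/bin/sh
# Added example: automates steps 1-12 for every unencrypted RDS instance in a region.
# Assumes the AWS CLI is installed and has credentials for the target account.

# Steps 1 and 11 combined: list only instances whose storage is not yet encrypted.
unencrypted_rds_instances() {
  aws rds describe-db-instances --region "$1" \
    --query 'DBInstances[?StorageEncrypted==`false`].DBInstanceIdentifier' \
    --output text
}

# Steps 5/6: the ID of the AWS-managed key behind alias/aws/rds, filtered server-side.
rds_default_kms_key_id() {
  aws kms list-aliases --region "$1" \
    --query "Aliases[?AliasName=='alias/aws/rds'].TargetKeyId" --output text
}

# Offline alternative for step 6: parse saved `aws kms list-aliases` JSON from stdin.
# Tolerates any key order inside an alias object; the CLI prints one key per line.
rds_key_id_from_aliases_json() {
  awk -v want="alias/aws/rds" '
    /^[[:space:]]*[{]/ { name = ""; key = "" }
    /"AliasName"/      { split($0, f, "\""); name = f[4] }
    /"TargetKeyId"/    { split($0, f, "\""); key = f[4] }
    /^[[:space:]]*[}]/ { if (name == want && key != "") { print key; exit } }
  '
}

# Guard against a mistyped key ID, which would make copy-db-snapshot fail only after
# the unencrypted snapshot has already been taken. Accepts a bare key ID or a key ARN.
looks_like_kms_key_id() {
  printf '%s\n' "$1" | grep -Eq \
    '^(arn:aws:kms:[a-z0-9-]+:[0-9]{12}:key/)?[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# Steps 3, 7, 9 and 11, using the CLI waiters so each step starts only once the
# previous resource is "available". Returns non-zero if the result is not encrypted.
encrypt_rds_instance() {
  region=$1 instance=$2 key_id=$3
  snap="${instance}-snapshot"
  enc_snap="${snap}-encrypted"
  enc_instance="${instance}-encrypted"

  aws rds create-db-snapshot --region "$region" \
    --db-instance-identifier "$instance" --db-snapshot-identifier "$snap" >/dev/null
  aws rds wait db-snapshot-available --region "$region" --db-snapshot-identifier "$snap"

  aws rds copy-db-snapshot --region "$region" \
    --source-db-snapshot-identifier "$snap" \
    --target-db-snapshot-identifier "$enc_snap" \
    --copy-tags --kms-key-id "$key_id" >/dev/null
  aws rds wait db-snapshot-available --region "$region" --db-snapshot-identifier "$enc_snap"

  aws rds restore-db-instance-from-db-snapshot --region "$region" \
    --db-instance-identifier "$enc_instance" --db-snapshot-identifier "$enc_snap" >/dev/null
  aws rds wait db-instance-available --region "$region" --db-instance-identifier "$enc_instance"

  # Text output prints the boolean Python-style ("True"); accept both spellings.
  status=$(aws rds describe-db-instances --region "$region" \
    --db-instance-identifier "$enc_instance" \
    --query 'DBInstances[0].StorageEncrypted' --output text)
  case "$status" in
    True|true) echo "$enc_instance: StorageEncrypted=$status" ;;
    *) echo "$enc_instance: StorageEncrypted=$status (expected true)" >&2; return 1 ;;
  esac
}

# Step 13 for one region: pass another region name to cover the others.
main() {
  region=${1:-us-east-1}
  key_id=$(rds_default_kms_key_id "$region")
  looks_like_kms_key_id "$key_id" || { echo "unexpected KMS key id: '$key_id'" >&2; return 1; }
  for instance in $(unencrypted_rds_instances "$region"); do
    encrypt_rds_instance "$region" "$instance" "$key_id"
  done
}

# Constructed sample (not real account output) in the shape of the step 6 listing,
# with the key order shuffled to exercise the parser.
SAMPLE_LIST_ALIASES='{
  "Aliases": [
    {
      "AliasArn": "arn:aws:kms:us-east-1:123456789012:alias/aws/ebs",
      "AliasName": "alias/aws/ebs",
      "TargetKeyId": "d6c03026-b0bd-451e-a864-a68355f4f035"
    },
    {
      "TargetKeyId": "8d8d3ab9-db2a-428f-b82e-d38cb05ce1a4",
      "AliasName": "alias/aws/rds",
      "AliasArn": "arn:aws:kms:us-east-1:123456789012:alias/aws/rds"
    },
    {
      "AliasArn": "arn:aws:kms:us-east-1:123456789012:alias/aws/s3",
      "AliasName": "alias/aws/s3"
    }
  ]
}'

# Only touch AWS when asked explicitly:  sh encrypt-rds.sh --run us-east-1
if [ "${1:-}" = "--run" ]; then shift; main "$@"; fi
```

Three things the script does not do for you, all visible in the walkthrough's own output: the snapshot is a point-in-time copy, so writes that reach the original instance after create-db-snapshot are not carried over unless the application is paused first; the original unencrypted instance and the unencrypted source snapshot both still exist after the restore and have to be retired deliberately; and the restored instance has a new endpoint and, as the step 10 output shows with "PubliclyAccessible": true, inherits settings that deserve a review before traffic is pointed at it.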