---
title: RDS instances should be encrypted with a customer-managed KMS key
description: Datadog, the leading service for cloud-scale monitoring.
---

# RDS instances should be encrypted with a customer-managed KMS key
 
## Description{% #description %}

RDS instances should be encrypted using a customer-managed KMS key rather than the default AWS-managed key. Customer-managed keys provide full control over key rotation policies, access permissions via KMS key policies, and the ability to revoke or disable the key.
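The check this rule performs can be reproduced from two API responses: `DescribeDBInstances` tells you whether storage is encrypted and which key ARN is used, and `DescribeKey` on that ARN reports `KeyManager`, which is `AWS` for an AWS-managed key and `CUSTOMER` for a customer-managed one. The following is an added example, not Datadog's rule engine or AWS code; the records it evaluates are constructed to mirror the shape of boto3's `rds.describe_db_instances()` and `kms.describe_key()` output, and the account id, key ids and ARNs are placeholders.

```python
"""Evaluate RDS instances against the rule: storage must be encrypted with a
customer-managed KMS key, not the AWS-managed default key.

Added example; the samples below are constructed to mirror the shape of
boto3 responses, trimmed to the fields the check uses."""
from dataclasses import dataclass

ACCOUNT = "111122223333"  # placeholder account id
CMK_ARN = f"arn:aws:kms:us-east-1:{ACCOUNT}:key/11111111-1111-1111-1111-111111111111"
AWS_MANAGED_ARN = f"arn:aws:kms:us-east-1:{ACCOUNT}:key/22222222-2222-2222-2222-222222222222"

# Constructed: one entry per instance, as returned under "DBInstances".
SAMPLE_DB_INSTANCES = [
    {"DBInstanceIdentifier": "orders-prod", "StorageEncrypted": True, "KmsKeyId": CMK_ARN},
    {"DBInstanceIdentifier": "reports-dev", "StorageEncrypted": True, "KmsKeyId": AWS_MANAGED_ARN},
    {"DBInstanceIdentifier": "legacy-db", "StorageEncrypted": False},
]

# Constructed: kms.describe_key(KeyId=arn)["KeyMetadata"], keyed by key ARN.
# KeyManager is "CUSTOMER" for customer-managed keys and "AWS" for AWS-managed
# keys such as the default aws/rds key.
SAMPLE_KEY_METADATA = {
    CMK_ARN: {"Arn": CMK_ARN, "KeyManager": "CUSTOMER"},
    AWS_MANAGED_ARN: {"Arn": AWS_MANAGED_ARN, "KeyManager": "AWS"},
}


@dataclass(frozen=True)
class Finding:
    instance: str
    compliant: bool
    reason: str


def evaluate_instance(db: dict, key_metadata: dict) -> Finding:
    """Classify a single DescribeDBInstances record against the rule."""
    name = db["DBInstanceIdentifier"]
    if not db.get("StorageEncrypted"):
        return Finding(name, False, "storage is not encrypted at rest")
    key_arn = db.get("KmsKeyId")
    meta = key_metadata.get(key_arn)
    if meta is None:
        # The key could not be described (deleted, in another account, or the
        # caller lacks kms:DescribeKey); fail closed instead of silently passing.
        return Finding(name, False, f"could not describe KMS key {key_arn}")
    if meta.get("KeyManager") != "CUSTOMER":
        return Finding(name, False, "encrypted with an AWS-managed key")
    return Finding(name, True, "encrypted with a customer-managed key")


def evaluate(db_instances: list, key_metadata: dict) -> list:
    """Evaluate every instance; returns one Finding per instance, in order."""
    return [evaluate_instance(db, key_metadata) for db in db_instances]


if __name__ == "__main__":
    for f in evaluate(SAMPLE_DB_INSTANCES, SAMPLE_KEY_METADATA):
        print(f"{'PASS' if f.compliant else 'FAIL'} {f.instance}: {f.reason}")
```

In a real account the `key_metadata` map is built by calling `kms.describe_key` for each distinct `KmsKeyId` seen in the instance list; a key that cannot be described is reported as a failure rather than skipped, so a missing `kms:DescribeKey` permission shows up as findings instead of an empty report.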

## Remediation{% #remediation %}

Create a new RDS instance with a customer-managed KMS key specified, or restore from an encrypted snapshot using a customer-managed key. Existing instances cannot have their encryption key changed in place. For guidance, refer to [Encrypting Amazon RDS resources](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html).
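Because the key cannot be swapped on a running instance, the practical path is snapshot, copy the snapshot while specifying the customer-managed key, then restore from the copy. The following is an added example of that sequence in boto3, not Datadog's or AWS's code; the RDS call names and parameters are the real ones, while `RecordingRdsClient` is a constructed stand-in that records calls so the flow runs offline. Pass a real `boto3.client("rds")` in its place to run it against an account.

```python
"""Re-encrypt an RDS instance under a customer-managed KMS key by snapshotting
it, copying the snapshot under the new key, and restoring from the copy.

Added example. Identifiers passed in by the caller are the only assumptions."""


def reencrypt_with_cmk(rds, instance_id: str, cmk_key_id: str, new_instance_id: str) -> list:
    """Run snapshot -> copy-with-new-key -> restore and return the identifiers
    created, in order. The source instance is left running and untouched."""
    source_snap = f"{instance_id}-before-cmk"
    cmk_snap = f"{instance_id}-cmk"

    # 1. Snapshot the instance; this copy is still under its current key.
    rds.create_db_snapshot(DBInstanceIdentifier=instance_id,
                           DBSnapshotIdentifier=source_snap)
    rds.get_waiter("db_snapshot_available").wait(DBSnapshotIdentifier=source_snap)

    # 2. Copy the snapshot. KmsKeyId on the copy is the step that changes the
    #    key; it accepts a key id, key ARN or alias ARN.
    rds.copy_db_snapshot(SourceDBSnapshotIdentifier=source_snap,
                         TargetDBSnapshotIdentifier=cmk_snap,
                         KmsKeyId=cmk_key_id)
    rds.get_waiter("db_snapshot_available").wait(DBSnapshotIdentifier=cmk_snap)

    # 3. Restore a new instance; it inherits the copied snapshot's key.
    rds.restore_db_instance_from_db_snapshot(DBInstanceIdentifier=new_instance_id,
                                             DBSnapshotIdentifier=cmk_snap)
    rds.get_waiter("db_instance_available").wait(DBInstanceIdentifier=new_instance_id)
    return [source_snap, cmk_snap, new_instance_id]


class RecordingRdsClient:
    """Constructed fake: records every API call instead of contacting AWS.
    Waiters return immediately."""

    def __init__(self):
        self.calls = []

    def __getattr__(self, name):
        if name == "get_waiter":
            return lambda waiter_name: self

        def record(**kwargs):
            self.calls.append((name, kwargs))
            return {}
        return record

    def wait(self, **kwargs):
        self.calls.append(("wait", kwargs))


if __name__ == "__main__":
    client = RecordingRdsClient()
    print(reencrypt_with_cmk(client, "reports-dev",
                             "arn:aws:kms:us-east-1:111122223333:key/11111111-1111-1111-1111-111111111111",
                             "reports-dev-v2"))
    for call in client.calls:
        print(call)
```

The function deliberately stops at "new instance is available": repointing applications to the new endpoint (or renaming instances so the old name moves to the new one), verifying data, and deleting the old instance and the pre-copy snapshot are cutover steps that need a maintenance window and a human decision. Until the old instance and snapshot are deleted, the data still exists under the AWS-managed key, so the rule will keep reporting the old instance.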
