Classification: compliance
Set up the rds integration.
Ensure that your AWS RDS database instances are encrypted.
Encrypting your AWS RDS clusters protects sensitive data from unauthorized access.
Follow the Enabling Amazon RDS encryption for a DB instance docs to ensure your database instances are encrypted.
1. Run describe-db-instances with an instance identifier query to list RDS database names.

describe-db-instances.sh
aws rds describe-db-instances \
  --query 'DBInstances[*].DBInstanceIdentifier'

2. Run create-db-snapshot with any returned database instance you wish to modify.

create-db-snapshot.sh
aws rds create-db-snapshot \
  --db-snapshot-identifier my-db-snapshot \
  --db-instance-identifier my-db-id

3. Run list-aliases to list KMS key aliases by region.

list-aliases.sh
aws kms list-aliases \
  --region us-west-1

4. Run copy-db-snapshot with the kms-key-id returned in step 3.

copy-db-snapshot.sh
aws rds copy-db-snapshot \
  --region us-west-1 \
  --source-db-snapshot-identifier original-db-snapshot-id \
  --target-db-snapshot-identifier encrypted-db-snapshot-id \
  --copy-tags \
  --kms-key-id 01234567-1a2b-1234a-b45c-abcdef123456

5. Run restore-db-instance-from-db-snapshot to restore the previously created snapshot.

restore-db-instance.sh
aws rds restore-db-instance-from-db-snapshot \
  --region us-west-1 \
  --db-instance-identifier encrypted-db-id \
  --db-snapshot-identifier encrypted-db-snapshot-id

6. Run describe-db-instances with a query to ensure database encryption.

describe-db-instances.sh
# Query the instance restored in step 5 (its instance identifier, not the snapshot identifier).
aws rds describe-db-instances \
  --region us-west-1 \
  --db-instance-identifier encrypted-db-id \
  --query 'DBInstances[*].StorageEncrypted'
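As an added check that is not part of this rule's own steps, the script below applies the step 6 query across every instance in a describe-db-instances response and emits the step 2 to 6 CLI sequence for each unencrypted one. The response it runs on is a constructed sample, and the snapshot and instance names it derives are an assumed naming scheme.

```python
import json

# Constructed sample in the shape of `aws rds describe-db-instances` output (not real instances).
SAMPLE_RESPONSE = json.loads("""
{
  "DBInstances": [
    {"DBInstanceIdentifier": "orders-db", "StorageEncrypted": false},
    {"DBInstanceIdentifier": "billing-db", "StorageEncrypted": true},
    {"DBInstanceIdentifier": "legacy-db"}
  ]
}
""")


def unencrypted_instances(response):
    """Return identifiers of instances whose storage is not encrypted at rest.
    A missing StorageEncrypted field counts as unencrypted (fail closed)."""
    return [
        db["DBInstanceIdentifier"]
        for db in response.get("DBInstances", [])
        if not db.get("StorageEncrypted", False)
    ]


def remediation_commands(db_id, kms_key_id, region):
    """Build the snapshot -> encrypted copy -> restore -> verify sequence (steps 2 to 6)
    as reviewable strings. Snapshot/instance names derived from db_id are an assumed
    scheme; the verify step targets the restored instance, not the snapshot."""
    plain = f"{db_id}-snapshot"
    enc = f"{db_id}-encrypted-snapshot"
    new_id = f"{db_id}-encrypted"
    return [
        f"aws rds create-db-snapshot --region {region} "
        f"--db-instance-identifier {db_id} --db-snapshot-identifier {plain}",
        f"aws rds copy-db-snapshot --region {region} --source-db-snapshot-identifier {plain} "
        f"--target-db-snapshot-identifier {enc} --copy-tags --kms-key-id {kms_key_id}",
        f"aws rds restore-db-instance-from-db-snapshot --region {region} "
        f"--db-instance-identifier {new_id} --db-snapshot-identifier {enc}",
        f"aws rds describe-db-instances --region {region} --db-instance-identifier {new_id} "
        "--query 'DBInstances[*].StorageEncrypted'",
    ]


if __name__ == "__main__":
    # Report each non-compliant instance with the commands that would remediate it.
    for db in unencrypted_instances(SAMPLE_RESPONSE):
        print(f"[FAIL] {db}: StorageEncrypted is not true; remediation plan:")
        for cmd in remediation_commands(db, "01234567-1a2b-1234a-b45c-abcdef123456", "us-west-1"):
            print("  " + cmd)
```

To audit a real account, replace SAMPLE_RESPONSE with `json.load()` of the CLI output for each region and review the generated commands before running them.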