When at-rest encryption is configured, your database instance, tables, and any snapshots or automated backups taken of that database will be encrypted using AES-256 (Advanced Encryption Standard). Note that you can only encrypt an RDS database during its creation, so be sure to understand your encryption requirements before creating your database.
At-rest encryption is enabled with a simple checkbox in the AWS Management Console:
- From the AWS Management Console, select RDS under the Database category.
- Select Create database.
- Scroll down to the Additional configuration section and expand the category by selecting it.
- From here, you can scroll down to the Encryption section.
From here, you can either select a customer-managed key or, as in the preceding example, you can select the AWS-managed key for the service, aws/rds. You should be aware that once you have selected your key, you cannot change it to a different key...
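Because encryption can only be set at creation and the key cannot be changed afterwards, it is worth checking which existing instances are unencrypted and which key each encrypted one uses. The following is an added example, not part of the original text: it classifies instances from data shaped like the boto3 `rds.describe_db_instances()` and `kms.list_aliases()` responses, assuming both come from the same region; the sample account ID, key IDs and instance names are constructed.

```python
# Added example: classify RDS instances by at-rest encryption status.
# Inputs are shaped like boto3 rds.describe_db_instances() and
# kms.list_aliases() responses; the sample data below is constructed.

AWS_MANAGED_RDS_ALIAS = "alias/aws/rds"  # alias of the AWS-managed key for RDS


def key_id_from_arn(arn):
    """Return the key ID portion of a KMS key ARN (text after 'key/')."""
    return arn.rsplit("key/", 1)[-1]


def audit_rds_encryption(db_response, alias_response):
    """Map each instance name to 'unencrypted', 'aws-managed' or 'customer-managed'."""
    # Key IDs that the aws/rds alias points at in this region.
    aws_managed_ids = {
        a["TargetKeyId"]
        for a in alias_response.get("Aliases", [])
        if a.get("AliasName") == AWS_MANAGED_RDS_ALIAS and "TargetKeyId" in a
    }
    findings = {}
    for db in db_response.get("DBInstances", []):
        name = db["DBInstanceIdentifier"]
        if not db.get("StorageEncrypted", False):
            findings[name] = "unencrypted"
        elif key_id_from_arn(db.get("KmsKeyId", "")) in aws_managed_ids:
            findings[name] = "aws-managed"
        else:
            findings[name] = "customer-managed"
    return findings


# Constructed sample responses (account ID, key IDs and names are made up).
SAMPLE_ALIASES = {"Aliases": [
    {"AliasName": "alias/aws/rds", "TargetKeyId": "1111aaaa-0000-0000-0000-000000000001"},
    {"AliasName": "alias/app-db", "TargetKeyId": "2222bbbb-0000-0000-0000-000000000002"},
]}
SAMPLE_DBS = {"DBInstances": [
    {"DBInstanceIdentifier": "legacy-db", "StorageEncrypted": False},
    {"DBInstanceIdentifier": "default-key-db", "StorageEncrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/1111aaaa-0000-0000-0000-000000000001"},
    {"DBInstanceIdentifier": "cmk-db", "StorageEncrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/2222bbbb-0000-0000-0000-000000000002"},
]}

if __name__ == "__main__":
    for name, status in audit_rds_encryption(SAMPLE_DBS, SAMPLE_ALIASES).items():
        print(f"{name}: {status}")
```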