How to Configure Encryption for RDS
Protecting DB Instances
To enhance the security of Amazon RDS, you must ensure that encryption is configured for DB instances. Amazon describes DB instances as the basic building blocks of RDS – and if your building blocks aren’t properly protected, how can everything built on top of them be secured?
In this demo, our AWS expert will teach you how to create a DB instance and enable encryption, using the following steps.
Starting from the Amazon RDS console, navigate to Create Database, then configure the following areas:
- Creation Method
- Engine Options
- DB Instance Size
- Availability and Durability
- Additional Configuration
This final area, Additional Configuration, is where you’ll find an Encryption section, so that you can enable encryption, then set a Master Key.
For a visual guide on how to configure encryption for RDS DB instances, watch the full demo.
As we’ve discussed in other videos, the point at which you apply encryption solves different security problems and provides a different protection envelope for the encryption security control. So, within this technology stack, we would usually put RDS here as one of our databases, the middleware tier. RDS is going to fit into that category. RDS is backed by EBS, Elastic Block Store, volumes. So, all of your data actually lives within an EBS volume. That is down here near or within the hypervisor.

This RDS encryption is actually being provided by the EBS service. The encryption is actually happening down here within the hypervisor and the hypervisor’s interaction with the physical storage resources themselves. The hypervisor is the one actually applying that encryption and then feeding that up to MariaDB, MySQL, or whatever the database is that you’re using within RDS. Again, encryption is happening down here within the technology stack diagram.

As we’ve also discussed, there are different places where you might apply encryption – by your application; by, for instance, transparent data encryption within Microsoft SQL Server; by the operating system; by the hypervisor; or even by the physical storage resources themselves, with self-encrypting drives. Each of these provides a different encryption envelope, a different protection envelope, for the data while it remains at rest. As long as your risk assessment and your architects have come to the conclusion that RDS encryption is going to solve the security needs, by all means, turn it on within RDS.
Here we are in our RDS console. We’ll go ahead and create a new database instance and show some other things here. Let’s go with a MariaDB instance because we like MySQL and it’s nice and easy, and MariaDB is a great version of that product.

Then, the next thing to demonstrate is that if you are doing this and testing with a free tier to try to see how encryption works for you, you won’t find that setting. I’ll demonstrate that here as we scroll down. We’ll select “Free Tier.” Now, the encryption settings for RDS are kept not under “Storage,” where it might actually make sense, but here under the “Additional Configuration” section. Sure enough, if we scroll through this, we have “Backup,” “Monitoring,” “Log Exports,” “Maintenance,” “Deletion Protection” – no “Encryption.” Free tier does not support encryption capabilities. You have to, at least, be in the “Dev/Test” tier.

We’ll go ahead and go to “Production” and we’ll demonstrate the same thing here. Come down to our additional settings, “Additional Configuration,” and, sure enough, if we scroll through that, we see that we do have encryption settings here. Enable that and then we’ll select our key. In this case, this selection is probably fine in many environments. We’re going to create an AWS managed key that is specific to our use of RDS. This key is the key that will actually protect the encryption key that is attached to the volume itself. A volume key is the one that actually encrypts the data, and then the volume key itself is protected with the key that we select here. For all of our other settings, we’d need to go through and finish setting this up, but that is how you enable encryption on an RDS volume.
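The same two things the console steps and the demo walk through (turning on storage encryption at creation time, and choosing the KMS key that protects the volume key) can be expressed against the RDS API, and the resulting fleet can be audited for instances that were created without encryption. The following script is an added example written for this page, not code from the original demo or from AWS. It assumes the real boto3 calls `create_db_instance` and `describe_db_instances` (only used inside `main()`, so the rest runs offline), and the `SAMPLE_DESCRIBE` response, key ARNs and instance identifiers are constructed sample data for the audit function.

```python
"""Added example: build an encrypted RDS create request and audit existing
instances for missing or unexpected storage encryption.

Only main() talks to AWS (boto3 is an assumption of the real API); the
builder and audit functions run offline on the constructed sample below.
"""
from typing import Dict, List, Optional, Tuple

# Constructed sample values: not real keys or accounts.
EXPECTED_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
SAMPLE_DESCRIBE = {
    "DBInstances": [
        {"DBInstanceIdentifier": "orders-prod", "Engine": "mariadb",
         "StorageEncrypted": True, "KmsKeyId": EXPECTED_KEY_ARN},
        # Created from the free-tier template, where the demo shows no
        # Encryption section: StorageEncrypted is therefore false.
        {"DBInstanceIdentifier": "orders-dev", "Engine": "mariadb",
         "StorageEncrypted": False},
        # Encrypted, but under a key other than the one we standardised on.
        {"DBInstanceIdentifier": "reports", "Engine": "mysql",
         "StorageEncrypted": True,
         "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/OTHER-KEY-ID"},
    ]
}


def encrypted_db_instance_params(identifier: str, engine: str,
                                 instance_class: str, username: str,
                                 password: str,
                                 kms_key_id: Optional[str] = None) -> Dict:
    """Keyword arguments for rds.create_db_instance with encryption on.

    StorageEncrypted/KmsKeyId are the API form of the console's Encryption
    section under Additional Configuration. Encryption is chosen at
    creation time, so this builder never offers a way to leave it off.
    When kms_key_id is None, RDS uses the AWS managed key for RDS
    (alias aws/rds), the default choice shown in the demo.
    """
    params = {
        "DBInstanceIdentifier": identifier,
        "Engine": engine,
        "DBInstanceClass": instance_class,
        "AllocatedStorage": 20,           # GiB; sample size
        "MasterUsername": username,
        "MasterUserPassword": password,
        "StorageEncrypted": True,
        "DeletionProtection": True,
    }
    if kms_key_id:
        params["KmsKeyId"] = kms_key_id   # customer-chosen key protects the volume key
    return params


def find_unencrypted_instances(describe_response: Dict,
                               expected_key_arn: Optional[str] = None
                               ) -> List[Tuple[str, str]]:
    """Return (identifier, reason) for each instance that fails the check.

    An instance fails when StorageEncrypted is false, or, if
    expected_key_arn is given, when it is encrypted under some other key.
    """
    findings: List[Tuple[str, str]] = []
    for db in describe_response.get("DBInstances", []):
        ident = db["DBInstanceIdentifier"]
        if not db.get("StorageEncrypted", False):
            findings.append((ident, "StorageEncrypted is false"))
        elif expected_key_arn and db.get("KmsKeyId") != expected_key_arn:
            findings.append((ident, f"unexpected KMS key {db.get('KmsKeyId')}"))
    return findings


def main() -> None:
    """Run the audit against a real account (requires boto3 and credentials)."""
    import boto3  # assumption: real AWS SDK; imported lazily so the rest runs offline
    rds = boto3.client("rds")
    merged = {"DBInstances": []}
    for page in rds.get_paginator("describe_db_instances").paginate():
        merged["DBInstances"].extend(page["DBInstances"])
    for ident, reason in find_unencrypted_instances(merged):
        print(f"{ident}: {reason}")


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; swap for main() in a real account.
    for ident, reason in find_unencrypted_instances(SAMPLE_DESCRIBE, EXPECTED_KEY_ARN):
        print(f"{ident}: {reason}")
```

Without `expected_key_arn` the audit only flags `orders-dev`; passing the standardised key ARN also flags `reports`, which is encrypted but under a different key. Because storage encryption cannot be switched on for an existing instance, the remediation for a flagged instance is to create an encrypted replacement (via the console steps above or `create_db_instance` with these parameters) and migrate to it.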