
We have a PostgreSQL database hosted on AWS RDS. When it was created using CloudFormation I set it to be encrypted, but didn't set the encryption key. As such it was set up to use the default encryption key.

I've since been told that there is a company standard that all RDS instances should have their own keys.

I've created the new key using CloudFormation and associated it with the RDS instance, but when I deploy this template it wants to delete and recreate the database.

I'm not that familiar with how all this works and I'm after a procedure that doesn't result in us losing data. A bit of downtime won't hurt us if that is required.

Martin Brown

1 Answer


With RDS this is easy. You will have some downtime that depends on the amount of data. For a small instance an hour, for a large instance set aside a day. The good part is that after you create the snapshot you can test independently without affecting your instance.

Everything is performed in the AWS RDS Console.

1) Create a snapshot of your RDS instance.

2) Copy the snapshot selecting a new master key.

3) Restore the instance or create a new instance from the snapshot.

Note: For items like this that modify data, I prefer to just create a new RDS instance. Verify everything and then shutdown the old instance.

John Hanley

Works! Thanks! More info: https://aws.amazon.com/es/premiumsupport/knowledge-center/update-encryption-key-rds/ – ambigus9 Nov 18 '20 at 15:16
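The three console steps from the answer, scripted with the AWS CLI as an added example (these are not the answer's own commands). The instance names, key alias and region are placeholders; set DRY_RUN=1 to print the commands instead of executing them.

```shell
#!/usr/bin/env bash
# Re-key an RDS instance: snapshot -> copy under a customer-managed KMS key
# -> restore a new instance from the copy. Identifiers below are assumed
# placeholders, not values from the question. DRY_RUN=1 prints instead of runs.
set -eu

SOURCE_DB="${SOURCE_DB:-app-postgres}"          # existing instance (placeholder)
NEW_DB="${NEW_DB:-app-postgres-cmk}"            # instance restored under the new key
KMS_KEY_ID="${KMS_KEY_ID:-alias/rds-app-key}"   # customer-managed key alias (placeholder)
AWS_REGION="${AWS_REGION:-eu-west-1}"
STAMP="$(date -u +%Y%m%dT%H%M%SZ)"
SNAP="${SOURCE_DB}-pre-rekey-${STAMP}"          # snapshot still under the default key
SNAP_CMK="${SNAP}-cmk"                          # copy re-encrypted under KMS_KEY_ID

# Execute an AWS CLI command, or just print it when DRY_RUN=1.
run() { if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# 1) Snapshot the source instance and wait until the snapshot is available.
create_snapshot() {
  run aws rds create-db-snapshot --region "$AWS_REGION" \
      --db-instance-identifier "$SOURCE_DB" --db-snapshot-identifier "$SNAP"
  run aws rds wait db-snapshot-available --region "$AWS_REGION" \
      --db-snapshot-identifier "$SNAP"
}

# 2) Copy the snapshot; the copy is encrypted under the new KMS key.
copy_snapshot_with_new_key() {
  run aws rds copy-db-snapshot --region "$AWS_REGION" \
      --source-db-snapshot-identifier "$SNAP" \
      --target-db-snapshot-identifier "$SNAP_CMK" \
      --kms-key-id "$KMS_KEY_ID"
  run aws rds wait db-snapshot-available --region "$AWS_REGION" \
      --db-snapshot-identifier "$SNAP_CMK"
}

# 3) Restore a new instance from the re-encrypted copy (old instance untouched).
restore_new_instance() {
  run aws rds restore-db-instance-from-db-snapshot --region "$AWS_REGION" \
      --db-instance-identifier "$NEW_DB" --db-snapshot-identifier "$SNAP_CMK"
  run aws rds wait db-instance-available --region "$AWS_REGION" \
      --db-instance-identifier "$NEW_DB"
}

# Confirm the new instance reports encryption under the expected key before cutover.
verify_key() {
  run aws rds describe-db-instances --region "$AWS_REGION" \
      --db-instance-identifier "$NEW_DB" \
      --query 'DBInstances[0].[StorageEncrypted,KmsKeyId]' --output text
}

# Full procedure only when invoked as: ./rekey.sh run
if [ "${1:-}" = "run" ]; then
  create_snapshot; copy_snapshot_with_new_key; restore_new_instance; verify_key
fi
```

The CLI waiters give up after roughly 30 minutes, so for a large instance re-run the wait step (or poll `describe-db-snapshots`) rather than assuming the copy finished.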