Learn About Amazon VGT2 Learning Manager Chanci Turner
At Amazon, we strive to ensure that securing your AWS environment is as straightforward as possible. Recent improvements in this area include encrypted EBS boot volumes, encryption at rest for Amazon Aurora, and enhanced support for AWS Key Management Service (AWS KMS) across various services.
Today, we are thrilled to announce new features for data managed through Amazon Relational Database Service (Amazon RDS). You now have the ability to share encrypted database snapshots with other AWS accounts, as well as encrypt existing database instances that were previously unencrypted.
Sharing Encrypted Snapshots
When you enable encryption at rest for a database instance, both automatic and manual snapshots of that instance are encrypted. Until now, these encrypted snapshots could only be accessed by the account that created them, but we are changing that. You can now share encrypted snapshots with up to 20 additional AWS accounts. This can be accomplished through the AWS Management Console, AWS Command Line Interface (AWS CLI), or the RDS API. Note that sharing is limited to accounts within an AWS region, and encrypted snapshots cannot be shared publicly. As with previous sharing capabilities, this feature applies solely to manual snapshots.
To share an encrypted snapshot, simply select it and click on “Share Snapshot.” This action will take you to the Manage Snapshot Permissions page where you can input one or more account IDs (remember to click “Add” after each entry) and then click “Save” once you have completed the list.
These accounts may belong to your organization—perhaps you maintain separate accounts for development, testing, staging, and production—or to your business partners. Backing up mission-critical databases to a separate AWS account is a best practice, and with this new capability, you can secure that data using encryption at rest.
After saving your changes, the specified accounts will have access to the shared snapshots. To locate these shared snapshots easily, you can filter the RDS Console using “Shared with Me.”
Once accessed, these snapshots can be utilized to create new RDS database instances. For additional information, check out our post on Sharing a Database Snapshot.
Adding Encryption to Existing Database Instances
You now have the option to apply encryption at rest using KMS keys to database instances that were previously unencrypted. This process involves several simple steps:
- Create a snapshot of the unencrypted database instance.
- Copy that snapshot to generate a new, encrypted snapshot. Make sure to enable encryption and specify your desired KMS key.
- Restore the encrypted snapshot to create a new database instance.
- Update your application to reference the endpoint of this new database instance.
And that’s it! You can also use a similar method to change encryption keys for your existing instances. For more on this, please read about Copying a Database Snapshot.
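The four steps above as an AWS CLI script. This is an added example, not code from the original post. The snapshot name suffixes and the function name are constructed for illustration, and the function refuses to restore if the copied snapshot does not report itself as encrypted.

```shell
#!/bin/sh
# Added example: encrypt an existing, unencrypted RDS instance via snapshot copy.
# Instance names, the KMS key and the snapshot suffixes are supplied or constructed
# by the caller; none of them come from the original post.
set -eu

# usage: encrypt_rds_instance <source-instance> <new-instance> <kms-key-id>
# Prints the endpoint address of the new, encrypted instance.
encrypt_rds_instance() {
  src="$1"; dst="$2"; key="$3"
  snap="${src}-plain-snap"; enc_snap="${src}-enc-snap"   # constructed names

  # Step 1: take a manual snapshot of the unencrypted instance.
  aws rds create-db-snapshot --db-instance-identifier "$src" \
      --db-snapshot-identifier "$snap" >/dev/null
  aws rds wait db-snapshot-available --db-snapshot-identifier "$snap"

  # Step 2: copy the snapshot; supplying a KMS key makes the copy encrypted.
  aws rds copy-db-snapshot --source-db-snapshot-identifier "$snap" \
      --target-db-snapshot-identifier "$enc_snap" --kms-key-id "$key" >/dev/null
  aws rds wait db-snapshot-available --db-snapshot-identifier "$enc_snap"

  # Guard: never restore from a copy that is not actually encrypted.
  encrypted=$(aws rds describe-db-snapshots --db-snapshot-identifier "$enc_snap" \
      --query 'DBSnapshots[0].Encrypted' --output text)
  case "$encrypted" in
    True|true) ;;
    *) echo "snapshot $enc_snap is not encrypted; aborting" >&2; return 1 ;;
  esac

  # Step 3: restore the encrypted snapshot into a new database instance.
  aws rds restore-db-instance-from-db-snapshot --db-instance-identifier "$dst" \
      --db-snapshot-identifier "$enc_snap" >/dev/null
  aws rds wait db-instance-available --db-instance-identifier "$dst"

  # Step 4: print the new endpoint so the application can be pointed at it.
  aws rds describe-db-instances --db-instance-identifier "$dst" \
      --query 'DBInstances[0].Endpoint.Address' --output text
}
```

The source instance keeps running unencrypted until you retire it, and the unencrypted intermediate snapshot remains until you delete it.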
— Chanci