What's the correct process to change a production RDS database from non-encrypted to encrypted using AWS CDK (python)?

0

We have deployed an RDS database without encryption that is being used in production. Everything has been deployed using AWS CDK in Python. Now we need to start storing sensitive information like, for example, customers' bank account information. Due to this, we want to make sure our database is encrypted at rest.

I've read that the process is to make a database snapshot, then make an encrypted copy, then restore that encrypted copy, etc. But we probably also need to create a KMS Key.

How would we do this process while using the AWS CDK? The goal is to end up with an encrypted copy and no "drift" in our CDK.

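Here is the basic code we are using to create our instance:

# Assumes CDK v2, with the top-level package imported under the alias `core`.
import aws_cdk as core
from aws_cdk import aws_ec2 as ec2, aws_rds as rds

# Runs inside the stack's __init__; `vpc` is defined earlier in the stack.
database = rds.DatabaseInstance(self, 'Database',
    instance_identifier='example',
    database_name='example',
    engine=rds.DatabaseInstanceEngine.postgres(
        version=rds.PostgresEngineVersion.VER_15_2
    ),
    instance_type=ec2.InstanceType.of(ec2.InstanceClass.T4G, ec2.InstanceSize.MICRO),
    vpc=vpc,
    vpc_subnets=ec2.SubnetSelection(subnet_type=ec2.SubnetType.PUBLIC),
    credentials=rds.Credentials.from_password(
        username='example',
        # from_password takes a SecretValue, not a plain string
        password=core.SecretValue.unsafe_plain_text('example123456')
    ),
    storage_type=rds.StorageType.GP3,
    allocated_storage=20,
    max_allocated_storage=100,
    backup_retention=core.Duration.days(30),  # a Duration, not a bare number
    preferred_backup_window='21:00-21:30',
    removal_policy=core.RemovalPolicy.RETAIN,
    delete_automated_backups=False
)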
  • Were you able to achieve the migration? I am looking to do the exact same thing.

Alvaro
asked 7 months ago
406 views
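
The snapshot and encrypted-copy steps the question describes, as an added example that is not part of the original post or answer. It assumes a boto3 RDS client is passed in as `rds`; the function name, the `-plain`/`-encrypted` snapshot suffixes, the `FakeRds` stand-in and the key ARN are hypothetical.

```python
def encrypted_snapshot_copy(rds, instance_id, kms_key_id):
    """Snapshot an unencrypted instance, make a KMS-encrypted copy, return its id."""
    # `rds` needs the boto3 RDS client methods used here, e.g. boto3.client("rds").
    inst = rds.describe_db_instances(DBInstanceIdentifier=instance_id)["DBInstances"][0]
    if inst.get("StorageEncrypted"):
        raise ValueError(f"{instance_id} is already encrypted at rest")
    plain_id, enc_id = f"{instance_id}-plain", f"{instance_id}-encrypted"
    waiter = rds.get_waiter("db_snapshot_available")
    # Step 1: manual snapshot of the unencrypted instance.
    rds.create_db_snapshot(DBInstanceIdentifier=instance_id, DBSnapshotIdentifier=plain_id)
    waiter.wait(DBSnapshotIdentifier=plain_id)
    # Step 2: copy it; passing KmsKeyId is what makes the copy encrypted.
    rds.copy_db_snapshot(SourceDBSnapshotIdentifier=plain_id,
                         TargetDBSnapshotIdentifier=enc_id, KmsKeyId=kms_key_id)
    waiter.wait(DBSnapshotIdentifier=enc_id)
    # Step 3: confirm the copy is encrypted before anything is restored from it.
    snap = rds.describe_db_snapshots(DBSnapshotIdentifier=enc_id)["DBSnapshots"][0]
    if not snap.get("Encrypted"):
        raise RuntimeError(f"{enc_id} is not encrypted")
    return enc_id


class FakeRds:
    """Constructed in-memory stand-in for the RDS client, so this runs offline."""

    def __init__(self, storage_encrypted=False):
        self.instance, self.snapshots = {"StorageEncrypted": storage_encrypted}, {}

    def describe_db_instances(self, DBInstanceIdentifier):
        return {"DBInstances": [self.instance]}

    def create_db_snapshot(self, DBInstanceIdentifier, DBSnapshotIdentifier):
        self.snapshots[DBSnapshotIdentifier] = {"Encrypted": False}

    def copy_db_snapshot(self, SourceDBSnapshotIdentifier, TargetDBSnapshotIdentifier, KmsKeyId):
        self.snapshots[TargetDBSnapshotIdentifier] = {"Encrypted": True, "KmsKeyId": KmsKeyId}

    def describe_db_snapshots(self, DBSnapshotIdentifier):
        return {"DBSnapshots": [self.snapshots[DBSnapshotIdentifier]]}

    def get_waiter(self, name):
        return self  # the fake finishes instantly, so it doubles as its own waiter

    def wait(self, DBSnapshotIdentifier):
        pass


if __name__ == "__main__":
    # Placeholder key ARN, not a value from the original post.
    print(encrypted_snapshot_copy(FakeRds(), "example", "arn:aws:kms:REGION:ACCOUNT:key/PLACEHOLDER"))
```

The returned identifier is what a restore would start from, for example CDK's `rds.DatabaseInstanceFromSnapshot` with `snapshot_identifier` set to it. Writes that reach the instance after step 1 are not in the copy.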
1 Answer
0
AWS EXPERT
answered 7 months ago