Restore encrypted Snapshot

Dear Customer,

I Understand that you wish to encrypt the RDS Aurora MySQL Cluster and have queries.

I would like to share with you that, In order to encrypt the unencrypted cluster a new cluster with a new identifier will come up. You can later rename the cluster to have the same old cluster identifier and endpoints. Please be noted that before renaming the new cluster make sure to rename or deleted the old cluster.

I am indexing my response below for ease of reference.

1. I have an RDS aurora MySQL Multi-AZ with 1 reader and 1 writer, this cluster is unencrypted now I want to make it encrypted, please what are the steps to follow to encrypt the aurora Cluster? I saw I can use snapshot and encrypt it but the exact steps are not listed.

As correctly pointed out by you, you need to restore the snapshot of unencrypted cluster and while restoring the same you need to enable the encryption option.

The steps will be as follow in case you are doing it from RDS console 1- Create a snapshot of your DB Cluster [1] 2- Restore the above created unencrypted snapshot [2] and while restoring enable the encryption option and select the desired encryption key. 3 - Add the reader instance.

2. My cluster is created via CDK, If I want to update the cluster via CDK to add the encryption option, this will create a new cluster or update the existing one?

As mentioned above, the new cluster will come up when we change encryption of the cluster because to perform the same we need to use snapshot restore method which will create new cluster.

3. how can I restore (encrypted) data to the cluster once it's updated?

As you will be restoring the cluster from snapshot the existing data will be intact and encrypted automatically and new data which will come to the cluster will also be encrypted from that point onward.

4. I tried to create the snapshot at the cluster level, but there is no option to take the snapshot, the option to take a snapshot is only available at the reader Or the writer level. the Snapshot must be taken at the writer level? if yes, when I restore that Snapshot that will create the whole cluster (cluster + reader + writer) Multi-AZ

Yes, your understanding is correct, you need to take the snapshot of cluster at writer level. For More info check doc [1]. Further If you use the console to restore a DB cluster, then Amazon RDS automatically creates the primary instance (writer) for your DB cluster. If you use the AWS CLI to restore a DB cluster, you must explicitly create the primary instance for your DB cluster. The primary instance is the first instance that is created in a DB cluster. Call the create-db-instance AWS CLI command to create the primary instance for your DB cluster. Include the name of the DB cluster as the --db-cluster-identifier option value.

So the sequence of the command will be like (in case of AWS CLI)

• aws rds restore-db-cluster-from-snapshot --db-cluster-identifier mynewdbcluster --snapshot-identifier mydbclustersnapshot --engine aurora|aurora-mysql|aurora-postgresql [3]
• aws rds create-db-instance --db-instance-identifier <name> --db-cluster-identifier <cluster which you created from above command> --engine aurora-mysql --db-instance-class <Instance class> [4]

[1] - https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/USER_CreateSnapshotCluster.html [2] - https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/aurora-restore-snapshot.html#aurora-restore-snapshot.Restoring [3] - https://docs.aws.amazon.com/cli/latest/reference/rds/restore-db-cluster-from-snapshot.html [4] - https://docs.aws.amazon.com/cli/latest/reference/rds/create-db-instance.html