CloudFormation - AWS::RDS::DBInstance.Properties.StorageEncrypted behavior change


Until a couple of weeks ago, CF was able to successfully create an RDS passing an empty string to AWS::RDS::DBInstance.Properties.StorageEncrypted, e.g.:

    "Instance": {
      "Type": "AWS::RDS::DBInstance",
      "DeletionPolicy": "Snapshot",
      "Properties": {
        "StorageEncrypted": "",


It seems that this behavior was changed and now we explicitly need to pass true/false.

Can anyone confirm that the behavior actually changed?

This is causing a lot of pain for us because on every deployment we apply the respective CF template. For all the DBs we have created with StorageEncrypted: "" CF now fails with the error Properties validation failed for resource Instance with message: #/StorageEncrypted: expected type: Boolean, found: String

If we replace StorageEncrypted: "" by StorageEncrypted: false it will recreate the DB instance - which obviously we don't want to happen.

asked 3 months ago, 35 views
1 Answer

Have you tried removing StorageEncrypted: "" entirely? The default is "false" and if you're lucky this won't trigger a stack update. Worth a try I think.

The best solution though, when you've got time, is to convert your DB to encrypted for best practice. The process is in summary:

  • snapshot the DB, encrypt the snapshot, then restore (and if you can’t tolerate an outage that long, you’ll need a more complex process involving DMS)
  • resolve stack drift by updating the stack with “DeletionPolicy: Retain” on the DBInstance, then updating the stack with the DBInstance removed, then importing the DBInstance into the stack with “StorageEncrypted: true”.
answered 3 months ago
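
A pre-deployment check for the situation discussed in this thread, as an added example that is not part of the original question or answer: it scans a JSON template for `AWS::RDS::DBInstance` resources and reports how each one sets `StorageEncrypted`. The sample template, resource names and status labels are constructed for illustration, and any string value is flagged conservatively because the error quoted in the question rejects a String where a Boolean is expected.

```python
import json

# Constructed sample template (assumption: not taken from the original post).
SAMPLE_TEMPLATE = """
{
  "Resources": {
    "LegacyDb":  {"Type": "AWS::RDS::DBInstance", "DeletionPolicy": "Snapshot",
                  "Properties": {"StorageEncrypted": ""}},
    "PlainDb":   {"Type": "AWS::RDS::DBInstance",
                  "Properties": {"StorageEncrypted": false}},
    "DefaultDb": {"Type": "AWS::RDS::DBInstance", "Properties": {}},
    "ParamDb":   {"Type": "AWS::RDS::DBInstance",
                  "Properties": {"StorageEncrypted": {"Ref": "EncryptDb"}}},
    "SecureDb":  {"Type": "AWS::RDS::DBInstance",
                  "Properties": {"StorageEncrypted": true}},
    "Logs":      {"Type": "AWS::S3::Bucket"}
  }
}
"""

def classify(props):
    """Return a status label for the StorageEncrypted value of one DB instance."""
    if "StorageEncrypted" not in props:
        return "missing"              # per the answer above, the default is false
    value = props["StorageEncrypted"]
    if isinstance(value, bool):
        return "encrypted" if value else "unencrypted"
    if isinstance(value, dict):
        return "intrinsic"            # Ref / Fn::If etc.: not resolvable statically
    if isinstance(value, str):
        return "string-not-boolean"   # e.g. "" as in the question; flag for review
    return "invalid-type"

def audit_template(text):
    """Map each AWS::RDS::DBInstance logical ID to its StorageEncrypted status."""
    template = json.loads(text)
    findings = {}
    for name, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::RDS::DBInstance":
            continue
        findings[name] = classify(resource.get("Properties") or {})
    return findings

def needs_attention(findings):
    """Logical IDs that are not provably encrypted and not parameter-driven."""
    return sorted(n for n, s in findings.items() if s not in ("encrypted", "intrinsic"))

if __name__ == "__main__":
    for name, status in audit_template(SAMPLE_TEMPLATE).items():
        print(f"{name}: {status}")
```
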
