Skip to main content


Encrypt Relational Database Service (RDS) database with customer managed Key Management Service (KMS) key


Best practices recommend encrypting AWS Relational Database Service (RDS) Databases with a customer managed KMS key.


  1. Log in to the AWS Management Console.
  2. Navigate to
  3. Click Create a key.
  4. Select Key type.
    • If Symmetric, expand Advanced options and select KMS.
    • If Asymmetric, under Key usage, select Encrypt and decrypt, and choose the Key spec.
  5. Complete the remaining configuration steps to add labels, and define key administrative permissions and key usage permissions.
  6. Click Finish.
  7. Navigate to
  8. In the left navigation panel, click Databases.
  9. Select the Database instance to encrypt.
  10. Click Actions button placed at the top right and select Take Snapshot.
  11. On the Take Snapshot page, enter a name for the snapshot in the Snapshot Name field and click Take Snapshot.
  12. Select the snapshot, select Actions and select Copy snapshot.
  13. On the Copy snapshot page, perform the following:
    • In the New DB Snapshot Identifier field, Enter a name for the new snapshot.
    • Check Copy Tags, New snapshot must have the same tags as the source snapshot.
    • Check Enable Encryption, and choose the KMS key you just created from the AWS KMS dropdown.
  14. Click Copy Snapshot to create an encrypted copy of the selected instance snapshot.
  15. Select the new Snapshot Encrypted Copy and click Action, select Restore Snapshot.
  16. On the Restore snapshot page, enter a unique name for the new database instance in the DB Instance Identifier field.
  17. Review the instance configuration details and click Restore DB Instance.
  18. After completion of the new instance provisioning process, you can update application configuration to refer to the endpoint of the new Encrypted database instance. After changing the database endpoint at the application level, you can remove the unencrypted instance.