How do you encrypt an RDS instance at rest, and can you encrypt an existing unencrypted one?
Databases & Caching · Basic level
Answer
Turn encryption on when the instance is created: set storage encryption and pick a KMS key (a customer managed key if you need to control the key policy or share snapshots with other accounts). An existing unencrypted instance cannot be switched on with modify-db-instance; there is no in-place option. The supported route is to take a snapshot, copy that snapshot with a KMS key specified (the copy comes out encrypted), restore a new instance from the encrypted copy, validate it, and cut application traffic over to the new instance.
Technical explanation
Encryption is a property of the instance's storage and is inherited by everything derived from it: automated backups, manual snapshots and read replicas use the same key, and an encrypted snapshot cannot be restored as an unencrypted instance. The reverse is enforced too: an encrypted read replica cannot hang off an unencrypted source, so any replicas of the old instance have to be rebuilt from the new encrypted one after cutover.
KMS keys are Regional. Copying an encrypted snapshot to another Region means naming a key that lives in the destination Region, and sharing an encrypted snapshot with another account requires a customer managed key whose key policy grants that account use of the key; a snapshot encrypted with the AWS managed aws/rds key cannot be shared at all.
Restoring creates a new instance with a new identifier and therefore a new endpoint, and any writes that reach the old instance after the snapshot was taken are not in the copy. The migration plan needs a write freeze (or a replication-based catch-up), the connection-string or DNS switch, and a rollback path; the old instance stays untouched until you delete it. If the endpoint name must survive, rename the old instance first and give the restored one the original identifier.
Hands-on example
Converting the unencrypted instance legacy-orders into the encrypted instance orders-encrypted, waiting for each snapshot to become available before using it and checking the result at the end (on restore, also pass --db-subnet-group-name, --vpc-security-group-ids and --db-parameter-group-name, otherwise the defaults are applied):
$ aws rds create-db-snapshot --db-instance-identifier legacy-orders --db-snapshot-identifier legacy-orders-pre-encryption
$ aws rds wait db-snapshot-available --db-snapshot-identifier legacy-orders-pre-encryption
$ aws rds copy-db-snapshot --source-db-snapshot-identifier legacy-orders-pre-encryption --target-db-snapshot-identifier legacy-orders-encrypted --kms-key-id alias/rds-prod
$ aws rds wait db-snapshot-available --db-snapshot-identifier legacy-orders-encrypted
$ aws rds restore-db-instance-from-db-snapshot --db-instance-identifier orders-encrypted --db-snapshot-identifier legacy-orders-encrypted
$ aws rds describe-db-instances --db-instance-identifier orders-encrypted --query 'DBInstances[0].[DBInstanceStatus,StorageEncrypted,KmsKeyId]'
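The validate step of the answer, written out as an added example that is not part of the original page. It works on the JSON that `aws rds describe-db-instances` and `aws rds describe-db-snapshots` return (here a constructed, trimmed sample with a placeholder account and key ARN, not real output) and flags what would block or complicate the cutover: instances and snapshots that are still unencrypted, replicas that will have to be rebuilt from the encrypted instance, and anything encrypted with a key other than the one you expect. The identifiers mirror the CLI example above; the key ARN, account number and field subset are assumptions.

```python
"""Audit RDS encryption state before cutting over to a restored, encrypted instance.

Added example, not code from the original page. Input is the parsed output of
`aws rds describe-db-instances` / `aws rds describe-db-snapshots`; the sample
below is constructed and uses a placeholder account id and key ARN.
"""
import json
import sys

# Placeholder ARN for the production key (the CLI accepts alias/rds-prod, but
# describe output reports the key ARN, so audits must compare against the ARN).
PROD_KEY = "arn:aws:kms:us-east-1:111122223333:key/11111111-2222-3333-4444-555555555555"

# Constructed sample of the "DBInstances" list: the old unencrypted instance,
# its read replica, and the instance restored from the encrypted snapshot copy.
SAMPLE_INSTANCES = [
    {"DBInstanceIdentifier": "legacy-orders", "DBInstanceStatus": "available",
     "StorageEncrypted": False,
     "ReadReplicaDBInstanceIdentifiers": ["legacy-orders-rr"]},
    {"DBInstanceIdentifier": "legacy-orders-rr", "DBInstanceStatus": "available",
     "StorageEncrypted": False,
     "ReadReplicaSourceDBInstanceIdentifier": "legacy-orders",
     "ReadReplicaDBInstanceIdentifiers": []},
    {"DBInstanceIdentifier": "orders-encrypted", "DBInstanceStatus": "available",
     "StorageEncrypted": True, "KmsKeyId": PROD_KEY,
     "ReadReplicaDBInstanceIdentifiers": []},
]

# Constructed sample of the "DBSnapshots" list: the pre-encryption snapshot and
# its encrypted copy.
SAMPLE_SNAPSHOTS = [
    {"DBSnapshotIdentifier": "legacy-orders-pre-encryption", "Status": "available",
     "DBInstanceIdentifier": "legacy-orders", "Encrypted": False},
    {"DBSnapshotIdentifier": "legacy-orders-encrypted", "Status": "available",
     "DBInstanceIdentifier": "legacy-orders", "Encrypted": True, "KmsKeyId": PROD_KEY},
]


def audit_instances(instances, allowed_keys):
    """Return (identifier, problem) pairs for instances that block or complicate cutover."""
    findings = []
    for inst in instances:
        ident = inst["DBInstanceIdentifier"]
        if not inst.get("StorageEncrypted", False):
            if inst.get("ReadReplicaSourceDBInstanceIdentifier"):
                # RDS will not attach an encrypted replica to an unencrypted source,
                # so the replica cannot be converted; it is recreated from the new instance.
                findings.append((ident, "unencrypted read replica of "
                                 f"{inst['ReadReplicaSourceDBInstanceIdentifier']}; "
                                 "recreate it from the encrypted instance after cutover"))
            else:
                findings.append((ident, "storage is unencrypted; cannot be modified in place, "
                                 "needs snapshot -> copy with --kms-key-id -> restore"))
        elif inst.get("KmsKeyId") not in allowed_keys:
            findings.append((ident, f"encrypted with unexpected key {inst.get('KmsKeyId')}"))
    return findings


def audit_snapshots(snapshots, allowed_keys):
    """Return (identifier, problem) pairs for snapshots that would not restore as intended."""
    findings = []
    for snap in snapshots:
        ident = snap["DBSnapshotIdentifier"]
        if not snap.get("Encrypted", False):
            findings.append((ident, "unencrypted snapshot; a restore from it is unencrypted, "
                             "copy it with --kms-key-id first"))
        elif snap.get("KmsKeyId") not in allowed_keys:
            findings.append((ident, f"encrypted with unexpected key {snap.get('KmsKeyId')}"))
    return findings


def ready_for_cutover(instances, new_identifier, expected_key):
    """True only if the restored instance exists, is available, is encrypted and uses expected_key."""
    for inst in instances:
        if inst["DBInstanceIdentifier"] == new_identifier:
            return bool(inst.get("DBInstanceStatus") == "available"
                        and inst.get("StorageEncrypted") is True
                        and inst.get("KmsKeyId") == expected_key)
    return False


if __name__ == "__main__":
    # Usage: pipe real output in, e.g.
    #   aws rds describe-db-instances | python audit.py instances
    #   aws rds describe-db-snapshots | python audit.py snapshots
    # With no argument the constructed sample is audited.
    if len(sys.argv) > 1:
        payload = json.load(sys.stdin)
        items = payload.get("DBInstances", payload.get("DBSnapshots", []))
        fn = audit_instances if sys.argv[1] == "instances" else audit_snapshots
        results = fn(items, {PROD_KEY})
    else:
        results = audit_instances(SAMPLE_INSTANCES, {PROD_KEY}) + \
            audit_snapshots(SAMPLE_SNAPSHOTS, {PROD_KEY})
    for ident, problem in results:
        print(f"{ident}: {problem}")
    print("cutover ready:", ready_for_cutover(SAMPLE_INSTANCES, "orders-encrypted", PROD_KEY))
```

Resolve the alias used on the CLI to the ARN the audit expects with `aws kms describe-key --key-id alias/rds-prod --query KeyMetadata.Arn --output text`; comparing the alias string against KmsKeyId in describe output never matches. Because RDS itself enforces that a replica's encryption state matches its source, the audit does not look for mismatched pairs; it looks for replicas of the old instance, which are the ones that silently stay unencrypted after cutover unless rebuilt.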
More Databases & Caching interview questions
- What is Amazon RDS, and what does it manage for you versus self-managed databases?
- What database engines does RDS support?
- What is the difference between RDS and Aurora?
- What is Multi-AZ in RDS, and how does automatic failover work?
- How long does an RDS Multi-AZ failover typically take, and what triggers it?
- What is the difference between Multi-AZ and a read replica?
- When would you use a read replica, and can it become a standalone database?
- Can a read replica be in a different region, and why would you do that?