← Back to Labs
Intermediate01:20:00

How to Encrypt an Unencrypted RDS DB Instance

Task 1Task 2Task 3Task 4Task 5Task 6Task 7Task 8Task 9
Task 1

Task 1: Sign in to AWS Management Console

↑ Top
  1. Click on the Open Console button, and you will get redirected to AWS Console in a new browser tab.
  2. On the AWS sign-in page, Leave the Account ID as default. Never edit/remove the 12 digit Account ID present in the AWS Console. otherwise, you cannot proceed with the lab. Now copy your User Name and Password in the Lab Console to the IAM Username and Password in AWS Console and click on the Sign in button.
  3. On the AWS sign-in page,
  4. Leave the Account ID as default. Never edit/remove the 12 digit Account ID present in the AWS Console. otherwise, you cannot proceed with the lab.
  5. Now copy your User Name and Password in the Lab Console to the IAM Username and Password in AWS Console and click on the Sign in button.
  6. Once Signed In to the AWS Management Console, Make the default AWS Region as US East (N. Virginia) us-east-1.
Task 2

Task 2: Create an RDS DB Instance (without enabling the Encryption)

↑ Top
  1. Navigate to the Services menu at the top left corner and click on RDS present under the Database section.
  2. Select the Database from the left panel.
  3. Click on Create Database and you are navigated to the page where you will provide all the required details to create a MySQL database.
  4. Task 2: Create an RDS DB Instance (without enabling the Encryption)
  5. On the page, click on the option Standard create a method for our lab requirement.
  6. Task 2: Create an RDS DB Instance (without enabling the Encryption)
  7. In the Engine options, select MySQL engine type.
  8. Task 2: Create an RDS DB Instance (without enabling the Encryption)
  9. Edition: Leave it as default
  10. Under Templates, select the Dev/Test option. Availability option as Single-AZ DB instance deployment (1 Instance).
  11. Task 2: Create an RDS DB Instance (without enabling the Encryption)
  12. Under Settings, provide the following details.
  13. DB cluster identifier: Enter test-db
  14. Master username: Enter master
  15. Credentials management: select Self managed
  16. Master password and Confirm master password: Enter lab123
  17. Task 2: Create an RDS DB Instance (without enabling the Encryption)
  18. Under DB instance class, select Burstable classes (includes t classes) and select db.t3.micro
  19. Task 2: Create an RDS DB Instance (without enabling the Encryption)
  20. Storage type : General Purpose (SSD)
  21. Allocated storage : 20
  22. Uncheck Enable storage autoscaling.
  23. Task 2: Create an RDS DB Instance (without enabling the Encryption)
  24. Leave the Availability and durability as default.
  25. Under Connectivity, make sure that Public access is No. Leave everything else as default.
  26. Task 2: Create an RDS DB Instance (without enabling the Encryption)
  27. Uncheck Enhanced Monitoring option.
  28. Task 2: Create an RDS DB Instance (without enabling the Encryption)
  29. Expand the Additional configuration.
  30. Initial database name : Enter projectdb
  31. Leave DB parameter group and Option group as default.
  32. Uncheck Enable automatic backups.
  33. Uncheck Enable encryption option.
  34. Uncheck Deletion protection.
  35. Task 2: Create an RDS DB Instance (without enabling the Encryption)
  36. Click on Create Database to create the database. This process does take time between 5-10 minutes.
  37. Once the database is created the status changes to Available.
  38. Task 2: Create an RDS DB Instance (without enabling the Encryption)
  39. Click on the database and navigate to the Configuration tab. You can notice that the Encryption is not enabled, as we wanted it to be.
  40. Task 2: Create an RDS DB Instance (without enabling the Encryption)
  41. If we select the database and go to modify it, we will not find an option to Encrypt the database.
Task 3

Task 3: Take a snapshot from the existing DB Instance

↑ Top
  1. Select the created DB Instance and click on Actions.
  2. Click Take snapshot from the options.
  3. Task 3: Take a snapshot from the existing DB Instance
  4. Give a name to the snapshot, test-snapshot-01 and click on the Take snapshot button.
  5. Task 3: Take a snapshot from the existing DB Instance
  6. The snapshot creation takes 3-5 minutes. Refresh after some time, the snapshot creation status will be available.
  7. Task 3: Take a snapshot from the existing DB Instance
Task 4

Task 4: Make a copy of the snapshot and encrypt it

↑ Top
  1. It is not possible to encrypt the snapshot in this stage. We need to encrypt the snapshot while taking a copy of it.
  2. Under the Manual snapshots, select the created snapshot and click on Actions.
  3. Click Copy snapshot from the options.
  4. Task 4: Make a copy of the snapshot and encrypt it
  5. Under settings, provide the following details.
  6. New DB Snapshot Identifier: Enter test-snapshot-encrypted
  7. Destination Region: Select US East (N.Virginia)
  8. Under Encryption, check Enable Encryption. Leave the master key as default.(IMPORTANT)
  9. Task 4: Make a copy of the snapshot and encrypt it
  10. Click on the Copy snapshot button. The snapshot will be created within 3 - 5 minutes.
  11. Task 4: Make a copy of the snapshot and encrypt it
Task 5

Task 5: Restore DB Instance from the encrypted snapshot

↑ Top
  1. Click on the encrypted snapshot and click on Actions.
  2. Click on Restore snapshot from the options.
  3. Task 5: Restore DB Instance from the encrypted snapshot
  4. Under Availability and Durability select Single DB Instance zone
  5. Task 5: Restore DB Instance from the encrypted snapshot
  6. Settings, enter the name of DB Instance as test-db-encrypted.
  7. Make the other settings exactly as the original DB Instance.
  8. Under the DB instance class, select Burstable classes (including t classes) and select db.t3.micro
  9. Task 5: Restore DB Instance from the encrypted snapshot
  10. Under Encryption, you can see the Enable Encryption is enabled and cannot make changes since the snapshot is encrypted.
  11. Task 5: Restore DB Instance from the encrypted snapshot
  12. Leave DB parameter group and Option group as default.
  13. Click on Restore DB Instance button. The database creation takes around 5-10 minutes.
  14. Task 5: Restore DB Instance from the encrypted snapshot
Task 6

Task 6: Change the name of the original DB Instance

↑ Top
  1. We have to make sure that the Endpoint of the restored DB Instance should be the same as the original DB Instance.
  2. To do so, we have to change the names of the DB Instances as the names are unique.
  3. Select the original DB Instance and click on Modify.
  4. Task 6: Change the name of the original DB Instance
  5. Change the DB Instance Identifier to test-db-unencrypted.
  6. Task 6: Change the name of the original DB Instance
  7. Leave everything as default and click on Continue.
  8. Verify the new values of the DB Instance Identifier and the Endpoint.
  9. Under Scheduling of modifications, select Apply Immediately and click on Modify DB Instance button.
  10. Task 6: Change the name of the original DB Instance
  11. It might take some time to reboot the DB Instance. Press ctrl+R if you are not able to see the changes.
  12. Task 6: Change the name of the original DB Instance
Task 7

Task 7: Change the name of the Restored DB Instance to the original DB Instance name

↑ Top
  1. Select on the restored database and click on Modify.
  2. Task 7: Change the name of the Restored DB Instance to the original DB Instance name
  3. Change the DB Instance Identifier to test-db.
  4. Task 7: Change the name of the Restored DB Instance to the original DB Instance name
  5. Leave everything as default and click on Continue.
  6. Verify the new values of the DB Instance Identifier and the Endpoint.
  7. Under Scheduling of modifications, select Apply Immediately and click on Modify DB Instance button.
  8. Task 7: Change the name of the Restored DB Instance to the original DB Instance name
  9. It might take some time to reboot the DB Instance. Press ctrl+R if you are not able to see the changes.
  10. Task 7: Change the name of the Restored DB Instance to the original DB Instance name
  11. Once the database is modified, click and open test-db i.e, the encrypted DB Instance.
  12. Click on the database and navigate to the Configuration tab. You can notice that the Encryption is enabled.
  13. Task 7: Change the name of the Restored DB Instance to the original DB Instance name
Task 8

Task 8: Delete the unencrypted RDS DB Instance and snapshot

↑ Top
  1. Since we have the encrypted DB Instance, we shall delete the unencrypted DB Instance and the snapshot associated.
  2. Click on Databases present to the left of the screen.
  3. Select the Unencrypted DB Instance (i.e test-db-unencrypted) and click on Actions.
  4. Task 8: Delete the unencrypted RDS DB Instance and snapshot
  5. Click on the Delete option.
  6. Uncheck the Create final snapshot option.
  7. Check the Acknowledge box.
  8. Confirm the deletion by entering delete me and click on delete.
  9. Task 8: Delete the unencrypted RDS DB Instance and snapshot
  10. Click on the Snapshots on the left of your screen.
  11. Under Manual snapshots, select the unencrypted snapshot (i.e. test-snapshot-01) and click on Actions.
  12. Click on the Delete snapshot option.
  13. Task 8: Delete the unencrypted RDS DB Instance and snapshot
  14. Confirm by clicking on the Delete button.
  15. Task 8: Delete the unencrypted RDS DB Instance and snapshot
  16. In this way, you can encrypt an unencrypted RDS DB Instance.
  17. Wait till both resources are completely deleted. This step is to avoid confusion in the validation report.
  18. Database encryption is a critical component of a comprehensive security strategy. It helps protect data from unauthorized access, complies with regulatory requirements, mitigates the impact of data breaches, enhances cloud security, builds trust with customers, and mitigates insider threats.
Task 9

Task 9: Validation Test

↑ Top
  1. Once the lab steps are completed, please click on the Validation button on the right-side panel.
  2. This will validate the resources in the AWS account and displays whether you have completed this lab successfully or not.
  3. Sample output :
  4. Task 9: Validation Test
  5. Click on Databases present to the left of the screen.
  6. Select the DB Instance and click on Actions.
  7. Click on the Delete option.
  8. Task 9: Validation Test
  9. Uncheck the Create final snapshot option.
  10. Check the Acknowledge box.
  11. Confirm the deletion by entering delete me and click on delete.
  12. Task 9: Validation Test
  13. The status changes to Deleting and the DB Instance gets deleted.
  14. You can proceed to further steps even if it is in a deleting state.
  15. Click on the Snapshots on the left of your screen. Under Manual snapshots, select the unencrypted snapshot and click on Actions.
  16. Click on the Delete Snapshot option.
  17. Task 9: Validation Test
  18. Confirm by clicking on the Delete button.
  19. Task 9: Validation Test
  20. You have created an unencrypted Amazon RDS DB Instance.
  21. You have taken the snapshot of the DB Instance.
  22. You have made a copy of the snapshot and encrypted it.
  23. You have restored the DB Instance with the copied snapshot.
  24. You have changed the names of the original and restored DB instances.
  25. You have made sure that the Endpoint of the restored database is the same as the originally created DB Instance.
  26. You have deleted the Unencrypted DB Instance and snapshot.
  27. Sign out of AWS Management Console.
  28. You have successfully completed the lab.
  29. Once you have completed the steps, click on End Lab from your lab lab console and wait till the process gets completed.
← Back to Labs