Ensure that your RDS database instances are using KMS CMK customer-managed keys rather than AWS managed-keys (default keys used by RDS when there are no customer keys available), in order to have more granular control over your data-at-rest encryption/decryption process.
When you create and use your own KMS CMK customer-managed keys to protect RDS database instances, you gain full control over who can use the keys and access the data encrypted on these instances (including any automated backups, Read Replicas and snapshots created from the instances). The AWS KMS service allows you to create, rotate, disable, enable, and audit CMK encryption keys for RDS. Note: RDS encryption with AWS KMS customer-managed keys is not available for all database instance types. The instance types that are currently supporting encryption are: db.t2.large, db.m3.medium to db.m3.2xlarge, db.m4.large to db.m4.10xlarge, db.r3.large to db.r3.8xlarge and db.cr1.8xlarge.
To determine if your RDS database instances are encrypted with CMK customer-managed keys, perform the following:
Since RDS encryption is an immutable setting that must be turned on at the creation time, to migrate a database from unencrypted to encrypted, the database must be backed up and restored onto a new one with the encryption flag enabled. To use your own KMS CMK customer-managed key to encrypt an existing RDS instance, perform the following: