Implementing a fall forward strategy from Amazon RDS for SQL Server Transparent Data Encryption (TDE) and Non-TDE Enabled databases to self-managed SQL Server
Database Blog
This article discusses how to implement a "fall forward" rollback strategy for migrating databases from Amazon RDS for SQL Server to a self-managed SQL Server instance. A fall forward approach replicates data from the migrated database to a third environment without impacting the source, allowing rollback if needed.
Specifically, the article covers:
- Overview of the fall forward rollback strategy
- Solution architecture diagram
- Prerequisites (RDS SQL Server instance, EC2 instance with SQL Server, AWS CLI, Python, etc.)
- Step-by-step guide for setting up the fall forward strategy:
- Creating S3 buckets for backups/logs and certificates
- Creating an IAM role and policy for S3 access
- Creating a KMS key for encryption
- Backing up and restoring TDE certificates (for encrypted databases)
- Backing up databases and transaction logs from RDS to S3
- Decrypting logs using a Python script and applying to self-managed SQL Server
- Cleanup steps to remove resources
The AWS News Feed is currently looking for gold sponsors. If you want to support the AWS community and reach a large audience of AWS professionals, consider sponsoring the AWS News Feed.
Related articles
Oct 22
2025
2025
Amazon RDS for SQL Server enables encrypting native backups using server-side encryption with AWS KMS keys (SSE-KMS)
Jan 24
2024
2024
Back up and restore transparent data encrypted databases across accounts in Amazon RDS for SQL Server
May 15
2024
2024
Encrypt your database connection using SSL encryption to Amazon RDS Custom for SQL Server
Jun 10
2025
2025
Cross-account migration of Amazon RDS for SQL Server with column-level encryption
The AWS News Feed is currently looking for silver sponsors. If you want to support the AWS community and reach a large audience of AWS professionals, consider sponsoring the AWS News Feed.