Options for changing AWS KMS encryption key for Amazon RDS databases
Database Blog
This article outlines five methods for changing AWS KMS encryption keys on Amazon RDS and Aurora databases, comparing effort, downtime, and engine support for each approach.
- Snapshot and restore: Low effort, minutes-to-hours downtime, supports all RDS engines
- AWS DMS: Medium effort, seconds-to-minutes downtime, supports all RDS engines
- Native database replication: Medium-to-high effort, seconds-to-minutes downtime, MySQL/MariaDB/PostgreSQL only
- Aurora cluster clones: Medium-to-high effort, minutes downtime, Aurora MySQL/PostgreSQL only
- Aurora read replicas: Low-to-medium effort, seconds-to-minutes downtime, Aurora MySQL/PostgreSQL only
- Two KMS key types: AWS managed (default aws/rds) and customer managed keys
- Monitor with CloudWatch and CloudTrail; implement AWS Config rules for compliance
- Retain original instance until confident in migration success; consider data retention policies
Choose the method based on downtime tolerance, database size, technical expertise, and engine capabilities. Test thoroughly in non-production environments before production implementation.
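One way to make the monitoring bullet concrete, as an added example that is not code from the blog post: the evaluation logic of an AWS Config custom rule that flags instances still using the old key, run offline over a constructed describe_db_instances-shaped response. The key ARNs, instance names and the choice of one expected customer managed key are assumptions.

```python
"""Compliance check: flag RDS instances that still use the old KMS key.

Added example, not from the AWS blog post. It models an AWS Config custom
rule's evaluation over a constructed describe_db_instances-style response so
it runs offline; in a real rule the same functions would be fed the result of
boto3's rds.describe_db_instances(). Key ARNs and instance names are made up.
"""

# Constructed: the customer managed key every instance should use after the
# migration, and the account's AWS managed aws/rds key the old instances used.
EXPECTED_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/11111111-aaaa-4bbb-8ccc-222222222222"
DEFAULT_RDS_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/33333333-dddd-4eee-8fff-444444444444"

# Constructed sample shaped like the DBInstances list of describe_db_instances.
SAMPLE_DB_INSTANCES = [
    {"DBInstanceIdentifier": "orders-new", "StorageEncrypted": True,
     "KmsKeyId": EXPECTED_KEY_ARN},
    {"DBInstanceIdentifier": "orders-old", "StorageEncrypted": True,
     "KmsKeyId": DEFAULT_RDS_KEY_ARN},
    {"DBInstanceIdentifier": "scratch", "StorageEncrypted": False},
]


def evaluate_instance(instance, expected_key_arn, default_key_arn):
    """Return (compliance_type, annotation) in AWS Config's vocabulary."""
    name = instance["DBInstanceIdentifier"]
    if not instance.get("StorageEncrypted", False):
        return "NON_COMPLIANT", f"{name}: storage is not encrypted at rest"
    key = instance.get("KmsKeyId", "")
    if key == expected_key_arn:
        return "COMPLIANT", f"{name}: uses the expected customer managed key"
    if key == default_key_arn:
        return "NON_COMPLIANT", f"{name}: still encrypted with the AWS managed aws/rds key"
    return "NON_COMPLIANT", f"{name}: encrypted with an unexpected key {key}"


def noncompliant_instances(instances, expected_key_arn, default_key_arn):
    """Identifiers of instances whose key migration is not finished."""
    return sorted(
        inst["DBInstanceIdentifier"]
        for inst in instances
        if evaluate_instance(inst, expected_key_arn, default_key_arn)[0] == "NON_COMPLIANT"
    )


if __name__ == "__main__":
    for inst in SAMPLE_DB_INSTANCES:
        print(*evaluate_instance(inst, EXPECTED_KEY_ARN, DEFAULT_RDS_KEY_ARN))
```

The same check applies to snapshots and read replicas created during the migration, since each carries its own KmsKeyId.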