Implementing Encryption at Rest for Amazon Aurora using CloudFormation

Data at Rest refers to data that is not moving. On the same lines, Encryption at Rest means protecting data that’s not moving through networks. Encryption is an important part of any data protection strategy. It plays a critical role to protect your sensitive data and meet your security requirements for regulatory compliance.

Amazon Aurora allows you to encrypt your databases using keys you manage through AWS Key Management Service (KMS). Encryption and decryption are handled seamlessly, so you don’t have to modify your applications to access your data.

An important thing to keep in mind is that the Encryption at Rest includes only the underlying storage for a DB instance, its automated backups, Read Replicas and snapshots. You will need to incorporate other end-to-end encryption techniques if you want to encrypt data inside your database.

Looking at the AWS Documentation available online, there are instructions available to implement Encryption at Rest four your RDS instance through the AWS Console —

Encryption at Rest AWSConsole
However I did not find any helpful guidance how to implement it using CloudFormation. In this article, I will share my experience implementing Encryption at Rest using AWS CloudFormation.

What is CloudFormation and why to use it?

CloudFormation is a tool that helps you to spin up AWS resources likes EC2 instances, S3 buckets, SQS, SNS, Database and more with minimal effort in no time.

You can create resources using the AWS Console, but it might be cumbersome and time taking. So for your development effort, if you want to automate the management of your AWS infrastructure across different environments,CloudFormation is your best bet.

Coding your infrastructure which can check into your source control gives you lot of flexibility and helps you to standardize your infrastructure across projects in your organization.

What are the changes required in the CloudFormation template?

Storage Encrypted –> Boolean
‘StorageEncrypted’ property needs to be enabled and mentioned under the Database Cluster resource.

KmsKeyId –> String
The ARN of the KMS key needs to be specified along with it.

“StorageEncrypted”: true,
“KmsKeyId”: { “Ref” : “EncryptionKeyArn”}

You can confirm that the encryption at rest is implemented by looking at the RDS Instance through the AWS Console –

Encryption Enabled

While working on this implementation, I also found a bug in the ‘StorageEncrypted‘ property. The AWS Documentation says that it’s a Boolean type. But it is not.
It cannot be set as ‘False’.

If you set the property to false in the CloudFormation template, the DatabaseCluster creation will fail stating —

To enable encryption at rest StorageEncrypted must be set to true’

So the way this works is either do not mention the property or set it to True.
I have reported this bug to the AWS Team and they will actionize based on the feedback.

How to manage Amazon RDS Encryption Keys?

You can manage keys used for Amazon RDS encrypted instances using the AWS Key Management Service (AWS KMS) in the IAM console.

AWS KMS is a service which enables you to create and use the encryption keys to protect your data.

What is the cost for implementing Encryption at Rest?

Encryption at rest is available at no additional cost in all Amazon regions. AWS KMS usage is billed at standard rates. There is no charge for the encryption; you will be charged for the calls that Aurora DB makes to AWS KMS.

What are the limitations for implementing Encryption at Rest?

You can only enable encryption for an Amazon RDS DB instance when you create it, not after the DB instance is created.

In my case, I had to delete the database stack and create it back again with encryption enabled. Using MySQL Workbench, I took a backup of the database schema and data before deleting the database stack. Once I confirmed that the Encryption at Rest was enabled, I restored the backup script and got the database to the initial state.

How to export your MySQL schema and data before dropping the database?

You can use the ‘Data Export‘ wizard in MySQLWorkbench to export the schema and data to a separate file in your local machine —

You can refer the below articles for additional information –

Encrypting Amazon RDS Instance
Are you implementing Encryption at Rest for your AWS Databases and facing any issues? Please add a comment below and I will be happy to assist.

Categories: Amazon Aurora, AWS

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: