How can I change the encryption key used by my Amazon RDS DB instances and DB snapshots?

2 minute read

I want to update the encryption key used by my Amazon Relational Database Service (Amazon RDS) DB instances and DB snapshots so that they use a new encryption key.


You can't change the encryption key used by an Amazon RDS DB instance. However, you can create a copy of the RDS DB instance, and then choose a new encryption key for that copy.

Note: Data in unlogged tables might not be restored using snapshots. For more information, review Best practices for working with PostgreSQL.

To create a copy of an RDS DB instance with a new encryption key, do the following:

  1. Open the Amazon RDS console.
  2. In the navigation pane, choose Databases.
  3. Choose the DB instance for which you want to create a manual snapshot.
  4. Create a manual snapshot for your DB instance.
  5. In the navigation pane, choose Snapshots.
  6. Select the manual snapshot that you created.
  7. Choose Actions, and then choose Copy Snapshot.
  8. Under Encryption, select Enable Encryption.
  9. For AWS KMS Key, choose the new encryption key that you want to use.
  10. Choose Copy snapshot.
  11. Restore the copied snapshot.

The new RDS DB instance uses your new encryption key.

Confirm that your new database has all necessary data and your application is using the new database. When you no longer need the old RDS DB instance, you can delete the instance.

Related information

Encrypting Amazon RDS resources

Backing up and restoring an Amazon RDS DB instance