AWS rolls out encryption options for Amazon RDS using MySQL, PostgreSQL and Oracle database instances

Posted on by

Amazon Web Services

Amazon Web Services took steps to make it easier for users to encrypt data at rest in Amazon Relational Database Service (RDS) database instances running MySQL, PostgreSQL and Oracle Database.

Earlier users to choose between RDS for Oracle Database which adopted AWS-managed keys for Oracle Enterprise Edition (EE) and RDS for SQL Server which used AWS-managed keys for SQL Server Enterprise Edition (EE).

Apart from these possibilities, AWS added RDS for MySQL which adopts customer-managed keys using AWS Key Management Service (KMS), RDS for PostgreSQL which uses customer-managed keys using AWS KMS, and RDS for Oracle Database which uses customer-managed keys for Oracle Enterprise Edition using AWS CloudHSM.

For all of the database engines and key management options, encryption (AES-256) and decryption are applied automatically and transparently to RDS storage and to database snapshots. Users need not make any changes to code or operating model in order to benefit from this important data protection feature.

Launched last year at AWS re:Invent, AWS KMS offers seamless, centralized control over encryption keys. It was designed to help implement key management at enterprise scale with facility to create and rotate keys, establish usage policies, and to perform audits on key usage.

AWS KMS is a managed service which helps create and control the encryption keys used to encrypt data, and adopts Hardware Security Modules (HSMs) to protect the security of keys. AWS Key Management Service is integrated with other AWS services including Amazon EBS, Amazon S3, Amazon RDS, Amazon Redshift, and Amazon Elastic Transcoder. AWS Key Management Service is also integrated with AWS CloudTrail to provide users with logs of all key usage to help meet regulatory and compliance needs.

Users can enable the feature and start to use customer-managed keys for RDS database instances running MySQL or PostgreSQL with a couple of clicks when creating a new database instance. Then, turn on enable encryption and choose the default (AWS-managed) key or create own using KMS and select it from the dropdown menu, and now start using customer-managed encryption for MySQL or PostgreSQL database instances.

CloudHSM is now integrated with Amazon RDS for Oracle Database. This allows users to maintain sole and exclusive control of the encryption keys in CloudHSM instances when encrypting RDS database instances using Oracle Transparent Data Encryption (TDE).

The AWS CloudHSM service helps meet corporate, contractual and regulatory compliance requirements for data security by using dedicated Hardware Security Module (HSM) appliances within the AWS cloud. With CloudHSM, users can control the encryption keys and cryptographic operations performed by the HSM. The AWS CloudHSM service protects encryption keys within HSMs designed and validated to government standards for secure key management. Users can generate, store and manage the cryptographic keys used for data encryption. AWS CloudHSM helps to comply with key management requirements without losing application performance.

Read more:
AWS rolls out encryption options for Amazon RDS using MySQL, PostgreSQL and Oracle database instances

Related Posts
This entry was posted in $1$s. Bookmark the permalink.