Python script to encrypt unencrypted AWS RDS instances.
Currently, AWS RDS instances are limited when it comes to enabling encryption for existing instances. One must create an encrypted snapshot copy of the active instance, restore a new instance with said snapshot then redirect the active unencrypted instance to the newly created encrypted instance. This process can be confusing and time consuming, so why not automate it? 😁
NOTE: This script requires the RDS instance to be in the `available` state; due to AWS limitations a snapshot copy cannot be taken while the instance is in any other state. It is recommended to ensure no data is being written to the DB at the time of the snapshot, as any data written after that point will be lost.
This script relies on two things being configured prior to executing:

- A local `~/.aws/credentials` file with the relevant access keys and profile names for the different environments. This can be easily created using the AWS CLI by running `aws configure`.
- The relevant environment variables are set:

```bash
export PROFILE_NAME="prod" # Profile name used to interact with RDS.
export RDS_KMS_ID="arn:aws:kms:us-east-1:123456:key/abcd-efgh-ijkl-mnop-qrstuvwxyz" # KMS key used to encrypt RDS snapshots.
```

Install the dependencies and run the script:

```bash
pip3 install -r requirements.txt
python3 src/main.py
```
Sample output should be similar to:

```
Instance: abc Encrypted: False
Instance: cde Encrypted: True
Instance: fgh Encrypted: False
Detected 2 unencrypted RDS instances!
Starting RDS encryption process...
Creating snapshot for: abc
Creating encrypted snapshot from unencrypted copy
...
```
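The snapshot, encrypted-copy, restore flow described above, written out as an added example (not the project's own `src/main.py`): it pages through `describe_db_instances` looking for `StorageEncrypted == False`, refuses to snapshot an instance that is not `available`, passes the KMS key on `CopyDBSnapshot` (the step where encryption actually happens), and checks the restored instance really is encrypted before reporting success. The `rds` argument is a boto3 RDS client; `FakeRDS` is a constructed offline stand-in seeded with the three instances from the sample output, and the `-plain`/`-enc`/`-encrypted` naming is an assumption.

```python
def unencrypted_instances(rds):
    """IDs of instances whose storage is not encrypted, following describe_db_instances' Marker pagination."""
    found, marker = [], None
    while True:
        page = rds.describe_db_instances(**({"Marker": marker} if marker else {}))
        for db in page["DBInstances"]:
            print(f"Instance: {db['DBInstanceIdentifier']} Encrypted: {db['StorageEncrypted']}")
            if not db["StorageEncrypted"]:
                found.append(db["DBInstanceIdentifier"])
        marker = page.get("Marker")
        if not marker:
            return found

def encrypt_instance(rds, instance_id, kms_key_id):
    """Snapshot -> encrypted copy -> restore as '<id>-encrypted' (name is an assumption); returns the new id."""
    src = rds.describe_db_instances(DBInstanceIdentifier=instance_id)["DBInstances"][0]
    if src["DBInstanceStatus"] != "available":  # AWS rejects snapshots of instances that are not available
        raise RuntimeError(f"{instance_id} is {src['DBInstanceStatus']}, not available")
    snap, enc_snap, new_id = f"{instance_id}-plain", f"{instance_id}-enc", f"{instance_id}-encrypted"
    rds.create_db_snapshot(DBInstanceIdentifier=instance_id, DBSnapshotIdentifier=snap)
    rds.get_waiter("db_snapshot_available").wait(DBSnapshotIdentifier=snap)
    # Encryption happens here: CopyDBSnapshot with KmsKeyId yields an encrypted copy of the plain snapshot.
    rds.copy_db_snapshot(SourceDBSnapshotIdentifier=snap, TargetDBSnapshotIdentifier=enc_snap, KmsKeyId=kms_key_id)
    rds.get_waiter("db_snapshot_available").wait(DBSnapshotIdentifier=enc_snap)
    rds.restore_db_instance_from_db_snapshot(DBInstanceIdentifier=new_id, DBSnapshotIdentifier=enc_snap)
    rds.get_waiter("db_instance_available").wait(DBInstanceIdentifier=new_id)
    new = rds.describe_db_instances(DBInstanceIdentifier=new_id)["DBInstances"][0]
    if not new["StorageEncrypted"]:  # post-condition: never report success for an unencrypted restore
        raise RuntimeError(f"{new_id} was restored without encryption")
    return new_id

class FakeRDS:
    """Constructed stand-in for a boto3 RDS client, seeded with the three instances from the sample output."""
    def __init__(self):
        self.db = {"abc": False, "cde": True, "fgh": False}  # identifier -> StorageEncrypted
        self.calls = []
    def describe_db_instances(self, DBInstanceIdentifier=None, **_):
        ids = [DBInstanceIdentifier] if DBInstanceIdentifier else sorted(self.db)
        return {"DBInstances": [{"DBInstanceIdentifier": i, "StorageEncrypted": self.db[i],
                                 "DBInstanceStatus": "available"} for i in ids]}
    def get_waiter(self, _name): return self  # wait() below returns immediately
    def wait(self, **_): pass
    def __getattr__(self, api):  # create_db_snapshot, copy_db_snapshot, restore_db_instance_from_db_snapshot
        def call(**kw):
            self.calls.append((api, kw))
            if api == "restore_db_instance_from_db_snapshot":  # restored storage is encrypted only if the copy used a key
                self.db[kw["DBInstanceIdentifier"]] = any(a == "copy_db_snapshot" and k.get("KmsKeyId") for a, k in self.calls)
            return {}
        return call
```

With boto3 installed, `encrypt_instance(boto3.session.Session(profile_name=PROFILE_NAME).client("rds"), "abc", RDS_KMS_ID)` runs the same flow against a real account; the waiters block until each snapshot and the restored instance are ready.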
This project is licensed under the MIT License - see the LICENSE file for details.