Compliance

Encrypt AWS databases at rest

One capability across RDS, Aurora, DocumentDB, Neptune, Redshift, DynamoDB, ElastiCache and OpenSearch: make sure the data on disk, and in every snapshot it produces, is encrypted with a KMS key rather than stored in the clear.

14 min·10 sections·AWS

Last reviewed 16 June 2026

Remediates AWS Security Hub: DocumentDB.1 DynamoDB.3 ElastiCache.4 Neptune.1 Neptune.6 Opensearch.1 Opensearch.3 RDS.3 RDS.4 Redshift.10

Encrypting databases at rest: the basics

Why every managed database engine has its own version of the same finding

Every managed database on AWS stores its data on disk, and "at rest" encryption scrambles those bytes with an AWS KMS key so a stolen snapshot, a mis-shared backup or a compromised volume reveals ciphertext instead of customer records. Each engine expresses the same property in its own shape: RDS.3 and RDS.4 cover RDS instances and their snapshots, DocumentDB.1 covers DocumentDB clusters, Neptune.1 and Neptune.6 cover Neptune clusters and snapshots, Redshift.10 covers Redshift clusters, DynamoDB.3 covers DynamoDB tables that should use a customer-managed key, ElastiCache.4 covers replication-group storage, and Opensearch.1 and Opensearch.3 cover OpenSearch domain storage and node-to-node traffic. Different APIs, identical risk: a data store readable on disk.

AWS Security Hub turns each engine into its own control, so a single estate can fail ten or more at-rest encryption checks at once. They look like separate problems on the report, but they are one capability: prove that the bytes on disk for every database, and every snapshot derived from it, are encrypted under a key you can govern. The bytes themselves are protected with AES-256; the value is in the KMS key boundary, which lets you authorise, log and revoke access to the data without touching the database itself.

The trait that makes this capability sharp is that, for most of these engines, encryption is chosen at creation and cannot be toggled on afterwards. RDS, DocumentDB, Neptune and OpenSearch all bind encryption to the storage allocation, so there is no modify flag to flip. The supported path is to snapshot, copy the snapshot with a KMS key (the copy is where encryption is applied), restore a new encrypted cluster and cut over. Redshift is the exception that proves the rule: modify-cluster runs a background migration. Either way, the cost of fixing it only grows as the database accumulates data, which is the whole argument for catching it early.

In this lesson you will learn how AWS expresses encryption at rest across its database engines, why most of them make encryption immutable at creation time, the snapshot-copy-restore migration that is the only supported fix for the immutable engines (and the in-place migration that Redshift offers instead), and how to stop new unencrypted databases from ever appearing. The Controls this lesson covers section lists every Security Hub control in this capability, each linking to a deep page with the exact check and a copy-and-paste fix.

Fun fact

The setting you can never change your mind on

For most AWS database engines, at-rest encryption is one of the very few settings that is genuinely immutable for the life of the resource. You choose it at create time and that is it: there is no modify-db-instance flag for RDS storage encryption, no in-place enable for DocumentDB or Neptune, and no way to encrypt an existing OpenSearch domain. The architectural reason is that encryption is applied at the storage layer beneath the engine, so flipping it would mean rewriting every block in place, which the services simply do not offer. The only way across the boundary is to snapshot, copy the snapshot with the KMS key you want, and restore a brand-new resource from the encrypted copy. Redshift is the notable exception, where modify-cluster runs a background migration for you, but it is still a migration, not a toggle.

Finding unencrypted databases across an estate

Priya is the platform lead at a scale-up preparing for its first SOC 2 audit. Security Hub shows at-rest encryption failures spread across RDS, Redshift and OpenSearch in three accounts that pre-date the team's current encryption standard.

Rather than work the findings engine by engine, she starts by listing what is actually unencrypted across the database fleet, so she can separate the regulated-data stores that need migrating first from the throwaway ones that can simply be deleted.

Start with RDS, the most common and highest-impact failure. The StorageEncrypted field is exactly what RDS.3 evaluates.

$ aws rds describe-db-instances --query 'DBInstances[?StorageEncrypted==`false`].[DBInstanceIdentifier,Engine]' --output table

-------------------------------------------

| prod-orders-db | postgres |

| prod-billing-db | mysql |

| analytics-staging | postgres |

-------------------------------------------

# Two production databases hold regulated data. They migrate first.

Inventory first: prioritise the regulated-data stores, not the order the report lists them.

How AWS encrypts database storagedeep dive

Across these engines, encryption at rest is an AES-256 envelope scheme keyed by KMS, applied at the storage layer beneath the database. A per-resource data key encrypts the data blocks, and that data key is itself wrapped by a KMS key, either the AWS-managed key for the service (such as aws/rds or aws/es) or a customer-managed key you specify. Only the bottom keys ever touch the data; the upper tiers exist so that key rotation and access revocation happen without re-encrypting terabytes of blocks. Revoke access to the KMS key and the whole chain becomes unusable, which is the access-management property the controls are really about.

Snapshots inherit the encryption state of their source. An unencrypted RDS, Redshift or Neptune instance produces unencrypted snapshots, and those snapshots can be copied cross-region or shared cross-account, so plaintext copies propagate far from the original and persist long after the source is gone. Encrypting the source going forward does not retroactively encrypt snapshots already taken, which is why RDS.4, Neptune.6 and the snapshot-sharing controls are tracked separately: you have to find and re-encrypt or delete the legacy snapshots as their own step.

Security Hub evaluates these through AWS Config rules such as rds-storage-encrypted, redshift-cluster-kms-enabled and elasticsearch-encrypted-at-rest. Some are change-triggered (they clear shortly after a fixed resource registers) and some are periodic (they clear on the next scheduled evaluation, not instantly), which matters when you are gathering audit evidence against a deadline. Two engines deserve a note: DynamoDB is always encrypted, so DynamoDB.3 specifically wants a customer-managed key rather than the default; and Opensearch.3 covers node-to-node encryption, the in-cluster traffic between data nodes, which is distinct from on-disk storage but lives in the same hardening pass.

What is the impact of leaving a database unencrypted?

The direct impact is data exposure. An unencrypted database stores customer records, credentials, financial data and PII as plaintext on the underlying disks and in every backup and snapshot it produces. If any of those artefacts leaks (a snapshot shared to the wrong account, a backup copied to an unsecured bucket, a storage-layer compromise) the data is immediately readable. Encryption at rest is the control that turns that worst case from a reportable breach into a non-event, because the leaked copy is ciphertext without the KMS key.

The compliance impact is where these controls earn their weight. Encryption of data at rest is an explicit requirement in PCI DSS, a near-universal expectation in SOC 2 reports, and a control under HIPAA, ISO 27001 and most NIST-based regimes (SC-13 and SC-28). A single unencrypted production database holding regulated data is the kind of finding an auditor circles, that delays a certification, or that has to be disclosed in a vendor security questionnaire. The Medium severity that Security Hub assigns most of these controls understates the regulatory consequence.

The structural impact is the immutability constraint itself. Because most engines cannot toggle encryption on later, every unencrypted database is a standing liability that grows more painful to fix as it accumulates data and dependencies. A 20 GB database is a quick migration; a 4 TB cluster with tight uptime is a planned project. The cost of inaction is not a monthly dollar figure: it is the compounding difficulty of the eventual, unavoidable migration, plus every unencrypted snapshot that piles up in the meantime.

How do you encrypt the database estate safely?

Work the capability as one loop rather than chasing individual engine findings. The order matters: inventory and prioritise by data sensitivity, migrate the immutable engines via snapshot-copy-restore (or in place for Redshift), clean up legacy unencrypted snapshots, then enforce encryption by default so the gap cannot reopen.

1. Inventory every database and prioritise by data sensitivity

List every RDS, Aurora, DocumentDB, Neptune, Redshift, DynamoDB, ElastiCache and OpenSearch resource with its encryption flag, engine, size and the classification of what it holds. Do not treat all findings equally: an unencrypted throwaway dev database may simply be deleted, while a production database with customer records is the urgent one. Sort by data sensitivity and uptime sensitivity so the migration effort goes where the exposure actually is.

2. Migrate the immutable engines: snapshot, copy with a KMS key, restore

For RDS, DocumentDB, Neptune and OpenSearch there is no in-place toggle. Take a snapshot of the source (it is unencrypted), copy the snapshot passing a KMS key (the copy is where encryption is applied), then restore a new resource from the encrypted copy. Reapply the original parameter group, security groups and subnet group. For large databases, do the bulk restore ahead of time and schedule a short maintenance window for the final delta and the endpoint cutover. Only delete the old unencrypted resource after verifying the new one is healthy.

3. Use the in-place path where the engine offers one

Redshift is the exception: modify-cluster with --encrypted runs a background migration that provisions a new encrypted cluster and copies data across while the original stays readable, so plan it in a low-traffic window because write throughput dips. DynamoDB is always encrypted, so DynamoDB.3 is satisfied by updating the table to a customer-managed key, no migration needed. ElastiCache and the node-to-node OpenSearch control are configuration changes rather than data migrations. Match the path to the engine.

4. Clean up legacy snapshots and enforce encryption by default

Encrypting a cluster does not encrypt snapshots taken before the change, so find and delete or re-encrypt the legacy unencrypted snapshots before they are shared or copied. Then prevent recurrence: enable encryption-by-default where the engine supports it, and back it with a Service Control Policy or AWS Config rules (such as rds-storage-encrypted) that flag or deny creation of an unencrypted database. That converts these controls from a recurring cleanup chore into a one-time migration followed by a prevention guardrail.

# 1. Find unencrypted databases across engines (sample: RDS, Redshift, OpenSearch).
aws rds describe-db-instances \
  --query 'DBInstances[?StorageEncrypted==`false`].DBInstanceIdentifier' --output text
aws redshift describe-clusters \
  --query 'Clusters[?Encrypted==`false`].ClusterIdentifier' --output text

# 2. Immutable engine (RDS): snapshot, copy WITH a KMS key, restore the new instance.
SRC=prod-orders-db; KEY=alias/db-encryption
aws rds create-db-snapshot --db-instance-identifier $SRC --db-snapshot-identifier ${SRC}-snap
aws rds wait db-snapshot-completed --db-snapshot-identifier ${SRC}-snap
aws rds copy-db-snapshot \
  --source-db-snapshot-identifier ${SRC}-snap \
  --target-db-snapshot-identifier ${SRC}-snap-enc \
  --kms-key-id $KEY
aws rds wait db-snapshot-completed --db-snapshot-identifier ${SRC}-snap-enc
aws rds restore-db-instance-from-db-snapshot \
  --db-instance-identifier ${SRC}-enc --db-snapshot-identifier ${SRC}-snap-enc

# 3. In-place engine (Redshift): background migration, run in a maintenance window.
aws redshift modify-cluster --cluster-identifier analytics-prod \
  --encrypted --kms-key-id $KEY

# 4. Prevent recurrence: enforce encryption by default for new EBS-backed engines.
aws ec2 enable-ebs-encryption-by-default

Quick quiz

Question 1 of 5

Security Hub shows at-rest encryption failures across RDS, DocumentDB, Neptune and OpenSearch. What is the most efficient way to think about them?

Keep learning

Go deeper on how at-rest encryption works across the database engines in this capability.

You can now treat database encryption at rest as one capability rather than a scatter of engine-specific findings: inventory every store, prioritise the regulated-data ones, migrate the immutable engines via snapshot-copy-restore (or modify in place for Redshift and DynamoDB), clean up legacy unencrypted snapshots, and enforce a default so the gap cannot reopen. The Controls this lesson covers section below links every control in this group to its deep page and fix.

Back to the library

Encrypting databases at rest: the cost and risk view

A near-free capability whose only real cost is the migration if you leave it too late

Encryption at rest is one of the rare controls where the AWS spend is essentially zero. AES-256 is free, encrypted snapshots cost the same per GB as unencrypted ones, and the only recurring charge is a customer-managed KMS key at roughly a dollar a month. There is no savings line to chase here, which is precisely why it gets deprioritised and precisely why it should not be: the relevant ledger is risk, not cost.

The genuine cost lives in the migration, and it is front-loaded by immutability. Because most engines cannot be encrypted in place, every unencrypted database is a latent migration project whose size scales with the data it holds. A small database is a few engineering hours; a multi-terabyte production cluster with tight uptime is a planned, change-managed cutover. The lever finance controls is timing: the earlier the migration, the cheaper it is, and there is no scenario where waiting makes it cheaper.

Frame each failing control as a line on the risk register, ordered by data sensitivity rather than by control count. An unencrypted production database holding regulated records carries a far higher expected loss than an unencrypted throwaway dev cluster, yet both show up as one red finding. The metric worth tracking is the count of unencrypted databases that hold regulated or sensitive data, trending to zero, each with a named owner and a committed date.

This lesson is for the finance partner who sees a cluster of database encryption findings on the security report and wants to know what the right response is and what it costs. It covers why the encryption itself is essentially free, why the real expense is a one-time migration that gets pricier the longer it is deferred, how to prioritise by data sensitivity rather than control count, and the guardrail that converts a recurring cleanup into a one-time fix.

Fun fact

The setting you can never change your mind on

How a finance partner frames a wall of unencrypted-database findings

Priya is the finance partner on the SOC 2 programme. Security Hub returns at-rest encryption failures across RDS, Redshift and OpenSearch in three older accounts. There is no savings line to chase here, because the encryption itself is essentially free, so her first move is to reframe the work as liability discharge rather than cost reduction and to ask which of the failing stores actually hold regulated data.

The team pulls the list with engine, size and data classification. Two production RDS databases hold orders and billing records, the OpenSearch domain indexes customer tickets, and a staging Postgres instance is a throwaway that can simply be deleted. Priya separates the regulated subset from the noise, then makes the timing argument that finance is uniquely placed to make: because most engines cannot be encrypted in place, every unencrypted database is a latent migration whose cost only grows as it accumulates data, so the cheapest possible moment to migrate is now. Her output for the finance pack is one line: three regulated stores migrate this quarter on a committed timeline, the staging instance is deleted, and an encryption-by-default standard ships alongside so the same migration is never funded twice.

Why database encryption belongs on the risk register

The cost model here is asymmetric in a way that is rare for security work. Encryption costs essentially nothing in AWS spend, while leaving a database unencrypted creates an unbounded tail risk: a future leak of a store holding regulated data carries notification, forensics, legal and reputational costs that run into six and seven figures. There is no savings column to populate, so do not manufacture one; the right framing is liability discharge, not cost reduction.

Because the fix is a migration that grows more expensive with delay, this is one of the clearest fix-now cases on the whole compliance backlog. The finance role is to attach data sensitivity to each failing database, fund the migrations for the regulated subset on a committed timeline, and insist that an encryption-by-default standard ships alongside so the same migration is not funded again next quarter. Track the regulated-data count, not the raw total.

What finance can actually do about this

Finance cannot run a database migration, but it can make sure the right databases get migrated on a committed timeline and that the gap does not reopen. Three levers, used at the monthly risk-and-cost review.

1. Track the regulated-data subset, not the raw count

Ask for the count of unencrypted databases that hold regulated or sensitive data, separately from the total. The total is noise; the regulated subset carries the audit and breach risk and is the number that has to trend to zero. Put it on the risk pack as a standing line so it cannot quietly grow back.

2. Require an owner and a committed date per regulated database

Because the fix costs nothing to run, these migrations get perpetually deprioritised in favour of work that saves money. The counter is governance: every unencrypted regulated database gets a named owner and a committed migration date, reviewed monthly. The engineering cost grows the longer the database keeps accumulating data, so earlier is cheaper.

3. Make encryption-by-default a condition of closing the item

Insist that the account-level default and the preventive Config rule or SCP are switched on as part of closing this work. Without the guardrail, every migration you fund is undone by the next database someone creates the old way. Treat the guardrail as the deliverable that makes the spend a one-time cost rather than a recurring one.

Quick quiz

Question 1 of 5

Why is encryption at rest described as a control with no savings line to chase, where the relevant ledger is risk rather than cost?

Keep learning

Go deeper on how at-rest encryption works across the database engines in this capability.

You have finished the finance view of database encryption at rest. You know the AWS spend is effectively zero (free AES-256, same per-GB snapshot cost, a roughly one-dollar-a-month KMS key), that the only real expense is a migration that gets pricier the longer it is deferred, and that the right levers are tracking the regulated-data subset, using timing to your advantage, and making encryption-by-default the condition of closing the work. Next time these findings land, you will fund the regulated migrations now and ship the guardrail so they are never funded twice.

Back to the library

Encrypting databases at rest: the headline

Whether a leaked database backup would be readable customer data or useless ciphertext

Databases are where the most concentrated, most sensitive data in the estate ends up: customer records, financial history, analytics. This capability answers one binary question per database: if a backup of it leaked tomorrow, would it be readable? For an unencrypted store the answer is yes, and the report shows the gap as a scatter of separate findings across many engines.

The fix is effectively free in AWS terms, with one catch that matters at the leadership level: for most engines it cannot be retrofitted in place, so each unencrypted database needs an owned, dated migration rather than a config change. That makes the trend and shape of the list more important than the count: a short, shrinking list with regulated databases actively migrating and a default that prevents new ones is a healthy posture.

This is a governance decision, not a budget one. The defensible end state is that no database holding regulated or customer data is unencrypted, every exception has an owner and a date, and an account-level default plus a preventive guardrail stops a new database from reintroducing the gap.

A short read for the leader who needs to know what an unencrypted database exposes, why closing it is a governance decision rather than a budget one, and what a defensible end state looks like across the estate: regulated data encrypted by default, every exception owned and dated, and a guardrail that stops the gap regrowing.

Fun fact

The setting you can never change your mind on

What it looks like when encryption at rest is a standard, not a backlog item

After a vendor security questionnaire stalled a six-figure deal on a single line (was the customer database encrypted at rest), the CEO asked the CTO a blunt question: if a backup of any of our databases leaked tomorrow, would it be readable? The honest answer was that several older databases would be, because there had never been a stated standard and nobody owned the gap.

The response was to set encryption at rest as a non-negotiable standard for any database holding regulated or customer data, and to treat the existing findings as policy violations with owners and dates rather than backlog tickets. Each regulated database got a named owner and a committed migration date, the legacy unencrypted snapshots were cleaned up, and an account default plus a preventive guardrail was switched on so a new unencrypted database could not be created. A quarter later the questionnaire answer was a clean yes, and the more important answer (could this gap reopen) was no, because the platform itself now blocks it.

Why this is a board-level risk

Nearly every major breach involving stored data came back to the same root cause: a data store that could be read without a key the organisation controlled. Encrypting databases at rest makes that root cause structurally difficult, and an account default plus a preventive guardrail makes it close to impossible to reintroduce. The cost of getting it wrong is large and well documented; the cost of getting it right is engineering time plus a small KMS fee.

The leadership question is not did we fix that one cluster, but why was an unencrypted database creatable at all. A short, shrinking list with regulated databases owned and dated signals a healthy posture; a long or growing one signals that databases are being created without an encryption standard and the org carries unquantified audit risk.

The leadership move on this category

The handle for an executive is not to fund a number down, but to set the standard and the guardrail that make unencrypted databases a closed question.

1. Set encryption at rest as a non-negotiable standard

State plainly that no database holding regulated or customer data runs unencrypted. That single standard reframes the existing findings from a backlog item to a policy violation with an owner and a date, which is what gets migrations scheduled rather than deferred.

2. Require an owner and a date on every exception

For any database not yet encrypted, ask for the person accountable and the date it will be done. Most encryption gaps persist because the fix is free to defer and nobody owns the deadline. Naming both closes that gap without any technical involvement.

3. Insist on the prevention guardrail as the real deliverable

Ask whether a new database can still be created unencrypted. If yes, the cleanup is temporary. The durable outcome is an account default and a preventive rule so the controls stay green on their own: that is the one-line confidence signal to ask for at the review.

Quick quiz

Question 1 of 5

What is the single binary question this capability answers per database at the leadership level?

Keep learning

Go deeper on how at-rest encryption works across the database engines in this capability.

Two takeaways: an unencrypted database answers yes to the question would a leaked backup be readable, and the right metric is not the count but the shape (a short, shrinking list with regulated databases owned, dated and actively migrating, and a default that blocks new ones). The fix is near-free; the durable outcome is an account default plus a preventive guardrail so the gap cannot reopen on its own.

Back to the library

Controls this lesson covers

One capability, many AWS Security Hub controls. This lesson is the shared playbook; each control below keeps its own deep page with the exact check, severity and a copy-and-paste fix.

Neptune

Opensearch

RDS

Redshift

Redshift.10 Medium Redshift clusters should be encrypted at rest

Part of the learning path Encrypt everything

Encrypt AWS databases at rest

Encrypting databases at rest: the basics

The setting you can never change your mind on

Finding unencrypted databases across an estate

How AWS encrypts database storagedeep dive

What is the impact of leaving a database unencrypted?

How do you encrypt the database estate safely?

1. Inventory every database and prioritise by data sensitivity

2. Migrate the immutable engines: snapshot, copy with a KMS key, restore

3. Use the in-place path where the engine offers one

4. Clean up legacy snapshots and enforce encryption by default

Quick quiz

Keep learning

Encrypting databases at rest: the cost and risk view

The setting you can never change your mind on

How a finance partner frames a wall of unencrypted-database findings

Why database encryption belongs on the risk register

What finance can actually do about this

1. Track the regulated-data subset, not the raw count

2. Require an owner and a committed date per regulated database

3. Make encryption-by-default a condition of closing the item

Quick quiz

Keep learning

Encrypting databases at rest: the headline

The setting you can never change your mind on

What it looks like when encryption at rest is a standard, not a backlog item

Why this is a board-level risk

The leadership move on this category

1. Set encryption at rest as a non-negotiable standard

2. Require an owner and a date on every exception

3. Insist on the prevention guardrail as the real deliverable

Quick quiz

Keep learning

Controls this lesson covers

DocumentDB

DynamoDB

ElastiCache

Neptune

Opensearch

RDS

Redshift

Related compliance lessons