AWS AmazonRDS documentation change
Summary
Updated documentation for Aurora encryption, including new default encryption behavior, key management options, and operational changes. Added details about AWS-owned keys, encryption timelines, and clarified limitations for encrypted resources.
Security assessment
The changes enhance documentation about encryption features but don't address a specific security vulnerability. Updates include new default encryption behavior (AWS-owned keys for clusters created after Feb 2026), expanded key management options (AWS-owned vs AWS-managed vs customer-managed keys), and clarified operational procedures for encryption management. While these improve security documentation, there's no evidence of patching a vulnerability.
Diff
diff --git a/AmazonRDS/latest/AuroraUserGuide/Overview.Encryption.md b/AmazonRDS/latest/AuroraUserGuide/Overview.Encryption.md index 519db6246..bd265bf4b 100644 --- a//AmazonRDS/latest/AuroraUserGuide/Overview.Encryption.md +++ b//AmazonRDS/latest/AuroraUserGuide/Overview.Encryption.md @@ -5 +5 @@ -Overview of encrypting Amazon Aurora resourcesEncrypting an Amazon Aurora DB clusterDetermining whether encryption is turned on for a DB clusterAvailability of Amazon Aurora encryptionEncryption in transitLimitations of Amazon Aurora encrypted DB clusters +Overview of encryption in Amazon Aurora resourcesEncrypting an Amazon Aurora DB clusterDetermining whether encryption is turned on for a DB clusterAvailability of Amazon Aurora encryptionEncryption in transitLimitations of Amazon Aurora encrypted DB clusters @@ -9 +9 @@ Overview of encrypting Amazon Aurora resourcesEncrypting an Amazon Aurora DB clu -Amazon Aurora can encrypt your Amazon Aurora DB clusters. Data that is encrypted at rest includes the underlying storage for DB clusters, its automated backups, read replicas, and snapshots. +Amazon Aurora protects your data both at rest and in transit—whether moving between on-premises clients and Amazon Aurora, or between Amazon Aurora and other AWS resources. Amazon Aurora encrypts all user data in your Amazon Aurora DB clusters including logs, automated backups, and snapshots. @@ -11 +11 @@ Amazon Aurora can encrypt your Amazon Aurora DB clusters. Data that is encrypted -Amazon Aurora encrypted DB clusters use the industry standard AES-256 encryption algorithm to encrypt your data on the server that hosts your Amazon Aurora DB clusters. After your data is encrypted, Amazon Aurora handles authentication of access and decryption of your data transparently with a minimal impact on performance. You don't need to modify your database client applications to use encryption. +After your data is encrypted, Amazon Aurora handles authentication of access and decryption of your data transparently with a minimal impact on performance. You don't need to modify your database client applications to use encryption. @@ -19 +19 @@ For encrypted and unencrypted DB clusters, data that is in transit between the s - * Overview of encrypting Amazon Aurora resources + * Overview of encryption in Amazon Aurora resources @@ -34 +34 @@ For encrypted and unencrypted DB clusters, data that is in transit between the s -## Overview of encrypting Amazon Aurora resources +## Overview of encryption in Amazon Aurora resources @@ -36 +36 @@ For encrypted and unencrypted DB clusters, data that is in transit between the s -Amazon Aurora encrypted DB clusters provide an additional layer of data protection by securing your data from unauthorized access to the underlying storage. You can use Amazon Aurora encryption to increase data protection of your applications deployed in the cloud, and to fulfill compliance requirements for encryption at rest. For an Amazon Aurora encrypted DB cluster, all DB instances, logs, backups, and snapshots are encrypted. For more information about the availability and limitations of encryption, see Availability of Amazon Aurora encryption and Limitations of Amazon Aurora encrypted DB clusters. +Amazon Aurora encrypted DB clusters provide an additional layer of data protection by securing your data from unauthorized access to the underlying storage. All new database clusters created on or after February 18, 2026 , in Amazon Aurora are encrypted at rest using industry standard AES-256 encryption. This encryption happens automatically in the background, securing your data without requiring any action from you. It also helps reduce the operational burden and complexity involved in protecting sensitive data. With encryption at rest, you can secure compliance-sensitive and security-critical applications against both accidental and malicious threats while meeting regulatory requirements. @@ -38 +38 @@ Amazon Aurora encrypted DB clusters provide an additional layer of data protecti -Amazon Aurora uses an AWS Key Management Service key to encrypt these resources. AWS KMS combines secure, highly available hardware and software to provide a key management system scaled for the cloud. You can use an AWS managed key, or you can create customer managed keys. +Amazon Aurora uses an AWS Key Management Service key to encrypt these resources. AWS KMS combines secure, highly available hardware and software to provide a key management system scaled for the cloud. When creating a new database cluster, Amazon Aurora uses Server-Side Encryption (SSE) with an [AWS-owned key](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-owned-key) by default. However, you can choose from three encryption types based on your security and compliance needs: @@ -40 +40,18 @@ Amazon Aurora uses an AWS Key Management Service key to encrypt these resources. -When you create an encrypted DB cluster, you can choose a customer managed key or the AWS managed key for Amazon Aurora to encrypt your DB cluster. If you don't specify the key identifier for a customer managed key, Amazon Aurora uses the AWS managed key for your new DB cluster. Amazon Aurora creates an AWS managed key for Amazon Aurora for your AWS account. Your AWS account has a different AWS managed key for Amazon Aurora for each AWS Region. + * **AWS owned key (SSE-RDS)** – A fully AWS-controlled encryption key that you cannot view or manage, used automatically by Aurora for default encryption. + + * **AWS managed key (AMK)** – This key is created and managed by AWS and is visible in your account but not customizable. There is no monthly fee, but AWS KMS API charges will apply. + + * **Customer managed key (CMK)** – The key is stored in your account and is created, owned, and managed by you. You have full control over the KMS key (AWS KMS charges apply). + + + + +AWS managed keys are a legacy encryption option that remains available for backward compatibility. Amazon Aurora uses AWS-owned keys by default to encrypt your data, providing strong security protection without additional charges or management overhead. For most use cases, we recommend using either the default AWS-owned key for simplicity and cost efficiency, or a customer managed key (CMK) if you require full control over your encryption keys. For more information about key types, see [ customer managed keys and AWS managed keys](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-mgmt). + +###### Note + +**Important:** For source database instances or clusters created before February 18, 2026 , where you did not opt in for encryption, snapshots, clones, and Amazon Aurora replicas (read instance) created from those sources will remain unencrypted. However, restore operations and logical replication outside the Amazon Aurora cluster will produce encrypted instances. + +For an Amazon Aurora encrypted DB cluster, all DB instances, logs, backups, and snapshots are encrypted. For more information about the availability and limitations of encryption, see Availability of Amazon Aurora encryption and Limitations of Amazon Aurora encrypted DB clusters. + +When you create an encrypted DB cluster, you can choose a customer managed key or the AWS managed key for Amazon Aurora to encrypt your DB cluster, if you don't specify the key identifier for a customer managed key, Amazon Aurora uses the AWS managed key for your new DB cluster. Amazon Aurora creates an AWS managed key for Amazon Aurora for your AWS account. Your AWS account has a different AWS managed key for Amazon Aurora for each AWS Region. @@ -46 +63 @@ Using AWS KMS, you can create customer managed keys and define the policies to c - * Once you have created an encrypted DB instance, you can't change the KMS key used by that DB instance. Therefore, be sure to determine your KMS key requirements before you create your encrypted DB instance. + * Once you create an encrypted DB instance, you cannot change the KMS key used by that instance. Be sure to determine your KMS key requirements before creating your encrypted DB instance. If you need to change the encryption key for your DB cluster, follow these steps: @@ -48 +65 @@ Using AWS KMS, you can create customer managed keys and define the policies to c -If you must change the encryption key for your DB cluster, create a manual snapshot of your cluster and enable encryption while copying the snapshot. For more information, see [ re:Post Knowledge article](https://repost.aws/knowledge-center/update-encryption-key-rds). + * Create a manual snapshot of your cluster. @@ -50 +67 @@ If you must change the encryption key for your DB cluster, create a manual snaps - * If you copy an encrypted snapshot, you can use a different KMS key to encrypt the target snapshot than the one that was used to encrypt the source snapshot. + * Restore the snapshot and enable encryption with your desired KMS key during the restore operation. @@ -52 +69 @@ If you must change the encryption key for your DB cluster, create a manual snaps - * You can't share a snapshot that has been encrypted using the AWS managed key of the AWS account that shared the snapshot. + * If you restore an unencrypted snapshot and choose no encryption, the database cluster created will be encrypted using the default encryption at rest (AWS-owned key). @@ -54 +71 @@ If you must change the encryption key for your DB cluster, create a manual snaps - * Each DB instance in the DB cluster is encrypted using the same KMS key as the DB cluster. + * You can't share a snapshot that has been encrypted using the AWS managed key of the AWS account that shared the snapshot. @@ -56 +73 @@ If you must change the encryption key for your DB cluster, create a manual snaps - * You can also encrypt a read replica of an Amazon Aurora encrypted cluster. + * Each DB instance in the DB cluster shares the same storage encrypted with the same KMS key. @@ -63 +80 @@ If you must change the encryption key for your DB cluster, create a manual snaps -Amazon Aurora can lose access to the KMS key for a DB cluster when you disable the KMS key. In these cases, the encrypted DB cluster goes into `inaccessible-encryption-credentials-recoverable` state. The DB cluster remains in this state for seven days, during which the instance is stopped. API calls made to the DB cluster during this time might not succeed. To recover the DB cluster, enable the KMS key and restart this DB cluster. Enable the KMS key from the AWS Management Console, AWS CLI, or RDS API. Restart the DB cluster using the AWS CLI command [start-db-cluster](https://docs.aws.amazon.com/cli/latest/reference/rds/start-db-cluster.html) or AWS Management Console. +Amazon Aurora can lose access to the KMS key for a DB cluster when you disable the KMS key. In these cases, the encrypted DB cluster goes into `inaccessible-encryption-credentials-recoverable` state. The DB cluster remains in this state for seven days, during which the instance is stopped. API calls made to the DB cluster during this time might not succeed. To recover the DB cluster, enable the KMS key and restart this DB cluster. You can enable the KMS key from the AWS Management Console, AWS CLI, or RDS API. Restart the DB cluster using the AWS CLI command [start-db-cluster](https://docs.aws.amazon.com/cli/latest/reference/rds/start-db-cluster.html) or AWS Management Console. @@ -67 +84 @@ The `inaccessible-encryption-credentials-recoverable` state only applies to DB c -If the DB cluster isn't recovered within seven days, it goes into the terminal `inaccessible-encryption-credentials` state. In this state, the DB cluster is not usable anymore and you can only restore the DB cluster from a backup. We strongly recommend that you always turn on backups for encrypted DB clusters to guard against the loss of encrypted data in your databases. +If the DB cluster isn't recovered within seven days, it goes into the terminal `inaccessible-encryption-credentials` state. In this state, the DB cluster is not usable anymore and you can only restore the DB cluster from a backup. We strongly recommend that you always turn on backups to guard against the loss of data in your databases. @@ -75 +92,3 @@ For more information about KMS keys, see [AWS KMS keys](https://docs.aws.amazon. -To encrypt a new DB cluster, choose **Enable encryption** on the console. For information on creating a DB cluster, see [Creating an Amazon Aurora DB cluster](./Aurora.CreateInstance.html). +All new DB clusters created on or after February 18, 2026, are encrypted by default with an AWS owned key. + +To encrypt a new DB cluster, using AWS managed key or customer managed key, choose the option on the console. For information on creating a DB cluster, see [Creating an Amazon Aurora DB cluster](./Aurora.CreateInstance.html). @@ -97,3 +116 @@ You can use the AWS Management Console, AWS CLI, or RDS API to determine whether -It shows either **Enabled** or **Not enabled**. - - + @@ -169 +186,3 @@ The following limitations exist for Amazon Aurora encrypted DB clusters: - * You can't create an encrypted snapshot of an unencrypted DB cluster. + * If you have an existing unencrypted cluster, all snapshots created from that cluster will also be unencrypted. To create an encrypted snapshot from an unencrypted cluster, you must copy the snapshot and specify a customer managed key during the copy operation. You cannot create an encrypted snapshot from an unencrypted snapshot without specifying a customer managed key. + + * You can't create an encrypted snapshot of an unencrypted DB . @@ -175 +194 @@ The following limitations exist for Amazon Aurora encrypted DB clusters: - * You can't create an encrypted Aurora Replica from an unencrypted Aurora DB cluster. You can't create an unencrypted Aurora Replica from an encrypted Aurora DB cluster. + * If you have an existing unencrypted cluster, any Amazon Aurora replica (read instance) created from that cluster will also be unencrypted. To create an encrypted cluster from an unencrypted cluster, you need to restore the database cluster. The restored cluster will be encrypted by default after the restore operation.