0
votes

I have an AWS RDS Aurora PostgreSQL cluster with four instances in a Multi-AZ deployment, serving production. Encryption at rest hasn't been enabled on this cluster. Now I have to enable encryption on this existing cluster. The AWS docs suggest that I create a snapshot of the cluster and then restore the cluster with encryption enabled this time. Ref: Here

My cluster is serving production, and no downtime or I/O suspension is acceptable to me. Here are some questions that I would like answered before I plan the encryption of the existing cluster:

  1. Is there any downtime during the creation of the snapshot, assuming there is a lot of data and the snapshot will take time?
  2. What about the new data that is being written to the database during the snapshot creation? Is the snapshot creation real-time, or will I lose the new data written while the snapshot is being taken?
  3. Is this the only way for me to enable encryption on the production cluster knowing that it will result in some database outage?
1
If you restore from a snapshot, you restore to a NEW database. So you have downtime anyway. - Marcin
@Marcin yeah! Is this the only way for me, as I can't tell other people to stop writing to the database during the snapshot? It will disrupt my production. - SurvivorX
I don't know any other way. You can't enable encryption on an existing db. You snapshot it, encrypt the snapshot, and restore to a new db. Your users will have to switch to the new db anyway, and you will have a gap in data, as your old db will have new data, written to it after the snapshot was taken, that is not present in the new, restored database. - Marcin

1 Answer

1
votes

There is a way to encrypt your AWS RDS Amazon Aurora with PostgreSQL compatibility Cluster with no or minimum downtime, but it will take a bit of effort.

You need to take the following steps:

  1. For the source DB, take a snapshot.
  2. Then copy that snapshot, check Enable Encryption, and select the Default Encryption Key or your custom AWS KMS CMK. Now you have an encrypted copy of your DB snapshot.
  3. Restore this encrypted snapshot to the new DB instance. You can enable Multi-AZ and add Read Replicas now or modify them after migration.
  4. Now you have two DB instances, Encrypted and Unencrypted, but the data is mismatched, as it is a production database.
  5. We will use AWS DMS to make synchronous replication of data, or you can use PostgreSQL logical replication with Aurora instead of AWS DMS. It will be better; both will work.
  6. Go to AWS DMS console, create an AWS DMS task.
  7. For migration type, choose Migrate existing data and replicate ongoing changes.
  8. For target table preparation mode, choose Truncate.
  9. Under Advanced Task Settings, enable the awsdms_status table if you want to verify replication status.
  10. Run the migration task and wait until all the records are updated. AWS DMS will then determine the size of the data to migrate.
  11. Then you need to verify that the data in the Encrypted DB instance after migration is the same as in the Unencrypted DB instance.
  12. Check the replication status in AWS DMS by checking the migration task and awsdms_status.
  13. You can now route traffic to the new endpoint.
  14. For a smooth cutover, use Amazon Route 53 to route traffic by changing the DNS TTL to a short value, and eventually replacing the endpoint names in Route 53.

Now replying to your questions,

  1. Is there any downtime during the creation of the snapshot, assuming there is a lot of data and the snapshot will take time?

According to your cluster setup, you are running a Multi-AZ deployment; automated backups and DB snapshots are simply taken from the standby to avoid I/O suspension on the primary. Please note that you may experience increased I/O latency (typically lasting a few minutes) during backups for both Single-AZ and Multi-AZ deployments.

  2. What about the new data that is being written to the database during the snapshot creation? Is the snapshot creation real-time, or will I lose the new data written while the snapshot is being taken?

You will lose your data written after the snapshot has been taken, so you will use AWS DMS to replicate synchronous data to your encrypted DB instances.

  3. Is this the only way for me to enable encryption on the production cluster knowing that it will result in some database outage?

Yes, this is the only way, but it will result in no or little downtime.
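
A pre-cutover gate for steps 11 to 13 of the answer above, as an added example that is not part of the original answer: it checks that the restored cluster is really encrypted, that the DMS task is still replicating, and that row counts match before traffic is routed. It assumes the input dictionaries mirror entries from boto3's `describe_db_clusters` and `describe_replication_tasks` responses and that per-table row counts were collected separately with `SELECT count(*)`; the function name, ARN, cluster name and table names are hypothetical.

```python
# Added example: pre-cutover gate for the snapshot-copy + DMS procedure above.
# Inputs mirror boto3 describe_db_clusters / describe_replication_tasks
# response entries; the sample values below are constructed, not real output.

def cutover_blockers(target_cluster, dms_task, src_counts, dst_counts,
                     expected_kms_key=None):
    """Return a list of reasons NOT to route traffic to the new cluster."""
    blockers = []

    # Steps 2-3: the restored cluster must actually be encrypted at rest.
    if not target_cluster.get("StorageEncrypted", False):
        blockers.append("target cluster is not encrypted")
    elif expected_kms_key and target_cluster.get("KmsKeyId") != expected_kms_key:
        blockers.append("target cluster uses an unexpected KMS key")

    # Steps 7 and 10: full load finished and ongoing replication still running.
    if dms_task.get("MigrationType") != "full-load-and-cdc":
        blockers.append("DMS task does not replicate ongoing changes")
    if dms_task.get("Status") != "running":
        blockers.append(f"DMS task status is {dms_task.get('Status')!r}")
    stats = dms_task.get("ReplicationTaskStats", {})
    if stats.get("FullLoadProgressPercent", 0) < 100:
        blockers.append("full load not complete")
    if stats.get("TablesErrored", 0) > 0:
        blockers.append(f"{stats['TablesErrored']} table(s) errored in DMS")

    # Step 11: per-table row counts must match (collected with SELECT count(*)).
    for table in sorted(set(src_counts) | set(dst_counts)):
        if src_counts.get(table) != dst_counts.get(table):
            blockers.append(f"row count mismatch on {table}: "
                            f"{src_counts.get(table)} vs {dst_counts.get(table)}")
    return blockers


# Constructed sample data (placeholder ARN, hypothetical table names).
KEY = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
TARGET = {"DBClusterIdentifier": "prod-encrypted", "StorageEncrypted": True,
          "KmsKeyId": KEY}
TASK = {"MigrationType": "full-load-and-cdc", "Status": "running",
        "ReplicationTaskStats": {"FullLoadProgressPercent": 100,
                                 "TablesErrored": 0}}
SRC = {"public.orders": 1200, "public.users": 310}
DST_LAGGING = {"public.orders": 1187, "public.users": 310}

if __name__ == "__main__":
    print(cutover_blockers(TARGET, TASK, SRC, SRC, KEY))          # ready
    print(cutover_blockers(TARGET, TASK, SRC, DST_LAGGING, KEY))  # blocked
```

Row counts only line up when the target has caught up with the source, so run the gate at the moment of cutover, not while writes are still arriving on the old cluster.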