
The RDS User Guide says there are two ways to enable encryption of an RDS instance:

  1. When you create it

  2. You do it through a (not shared) snapshot:

you can create a snapshot of your DB instance, and then create an encrypted copy of that snapshot. You can then restore a DB instance from the encrypted snapshot, and thus you have an encrypted copy of your original DB instance.

I want to understand what level this encryption is applied to.

My guess is that the encryption only applies to each cell in the table. Otherwise, if the entire database is encrypted as a whole, then the schema, the table name, the column name cannot be seen, then how can an instance be restored from it?

Is my understanding correct?


1 Answer


"only applies to each cell in the table"

It does not. It's the entire EBS snapshot that is encrypted.

"then how can an instance be restored from it"

AWS will use your own or AWS-managed keys from KMS (AWS Key Management Service) to decrypt your snapshot. This happens in the background and you don't see it. If you use your own KMS key, and you delete it, then your snapshots can't be decrypted and you lose all your data.

More on the EBS encryption is in How Amazon Elastic Block Store (Amazon EBS) uses AWS KMS.
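As an added example (not code from the question or the answer), the snapshot-copy-then-restore path described above in Python with boto3: the pure helpers audit which snapshots in a describe_db_snapshots() listing are unencrypted and build the copy and restore parameters, so they run offline against constructed sample data; run_migration() is the only part that talks to AWS. All snapshot and instance identifiers and the KMS key ARN are constructed placeholders.

```python
"""Audit RDS snapshots for encryption and plan the copy-then-restore path."""
from typing import Dict, List

# Constructed sample shaped like the "DBSnapshots" list RDS returns (placeholders).
SAMPLE_SNAPSHOTS: List[Dict] = [
    {"DBSnapshotIdentifier": "rds:prod-db-2024-01-01-03-00", "DBInstanceIdentifier": "prod-db",
     "Encrypted": False, "SnapshotType": "automated"},
    {"DBSnapshotIdentifier": "prod-db-manual", "DBInstanceIdentifier": "prod-db",
     "Encrypted": False, "SnapshotType": "manual"},
    {"DBSnapshotIdentifier": "prod-db-enc", "DBInstanceIdentifier": "prod-db",
     "Encrypted": True, "SnapshotType": "manual",
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/00000000-placeholder"},
]
EXAMPLE_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/11111111-placeholder"  # constructed


def unencrypted_snapshots(snapshots: List[Dict]) -> List[str]:
    """Identifiers of snapshots whose underlying EBS storage is not encrypted."""
    return [s["DBSnapshotIdentifier"] for s in snapshots if not s.get("Encrypted", False)]


def plan_encrypted_copy(snapshot_id: str, kms_key_id: str) -> Dict[str, object]:
    """Parameters for rds.copy_db_snapshot(); supplying KmsKeyId makes the copy encrypted."""
    # Automated snapshot ids carry an "rds:" prefix, which is not allowed in a
    # manual snapshot identifier, so strip it when naming the target copy.
    base = snapshot_id[4:] if snapshot_id.startswith("rds:") else snapshot_id
    return {
        "SourceDBSnapshotIdentifier": snapshot_id,
        "TargetDBSnapshotIdentifier": base + "-encrypted",
        "KmsKeyId": kms_key_id,  # customer-managed key: deleting it makes the copy unreadable
        "CopyTags": True,
    }


def plan_restore(target_snapshot_id: str, new_instance_id: str) -> Dict[str, str]:
    """Parameters for rds.restore_db_instance_from_db_snapshot(); the restored
    instance inherits the snapshot's encryption and KMS key."""
    return {"DBInstanceIdentifier": new_instance_id, "DBSnapshotIdentifier": target_snapshot_id}


def run_migration(source_snapshot_id: str, kms_key_id: str, new_instance_id: str, region: str) -> str:
    """Copy one unencrypted snapshot into an encrypted copy, then restore an instance from it."""
    import boto3  # imported here so the offline helpers above need no AWS dependency
    rds = boto3.client("rds", region_name=region)
    copy = plan_encrypted_copy(source_snapshot_id, kms_key_id)
    rds.copy_db_snapshot(**copy)
    rds.get_waiter("db_snapshot_completed").wait(DBSnapshotIdentifier=copy["TargetDBSnapshotIdentifier"])
    rds.restore_db_instance_from_db_snapshot(**plan_restore(copy["TargetDBSnapshotIdentifier"], new_instance_id))
    return copy["TargetDBSnapshotIdentifier"]
```

The restored instance is a new DB instance with a new endpoint, so the cut-over of applications and the deletion of the old unencrypted instance and snapshots are separate steps.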