RDS databases

RDS provides robust tools for safeguarding your database, including comprehensive backup options and powerful encryption mechanisms. Let’s explore these features to ensure the security and resilience of your data.

Backup

Backups are crucial for data durability and recovery in the event of disruptions. RDS provides two types of backup methods:

• Automated backups: These allow you to recover the database instance to any point in time within a retention period of up to 35 days. These backups are triggered during the daily backup window and capture a full daily snapshot of data, as well as transaction logs. This is particularly useful for recovering from accidental user actions, such as deletions or updates.
• Database snapshots: These are user-initiated captures of the entire database instance. Unlike automated backups with a set retention period, snapshots are retained indefinitely until manually deleted. This makes them ideal for long-term backup needs or testing migrations before significant application changes.

Encryption

RDS offers extensive encryption capabilities to protect your data at rest:

• Volume encryption: RDS supports encryption at rest for all database engines with KMS-managed keys. Enabling this feature upon launching a new database encrypts the underlying storage, automated backups, snapshots, and read replicas. For existing unencrypted RDS instances, it involves creating a snapshot of the unencrypted database, making a copy of that snapshot with encryption enabled, and then restoring an encrypted RDS instance from the encrypted snapshot.
• Field-level encryption: This option provides granular protection by encrypting specific data fields within the database. This can be achieved through application-specific logic or database-level features such as Oracle and SQL Server’s transparent data encryption (TDE). TDE automates encryption and key management within the database itself. Notably, while KMS is incompatible with TDE, CloudHSM offers seamless integration with Oracle databases, handling encryption and decryption processes within the HSM.

Volume encryption serves as a robust foundation for RDS security. It protects the entire database if the underlying storage is compromised, which makes it ideal for situations where you need broad protection and compliance.

Field-level encryption adds a powerful, focused layer of security for your most sensitive assets. Consider this option in scenarios with strict compliance requirements or if you have specific concerns about unauthorized access within the database itself (beyond storage-level permissions.) However, keep in mind that field-level encryption may introduce performance impact, additional costs, and management complexity.