Six layers of security that protect your database at different levels.
1. At-Rest Encryption
Encrypts data saved on disk. If someone physically steals the storage, they cannot read anything.
- Uses AWS KMS (Key Management Service) to manage encryption keys
- Must be enabled at the time of creating the database — cannot be turned on later for a running DB
- If the master DB is encrypted, all its read replicas are automatically encrypted
- If the master DB is NOT encrypted, replicas cannot be encrypted either
Encrypting an Existing (Unencrypted) Database
You cannot enable encryption directly on a running database. The workaround:
1. Take a snapshot of the unencrypted database
2. Restore the snapshot with encryption enabled
3. You now have an encrypted database
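An added audit script (not part of the original notes) that applies the rules above to the shape of `aws rds describe-db-instances` output: it flags every unencrypted instance and, because replicas inherit the master's state, tells you which ones need the snapshot-and-restore route and which are replicas that can only be fixed via their source. The instance list is constructed sample data; feed it the real `DBInstances` array from the CLI or boto3 to run it against an account.

```python
from typing import Dict, List

# Constructed sample in the shape of `aws rds describe-db-instances`
# output (the DBInstances list), trimmed to the fields the audit uses.
SAMPLE_INSTANCES: List[Dict] = [
    {"DBInstanceIdentifier": "orders-primary", "StorageEncrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
     "ReadReplicaDBInstanceIdentifiers": ["orders-replica-1"]},
    {"DBInstanceIdentifier": "orders-replica-1", "StorageEncrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
     "ReadReplicaSourceDBInstanceIdentifier": "orders-primary"},
    {"DBInstanceIdentifier": "legacy-reports", "StorageEncrypted": False,
     "ReadReplicaDBInstanceIdentifiers": ["legacy-reports-ro"]},
    {"DBInstanceIdentifier": "legacy-reports-ro", "StorageEncrypted": False,
     "ReadReplicaSourceDBInstanceIdentifier": "legacy-reports"},
]


def audit_at_rest_encryption(instances: List[Dict]) -> Dict[str, str]:
    """Map each unencrypted instance id to the fix it needs.

    Encryption is inherited from the source, so a replica of an unencrypted
    master cannot be encrypted on its own: the master has to be snapshotted
    and restored with encryption first, then replicas re-created from it.
    """
    findings: Dict[str, str] = {}
    for inst in instances:
        if inst.get("StorageEncrypted", False):
            continue  # nothing to do for encrypted instances
        inst_id = inst["DBInstanceIdentifier"]
        source = inst.get("ReadReplicaSourceDBInstanceIdentifier")
        if source:
            findings[inst_id] = (f"unencrypted replica of {source}; encrypt "
                                 "the source, then re-create this replica")
        else:
            replicas = inst.get("ReadReplicaDBInstanceIdentifiers", [])
            findings[inst_id] = ("unencrypted master; snapshot it and restore "
                                 "with encryption enabled"
                                 + (f", then re-create replicas {replicas}"
                                    if replicas else ""))
    return findings


if __name__ == "__main__":
    for inst_id, fix in audit_at_rest_encryption(SAMPLE_INSTANCES).items():
        print(f"{inst_id}: {fix}")
```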
2. In-Flight Encryption
Encrypts data while it travels over the network between your app and the database — so it cannot be intercepted in transit.
- Uses TLS (Transport Layer Security) — same as HTTPS for websites
- Enabled by default on RDS and Aurora — nothing to configure
- Your app should use AWS TLS root certificates on the client side
At-rest = locking data in a safe. In-flight = transporting it in an armored truck.
3. IAM Authentication