Encryption and Downtime

  • For most resources, encryption can only be enabled at creation.

  • EFS - if you want to encrypt an EFS file system that already exists, you'll need to create a new EFS and migrate your data.

  • RDS - if you want to encrypt an existing RDS database, you need to create a new encrypted database and migrate your data.

  • EBS - encryption must be selected at creation time

    • you cannot encrypt an unencrypted volume or unencrypt an encrypted volume.

    • you can migrate data between encrypted and unencrypted volumes (e.g. using rsync or Robocopy)

    • if you want to encrypt an existing volume, you can create a snapshot, copy the snapshot and apply encryption at the same time to give you an encrypted snapshot. Then restore the encrypted snapshot to a new encrypted volume.

  • S3 buckets - you can enable encryption on your buckets at any time.

  • S3 objects - you can enable individual S3 object encryption at any time.
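The EBS snapshot, copy and restore procedure from the list above, written out with the AWS CLI. This is an added example, not part of the original notes; the function name `encrypt_ebs_volume` and the default key alias `alias/aws/ebs` are assumptions, and it expects an AWS CLI that is already configured with credentials.

```shell
# Added example. Usage: encrypt_ebs_volume <volume-id> <region> [kms-key-id]
# Prints the ID of the new encrypted volume; the source volume is left untouched.
encrypt_ebs_volume() (
  src_vol=${1:?volume id required}
  region=${2:?region required}
  kms_key=${3:-alias/aws/ebs}  # assumption: default to the AWS-managed EBS key

  # Restore into the source volume's AZ so it can be attached to the same instance.
  az=$(aws ec2 describe-volumes --region "$region" --volume-ids "$src_vol" \
        --query 'Volumes[0].AvailabilityZone' --output text) || exit 1

  # 1. Snapshot the unencrypted volume and wait for it to complete.
  snap=$(aws ec2 create-snapshot --region "$region" --volume-id "$src_vol" \
        --description "pre-encryption snapshot of $src_vol" \
        --query SnapshotId --output text) || exit 1
  aws ec2 wait snapshot-completed --region "$region" --snapshot-ids "$snap" || exit 1

  # 2. Copy the snapshot, applying encryption during the copy.
  enc_snap=$(aws ec2 copy-snapshot --region "$region" --source-region "$region" \
        --source-snapshot-id "$snap" --encrypted --kms-key-id "$kms_key" \
        --query SnapshotId --output text) || exit 1
  aws ec2 wait snapshot-completed --region "$region" --snapshot-ids "$enc_snap" || exit 1

  # 3. Restore the encrypted snapshot to a new volume (it inherits the encryption).
  new_vol=$(aws ec2 create-volume --region "$region" --availability-zone "$az" \
        --snapshot-id "$enc_snap" --query VolumeId --output text) || exit 1
  aws ec2 wait volume-available --region "$region" --volume-ids "$new_vol" || exit 1

  # Confirm the result before anyone swaps it in for the original volume.
  encrypted=$(aws ec2 describe-volumes --region "$region" --volume-ids "$new_vol" \
        --query 'Volumes[0].Encrypted' --output text) || exit 1
  case "$encrypted" in
    True|true) echo "$new_vol" ;;
    *) echo "volume $new_vol is not encrypted" >&2; exit 1 ;;
  esac
)
```

The function leaves the intermediate unencrypted snapshot and the original volume in place; delete both once the new volume has been verified and swapped in, otherwise the plaintext data remains at rest.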

