RDS Encryptor

Overview

RDS Encryptor is a CLI tool that automates the encryption of Amazon RDS instances for SOC2 and CMMC compliance. The tool performs the following steps:

Creates a snapshot of the existing RDS instance.
Encrypts the snapshot using a specified AWS KMS key.
Restores a new RDS instance from the encrypted snapshot.
Configures DMS (AWS Database Migration Service) to migrate data.
Sets up and executes replication tasks to transfer data from the source to the encrypted instance.

Features

Automated RDS Encryption: Encrypts an RDS instance with a KMS key.
DMS Integration: Uses AWS DMS for seamless data migration.
Replication Support: Maintains database consistency during migration.
Parameter Group Management: Ensures correct settings for logical replication.

Installation

pip install rds-encryptor

Requirements

Created dms replication instance and kms key before running the tool. How to choose correct replication instance class?

Usage

Run the tool using the CLI:

rds-encryptor \
    --rds-instance-name my-rds-instance \
    --master-password mypassword \
    --kms-key-arn my-kms-key \
    --dms-replication-instance-arn my-dms-replication \
    --databases db1 db2 \
    --new-instance-identifier new-encrypted-instance

CLI Arguments

Argument	Short	Description
`--rds-instance-name`	`-r`	Source RDS instance ID
`--master-password`	`-p`	Master password for authentication
`--kms-key-arn`	`-k`	KMS key ARN for encryption
`--dms-replication-instance-arn`	`-i`	DMS replication instance ARN
`--databases`	`-d`	List of databases to encrypt and migrate
`--new-instance-identifier`	`-n`	Identifier for the new encrypted instance

Workflow

1. Validate Database Connections

Ensures the tool can connect to the source RDS instance before starting encryption.

2. Create Encrypted RDS Instance

Takes a snapshot of the existing instance.
Encrypts it using the specified KMS key.
Creates a new RDS instance from the encrypted snapshot.

3. Configure Parameter Groups

Adjusts wal_sender_timeout.
Enables pglogical in shared_preload_libraries.
Ensures rds.logical_replication is enabled.

4. Setup Database Migration

Configures DMS endpoints.
Creates replication tasks for each database.
Truncates the target database before migration.

5. Execute Migration

Runs the DMS replication tasks.
Ensures sequences and IDs are correctly migrated.

Logging

Logs are generated throughout the process, helping track the migration progress and any potential issues.

License

This project is licensed under the Apache License 2.0 - see the LICENSE file for details.

Name		Name	Last commit message	Last commit date
Latest commit History 14 Commits
.github/workflows		.github/workflows
rds_encryptor		rds_encryptor
.gitignore		.gitignore
.pre-commit-config.yaml		.pre-commit-config.yaml
LICENSE		LICENSE
README.md		README.md
dev.requirements.txt		dev.requirements.txt
poetry.lock		poetry.lock
pyproject.toml		pyproject.toml

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Repository files navigation

RDS Encryptor

Overview

Features

Installation

Requirements

Usage

CLI Arguments

Workflow

1. Validate Database Connections

2. Create Encrypted RDS Instance

3. Configure Parameter Groups

4. Setup Database Migration

5. Execute Migration

Logging

License

About

Uh oh!

Releases 2

Uh oh!

Languages

License

iYasha/aws-rds-encryptor

Folders and files

Latest commit

History

Repository files navigation

RDS Encryptor

Overview

Features

Installation

Requirements

Usage

CLI Arguments

Workflow

1. Validate Database Connections

2. Create Encrypted RDS Instance

3. Configure Parameter Groups

4. Setup Database Migration

5. Execute Migration

Logging

License

About

Resources

License

Uh oh!

Stars

Watchers

Forks

Releases 2

Uh oh!

Languages