
Existing Aurora MySQL Cluster: Encryption at rest from zero to KMS

Have you ever wanted to encrypt an unencrypted Aurora MySQL cluster with the minimum downtime?


You know you cannot create an encrypted replica from an unencrypted Aurora cluster.

So I’m going to explain how to encrypt an unencrypted Aurora MySQL database using the binlog replication feature.

I will assume that you have a custom DNS record for the database that points to the Aurora cluster endpoint. Well, let’s do it!

Enable binlog

First, you have to enable BinLogs on the existing Aurora Cluster.

  1. Select the cluster parameter group of the Aurora cluster

  2. Select the parameter binlog_format

  3. Modify the value to ROW

  4. Then, reboot the DB instance to apply the change.

Create a new Aurora cluster from a snapshot

  1. In AWS RDS console, go to Snapshots

  2. Select the System tab

  3. Select the latest snapshot of the Aurora Cluster. For example: rds:my-aurora-cluster-2020-09-15-05-00

  4. In Actions, select Restore snapshot, then configure the instance according to your needs, but make sure to enable encryption using the default aws/kms key.

  5. Wait until the new cluster is ready

Configure Binlog replication to migrate the data

In the old DB cluster, create a new DB user specifically for replication and grant permissions:

mysql> CREATE USER 'repl_user'@'<domain_name>' IDENTIFIED BY '<password>';

mysql> GRANT REPLICATION CLIENT, REPLICATION SLAVE ON *.* TO 'repl_user'@'<domain_name>';

In the new DB cluster, point replication at the old cluster and start it (the binlog filename and position can be found in the Events list of the new DB instance):

mysql> CALL mysql.rds_set_external_master ('<old_cluster_endpoint>', 3306, 'repl_user', '<password>', '<filename>', <position>, 0);

mysql> CALL mysql.rds_start_replication;

The last argument of rds_set_external_master is ssl_encryption: 0 leaves the replication connection unencrypted, 1 requires SSL/TLS to the source.

Wait until the initial load is complete and validate that the ongoing replication keeps running with replication lag = 0.


  1. Schedule a maintenance window.

  2. Set the site in maintenance mode.

  3. Stop the application servers to prevent transactions from being written to the old DB while switching the database.

  4. Stop the old DB cluster.

  5. Stop BinLog replication in the new DB cluster:

mysql> CALL mysql.rds_stop_replication;

  6. Change the DNS record of the cluster DB to point to the new DB cluster endpoint.

  7. Set the site in production mode.

And that’s it. Now you have a fully functional Aurora MySQL cluster with encryption at rest using KMS.
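As an added example (not from the original post), a small Python helper for the two points in this procedure where a mistake is costly: pulling the binlog filename and position out of the restore event on the new instance, and checking SHOW SLAVE STATUS\G on the new cluster before stopping replication and moving DNS. The event wording, the host name and the status output below are constructed samples in the shape of what RDS and MySQL emit, not captured from a real cluster.

```python
import re

# Constructed sample of the RDS event on the restored (new) instance that
# carries the binlog coordinates for rds_set_external_master.
EVENT_MSG = "Binlog position from crash recovery is mysql-bin-changelog.000002 154"

# Constructed sample of SHOW SLAVE STATUS\G output on the new cluster.
SLAVE_STATUS = """\
*************************** 1. row ***************************
               Slave_IO_State: Waiting for master to send event
                  Master_Host: old-cluster.cluster-xxxx.eu-west-1.rds.amazonaws.com
             Slave_IO_Running: Yes
            Slave_SQL_Running: Yes
        Seconds_Behind_Master: 0
           Master_SSL_Allowed: No
"""


def binlog_coords(event_msg):
    """Extract (<filename>, <position>) for the rds_set_external_master call."""
    m = re.search(r"(mysql-bin-changelog\.\d+)\s+(\d+)", event_msg)
    if not m:
        raise ValueError("event text carries no binlog coordinates")
    return m.group(1), int(m.group(2))


def parse_status(text):
    """Turn the vertical key: value listing into a dict."""
    fields = {}
    for line in text.splitlines():
        if ":" in line and not line.startswith("*"):
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields


def check_cutover(status_text):
    """Return (blockers, warnings); any blocker means do not stop replication yet."""
    s = parse_status(status_text)
    blockers, warnings = [], []
    if s.get("Slave_IO_Running") != "Yes" or s.get("Slave_SQL_Running") != "Yes":
        blockers.append("replication threads are not running")
    if s.get("Seconds_Behind_Master") != "0":
        blockers.append("replication lag is %s, not 0" % s.get("Seconds_Behind_Master"))
    if s.get("Master_SSL_Allowed") != "Yes":
        # Expected when rds_set_external_master was called with ssl_encryption = 0.
        warnings.append("replication link is not using SSL/TLS")
    return blockers, warnings


if __name__ == "__main__":
    print(binlog_coords(EVENT_MSG))
    print(check_cutover(SLAVE_STATUS))
```

Run it against the real output of SHOW SLAVE STATUS\G on the new cluster; an empty blockers list is the go signal for steps 4 to 6 above.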


