
Existing Aurora MySQL Cluster: Encryption at rest from zero to KMS

Have you ever wanted to encrypt an unencrypted Aurora MySQL cluster with the minimum downtime?

You cannot turn encryption at rest on for an existing Aurora cluster in place, and you cannot create an encrypted read replica from an unencrypted cluster; encryption is decided when a cluster is created or restored from a snapshot.

So this post explains how to migrate an unencrypted Aurora MySQL cluster to an encrypted one using binlog replication: restore an encrypted copy from a snapshot, replay the changes made since that snapshot from the old cluster's binary log, and cut over once the copy has caught up.

I will assume that you have a custom DNS record for the database that points to the Aurora cluster endpoint, so the final cutover is a DNS change rather than an application redeploy. Well, let's do it!

Enable binlog

First, you have to enable binary logging on the existing Aurora cluster. binlog_format lives in the DB cluster parameter group, and Aurora only applies the change after the writer instance is rebooted.

  1. Select the DB cluster parameter group of the Aurora cluster (if the cluster still uses a default parameter group, create a custom one and attach it first, because default groups cannot be modified)

  2. Select the parameter binlog_format

  3. Modify the value to ROW

  4. Then, reboot the writer DB instance to apply the change.

  5. Set a binary log retention period long enough to cover the snapshot restore and the catch-up, for example 24 hours, using the mysql.rds_set_configuration stored procedure with the 'binlog retention hours' setting; otherwise Aurora may purge log files the replica still needs.

Create a new Aurora cluster from a snapshot

  1. In the AWS RDS console, go to Snapshots

  2. Select the System tab

  3. Select the latest snapshot of the Aurora cluster, for example rds:my-aurora-cluster-2020-09-15-05-00. The snapshot must have been taken after binary logging was enabled in the previous step; if the latest automated snapshot predates that reboot, take a manual snapshot now and restore that one instead.

  4. In Actions, select Restore snapshot, and then configure the instance according to your needs, but make sure Encryption is enabled and choose the KMS key: the AWS managed key (alias aws/rds) is the default, while a customer managed key gives you control over the key policy and rotation and is required if you ever need to share the encrypted snapshot with another account.

  5. Wait until the new cluster is ready

Configure Binlog replication to migrate the data

In the old DB cluster (the replication source), create a DB user specifically for replication and grant it only the two replication privileges it needs. Restrict the host part to the addresses the new cluster connects from (a host pattern or netmask matching its VPC subnets) rather than a bare '%':

mysql> CREATE USER 'repl_user'@'<domain_name>' IDENTIFIED BY '<password>';

mysql> GRANT REPLICATION CLIENT, REPLICATION SLAVE ON *.* TO 'repl_user'@'<domain_name>';

In the new DB cluster (the replica), point replication at the old cluster's writer endpoint. The binlog file name and position to start from are in the Events of the new DB instance, in an event that reads "Binlog position from crash recovery is <filename> <position>"; they mark where in the old cluster's binary log the snapshot was taken:

mysql> CALL mysql.rds_set_external_master ('<old_cluster_writer_endpoint>', 3306, 'repl_user', '<password>', '<filename>', <position>, 0);

mysql> CALL mysql.rds_start_replication;

The first argument must be the old cluster's writer endpoint, not an empty string. The last argument, 0, leaves the replication connection unencrypted in transit; pass 1 if you want TLS on that channel. On Aurora MySQL version 3 (MySQL 8.0 compatible) the procedure is named mysql.rds_set_external_source instead.

Wait until the replica has caught up, then verify that replication keeps running with zero lag: on the new cluster, SHOW SLAVE STATUS\G must report Slave_IO_Running and Slave_SQL_Running as Yes and Seconds_Behind_Master as 0 (NULL means replication is not running at all). Also confirm in the console that the new cluster shows Encryption enabled with the key you selected, and spot-check that row counts of a few busy tables match between the two clusters.
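The checks described above, as an added example that is not part of the original post: a small Python helper that extracts the binlog coordinates from the RDS event text, renders the rds_set_external_master call, parses SHOW SLAVE STATUS\G output to decide whether the replica is ready for cutover, and confirms the restored cluster is really encrypted. The event message, the status output and the cluster description are constructed samples in the shape the RDS console, the mysql client and `aws rds describe-db-clusters` return; the endpoint names, identifiers and key ARN are placeholders.

```python
import re

# Constructed sample of the RDS event the restored cluster emits when it starts with
# binary logging enabled (same wording the console shows; log name and offset are made up).
SAMPLE_EVENT_MESSAGE = "Binlog position from crash recovery is mysql-bin-changelog.000002 1234"

# Constructed sample of `SHOW SLAVE STATUS\G` output from the new (replica) cluster,
# trimmed to the fields that matter for the cutover decision. Placeholder endpoint.
SAMPLE_SLAVE_STATUS = """\
*************************** 1. row ***************************
               Slave_IO_State: Waiting for master to send event
                  Master_Host: my-aurora-cluster.cluster-abcdefghijkl.eu-west-1.rds.amazonaws.com
             Slave_IO_Running: Yes
            Slave_SQL_Running: Yes
        Seconds_Behind_Master: 0
                Last_IO_Errno: 0
               Last_SQL_Errno: 0
"""

# Constructed sample of one entry from `aws rds describe-db-clusters` for the restored
# cluster (placeholder identifier and key ARN).
SAMPLE_CLUSTER = {
    "DBClusterIdentifier": "my-aurora-cluster-encrypted",
    "StorageEncrypted": True,
    "KmsKeyId": "arn:aws:kms:eu-west-1:123456789012:key/00000000-0000-0000-0000-000000000000",
}

_BINLOG_EVENT = re.compile(r"Binlog position from crash recovery is (\S+) (\d+)")


def parse_binlog_position(message):
    """Return (log_file, position) from the crash-recovery event message."""
    match = _BINLOG_EVENT.search(message)
    if match is None:
        raise ValueError("not a binlog position event: %r" % message)
    return match.group(1), int(match.group(2))


def _quote(value):
    """Single-quote a string as a MySQL literal, doubling embedded quotes."""
    return "'" + value.replace("'", "''") + "'"


def build_set_external_master(host, user, password, log_file, log_pos, port=3306, ssl=0):
    """Render the CALL that points the replica at the old cluster's writer endpoint.

    ssl=0 leaves the replication channel unencrypted in transit; ssl=1 requests TLS.
    """
    return "CALL mysql.rds_set_external_master(%s, %d, %s, %s, %s, %d, %d);" % (
        _quote(host), port, _quote(user), _quote(password), _quote(log_file), log_pos, ssl)


def parse_slave_status(text):
    """Turn the vertical (\\G) SHOW SLAVE STATUS output into a dict of field -> value."""
    status = {}
    for line in text.splitlines():
        if line.startswith("*") or ":" not in line:
            continue  # row separator or blank line
        key, _, value = line.partition(":")
        status[key.strip()] = value.strip()
    return status


def replication_problems(status, expected_master_host=None):
    """Return the reasons the replica is NOT ready for cutover (empty list means go)."""
    problems = []
    for thread in ("Slave_IO_Running", "Slave_SQL_Running"):
        if status.get(thread) != "Yes":
            problems.append("%s is %r, expected Yes" % (thread, status.get(thread)))
    lag = status.get("Seconds_Behind_Master")
    # NULL means the SQL thread is not running, so it never counts as zero lag.
    if lag != "0":
        problems.append("Seconds_Behind_Master is %r, expected 0" % lag)
    for errno_field in ("Last_IO_Errno", "Last_SQL_Errno"):
        if status.get(errno_field, "0") != "0":
            problems.append("%s is %s" % (errno_field, status[errno_field]))
    if expected_master_host and status.get("Master_Host") != expected_master_host:
        problems.append("replicating from %r, not the old cluster" % status.get("Master_Host"))
    return problems


def encryption_problems(cluster, expected_kms_key_id=None):
    """Check that the restored cluster is encrypted at rest, optionally with a specific key."""
    problems = []
    if not cluster.get("StorageEncrypted"):
        problems.append("cluster %s is not encrypted" % cluster.get("DBClusterIdentifier"))
    elif expected_kms_key_id and cluster.get("KmsKeyId") != expected_kms_key_id:
        problems.append("cluster uses key %s, expected %s"
                        % (cluster.get("KmsKeyId"), expected_kms_key_id))
    return problems


if __name__ == "__main__":
    log_file, log_pos = parse_binlog_position(SAMPLE_EVENT_MESSAGE)
    print(build_set_external_master(
        "my-aurora-cluster.cluster-abcdefghijkl.eu-west-1.rds.amazonaws.com",
        "repl_user", "change-me", log_file, log_pos))
    print("replication:", replication_problems(parse_slave_status(SAMPLE_SLAVE_STATUS)) or "ready")
    print("encryption:", encryption_problems(SAMPLE_CLUSTER) or "ok")
```

In practice you would feed parse_binlog_position the Message field of the event (for example from `aws rds describe-events --source-type db-instance`), parse_slave_status the output of `mysql -e 'SHOW SLAVE STATUS\G'` against the new cluster, and encryption_problems the matching entry from `aws rds describe-db-clusters`; a non-empty list from either check is a reason not to start the maintenance window.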


Cut over to the encrypted cluster

  1. Schedule a maintenance window.

  2. Set the site in maintenance mode.