
Existing Aurora MySQL Cluster: Encryption at rest from zero to KMS

Have you ever wanted to encrypt an unencrypted Aurora MySQL cluster with the minimum downtime?

You know you cannot create an encrypted replica from an unencrypted Aurora cluster.

So I’m going to explain how to encrypt an unencrypted Aurora MySQL database using the binlog replication feature.

I will assume that you have a custom DNS record for the database that points to the Aurora cluster endpoint. Well, let’s do it!

Enable binlog

First, you have to enable BinLogs on the existing Aurora Cluster.

  1. Select the cluster parameter group of the Aurora cluster

  2. Select the parameter binlog_format

  3. Modify the value to ROW

  4. Then, reboot the DB instance to apply the change.

Create a new Aurora cluster from a snapshot

  1. In AWS RDS console, go to Snapshots

  2. Select the System tab

  3. Select the latest snapshot of the Aurora Cluster. For example: rds:my-aurora-cluster-2020-09-15-05-00

  4. In Actions, select Restore snapshot, then configure the instance according to your needs, but be sure to enable encryption using the default aws/kms key.

  5. Wait until the new cluster is ready
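The two console procedures above (enable binlog, then restore the snapshot into an encrypted cluster), written as AWS CLI calls in a shell script. This is an added example, not code from the original post: the parameter group, instance and cluster names are placeholders, the instance class db.r5.large is an arbitrary choice, and alias/aws/rds is assumed to be the account's AWS managed default key for RDS. With DRY_RUN=1 the aws commands are printed instead of executed, so the sequence can be reviewed before it touches an account.

```shell
#!/bin/sh
# Added example (not from the original post): the console steps as AWS CLI calls.
# All resource names are placeholders; alias/aws/rds is assumed to be the AWS
# managed default key for RDS.
set -eu

# With DRY_RUN=1 every aws command is printed instead of executed.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '+ %s\n' "$*"
  else
    "$@"
  fi
}

# Enable binlog: the change is applied pending-reboot and the writer instance is
# rebooted to pick it up, matching the reboot in the console steps.
enable_binlog() {
  pg_name=$1; writer_instance=$2
  run aws rds modify-db-cluster-parameter-group \
    --db-cluster-parameter-group-name "$pg_name" \
    --parameters "ParameterName=binlog_format,ParameterValue=ROW,ApplyMethod=pending-reboot"
  run aws rds reboot-db-instance --db-instance-identifier "$writer_instance"
  run aws rds wait db-instance-available --db-instance-identifier "$writer_instance"
}

# Newest automated (System tab) snapshot of a cluster, e.g. the
# rds:my-aurora-cluster-2020-09-15-05-00 quoted in the text.
latest_system_snapshot() {
  aws rds describe-db-cluster-snapshots \
    --db-cluster-identifier "$1" --snapshot-type automated \
    --query 'sort_by(DBClusterSnapshots,&SnapshotCreateTime)[-1].DBClusterSnapshotIdentifier' \
    --output text
}

# Restore the snapshot into a new cluster. Passing --kms-key-id is what makes the
# restored storage encrypted; without it the copy of an unencrypted snapshot stays
# unencrypted. A writer instance is then added and waited for.
restore_encrypted_cluster() {
  snapshot=$1; new_cluster=$2; new_instance=$3; kms_key=${4:-alias/aws/rds}
  run aws rds restore-db-cluster-from-snapshot \
    --db-cluster-identifier "$new_cluster" \
    --snapshot-identifier "$snapshot" \
    --engine aurora-mysql \
    --kms-key-id "$kms_key"
  run aws rds create-db-instance \
    --db-instance-identifier "$new_instance" \
    --db-cluster-identifier "$new_cluster" \
    --engine aurora-mysql \
    --db-instance-class db.r5.large
  run aws rds wait db-instance-available --db-instance-identifier "$new_instance"
}

# Confirm the new cluster really is encrypted before any data is migrated into it.
cluster_encrypted() {
  [ "$(aws rds describe-db-clusters --db-cluster-identifier "$1" \
        --query 'DBClusters[0].StorageEncrypted' --output text)" = "True" ]
}

# Usage (dry run first, then without DRY_RUN):
#   DRY_RUN=1 enable_binlog my-aurora-params my-aurora-writer
#   DRY_RUN=1 restore_encrypted_cluster "$(latest_system_snapshot my-aurora-cluster)" \
#       my-aurora-encrypted my-aurora-encrypted-writer
#   cluster_encrypted my-aurora-encrypted && echo "encrypted at rest"
```

The cluster_encrypted check is the one worth keeping in a runbook: a restore that silently dropped the key id would complete normally and leave you with a second unencrypted cluster.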

Configure Binlog replication to migrate the data

In the old DB cluster, create a new DB user specifically for replication and grant permissions:

mysql> CREATE USER 'repl_user'@'<domain_name>' IDENTIFIED BY '<password>';

mysql> GRANT REPLICATION CLIENT, REPLICATION SLAVE ON *.* TO 'repl_user'@'<domain_name>';

In the new DB cluster, configure the old cluster as the external master and start replication (the binlog filename and position to start from are recorded in the Events list of the new DB instance):

mysql> CALL mysql.rds_set_external_master ('<old_cluster_endpoint>', 3306, 'repl_user', '<password>', '<filename>', <position>, 0);

mysql> CALL mysql.rds_start_replication;

Wait until the initial load is complete and validate that the ongoing replication continues with a replication lag of 0.


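A way to validate that step from the command line, as an added example that is not part of the original post. It reads the output of SHOW SLAVE STATUS\G on the new cluster and checks more than the lag counter alone: both replication threads running, no error, and the executed position equal to the position read from the old cluster. The hostnames and positions in the two embedded samples are constructed, and the polling helper assumes the mysql client with credentials in ~/.my.cnf or MYSQL_PWD.

```shell
#!/bin/sh
# Added example (not from the original post): decide from 'SHOW SLAVE STATUS\G'
# output whether replication on the new cluster is healthy and fully caught up.
set -eu

# Parse the \G output on stdin into key/value pairs and exit 0 only when caught up.
replica_caught_up() {
  awk '
    /^[ \t]*[A-Za-z_]+:/ {
      key = $1; sub(/:$/, "", key)
      val = $0; sub(/^[ \t]*[A-Za-z_]+:[ \t]*/, "", val)
      v[key] = val
    }
    END {
      ok = (v["Slave_IO_Running"] == "Yes" && v["Slave_SQL_Running"] == "Yes")
      ok = ok && (v["Seconds_Behind_Master"] == "0")
      ok = ok && (v["Last_Error"] == "")
      ok = ok && (v["Master_Log_File"] == v["Relay_Master_Log_File"])
      ok = ok && (v["Read_Master_Log_Pos"] == v["Exec_Master_Log_Pos"])
      exit (ok ? 0 : 1)
    }'
}

# Poll the new cluster until it reports caught up. The password is taken from
# ~/.my.cnf or MYSQL_PWD so it never appears on the command line.
wait_until_caught_up() {
  endpoint=$1; user=$2
  until mysql -h "$endpoint" -u "$user" -e 'SHOW SLAVE STATUS\G' | replica_caught_up; do
    echo "replica still behind, retrying in 15s"; sleep 15
  done
}

# Constructed sample (not a real capture): replication caught up.
sample_caught_up() {
cat <<'EOF'
*************************** 1. row ***************************
               Slave_IO_State: Waiting for master to send event
                  Master_Host: old-cluster.cluster-abc123.us-east-1.rds.amazonaws.com
                  Master_User: repl_user
              Master_Log_File: mysql-bin-changelog.000042
          Read_Master_Log_Pos: 4096
        Relay_Master_Log_File: mysql-bin-changelog.000042
             Slave_IO_Running: Yes
            Slave_SQL_Running: Yes
          Exec_Master_Log_Pos: 4096
        Seconds_Behind_Master: 0
                   Last_Error:
EOF
}

# Constructed sample: SQL thread stopped on an error, so the lag reads NULL and
# the executed position lags the position already read from the old cluster.
sample_broken() {
cat <<'EOF'
*************************** 1. row ***************************
              Master_Log_File: mysql-bin-changelog.000042
          Read_Master_Log_Pos: 8192
        Relay_Master_Log_File: mysql-bin-changelog.000042
             Slave_IO_Running: Yes
            Slave_SQL_Running: No
          Exec_Master_Log_Pos: 4096
        Seconds_Behind_Master: NULL
                   Last_Error: Error 'Duplicate entry' on query. Default database: 'app'
EOF
}

# Usage against the samples:
#   sample_caught_up | replica_caught_up && echo "caught up"
#   sample_broken | replica_caught_up || echo "not safe to cut over"
```

Seconds_Behind_Master alone is a weak signal: it reads NULL when the SQL thread has stopped, and it briefly reads 0 while the IO thread is still fetching events, which is why the position comparison is included. On Aurora MySQL 3 (MySQL 8.0) the statement is SHOW REPLICA STATUS and the fields are named Replica_IO_Running and so on; adjust the keys accordingly.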
  1. Schedule a maintenance window.

  2. Set the site in maintenance mode.

  3. Stop the application servers so that no transactions are written to the old DB while the database is being switched.

  4. Stop the old DB cluster.

  5. Stop BinLog replication in the new DB cluster:

mysql> CALL mysql.rds_stop_replication;

  6. Change the DNS record of the cluster DB to point to the new DB cluster endpoint.

  7. Set the site in production mode.
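The cutover steps 4 to 6 above as a script, added here as an example that is not part of the original post. The hosted zone id, record name and cluster names are placeholders; the custom DNS record is assumed to be a CNAME in Route 53, and the mysql client is assumed to read its credentials from ~/.my.cnf. As in a dry run of any runbook, DRY_RUN=1 prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example (not from the original post): the cutover steps as a script.
# Zone id, record name and cluster names are placeholders.
set -eu

run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then printf '+ %s\n' "$*"; else "$@"; fi
}

# Route 53 change batch that repoints the record. UPSERT works whether or not the
# record exists yet. Lower the TTL well before the maintenance window, not at
# cutover, so clients are not still caching the old endpoint when it flips.
route53_change_batch() {
  record=$1; target=$2; ttl=$3
  cat <<EOF
{
  "Comment": "Point $record at the encrypted Aurora cluster",
  "Changes": [{
    "Action": "UPSERT",
    "ResourceRecordSet": {
      "Name": "$record", "Type": "CNAME", "TTL": $ttl,
      "ResourceRecords": [{"Value": "$target"}]
    }
  }]
}
EOF
}

# Steps 4 to 6 in the order given above: stop the old cluster so nothing can be
# written to it after the switch, stop binlog replication on the new cluster,
# then flip the DNS record.
cutover() {
  old_cluster=$1; new_endpoint=$2; zone_id=$3; record=$4
  run aws rds stop-db-cluster --db-cluster-identifier "$old_cluster"
  run mysql -h "$new_endpoint" -e 'CALL mysql.rds_stop_replication;'
  batch=$(mktemp)
  route53_change_batch "$record" "$new_endpoint" 60 > "$batch"
  run aws route53 change-resource-record-sets \
    --hosted-zone-id "$zone_id" --change-batch "file://$batch"
  rm -f "$batch"
}

# Usage (dry run first):
#   DRY_RUN=1 cutover my-aurora-cluster \
#       my-aurora-encrypted.cluster-xyz.us-east-1.rds.amazonaws.com \
#       Z0123456789ABC db.internal.example
```

Keep the old cluster stopped rather than deleted until the new one has been verified in production; a stopped Aurora cluster can be started again if the switch has to be rolled back, and stopping it also guarantees that no writer can reach it through a stale DNS cache.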

And that’s it. Now you have a fully functional Aurora MySQL cluster with encryption at rest using KMS.

If you want more tips like these, follow us and visit our page, where you can find much more information about the Cloud world. Share this TeraTip!

Lucas Valor

DevOps Engineer



#Teracloud #AWSLatam #TeraTips #AWSSecurity #AWS #AuroraMySQL #encryption #Binlog
