Existing Aurora MySQL Cluster: Encryption at rest from zero to KMS
Updated: Jul 11
Have you ever wanted to encrypt an unencrypted Aurora MySQL Cluster with the minimum downtime?
You know you cannot create an encrypted replica from an unencrypted Aurora cluster.
So I’m going to explain how to encrypt an unencrypted Aurora MySQL database using the binlog replication feature.
I will assume that you have a custom DNS record for the database that points to the Aurora cluster endpoint. Well, let’s do it!
Enable binlog
First, you have to enable BinLogs on the existing Aurora Cluster.
Select the cluster parameter group of the Aurora cluster
Select the parameter binlog_format
Modify the value to ROW
Then, reboot the DB instance to apply the change.
Create a new Aurora cluster from a snapshot
In AWS RDS console, go to Snapshots
Select the System tab
Select the latest snapshot of the Aurora Cluster. For example: rds:my-aurora-cluster-2020-09-15-05-00
In Actions, select Restore snapshot, then configure the instance according to your needs, but make sure to enable encryption using the default aws/kms key.
Wait until the new cluster is ready.
Configure Binlog replication to migrate the data
In the old DB cluster, create a new DB user specifically for replication and grant permissions:
mysql> CREATE USER 'repl_user'@'<domain_name>' IDENTIFIED BY '<password>';
mysql> GRANT REPLICATION CLIENT, REPLICATION SLAVE ON *.* TO 'repl_user'@'<domain_name>';
In the new DB cluster, enable replication (the filename and position can be found in the Events list of the new DB instance):
mysql> CALL mysql.rds_set_external_master ('niceonesa-prod-db-cluster.cluster-cemqzytdtxal.eu-west-1.rds.amazonaws.com', 3306, 'repl_user', '<password>', '<filename>', <position>, 0);
mysql> CALL mysql.rds_start_replication;
Wait until the initial load is complete and validate that the ongoing replication keeps up, with a replication lag of 0.
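The validation step above is easy to get wrong by eyeballing SHOW SLAVE STATUS, so here is an added example (my own code, not part of the original post) that parses the vertical output of SHOW SLAVE STATUS\G from the new cluster together with the JSON from aws rds describe-db-clusters, and only reports "ready" when both replication threads run, there is no replication error, lag is 0, and the restored cluster is actually encrypted under a KMS key. Both sample outputs and the endpoint are constructed placeholders.

```python
import json
import re

# Constructed sample of `SHOW SLAVE STATUS\G` taken on the new (encrypted) cluster.
SAMPLE_SLAVE_STATUS = """\
*************************** 1. row ***************************
                  Master_Host: old-cluster.cluster-EXAMPLE.eu-west-1.rds.amazonaws.com
              Master_Log_File: mysql-bin-changelog.000042
             Slave_IO_Running: Yes
            Slave_SQL_Running: Yes
                   Last_Error:
        Seconds_Behind_Master: 0
"""

# Constructed sample of `aws rds describe-db-clusters` for the restored cluster.
SAMPLE_DESCRIBE = json.dumps({"DBClusters": [{
    "DBClusterIdentifier": "my-aurora-cluster-encrypted", "Status": "available",
    "StorageEncrypted": True,
    "KmsKeyId": "arn:aws:kms:eu-west-1:123456789012:key/EXAMPLE-KEY-ID"}]})


def parse_vertical(output):
    """Parse `\\G`-style output into a dict; an empty value (Last_Error) becomes ''."""
    fields = {}
    for line in output.splitlines():
        m = re.match(r"\s*(\w+):\s?(.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def cutover_checks(slave_status_output, describe_output, old_endpoint):
    """Map each precondition for the DNS switch to True/False."""
    s = parse_vertical(slave_status_output)
    cluster = json.loads(describe_output)["DBClusters"][0]
    return {
        # replication must really point at the old cluster, not a stale configuration
        "replicating_from_old_cluster": s.get("Master_Host") == old_endpoint,
        "io_thread_running": s.get("Slave_IO_Running") == "Yes",
        "sql_thread_running": s.get("Slave_SQL_Running") == "Yes",
        "no_replication_error": s.get("Last_Error", "") == "",
        "zero_lag": s.get("Seconds_Behind_Master") == "0",
        # the whole point of the migration: storage encrypted under a KMS key
        "target_encrypted_at_rest": cluster.get("StorageEncrypted") is True
        and bool(cluster.get("KmsKeyId")),
    }


def ready_for_cutover(slave_status_output, describe_output, old_endpoint):
    """True only when every check passes; otherwise stay in maintenance mode."""
    return all(cutover_checks(slave_status_output, describe_output, old_endpoint).values())
```

Feed it the real outputs captured from your clusters and refuse the DNS change while any check is False.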
Migration
Schedule a maintenance window.
Set the site in maintenance mode.
Stop the application servers to prevent transactions from being recorded on the old DB while switching databases.
Stop the old DB cluster.
Stop BinLog replication in the new DB cluster:
mysql> CALL mysql.rds_stop_replication;
Change the DNS record of the cluster DB to point to the new DB cluster endpoint.
Set the site in production mode.
And that’s it. Now you have a fully functional Aurora MySQL cluster with encryption at rest using KMS.
TeraTips!