Setting an encryption key for a replication instance - Amazon Database Migration Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Setting an encryption key for a replication instance

Amazon DMS encrypts the storage used by a replication instance and the endpoint connection information. To encrypt the storage used by a replication instance, Amazon DMS uses an Amazon KMS key that is unique to your Amazon account. You can view and manage this KMS key with Amazon Key Management Service (Amazon KMS). You can use the default KMS key in your account (aws/dms) or a KMS key that you create. If you have an existing Amazon KMS encryption key, you can also use that key for encryption.

You can specify your own encryption key by supplying a KMS key identifier to encrypt your Amazon DMS resources. When you specify your own encryption key, the user account used to perform the database migration must have access to that key. For more information on creating your own encryption keys and giving users access to an encryption key, see the Amazon KMS Developer Guide.

If you don't specify a KMS key identifier, then Amazon DMS uses your default encryption key. KMS creates the default encryption key for Amazon DMS for your Amazon account. Your Amazon account has a different default encryption key for each Amazon Region.

To manage the keys used for encrypting your Amazon DMS resources, you use Amazon KMS. You can find Amazon KMS in the Amazon Web Services Management Console by searching for KMS in the navigation pane.

Amazon KMS combines secure, highly available hardware and software to provide a key management system scaled for the cloud. Using Amazon KMS, you can create encryption keys and define the policies that control how these keys can be used. Amazon KMS supports Amazon CloudTrail, so you can audit key usage to verify that keys are being used appropriately. Your Amazon KMS keys can be used in combination with Amazon DMS and other supported Amazon services. Supported Amazon services include Amazon RDS, Amazon S3, Amazon Elastic Block Store (Amazon EBS), and Amazon Redshift.

When you have created your Amazon DMS resources with a specific encryption key, you can't change the encryption key for those resources. Make sure to determine your encryption key requirements before you create your Amazon DMS resources.
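Because the encryption key is fixed once a replication instance exists, the practical control is an inventory check: list each instance's `KmsKeyId`, look the key up in KMS, and flag instances that still sit on the account default key or on a key that is disabled or scheduled for deletion. The following script is an added example and is not part of the Amazon DMS documentation. It runs offline on constructed sample data shaped like the output of `aws dms describe-replication-instances` and `aws kms describe-key` (`KeyManager` is `AWS` for the default aws/dms key and `CUSTOMER` for a key you created); the account ID, key IDs and instance names are placeholders. In live use you would feed it the real responses, one Region at a time, since the default key differs per Region.

```python
"""Audit which KMS key protects each Amazon DMS replication instance.

Added example, not from the Amazon DMS documentation. The key cannot be
changed after the instance is created, so the useful check is to find
instances that were created on the account default key (aws/dms), or whose
key is no longer usable, before they carry production data.
"""
import json

# Constructed sample shaped like `aws dms describe-replication-instances`,
# trimmed to the fields this check reads. Account and key IDs are placeholders.
DMS_RESPONSE = json.loads("""
{
  "ReplicationInstances": [
    {"ReplicationInstanceIdentifier": "dms-prod-01",
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/11111111-1111-1111-1111-111111111111"},
    {"ReplicationInstanceIdentifier": "dms-test-02",
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/22222222-2222-2222-2222-222222222222"},
    {"ReplicationInstanceIdentifier": "dms-legacy-03",
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/33333333-3333-3333-3333-333333333333"}
  ]
}
""")

# Constructed sample `aws kms describe-key` results, indexed by key ARN.
# KeyManager is "AWS" for the account default key and "CUSTOMER" for your own key.
KMS_KEYS = {
    "arn:aws:kms:us-east-1:111122223333:key/11111111-1111-1111-1111-111111111111":
        {"KeyMetadata": {"KeyManager": "CUSTOMER", "KeyState": "Enabled"}},
    "arn:aws:kms:us-east-1:111122223333:key/22222222-2222-2222-2222-222222222222":
        {"KeyMetadata": {"KeyManager": "AWS", "KeyState": "Enabled"}},
    "arn:aws:kms:us-east-1:111122223333:key/33333333-3333-3333-3333-333333333333":
        {"KeyMetadata": {"KeyManager": "CUSTOMER", "KeyState": "PendingDeletion"}},
}


def classify_key(metadata):
    """Return a finding for one key's KeyMetadata block."""
    if metadata.get("KeyState") != "Enabled":
        # Disabled or pending deletion: the instance can no longer use its key.
        return "KEY_NOT_USABLE"
    if metadata.get("KeyManager") == "AWS":
        # Account default key (aws/dms); its key policy is managed by the
        # service rather than by you, so access cannot be scoped per team.
        return "DEFAULT_KEY"
    return "OK"


def audit_replication_instances(dms_response, kms_keys, approved_keys=None):
    """Map each replication instance identifier to a finding.

    approved_keys, when given, is the set of key ARNs your standard allows;
    an enabled customer key outside that set is reported as UNAPPROVED_KEY.
    """
    findings = {}
    for inst in dms_response["ReplicationInstances"]:
        key_arn = inst.get("KmsKeyId")
        meta = kms_keys.get(key_arn, {}).get("KeyMetadata")
        if meta is None:
            # Key lives in another account or Region, or the auditing
            # principal lacks kms:DescribeKey on it; either way, investigate.
            finding = "KEY_NOT_FOUND"
        else:
            finding = classify_key(meta)
            if finding == "OK" and approved_keys is not None and key_arn not in approved_keys:
                finding = "UNAPPROVED_KEY"
        findings[inst["ReplicationInstanceIdentifier"]] = finding
    return findings


if __name__ == "__main__":
    for name, finding in audit_replication_instances(DMS_RESPONSE, KMS_KEYS).items():
        print(f"{name}: {finding}")
```

A DEFAULT_KEY or UNAPPROVED_KEY finding cannot be fixed in place: the instance has to be recreated with the intended key identifier, which is why this check belongs in the pipeline that provisions replication instances rather than only in a periodic review.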