Which solution will meet these requirements?
Modify the unencrypted DB cluster using the AWS Management Console. Enable encryption and choose to apply the change immediately.
Take a snapshot of the unencrypted DB cluster and restore it to a new DB cluster with encryption enabled. Update any database connection strings to reference the new DB cluster endpoint, and then delete the unencrypted DB cluster.
Create an encrypted Aurora Replica of the unencrypted DB cluster. Promote the Aurora Replica as the new master.
Create a new DB cluster with encryption enabled and use the pg_dump and pg_restore utilities to load data to the new DB cluster. Update any database connection strings to reference the new DB cluster endpoint, and then delete the unencrypted DB cluster.
Explanations:
Aurora does not allow enabling encryption on an existing unencrypted DB cluster. Encryption must be enabled when the DB cluster is created; it cannot be turned on afterward by modifying the cluster.
Taking a snapshot of the unencrypted DB cluster and restoring it to a new encrypted DB cluster is the recommended method. This approach minimizes downtime and ensures that the new cluster is encrypted.
Aurora Replicas can be encrypted, but only when they are created in an encrypted cluster. You therefore cannot convert an unencrypted DB cluster into an encrypted one by creating and promoting an Aurora Replica.
Using pg_dump and pg_restore utilities requires significant manual intervention and would result in more downtime compared to the snapshot-and-restore method. It’s not the optimal solution for minimal downtime.