Ensure that your RDS database instances are encrypted with AWS KMS customer-managed keys (CMKs) rather than AWS-managed keys (the default aws/rds key that RDS uses when no customer key is specified), in order to have more granular control over your data-at-rest encryption and decryption process.
RDS encryption is set at database creation, so to remedy this problem, a new database is created, the data from the old database is migrated to it, and the old database is deleted:
1. Login to the AWS Management Console and navigate to https://console.aws.amazon.com/rds/.
2. Select ‘Create database’.
3. On the ‘Select engine’ page, select ‘Engine options’ and ‘Next’.
4. On the ‘Select use case’ page, select the use case for the database and ‘Next’.
5. On the ‘Specify DB details’ page, specify the database details you need and click ‘Next’.
6. On the ‘Configure advanced settings’ page, under ‘Encryption’, select ‘Enable encryption’ and choose the customer-managed key [i.e. anything other than (default) aws/rds] from the ‘Master key’ dropdown list.
7. Select ‘Create database’.
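To find instances that still need this remediation, the check can be automated from the CLI output rather than the console. The following is an added example, not part of the original rule text: it assumes the JSON shape of `aws rds describe-db-instances` (`DBInstances[].DBInstanceIdentifier`, `StorageEncrypted`, `KmsKeyId`) and the `KeyManager` field of `aws kms describe-key` (`AWS` for the default aws/rds key, `CUSTOMER` for a CMK); the sample data below is constructed.

```python
import json

# Constructed sample of `aws rds describe-db-instances` output (not real account data).
DESCRIBE_DB_INSTANCES = json.dumps({"DBInstances": [
    {"DBInstanceIdentifier": "orders-db", "StorageEncrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/aaaa-1111"},
    {"DBInstanceIdentifier": "legacy-db", "StorageEncrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/bbbb-2222"},
    {"DBInstanceIdentifier": "scratch-db", "StorageEncrypted": False},
]})

# Constructed sample of `aws kms describe-key` KeyMetadata, keyed by key ARN.
# In practice, run describe-key once per distinct KmsKeyId seen above.
KEY_METADATA = {
    "arn:aws:kms:us-east-1:111122223333:key/aaaa-1111": {"KeyManager": "CUSTOMER"},
    "arn:aws:kms:us-east-1:111122223333:key/bbbb-2222": {"KeyManager": "AWS"},
}


def classify_instance(instance, key_metadata):
    """Return 'unencrypted', 'aws-managed-key', 'customer-managed-key' or 'unknown-key'."""
    if not instance.get("StorageEncrypted"):
        return "unencrypted"
    meta = key_metadata.get(instance.get("KmsKeyId"))
    if meta is None:
        # Key not resolvable (deleted, cross-account, or not queried): flag for review.
        return "unknown-key"
    return "customer-managed-key" if meta["KeyManager"] == "CUSTOMER" else "aws-managed-key"


def find_noncompliant(describe_json, key_metadata):
    """Map each DB instance identifier to its status, keeping only those that fail the rule."""
    instances = json.loads(describe_json)["DBInstances"]
    report = {i["DBInstanceIdentifier"]: classify_instance(i, key_metadata) for i in instances}
    return {name: status for name, status in report.items() if status != "customer-managed-key"}


if __name__ == "__main__":
    for name, status in find_noncompliant(DESCRIBE_DB_INSTANCES, KEY_METADATA).items():
        print(f"{name}: {status}")
```

Unencrypted instances are reported too, since they need the same create-migrate-delete remediation before a CMK can be applied.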