
Encryption at rest can be enabled; it covers the DB storage, backups, read replicas and snapshots.
You can only enable encryption for an instance at creation time; it cannot be changed afterwards.
Transparent Data Encryption (TDE) can be used for Oracle and SQL Server.
AWS KMS is used to manage encryption keys.
Read replicas of an encrypted database in the same region use the same key as the primary; a replica in a different region uses a different key.
You cannot restore an unencrypted backup to an encrypted DB instance.
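The rules above can be checked against an account inventory. The following is an added example, not AWS or page code: it audits a list shaped like the DBInstances entries returned by `aws rds describe-db-instances` (only the fields used here), flagging instances that are not encrypted (which cannot be fixed in place) and replicas whose KMS key does not match the same-region/cross-region rule. The sample inventory is constructed, and the assumption that same-region replicas reference their source by identifier and cross-region replicas by ARN is noted in the code.

```python
def region_of(arn: str) -> str:
    """Region field of arn:aws:rds:<region>:<account>:db:<identifier>."""
    return arn.split(":")[3]

def audit_encryption(instances):
    """Return (instance id, finding) pairs; an empty list means compliant."""
    by_id = {i["DBInstanceIdentifier"]: i for i in instances}
    by_arn = {i["DBInstanceArn"]: i for i in instances}
    findings = []
    for inst in instances:
        name = inst["DBInstanceIdentifier"]
        if not inst.get("StorageEncrypted"):
            # Cannot be fixed in place: encryption is fixed at creation time.
            findings.append((name, "storage not encrypted"))
            continue
        src = inst.get("ReadReplicaSourceDBInstanceIdentifier")
        if not src:
            continue  # a primary: nothing further to compare
        # Assumption: same-region replicas name their source by identifier,
        # cross-region replicas by ARN.
        primary = by_arn.get(src) or by_id.get(src)
        if primary is None:
            findings.append((name, f"replica source {src} not in inventory"))
            continue
        same_region = region_of(primary["DBInstanceArn"]) == region_of(inst["DBInstanceArn"])
        same_key = primary.get("KmsKeyId") == inst.get("KmsKeyId")
        if same_region and not same_key:
            findings.append((name, "same-region replica must share the primary's key"))
        elif not same_region and same_key:
            findings.append((name, "cross-region replica must use a key in its own region"))
    return findings

# Constructed sample inventory (shape of `describe-db-instances` output).
ACCT = "111122223333"
KEY_A = f"arn:aws:kms:us-east-1:{ACCT}:key/KEY-A"
SAMPLE = [
    {"DBInstanceIdentifier": "orders-primary", "StorageEncrypted": True, "KmsKeyId": KEY_A,
     "DBInstanceArn": f"arn:aws:rds:us-east-1:{ACCT}:db:orders-primary"},
    {"DBInstanceIdentifier": "orders-replica-local", "StorageEncrypted": True, "KmsKeyId": KEY_A,
     "DBInstanceArn": f"arn:aws:rds:us-east-1:{ACCT}:db:orders-replica-local",
     "ReadReplicaSourceDBInstanceIdentifier": "orders-primary"},
    # Deliberately wrong record: a eu-west-1 replica listed with the us-east-1 key.
    {"DBInstanceIdentifier": "orders-replica-eu", "StorageEncrypted": True, "KmsKeyId": KEY_A,
     "DBInstanceArn": f"arn:aws:rds:eu-west-1:{ACCT}:db:orders-replica-eu",
     "ReadReplicaSourceDBInstanceIdentifier": f"arn:aws:rds:us-east-1:{ACCT}:db:orders-primary"},
    {"DBInstanceIdentifier": "legacy-reports", "StorageEncrypted": False,
     "DBInstanceArn": f"arn:aws:rds:us-east-1:{ACCT}:db:legacy-reports"},
]
```

Running `audit_encryption(SAMPLE)` reports the mis-keyed cross-region replica and the unencrypted legacy instance; the encrypted primary and its same-region replica produce no findings.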
