CloudAgent gives you AI agents that manage your cloud infrastructure. They handle tasks like security compliance, cost optimization, deployments, and monitoring. You remain in control as agents show you their plans, wait for your approval, then execute. Think of it as having a cloud operations team that works 24/7 without needing to hire an army of cloud experts.

How can AI agents be trusted with production cloud infrastructure?

You stay in control through approval workflows where every infrastructure change can require human approval before execution, custom security controls with granular access rules, complete audit trails of every action, self-hosted deployment options, and progressive trust models starting with read-only access.

How does it actually reduce costs?

CloudAgent agents delete unused resources, schedule non-production shutdowns, right-size infrastructure based on usage patterns, and recommend architectural optimizations. Early customers report 15-40% cost reduction within 90 days. Unlike dashboards, CloudAgent actually fixes the problems.

1. Assessment

Inventory RDS DB instances and their storage encryption settings
Inventory RDS DB clusters and their storage encryption settings
Inventory KMS keys suitable for RDS storage encryption
User: Select RDS resources for migration and choose KMS keys

2. Configuration

Plan and orchestrate migration of unencrypted RDS DB instances to KMS-encrypted instances
Plan and orchestrate migration of unencrypted RDS DB clusters to KMS-encrypted clusters
Update RDS endpoints or DNS records to use encrypted RDS resources
Decommission unencrypted RDS instances and clusters after migration

3. Validation

Validate encryption configuration on migrated RDS DB instances
Validate encryption configuration on migrated RDS DB clusters
User: Validate application connectivity and behavior using encrypted RDS endpoints

1 Credits

Enable KMS-Based Storage Encryption for RDS Instances and Clusters

Overview

Enable storage encryption for your Amazon RDS databases using AWS KMS, by migrating unencrypted instances and clusters to encrypted equivalents. This plan helps you:

Discover all RDS DB instances and clusters in scope and understand their current encryption posture.
Identify and select suitable KMS keys for RDS storage encryption.
Guide you through planning and executing snapshot‑based migrations to encrypted instances and clusters, with clear rollback options.
Update application endpoints or DNS names so traffic flows to the new encrypted databases.
Validate both the RDS configurations and application behavior after migration, then safely decommission legacy unencrypted resources.

The workflow is organized into three phases—Assessment, Configuration, and Validation—to reduce risk and provide clear checkpoints before and after each migration step.

Execution Details

Assessment

This phase builds a complete picture of your current RDS and KMS setup and collects your migration decisions.

Inventory RDS DB instances

Enumerate all RDS DB instances in scope and capture key metadata: identifiers, engine and version, instance class, Region/AZ, storage type and size, subnet group, VPC, and status.
Determine for each instance whether storage encryption is enabled and, if so, which KMS key is used.
Produce a structured inventory (table/JSON) distinguishing encrypted vs. unencrypted instances for use in later tasks.

Inventory RDS DB clusters (including Aurora)

Enumerate all RDS DB clusters (Aurora and non‑Aurora), collecting identifiers, engine and version, status, subnet group, VPC, and member instances with their roles (writer/reader).
Determine cluster‑level storage encryption status and associated KMS key, and note whether member instances belong to encrypted or unencrypted clusters.
Produce a structured inventory highlighting which clusters are already encrypted vs. unencrypted.

Inventory KMS keys suitable for RDS

List customer‑managed KMS keys available in the Regions where RDS resources run.
Record key IDs/ARNs, state (enabled/disabled/pending deletion), type/usage, and helpful aliases or descriptions.
Perform a high‑level check that keys are enabled and usable by RDS.
Identify one or more recommended default keys for RDS encryption and store a structured catalog of candidate keys for later selection.

User selection of RDS resources and KMS keys

Present you with:
- The instance inventory, clearly marking encrypted vs. unencrypted and current KMS keys.
- The cluster inventory, similarly annotated.
- The list of candidate KMS keys with aliases and descriptions.
Guide you through choosing which unencrypted instances and clusters to migrate now, and which to exclude.
For each selected resource, capture the desired target KMS key, plus any preferences such as using different keys per environment or application.
Record your confirmations and exclusions, and produce a final mapping of RDS resources to their target KMS keys for the migration phase.

Configuration

This phase performs the actual migrations to encrypted storage, redirects traffic to the new resources, and retires old unencrypted databases once safe.

Migrate unencrypted RDS DB instances to encrypted instances

Use the approved inventory to finalize which unencrypted DB instances will be migrated and which KMS key each will use.
Confirm that each instance supports manual snapshots and restore‑from‑snapshot, and that backups/snapshots are functional.
Capture the instance configuration (class, storage, networking, parameter and option groups, backup and maintenance settings) to replicate or intentionally adjust on the target encrypted instance.
Define a migration window per instance, including acceptable downtime and a documented rollback strategy (retaining the original instance and key snapshots).
Just before migration:
- Quiesce or stop write traffic to the original instance.
- Take a fresh manual snapshot and wait until it is available.
Restore a new DB instance from the latest snapshot, specifying the chosen KMS key and mirroring or adjusting configuration as planned. Use a temporary identifier to avoid conflicts.
Verify that each new instance is available, reports encryption enabled with the correct KMS key, and passes basic connectivity and query tests.
Document the mapping between original and replacement instances (identifiers and endpoints).
Plan and then execute the cutover:
- Keep writes stopped on the original instance.
- Update endpoints, identifiers, DNS, or application configuration so traffic now targets the encrypted instance.
Confirm post‑cutover that applications are using the encrypted instance and that performance and stability are acceptable.
Keep the original unencrypted instance and snapshots for a defined rollback period, then document final state (original vs. new identifiers, KMS keys, snapshots, cutover time) and any instances that could not be migrated via this method.

Migrate unencrypted RDS DB clusters (including Aurora) to encrypted clusters

Confirm the list of unencrypted clusters selected for migration and the KMS key to use for each.
Validate that each cluster supports manual cluster snapshots and restore‑from‑snapshot to create an encrypted cluster.
Capture the existing cluster configuration: engine/version, number and classes of instances, writer/reader roles, networking, parameter groups, backup retention, and maintenance windows.
Define a migration window per cluster, including downtime constraints, failover expectations, and rollback plans (keeping the original cluster and snapshots).
Just before migration:
- Quiesce or stop writes to the original cluster.
- Create fresh manual cluster snapshots and wait until they are available.
Restore new encrypted clusters from these snapshots, specifying the chosen KMS keys and mirroring or adjusting configuration as planned. Use temporary cluster and instance identifiers.
Verify that:
- The new cluster and all member instances are available and encrypted with the correct KMS key.
- Writer and reader endpoints are created and working.
- Basic connectivity and simple queries succeed against writer and reader endpoints.
Document mapping between original and new cluster endpoints, including any custom endpoints.
Plan and then execute cutover:
- Ensure writes to the old cluster remain stopped.
- Update DNS, connection strings, or custom endpoints to point to the encrypted writer/reader endpoints.
Confirm applications are successfully using the encrypted cluster and that cluster health, instance health, and failover behavior are acceptable through an observation period.
Retain the original cluster and snapshots for rollback, then document final state and any clusters that could not be migrated via this approach.

Update RDS endpoints or DNS to use encrypted resources

Use the documented mappings to identify all application connection points that still reference unencrypted instance or cluster endpoints.
For each migrated instance and cluster, decide whether cutover is via renaming, direct configuration changes, or DNS updates.
Apply the planned changes so all applications now point to the encrypted endpoints (instance, writer, reader, and any custom endpoints).
Confirm the updated endpoints/DNS names resolve correctly and validate that no application configurations still reference the old unencrypted endpoints.
Record the final mapping of application endpoints and DNS names to the encrypted RDS resources for future reference and rollback planning.

Decommission unencrypted RDS resources

Confirm that all targeted instances and clusters have been successfully migrated and that all applications are using encrypted endpoints.
Check that rollback windows have expired and that there is no remaining active usage on the original unencrypted resources.
Ensure any required final snapshots or backups are created and retained according to organizational policies.
Decommission unencrypted RDS instances and clusters that are no longer needed, following your data retention and governance requirements.
Update documentation and inventories to remove retired unencrypted resources and mark encrypted replacements as the authoritative databases.
Note any unencrypted resources that must remain in place (for example, pending approvals or dependencies) and the reasons why.

Validation

This phase confirms that encryption is configured as intended and that applications behave correctly with the new encrypted databases.

Validate encryption for migrated DB instances

Retrieve the latest configuration for all migrated DB instances.
Confirm that storage encryption is enabled and that each instance is using the user‑approved KMS key.
Check that instance status is healthy/available and that there are no recent errors or failures related to the encryption change.
Verify that key configuration attributes (instance class, storage type, size) match the intended post‑migration design.
Produce a validation report indicating which instances are correctly configured and highlight any discrepancies with suggested remediation steps.

Validate encryption for migrated DB clusters

Retrieve the current configuration for all migrated clusters.
Confirm encryption is enabled at the cluster level, using the correct KMS key.
Validate that the cluster and all member instances are healthy and in expected states.
Ensure there are no recent errors tied to the migration and that primary configuration parameters (engine/version, instance counts/classes, networking settings) match the target design.
Update a validation report identifying correctly configured clusters and any that require follow‑up, documenting discrepancies and recommended next actions.

User validation of application connectivity and behavior

Provide application owners with the list of updated RDS endpoints and DNS names now pointing to encrypted resources.
Guide them to run application‑level tests to:
- Confirm connectivity.
- Validate critical operations (reads, writes, transactions, background jobs).
- Assess performance after migration.
Capture any reported issues that might be related to the encryption migration for further investigation.
Record application owner sign‑off on acceptable connectivity and behavior, or document outstanding issues and planned remediations.