RDS Encryption with KMS: What Really Happens Behind the Scenes

When you enable encryption for an Amazon RDS database using AWS KMS, AWS says your data is "encrypted at risk". But what does that actually mean internally? Is the data always encrypted? How does RD