Issue
I'm trying to find out if the Heroku Postgres database created on my app is encrypted with a Customer Master Key (CMK) using AWS KMS.
Resolution
Heroku Postgres supports using AWS Key Management Service (KMS) to create a Customer Master Key (CMK) at the time of add-on creation for encryption in Private and Shield Spaces. More details here: https://devcenter.heroku.com/articles/encrypting-heroku-postgres-with-your-key.
If a Heroku Postgres database was created with an encryption key, an additional field, Customer Encryption Key, can be seen in the output of the command heroku pg:info:
Customer Encryption Key: arn:aws:kms:<region>-<az>-x:xxxxxxxxxx:key/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
For all other Heroku Postgres databases, created without this key, the Customer Encryption Key line does not appear in the output.
This should help in identifying whether encryption with a CMK was used when the add-on was created.
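To apply this check across every database attached to an app, the following added example (not Heroku's own tooling) classifies each section of heroku pg:info output by the presence of the Customer Encryption Key line. It assumes each database section begins with a "=== NAME" header; the sample output and ARN are constructed placeholders.

```shell
#!/bin/sh
# Added example: report, per database, whether `heroku pg:info` output
# contains a "Customer Encryption Key" line.
# Usage against a real app: heroku pg:info --app <your-app> | audit_pg_info

# Reads pg:info text on stdin.
# Prints one tab-separated line per database: <name> <CMK|NO_CMK> <arn or ->
# Assumption: every database section starts with a "=== NAME" header line.
audit_pg_info() {
  awk '
    function emit() {
      if (name != "")
        printf "%s\t%s\t%s\n", name, (arn != "" ? "CMK" : "NO_CMK"), (arn != "" ? arn : "-")
    }
    /^=== / { emit(); name = substr($0, 5); arn = ""; next }
    /^Customer Encryption Key:/ {
      arn = $0
      sub(/^Customer Encryption Key:[ \t]*/, "", arn)  # drop the field label
      sub(/[ \t\r]+$/, "", arn)                        # drop trailing whitespace/CR
      next
    }
    END { emit() }
  '
}

# Constructed sample output (not from a real app): one database created with
# a key, one without. The ARN is a placeholder.
sample_pg_info() {
  cat <<'EOF'
=== DATABASE_URL
Status:                  Available
Customer Encryption Key: arn:aws:kms:us-east-1:000000000000:key/00000000-0000-0000-0000-000000000000
Add-on:                  postgresql-example-00001

=== HEROKU_POSTGRESQL_RED_URL
Status:                  Available
Add-on:                  postgresql-example-00002
EOF
}

# Demonstration on the constructed sample.
sample_pg_info | audit_pg_info
```

Any database reported as NO_CMK was created without a customer key, per the rule above.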