diff --git a/elasticache-redis/replication-group/README.md b/elasticache-redis/replication-group/README.md
index 86b6cec..2604756 100644
--- a/elasticache-redis/replication-group/README.md
+++ b/elasticache-redis/replication-group/README.md
@@ -15,15 +15,16 @@ Provision a Redis cluster using AWS ElastiCache.
 
 | Name | Version |
 |------|---------|
-| [aws](#provider\_aws) | ~> 4.0 |
-| [random](#provider\_random) | ~> 3.0 |
+| [aws](#provider\_aws) | 4.67.0 |
+| [random](#provider\_random) | 3.5.1 |
 
 ## Modules
 
 | Name | Source | Version |
 |------|--------|---------|
-| [client\_security\_group](#module\_client\_security\_group) | ../../security-group | |
-| [server\_security\_group](#module\_server\_security\_group) | ../../security-group | |
+| [client\_security\_group](#module\_client\_security\_group) | ../../security-group | n/a |
+| [customer\_kms](#module\_customer\_kms) | github.com/thoughtbot/terraform-aws-secrets//customer-managed-kms | 3e5155d |
+| [server\_security\_group](#module\_server\_security\_group) | ../../security-group | n/a |
 
 ## Resources
 
diff --git a/elasticache-redis/replication-group/main.tf b/elasticache-redis/replication-group/main.tf
index 8950d6f..a782d39 100644
--- a/elasticache-redis/replication-group/main.tf
+++ b/elasticache-redis/replication-group/main.tf
@@ -5,7 +5,7 @@ resource "aws_elasticache_replication_group" "this" {
 automatic_failover_enabled = local.replica_enabled
 engine = var.engine
 engine_version = var.engine_version
- kms_key_id = var.kms_key == null ? null : var.kms_key.id
+ kms_key_id = var.kms_key == null ? module.customer_kms.kms_key_arn : var.kms_key.id
 multi_az_enabled = local.replica_enabled
 node_type = var.node_type
 num_cache_clusters = local.instance_count
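Review bot: The new fallback on the `kms_key_id` line changes the encryption key of every existing replication group that was created with `kms_key == null` (those were using the AWS-managed default key), and on aws_elasticache_replication_group `kms_key_id` is, as far as I recall, a force-new argument, so the next apply would plan a replacement of the cluster rather than an in-place update; the `kms_key_id = local.primary_kms_key` line in rds-postgres/primary-instance/main.tf (@@ -11) has the same effect on aws_db_instance. This deserves a breaking-change note in the README or commit message, or a gate that preserves the old behaviour for existing callers, e.g. a new boolean variable used as `kms_key_id = var.kms_key == null ? (var.create_kms_key ? module.customer_kms.kms_key_arn : null) : var.kms_key.id`. `kms_key_id` is also only honoured when `at_rest_encryption_enabled` is true; that argument is outside the hunk, so confirm it is set, otherwise the customer key is created but never used. The resource body continues outside the hunk on both sides.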
@@ -35,6 +35,12 @@ resource "aws_elasticache_replication_group" "this" {
 }
 }
 
+module "customer_kms" {
+ source = "github.com/thoughtbot/terraform-aws-secrets//customer-managed-kms?ref=3e5155d"
+
+ name = var.name
+}
+
 resource "aws_elasticache_subnet_group" "this" {
 name = coalesce(
 var.subnet_group_name,
diff --git a/rds-postgres/primary-instance/README.md b/rds-postgres/primary-instance/README.md
index 682f861..481943f 100644
--- a/rds-postgres/primary-instance/README.md
+++ b/rds-postgres/primary-instance/README.md
@@ -24,6 +24,7 @@ Provision a Postgres database using AWS RDS.
 |------|--------|---------|
 | [alarms](#module\_alarms) | ../cloudwatch-alarms | n/a |
 | [client\_security\_group](#module\_client\_security\_group) | ../../security-group | n/a |
+| [customer\_kms](#module\_customer\_kms) | github.com/thoughtbot/terraform-aws-secrets//customer-managed-kms | 3e5155d |
 | [parameter\_group](#module\_parameter\_group) | ../parameter-group | n/a |
 | [server\_security\_group](#module\_server\_security\_group) | ../../security-group | n/a |
 
@@ -95,5 +96,6 @@ Provision a Postgres database using AWS RDS.
 | [identifier](#output\_identifier) | Identifier of the created RDS database |
 | [initial\_password](#output\_initial\_password) | Initial admin password for connecting to this database |
 | [instance](#output\_instance) | The created RDS database instance |
+| [primary\_kms\_key](#output\_primary\_kms\_key) | KMS key arn in use by primary database instance. |
 | [server\_security\_group\_id](#output\_server\_security\_group\_id) | Name of the security group created for the server |
 
diff --git a/rds-postgres/primary-instance/main.tf b/rds-postgres/primary-instance/main.tf
index f28146a..a19eeb5 100644
--- a/rds-postgres/primary-instance/main.tf
+++ b/rds-postgres/primary-instance/main.tf
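Review bot: `module "customer_kms"` is instantiated unconditionally, so a customer-managed KMS key (and its key policy) is created even when the caller supplies `var.kms_key` and nothing references it — an orphan key that still costs money, shows up in key inventories and audits, and needs its own deletion schedule; the `module "customer_kms"` block in rds-postgres/primary-instance/main.tf (@@ -50) has the same shape. Adding `count = var.kms_key == null ? 1 : 0` to the module and referencing it from the replication group as `one(module.customer_kms[*].kms_key_arn)` keeps the key conditional (assuming the module's required Terraform version already allows `one()`; otherwise `join("", module.customer_kms[*].kms_key_arn)` does the same job). The source is pinned to the abbreviated commit `3e5155d`; pinning to the full 40-character SHA is unambiguous even if the upstream history later gains a colliding prefix, and is the form most dependency scanners expect for git-sourced modules.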
@@ -11,7 +11,7 @@ resource "aws_db_instance" "this" {
 identifier = var.identifier
 instance_class = var.instance_class
 iops = var.iops
- kms_key_id = var.kms_key_id
+ kms_key_id = local.primary_kms_key
 maintenance_window = var.maintenance_window
 max_allocated_storage = var.max_allocated_storage
 multi_az = var.multi_az
@@ -50,6 +50,12 @@ resource "aws_db_instance" "this" {
 }
 }
 
+module "customer_kms" {
+ source = "github.com/thoughtbot/terraform-aws-secrets//customer-managed-kms?ref=3e5155d"
+
+ name = var.identifier
+}
+
 resource "random_id" "snapshot_suffix" {
 byte_length = 4
 }
@@ -148,4 +154,6 @@ locals {
 local.owned_vpc_security_group_ids,
 local.shared_vpc_security_group_ids
 )
+
+ primary_kms_key = var.kms_key_id == null ? module.customer_kms.kms_key_arn : var.kms_key_id
 }
diff --git a/rds-postgres/primary-instance/outputs.tf b/rds-postgres/primary-instance/outputs.tf
index c146e40..53fcd85 100644
--- a/rds-postgres/primary-instance/outputs.tf
+++ b/rds-postgres/primary-instance/outputs.tf
@@ -38,6 +38,11 @@ output "instance" {
 value = aws_db_instance.this
 }
 
+output "primary_kms_key" {
+ description = "KMS key arn in use by primary database instance."
+ value = local.primary_kms_key
+}
+
 output "server_security_group_id" {
 description = "Name of the security group created for the server"
 value = join("", module.server_security_group.*.id)
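Review bot: `kms_key_id = local.primary_kms_key` now always hands a key to aws_db_instance, but `storage_encrypted` is outside this hunk and I cannot see whether it is forced to true; as far as I recall RDS rejects a KmsKeyId on an instance whose storage encryption is disabled, and even where it did not, a key that is set but never used gives a false impression of encryption at rest. Consider pinning `storage_encrypted = true` next to this line, or at least adding the comment `# kms_key_id is only meaningful when storage_encrypted = true` so the coupling is visible to the next maintainer. The resource body continues outside the hunk on both sides.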
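Review bot: The new `primary_kms_key` local carries no explanation of the precedence it encodes, and because the same choice is made inline in elasticache-redis/replication-group/main.tf, a short comment keeps the two from drifting: `# A caller-supplied key always wins; only fall back to the module-managed customer key when none is given.` The test is `== null`, so a caller that passes `""` (a common default for optional string variables) gets the empty string forwarded to aws_db_instance instead of the fallback; if empty-string defaults are used anywhere in this repository, a `validation` block on `var.kms_key_id` or treating `""` like null here would make the behaviour predictable. The `locals` block starts outside the hunk.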
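Review bot: The description promises an ARN, but `value = local.primary_kms_key` is whatever the caller passed in `var.kms_key_id`, which may be a bare key ID or an alias rather than an ARN. Reading the resolved value back from the instance, `value = aws_db_instance.this.kms_key_id`, returns the ARN the API recorded regardless of the input form (as far as I recall that attribute is populated from the describe call), and it also guarantees the output reflects the key actually applied rather than the intended one. The output block is complete within the hunk.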