

🔧 Learning AWS Day by Day — Day 39 — Amazon RDS — Part 2


Category: Programming
Source: dev.to

Exploring AWS !!

Day 39:

Amazon RDS — Part 2

Previously we’ve learnt about backups, read replicas and disaster recovery strategies of RDS. Today we will dive deeper into some other concepts of RDS.

RDS Security — Encryption:
Encryption at Rest:

  • The master and read replicas can be encrypted with AWS KMS (AES-256 encryption).
  • Encryption has to be defined at launch time.
  • If the master is not encrypted, its read replicas cannot be encrypted.
  • Transparent Data Encryption (TDE) is available for Oracle and SQL Server.

In-Flight Encryption:

  • SSL certificates encrypt data in flight to RDS.
  • Provide SSL options with a trust certificate when connecting to the database.

To enforce SSL:

  • PostgreSQL: rds.force_ssl=1 in the AWS RDS Console (Parameter Groups)
  • MySQL: within the database: GRANT USAGE ON *.* TO 'mysqluser'@'%' REQUIRE SSL;

RDS Encryption Operation:
Encrypting RDS Backups:

  • Snapshots of unencrypted RDS databases are unencrypted.
  • Snapshots of encrypted RDS databases are encrypted.
  • A snapshot can be copied into an encrypted one.

To encrypt an unencrypted RDS database:

  • Create a snapshot of the unencrypted database.
  • Copy the snapshot and enable encryption for the copy.
  • Restore the database from the encrypted snapshot.
  • Migrate applications to the new database and delete the old database.
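The first three steps of this procedure as an added example (not code from the original post). It assumes `rds` is a boto3 RDS client, for instance `boto3.client("rds")`; the snapshot naming scheme and the function name are hypothetical, and deleting the old database is left to the operator.

```python
def encrypt_via_snapshot(rds, source_id, target_id, kms_key_id):
    """Snapshot -> encrypted copy -> restore, using a boto3 RDS client `rds`.

    Returns the new instance identifier, or None if the source instance is
    already encrypted. The old instance is never deleted here.
    """
    src = rds.describe_db_instances(DBInstanceIdentifier=source_id)["DBInstances"][0]
    if src["StorageEncrypted"]:
        return None  # nothing to migrate

    plain_snap = f"{source_id}-plain"      # hypothetical naming scheme
    enc_snap = f"{source_id}-encrypted"

    # 1. Snapshot the unencrypted instance (the snapshot is unencrypted too).
    rds.create_db_snapshot(DBInstanceIdentifier=source_id,
                           DBSnapshotIdentifier=plain_snap)
    rds.get_waiter("db_snapshot_available").wait(DBSnapshotIdentifier=plain_snap)

    # 2. Copy the snapshot; supplying a KMS key is what encrypts the copy.
    rds.copy_db_snapshot(SourceDBSnapshotIdentifier=plain_snap,
                         TargetDBSnapshotIdentifier=enc_snap,
                         KmsKeyId=kms_key_id)
    rds.get_waiter("db_snapshot_available").wait(DBSnapshotIdentifier=enc_snap)

    # Refuse to restore unless the copy really is encrypted.
    copy = rds.describe_db_snapshots(DBSnapshotIdentifier=enc_snap)["DBSnapshots"][0]
    if not copy["Encrypted"]:
        raise RuntimeError(f"{enc_snap} is not encrypted; aborting restore")

    # 3. Restore a new instance from the encrypted snapshot.
    rds.restore_db_instance_from_db_snapshot(DBInstanceIdentifier=target_id,
                                             DBSnapshotIdentifier=enc_snap)
    rds.get_waiter("db_instance_available").wait(DBInstanceIdentifier=target_id)
    return target_id
```

Keeping the old instance until applications have been repointed and verified gives a rollback path if the restored database misbehaves.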

RDS Security — Network and IAM
Network security:

  • RDS databases are usually deployed in private subnets, not in public ones.
  • RDS network security relies on security groups (the same concept as for EC2 instances), which control which security groups/IPs can communicate with RDS.

Access Management:

  • IAM policies help control who can manage RDS (through the RDS API).
  • A traditional username and password can be used to log in to the database.
  • IAM-based authentication can be used to log in to RDS MySQL and PostgreSQL.

RDS IAM Authentication:

  • IAM database authentication works with MySQL and PostgreSQL.
  • You don’t need a password, just an authentication token obtained through IAM and RDS API calls.
  • The authentication token has a lifetime of 15 minutes.

Benefits:

  • Network traffic in and out must be encrypted using SSL.
  • Users are managed centrally in IAM instead of in the database.
  • IAM roles and EC2 instance profiles can be leveraged for easy integration.


RDS Security Summary:
Encryption at Rest:

  • It is enabled only when you first create a database instance.
  • Or: unencrypted database -> snapshot -> copy snapshot as encrypted -> create database from snapshot.

Your Responsibility:

  • Check ports/IP/SG inbound rules in the database’s security groups.
  • In-database user creation and permissions, or manage them through IAM.
  • Creating the database with or without public access.
  • Ensure the parameter group or database is configured to allow only SSL connections.

AWS Responsibility:

  • No SSH access.
  • No manual OS patching.
  • No way to audit the underlying instance.
...
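The "Your Responsibility" checks can be run over exported account data. This added example (not from the original post) audits records that use the field names returned by describe-db-instances and describe-security-groups; the sample records are constructed, and the `pg_params` mapping of parameter group name to values is a shape assumed for this example.

```python
OPEN_CIDRS = {"0.0.0.0/0", "::/0"}


def rule_covers(rule, port):
    """True if a security group rule admits TCP traffic on `port`."""
    if rule["IpProtocol"] == "-1":  # "-1" means all protocols and all ports
        return True
    return rule["IpProtocol"] == "tcp" and rule["FromPort"] <= port <= rule["ToPort"]


def audit_rds(instances, security_groups, pg_params):
    """Return (instance, finding) pairs. Inputs use describe-db-instances and
    describe-security-groups field names; pg_params maps a parameter group
    name to {parameter: value}, a shape assumed for this example."""
    groups = {sg["GroupId"]: sg for sg in security_groups}
    findings = []
    for db in instances:
        name, port = db["DBInstanceIdentifier"], db["Endpoint"]["Port"]
        if not db.get("StorageEncrypted"):
            findings.append((name, "storage not encrypted"))
        if db.get("PubliclyAccessible"):
            findings.append((name, "publicly accessible"))
        pgs = [g["DBParameterGroupName"] for g in db.get("DBParameterGroups", [])]
        if db["Engine"] == "postgres" and not any(
                pg_params.get(pg, {}).get("rds.force_ssl") == "1" for pg in pgs):
            findings.append((name, "rds.force_ssl is not 1"))
        for ref in db.get("VpcSecurityGroups", []):
            sg_id = ref["VpcSecurityGroupId"]
            for rule in groups.get(sg_id, {}).get("IpPermissions", []):
                cidrs = {r["CidrIp"] for r in rule.get("IpRanges", [])}
                cidrs |= {r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])}
                if rule_covers(rule, port) and cidrs & OPEN_CIDRS:
                    findings.append((name, f"{sg_id} open to the internet on port {port}"))
    return findings


# Constructed sample data, not from a real account.
SAMPLE_DBS = [
    {"DBInstanceIdentifier": "legacy-db", "Engine": "postgres", "Endpoint": {"Port": 5432},
     "StorageEncrypted": False, "PubliclyAccessible": True,
     "DBParameterGroups": [{"DBParameterGroupName": "pg-default"}],
     "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-open"}]},
]
SAMPLE_SGS = [
    {"GroupId": "sg-open", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 5432,
     "ToPort": 5432, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]
SAMPLE_PARAMS = {"pg-default": {"rds.force_ssl": "0"}, "pg-ssl": {"rds.force_ssl": "1"}}
```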
