Saloni's AWS Blog

Learning AWS Day by Day — Day 39 — Amazon RDS — Part 2

Learning AWS Day by Day — Day 39 — Amazon RDS — Part 2

Saloni Singh's photo
Saloni Singh
·

2 min read

Exploring AWS !!

Day 39:

Amazon RDS — Part 2

Previously we’ve learnt about backups, read replicas and disaster recovery strategies of RDS. Today we will dive deeper into some other concepts of RDS.

RDS Security — Encryption:
Encryption at Rest-
- Possibility to encrypt master and read replicas with AWS KMS-AES-256 encryption.
- Encryption has to be defined at launch time.
- If Master is not encrypted, Read Replicas cannot be encrypted.
- Transport Data Encryption (TDE) available for Oracle and SQL server.
In Flight Encryption-
- SSL certificate to encrypt data to RDS in flight.
- Provide SSL options with Trust Certificates when connecting to database.
To enforce SSL-
- PostgreSQL: rds:force_ssl=1 in the AWS RDS Console (Parameter Groups)
- MySQL: within Database: GRANT USAGE ON . TO ‘mysqluser’@’%’ REQUIRE SSL;

RDS Encryption Operation:
Encrypting RDS Backups:
- Snapshots of unencrypted RDS databases are unencrypted.
- Snapshots of encrypted RDS databases are encrypted.
- Can copy a snapshot into an encrypted one.
To encrypt an unencrypted RDS database:
- Create a snapshot of unencrypted snapshot.
- Copy snapshot and enable encryption for snap.
- Restore database from encrypted snapshot.
- Migrate applications to new database and delete old database.

RDS Security — Network and IAM
Network security:
- RDS database are usually deployed in private subnets, not in public.
- RDS security works by leveraging security groups (same concept as for EC2 instance) — it controls which security group/IP can communicate with RDS.
Access Management: - IAM policies helps control who can manage RDS (through RDS API)
- Traditional username and password can be used to login to database.
- IAM based authentication can be used to login into RDS MySQL and PostgreSQL.

RDS IAM Authentication: - IAM database authentication works with MySQL and PostgreSQL.
- You don’t need password, just need an authentication token through IAM and RDS API calls.
- Authentication token has a lifetime of 15 mins.

Benefits: - Network in/out must be encrypted by using SSL.
- IAM to centrally manage user instead of database.
- Can leverage IAM roles and EC2 instance profiles for easy integration.

RDS Security Summary:
Encryption at Rest: - is done only when you first create a database instance.
- or: unencrypted database -> snapshot -> copy snapshot as encrypted -> create database from snapshot.
Your Responsibility:
- Check ports/IP/SG inbound rules in database’s security groups.
- In-database user creation and permission or manage through IAM.
- Creating database with or without public access.
- Ensure parameter group or database is configured to only allow SSL connection.
AWS Responsibility:
- No SSH access.
- No manual OS patching
- No way to audit underlying instance.

AWSCloudCloud ComputingBeginner Developersrds