Exploring AWS !!
Day 39:
Amazon RDS — Part 2
Previously we’ve learnt about backups, read replicas and disaster recovery strategies of RDS. Today we will dive deeper into some other concepts of RDS.
RDS Security — Encryption:
Encryption at Rest-
- Possibility to encrypt master and read replicas with AWS KMS-AES-256 encryption.
- Encryption has to be defined at launch time.
- If Master is not encrypted, Read Replicas cannot be encrypted.
- Transport Data Encryption (TDE) available for Oracle and SQL server. In Flight Encryption-
- SSL certificate to encrypt data to RDS in flight.
- Provide SSL options with Trust Certificates when connecting to database. To enforce SSL-
- PostgreSQL: rds:force_ssl=1 in the AWS RDS Console (Parameter Groups)
- MySQL: within Database: GRANT USAGE ON . TO ‘mysqluser’@’%’ REQUIRE SSL;
RDS Encryption Operation:
Encrypting RDS Backups:
- Snapshots of unencrypted RDS databases are unencrypted.
- Snapshots of encrypted RDS databases are encrypted.
- Can copy a snapshot into an encrypted one. To encrypt an unencrypted RDS database:
- Create a snapshot of unencrypted snapshot.
- Copy snapshot and enable encryption for snap.
- Restore database from encrypted snapshot.
- Migrate applications to new database and delete old database.
RDS Security — Network and IAM
Network security:
- RDS database are usually deployed in private subnets, not in public.
- RDS security works by leveraging security groups (same concept as for EC2 instance) — it controls which security group/IP can communicate with RDS. Access Management:
- IAM policies helps control who can manage RDS (through RDS API)
- Traditional username and password can be used to login to database.
- IAM based authentication can be used to login into RDS MySQL and PostgreSQL.
RDS IAM Authentication:
- IAM database authentication works with MySQL and PostgreSQL.
- You don’t need password, just need an authentication token through IAM and RDS API calls.
- Authentication token has a lifetime of 15 mins.
Benefits:
- Network in/out must be encrypted by using SSL.
- IAM to centrally manage user instead of database.
- Can leverage IAM roles and EC2 instance profiles for easy integration.
RDS Security Summary:
Encryption at Rest:
- is done only when you first create a database instance.
- or: unencrypted database -> snapshot -> copy snapshot as encrypted -> create database from snapshot. Your Responsibility:
- Check ports/IP/SG inbound rules in database’s security groups.
- In-database user creation and permission or manage through IAM.
- Creating database with or without public access.
- Ensure parameter group or database is configured to only allow SSL connection. AWS Responsibility:
- No SSH access.
- No manual OS patching
- No way to audit underlying instance.