
Friday, December 17, 2021

RDS Encryption and Security

What is Amazon RDS?

Amazon Relational Database Service (Amazon RDS) makes it easy to set up, operate, and scale a relational database in the cloud. 
It provides cost-efficient and resizable capacity while automating time-consuming administration tasks such as hardware provisioning, database setup, patching and backups. 
It frees you to focus on your applications so you can give them the fast performance, high availability, security, and compatibility they need.


AWS RDS Security

  • AWS provides multiple features for securing RDS:
    • A DB instance can be hosted in a VPC for the greatest possible network access control
    • IAM policies can be used to assign permissions that determine who is allowed to manage RDS resources
    • Security groups control which IP addresses or EC2 instances can connect to the databases on a DB instance
    • Secure Sockets Layer (SSL) connections between clients and DB instances encrypt data in transit
    • RDS encryption secures RDS instances and snapshots at rest
    • Network encryption and transparent data encryption (TDE) are available with Oracle DB instances


RDS Authentication and Access Control

  • IAM can be used to control which RDS operations each individual user has permission to call

SSL to Encrypt a Connection to a DB Instance

  • Encrypt connections using SSL for data in transit between the applications and the DB instance
  • Amazon RDS creates an SSL certificate and installs it on the DB instance when RDS provisions the instance.
  • SSL certificates are signed by a certificate authority. The certificate includes the DB instance endpoint as its Common Name (CN), so clients can validate the certificate and guard against spoofing attacks.
  • While SSL offers security benefits, be aware that SSL encryption is a compute-intensive operation and will increase the latency of the database connection.

IAM Database Authentication

  • IAM database authentication works with MySQL and PostgreSQL.
  • IAM database authentication removes the need to store static user credentials in the database because authentication is managed externally using IAM.
  • IAM database authentication does not require a password; instead, the client presents an authentication token.
  • An authentication token is a unique string of characters that RDS generates on request.
  • Authentication tokens are generated using AWS Signature Version 4.
  • Each authentication token has a lifetime of 15 minutes.
  • IAM database authentication provides the following benefits:
    • Network traffic to and from the database is encrypted using Secure Sockets Layer (SSL).
    • Access to database resources is managed centrally through IAM, instead of individually on each DB instance.
    • IAM roles can be used to access the database instead of a password, for greater security.
