Amazon RDS Security

Updated Jul 26, 2020 ·

NOTES

This is not an exhaustive documentation of all the existing AWS Services. These are summarized notes that I used for the AWS Certifications.

To see the complete documentation, please go to: AWS documentation

Encryption at rest

Possibility to encrypt the master and read replicas with AWS KMS - AES-256 encryption.
Encryption has to be defined at the launch time.
If the master is not encrypted, the read replicas cannot be encrypted.
Transparent Data Encryption (TDE) is available for Oracle and SQL Server.

Uses SSL certificates to encrypt data from client to RDS in flight. When using SSL, a trust certificate is used when connecting to the database.

To enforce SSL:

PostgeSQL:

rds.force_ssl=1 in the AWS RDS Console (Parameter Groups)

MySQL:

GRANT USAGE ON *.* To 'user'@'%' REQUIRE SSL;

Create a snapshot.
Copy the snapshot and enable encryption for the snapshot.
Restore the database from the encrypted snapshot.
Migrate application from the old database to the new one and delete the old database.

RDS databases are usually deployed within a private subnet.
RDS security works by leveraging security groups (similar to EC2), they control who can communicate with the database instance.

There are IAM policies which help control who can manage an AWS RDS database (through the RDS API).
Traditional username/password can be used to login into the database.
IAM-based authentication can be used to login into MySQL and PostgreSQL.

IAM database authentication works with MySQL and PostgreSQL.
We don't need a password to authenticate, just an authentication token obtained through IAM and RDS API calls.
The token has a lifetime of 15 minutes.
Benefits:
- Network in/out must be encrypted using SSL.
- IAM is used to centrally manage users instead of DB credentials.
- We can manage IAM roles and EC2 instance profiles for easy integration.