AWS RDS Security
- AWS RDS Security provides multiple features
- DB instance can be hosted in a VPC for the greatest possible network access control.
- IAM policies can be used to assign permissions that determine who is allowed to manage RDS resources.
- Security groups allow control of what IP addresses or EC2 instances can connect to the databases on a DB instance.
- RDS supports encryption in transit using SSL connections
- RDS supports encryption at rest to secure instances and snapshots at rest.
- Network encryption and transparent data encryption (TDE) with Oracle DB instances
- Authentication can be implemented using Password, Kerberos, and IAM database authentication.
RDS IAM and Access Control
- IAM can be used to control which RDS operations each individual user has permission to call.
RDS Encryption at Rest
- RDS encrypted instances use the industry-standard AES-256 encryption algorithm to encrypt data on the server that hosts the RDS instance.
- RDS handles authentication of access and decryption of the data with a minimal impact on performance, and with no need to modify the database client applications
- Data at Rest Encryption
- can be enabled on RDS instances to encrypt the underlying storage
- encryption keys are managed by KMS
- can be enabled only during instance creation
- once enabled, the encryption keys cannot be changed
- if the key is lost, the DB can only be restored from the backup
- Once encryption is enabled for an RDS instance,
- logs are encrypted
- snapshots are encrypted
- automated backups are encrypted
- read replicas are encrypted
Cross-region replicas and snapshots copy does not work since the key is only available in a single region
Encrypted snapshots from one AWS Region can’t be copied to another, by specifying the KMS key identifier of the destination AWS Region as KMS encryption keys are specific to the AWS Region that they are created.
- Encrypted snapshots can be copied to another region by specifying a KMS key valid in the destination AWS Region. It can be a Region-specific KMS key, or a multi-Region key.
- RDS DB Snapshot considerations
- DB snapshot encrypted using a KMS encryption key can be copied
- Copying an encrypted DB snapshot results in an encrypted copy of the DB snapshot
- When copying, the DB snapshot can either be encrypted with the same KMS encryption key as the original DB snapshot, or a different KMS encryption key to encrypt the copy of the DB snapshot.
- An unencrypted DB snapshot can be copied to an encrypted snapshot, to add encryption to a previously unencrypted DB instance.
- Encrypted snapshot can be restored only to an encrypted DB instance
- If a KMS encryption key is specified when restoring from an unencrypted DB cluster snapshot, the restored DB cluster is encrypted using the specified KMS encryption key
- Copying an encrypted snapshot shared from another AWS account requires access to the KMS encryption key used to encrypt the DB snapshot.
Because KMS encryption keys are specific to the region that they are created in, an encrypted snapshot cannot be copied to another region
- Transparent Data Encryption (TDE)
- Automatically encrypts the data before it is written to the underlying storage device and decrypts when it is read from the storage device
- is supported by Oracle and SQL Server
- Oracle requires key storage outside of the KMS and integrates with CloudHSM for this
- SQL Server requires a key but is managed by RDS
RDS Encryption in Transit – SSL
- Encrypt connections using SSL for data in transit between the applications and the DB instance
- RDS creates an SSL certificate and installs the certificate on the DB instance when RDS provisions the instance.
- SSL certificates are signed by a certificate authority. SSL certificate includes the DB instance endpoint as the Common Name (CN) for the SSL certificate to guard against spoofing attacks
- While SSL offers security benefits, be aware that SSL encryption is a compute-intensive operation and will increase the latency of the database connection.
- For encrypted and unencrypted DB instances, data that is in transit between the source and the read replicas is encrypted, even when replicating across AWS Regions.
IAM Database Authentication
- IAM database authentication works with MySQL and PostgreSQL.
- IAM database authentication prevents the need to store static user credentials in the database because authentication is managed externally using IAM.
- Authorization still happens within RDS (not IAM).
- IAM database authentication does not require a password but needs an authentication token
- An authentication token is a unique string of characters that RDS generates on request.
- Authentication tokens are generated using AWS Signature Version 4.
- Each Authentication token has a lifetime of 15 minutes
- IAM database authentication provides the following benefits:
- Network traffic to and from the database is encrypted using the Secure Sockets Layer (SSL).
- helps centrally manage access to the database resources, instead of managing access individually on each DB instance.
- enables using IAM Roles to access the database instead of a password, for greater security.
RDS Security Groups
- Security groups control the access that traffic has in and out of a DB instance
- VPC security groups act like a firewall controlling network access to your DB instance.
- VPC security groups can be configured and associated with the DB instance to allow access from an IP address range, port, or EC2 security group
- Database security groups default to a “deny all” access mode and customers must specifically authorize network ingress.
RDS Rotating Secrets
- RDS supports AWS Secrets Manager to automatically rotate the secret
- Secrets Manager uses a Lambda function Secrets Manager provides.
- Secrets Manager provides the following benefits
- Rotate secrets safely – rotate secrets automatically without disrupting the applications.
- Secrets Manager offers built-in integrations for rotating credentials for RDS databases for MySQL, PostgreSQL, and Aurora.
- Secrets Manager can be extended to meet custom rotation requirements by creating a Lambda function to rotate other types of secrets
- Manage secrets centrally – to store, view, and manage all the secrets.
- Security – By default, Secrets Manager encrypts these secrets with encryption keys that you own and control. Using fine-grained IAM policies, access to secrets can be controlled
- Monitor and audit easily – Secrets Manager integrates with AWS logging and monitoring services to enable meet your security and compliance requirements.
- Pay as you go – Pay for the secrets stored and for the use of these secrets; there are no long-term contracts or licensing fees.
Master User Account Privileges
- When you create a new DB instance, the default master user that is used gets certain privileges for that DB instance
- Subsequently, other users with permissions can be created.
Event Notification
- Event notifications can be configured for important events that occur on the DB instance
- Notifications of a variety of important events that can occur on the RDS instance, such as whether the instance was shut down, a backup was started, a failover occurred, the security group was changed, or your storage space is low can be received
RDS Encrypted DB Instances Limitations
- RDS Encryption can be enabled only during the creation of an RDS DB instance, not after the DB instance is created.
- DB instances that are encrypted can’t be modified to disable encryption.
- Encrypted snapshot of an unencrypted DB instance cannot be created.
- An unencrypted backup or snapshot can’t be restored to an encrypted DB instance.
- An unencrypted DB instance or an unencrypted read replica of an encrypted DB instance can’t have an encrypted read replica.
- DB snapshot of an encrypted DB instance must be encrypted using the same KMS key as the DB instance.
- Encrypted read replicas must be encrypted with the same CMK as the source DB instance when both are in the same AWS Region.
- For encrypting an unencrypted RDS database, the following approaches can be used.
- Using Snapshots, however, this option is feasible if you can afford downtime.
- Create a DB snapshot of the DB instance, which would be unencrypted.
- Copy the unencrypted DB snapshot to an encrypted snapshot.
- Restore a DB instance from the encrypted snapshot, which would be an encrypted DB instance.
- For minimal to no downtime you can use AWS Database Migration Service (AWS DMS) to migrate and continuously replicate the data so that the cutover to the new, encrypted database.
RDS API with Interface Endpoints (AWS PrivateLink)
- AWS PrivateLink enables you to privately access RDS API operations without an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection.
- DB instances in the VPC don’t need public IP addresses to communicate with RDS API endpoints to launch, modify, or terminate DB instances.
- DB instances also don’t need public IP addresses to use any of the available RDS API operations.
- Traffic between the VPC and RDS doesn’t leave the Amazon network.
AWS Certification Exam Practice Questions
- Questions are collected from Internet and the answers are marked as per my knowledge and understanding (which might differ with yours).
- AWS services are updated everyday and both the answers and questions might be outdated soon, so research accordingly.
- AWS exam questions are not updated to keep up the pace with AWS updates, so even if the underlying feature has changed the question might not be updated
- Open to further feedback, discussion and correction.
- Can I encrypt connections between my application and my DB Instance using SSL?
- No
- Yes
- Only in VPC
- Only in certain regions
- Which of these configuration or deployment practices is a security risk for RDS?
- Storing SQL function code in plaintext
- Non-Multi-AZ RDS instance
- Having RDS and EC2 instances exist in the same subnet
- RDS in a public subnet (Making RDS accessible to the public internet in a public subnet poses a security risk, by making your database directly addressable and spammable. DB instances deployed within a VPC can be configured to be accessible from the Internet or from EC2 instances outside the VPC. If a VPC security group specifies a port access such as TCP port 22, you would not be able to access the DB instance because the firewall for the DB instance provides access only via the IP addresses specified by the DB security groups the instance is a member of and the port defined when the DB instance was created. Refer link)
References
AWS_RDS_User_Guide – Security