- Manage access to RDS resources and databases
- method to manage access depends on type of task
the user needs to perform with Amazon RDS, as
- Run DB instance in VPC based on Amazon VPC service for the greatest network access control.
- Use
AWS IAM policies to conduct on DB instances, tag resources, or modify security
groups –
- Create
- Describe
- Modify
- delete
- Use security groups to control IP addresses or EC2 instances database connection
- Use Secure Socket Layer (SSL) connections with DB instances running the MySQL, MariaDB, PostgreSQL, Oracle, or Microsoft SQL Server database engines.
- Use Amazon RDS encryption to secure DB instances and snapshots at rest.
- Use network encryption and transparent data encryption with Oracle DB instances
- Use the security features of DB engine to control who can log in to the databases on a DB instance.
Secure data by
- Use multi-factor authentication (MFA) with each account.
- Use SSL/TLS to communicate with AWS resources.
- Set up API and user activity logging with AWS CloudTrail.
- Use AWS encryption solutions, along with all default security controls within AWS services.
- Use advanced managed security services such as Amazon Macie, which assists in discovering and securing personal data that is stored in Amazon S3.
DB instance classes that do not support Amazon RDS encryption:
- General Purpose (M1)
- db.m1.small
- db.m1.medium
- db.m1.large
- db.m1.xlarge
- Memory Optimized (M2)
- db.m2.xlarge
- db.m2.2xlarge
- db.m2.4xlarge
- Burst Capable (T2)
- db.t2.micro
Encrypted RDS DB Instance Limitations
- only enable encryption when creating it, not after the DB instance is created.
- As encrypt copy of an unencrypted DB snapshot, add encryption to an unencrypted DB instance.
- encrypted DB instances can’t be changed to disable encryption.
- can’t have encrypted Read Replica of an unencrypted DB instance or an unencrypted Read Replica of an encrypted DB instance.
- Encrypted Read Replicas must be encrypted with the same key as the source DB instance.
- can’t restore unencrypted backup or snapshot to an encrypted DB instance.
- The source snapshot remains encrypted throughout the copy process.
- AWS Key Management Service uses envelope encryption to protect data during the copy process.
Key Management
- It manages keys used for Amazon RDS encrypted DB instances
- For full control over a key, create a customer-managed key.
- can’t delete, revoke, or rotate default keys provisioned by AWS KMS
- use SSL from application to encrypt a connection
to a DB instance running
- MySQL
- MariaDB
- SQL Server
- Oracle
- PostgreSQL
- Each DB engine has its own process for implementing SSL.
IAM
- AWS service to securely control access to AWS resources
- control on Amazon RDS resources, and who can be
- authenticated (signed in)
- authorized (have permissions)
- no additional charge for usage
Identity-Based Policies
- specify allowed or denied actions and resources
- specify conditions under which actions are allowed or denied
- RDS supports specific actions, resources, and condition keys.
Amazon RDS Resource-Based Policies
- RDS does not support resource-based policies.
Authorization Based on Amazon RDS Tags
- attach tags to RDS resources
- pass tags in a request to RDS
Policy Best Practices
- Identity-based policies determine whether someone can create, access, or delete Amazon RDS resources in account.
- use AWS managed policies to give users permissions they need.
- policies are already available in account
- policies are maintained and updated by AWS.
- Grant Least Privilege
- Enable MFA for Sensitive Operations
- Use Policy Conditions for Extra Security
AWS Certified DevOps Engineer Free Practice TestTake a Quiz