DEV Community

Vijay Patel

RDS Encryption and Security

What is Amazon RDS?

Amazon Relational Database Service (Amazon RDS) makes it easy to set up, operate, and scale a relational database in the cloud.
It provides cost-efficient and resizable capacity while automating time-consuming administration tasks such as hardware provisioning, database setup, patching, and backups.
It frees you to focus on your applications so you can give them the fast performance, high availability, security, and compatibility they need.

AWS RDS Security

AWS provides several features that together secure an RDS deployment:
  • Hosting the DB instance in a VPC gives the greatest possible network access control; an instance should not be marked publicly accessible unless there is a specific reason for it.
  • IAM policies determine who is allowed to manage RDS resources (create, modify, snapshot, delete instances).
  • Security groups control which IP ranges or EC2 instances can open connections to the database port of a DB instance.
  • SSL/TLS encrypts connections between clients and DB instances (data in transit).
  • RDS encryption (AES-256 with AWS KMS keys) protects DB instances, automated backups, read replicas and snapshots at rest. An existing unencrypted instance cannot be encrypted in place: copy a snapshot with encryption enabled and restore from the copy.
  • Oracle DB instances additionally support native network encryption and transparent data encryption (TDE); SQL Server Enterprise Edition supports TDE as well.

A full tutorial video on RDS Encryption and Security accompanies this post.

RDS Authentication and Access Control

IAM policies control which RDS API operations (create, modify, snapshot, delete, and so on) each principal is permitted to call. This is control-plane access: permission to manage an instance does not by itself grant any access to the data inside it, which is governed by the database engine's own users and grants, or by IAM database authentication as described below.

SSL to Encrypt a Connection to a DB Instance

  • Encrypt connections with SSL/TLS so that data in transit between the application and the DB instance cannot be read or altered on the network.
  • Amazon RDS creates a server certificate and installs it on the DB instance when the instance is provisioned.
  • The certificate is signed by an Amazon RDS certificate authority and carries the DB instance endpoint as its Common Name (CN). This only guards against spoofing if the client verifies the chain against the RDS CA bundle and checks the hostname, for example `sslmode=verify-full` with PostgreSQL or `--ssl-mode=VERIFY_IDENTITY` with the MySQL client; a client that merely turns on encryption without verification will accept any certificate an attacker in the path presents.
  • Encryption in transit is optional unless the instance is configured to require it: set the `rds.force_ssl` parameter (PostgreSQL, SQL Server) or `require_secure_transport` (MySQL, MariaDB) in the DB parameter group so that plaintext connections are rejected.
  • SSL/TLS adds CPU work and latency, most of it in the handshake that starts each connection; reuse connections through a pool rather than opening a new one per query.

IAM Database Authentication

  • IAM database authentication is available for the MySQL, MariaDB and PostgreSQL engines.
  • Because authentication is handled by IAM, there is no static database password to store in application configuration or to rotate.
  • Instead of a password, the client presents an authentication token: a unique string that RDS generates on request (for example with `aws rds generate-db-auth-token` or the SDK's `generate_db_auth_token` call), passed in the password field of the connection.
  • Authentication tokens are signed with AWS Signature Version 4, so the caller needs IAM credentials that allow the `rds-db:connect` action for the target database user.
  • Each token is valid for 15 minutes. The lifetime applies to establishing the connection only; a connection that is already open is not closed when its token expires, so pooled connections keep working, but every new connection needs a fresh token.
  • The database side still needs a matching user: in MySQL and MariaDB the user is created with the `AWSAuthenticationPlugin`, in PostgreSQL the user is granted the `rds_iam` role.
  • IAM database authentication provides the following benefits:
    • Network traffic to and from the database is encrypted with SSL/TLS; IAM authentication requires an encrypted connection.
    • Access to database resources is managed centrally in IAM policies instead of on each DB instance.
    • Applications on EC2, Lambda or ECS can use an IAM role to obtain tokens, so no database password exists to leak or to rotate.
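To make the token mechanism and the certificate-verification point above concrete, the following Python block is an added example and is not code from the original post or from AWS. It constructs an IAM authentication token by hand, following the SigV4 presigned-query procedure that the SDK's `generate_db_auth_token` performs (the empty-body payload hash is an assumption of this example), checks the 15-minute window, and builds the TLS context a client should use so that the CN check actually defeats spoofing. The hostname `mydb.example.rds.amazonaws.com`, the user `app_user`, the access keys and the CA bundle path are constructed placeholders; in production obtain the token from boto3's `rds.generate_db_auth_token` and the CA bundle from AWS.

```python
"""Added example: RDS IAM auth token by hand (SigV4 presigned query), its 15-minute
window, and a TLS context with chain and hostname verification.
Host, user, keys and the CA bundle path are constructed placeholders."""
import hashlib
import hmac
import ssl
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qsl, quote

SERVICE = "rds-db"               # SigV4 signing name for RDS IAM database auth
TOKEN_LIFETIME_SECONDS = 900     # tokens are accepted for 15 minutes after issue
AMZ_DATE_FORMAT = "%Y%m%dT%H%M%SZ"


def _to_utc(value):
    """Accept a datetime, an X-Amz-Date string, or None (meaning now)."""
    if value is None:
        return datetime.now(timezone.utc)
    if isinstance(value, str):
        return datetime.strptime(value, AMZ_DATE_FORMAT).replace(tzinfo=timezone.utc)
    return value


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def _signing_key(secret_key: str, date_stamp: str, region: str) -> bytes:
    """SigV4 key derivation: secret -> date -> region -> service -> aws4_request."""
    k_date = _hmac(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, SERVICE)
    return _hmac(k_service, "aws4_request")


def generate_db_auth_token(hostname, port, username, region, access_key, secret_key,
                           session_token=None, issued_at=None):
    """Return 'host:port/?Action=connect&DBUser=...&X-Amz-Signature=...'.

    A SigV4 presigned GET with the 'https://' prefix removed; the database
    accepts the whole string in place of a password.
    """
    issued_at = _to_utc(issued_at)
    amz_date = issued_at.strftime(AMZ_DATE_FORMAT)
    date_stamp = issued_at.strftime("%Y%m%d")
    scope = f"{date_stamp}/{region}/{SERVICE}/aws4_request"

    params = {
        "Action": "connect",
        "DBUser": username,
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(TOKEN_LIFETIME_SECONDS),
        "X-Amz-SignedHeaders": "host",
    }
    if session_token:                      # temporary (role) credentials carry a session token
        params["X-Amz-Security-Token"] = session_token

    # Canonical query string: keys sorted, RFC 3986 percent-encoding ('/' -> %2F)
    canonical_query = "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in sorted(params.items())
    )
    host_header = f"{hostname}:{port}"
    canonical_request = "\n".join([
        "GET",
        "/",
        canonical_query,
        f"host:{host_header}\n",           # canonical headers, terminated by a blank line
        "host",                            # signed headers
        hashlib.sha256(b"").hexdigest(),   # presigned GET has no body (assumed empty payload)
    ])
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256",
        amz_date,
        scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest(),
    ])
    signature = hmac.new(_signing_key(secret_key, date_stamp, region),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{host_header}/?{canonical_query}&X-Amz-Signature={signature}"


def token_is_valid(token: str, now=None) -> bool:
    """True while the token can still open a new connection (issue time + X-Amz-Expires).

    Expiry only gates the initial connect; a session already established with
    the token stays open after this returns False.
    """
    params = dict(parse_qsl(token.split("?", 1)[1]))
    issued = _to_utc(params["X-Amz-Date"])
    return issued <= _to_utc(now) < issued + timedelta(seconds=int(params["X-Amz-Expires"]))


def rds_tls_context(ca_bundle_path=None) -> ssl.SSLContext:
    """TLS settings that make the server certificate's CN check meaningful.

    ca_bundle_path is the RDS CA bundle downloaded from AWS (path assumed).
    Encryption without chain and hostname verification accepts any certificate
    an attacker in the path presents.
    """
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH)
    if ca_bundle_path:
        ctx.load_verify_locations(cafile=ca_bundle_path)
    ctx.check_hostname = True             # endpoint must match the certificate CN/SAN
    ctx.verify_mode = ssl.CERT_REQUIRED   # unverifiable certificate aborts the handshake
    return ctx


if __name__ == "__main__":
    token = generate_db_auth_token("mydb.example.rds.amazonaws.com", 3306, "app_user",
                                   "us-east-1", "AKIAEXAMPLE", "EXAMPLESECRET",
                                   issued_at="20240101T120000Z")
    print(token)
    print("valid at 12:14:59:", token_is_valid(token, "20240101T121459Z"))
    print("valid at 12:15:00:", token_is_valid(token, "20240101T121500Z"))
```

The returned string goes in the password field of an encrypted connection, for example `mysql --ssl-ca=<rds-ca-bundle.pem> --ssl-mode=VERIFY_IDENTITY --enable-cleartext-plugin -u app_user -p'<token>'` or `psql "host=<endpoint> sslmode=verify-full sslrootcert=<rds-ca-bundle.pem> user=app_user password=<token>"`. The signature covers the host, the user and the issue time, so a token captured for one instance or user is useless for another, and `token_is_valid` shows why a connection pool must mint a new token before each new connection rather than caching one.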

