DEV Community

Cover image for Learning AWS Day by Day — Day 39 — Amazon RDS — Part 2
Saloni Singh
Saloni Singh

Posted on

Learning AWS Day by Day — Day 39 — Amazon RDS — Part 2

Exploring AWS !!

Day 39:

Amazon RDS — Part 2

Previously we’ve learnt about backups, read replicas and disaster recovery strategies of RDS. Today we will dive deeper into some other concepts of RDS.

RDS Security — Encryption:
Encryption at Rest-

  • Possibility to encrypt master and read replicas with AWS KMS-AES-256 encryption.
  • Encryption has to be defined at launch time.
  • If Master is not encrypted, Read Replicas cannot be encrypted.
  • Transport Data Encryption (TDE) available for Oracle and SQL server. In Flight Encryption-
  • SSL certificate to encrypt data to RDS in flight.
  • Provide SSL options with Trust Certificates when connecting to database. To enforce SSL-
  • PostgreSQL: rds:force_ssl=1 in the AWS RDS Console (Parameter Groups)
  • MySQL: within Database: GRANT USAGE ON . TO ‘mysqluser’@’%’ REQUIRE SSL;

RDS Encryption Operation:
Encrypting RDS Backups:

  • Snapshots of unencrypted RDS databases are unencrypted.
  • Snapshots of encrypted RDS databases are encrypted.
  • Can copy a snapshot into an encrypted one. To encrypt an unencrypted RDS database:
  • Create a snapshot of unencrypted snapshot.
  • Copy snapshot and enable encryption for snap.
  • Restore database from encrypted snapshot.
  • Migrate applications to new database and delete old database.

RDS Security — Network and IAM
Network security:

  • RDS database are usually deployed in private subnets, not in public.
  • RDS security works by leveraging security groups (same concept as for EC2 instance) — it controls which security group/IP can communicate with RDS. Access Management:
  • IAM policies helps control who can manage RDS (through RDS API)
  • Traditional username and password can be used to login to database.
  • IAM based authentication can be used to login into RDS MySQL and PostgreSQL.

RDS IAM Authentication:

  • IAM database authentication works with MySQL and PostgreSQL.
  • You don’t need password, just need an authentication token through IAM and RDS API calls.
  • Authentication token has a lifetime of 15 mins.


  • Network in/out must be encrypted by using SSL.
  • IAM to centrally manage user instead of database.
  • Can leverage IAM roles and EC2 instance profiles for easy integration.

Image description

RDS Security Summary:
Encryption at Rest:

  • is done only when you first create a database instance.
  • or: unencrypted database -> snapshot -> copy snapshot as encrypted -> create database from snapshot. Your Responsibility:
  • Check ports/IP/SG inbound rules in database’s security groups.
  • In-database user creation and permission or manage through IAM.
  • Creating database with or without public access.
  • Ensure parameter group or database is configured to only allow SSL connection. AWS Responsibility:
  • No SSH access.
  • No manual OS patching
  • No way to audit underlying instance.

Top comments (1)

emmabase profile image
Emmanuel Eneche

Great insights, Thank you for sharing.