AWS RDS Security

AWS RDS Security
AWS RDS Security offers multiple featuresDB instances can be hosted in a VPC to provide maximum network access control
IAM policies can be used for granting permissions to determine who can manage RDS resources
Security groups can control which IP addresses or EC2 instances are allowed to connect to a DB instance.
Secure Socket Layer connections to DB instances
RDS encryption to protect RDS instances and snapshots in transit
Oracle DB instances offer network encryption and transparent data encryption (TDE).
Authentication can also be done using Kerberos, Password, and IAM database authentication. Access Control and RDS IAM
IAM can be used for controlling which RDS operations each user has permissions to call.
RDS encrypted instances use industry-standard AES256 encryption algorithm to encrypt data stored on the server hosting the RDS instance
RDS handles authentication of access to and decryption data with minimal impact on performance and without the need for modification of client applications.
Data at Rest Encryptioncan also be enabled on RDS instances in order to encrypt the storage
KMS manages encryption keys
Only during instance creation can this be enabled
Once enabled, the encryption keys can’t be changed
If the key is lost, the DB cannot be restored except from the backup
Logs are encrypted once encryption has been enabled in an RDS instance
Snapshots can be encrypted
Automated backups are encrypted
Read replicas are encrypted
Because the key is limited to a single region, cross-region replicas or snapshots copies are not possible
Encrypted snapshots can be copied from one AWS Region to another by specifying the KMS Key Identifier of the destination AWS Region. KMS encryption keys are unique to the AWS Region in which they were created.
Encrypted snapshots may be copied to another region by providing a KMS Key valid in the destination AWS Region. It can be a KMS key that is specific to a particular Region or a multi-Region key.
RDS DB Snapshot considerationsDB snapshot encrypted with a KMS encryption key may be copied
A DB snapshot encrypted by encryption can be copied to create an encrypted copy
Copying a DB snapshot can be done with either the same KMS encryption keys as the original DB snap or a different KMS encryption to encrypt the copy.
To add encryption to an unencrypted DB snap, you can copy the unencrypted snapshot to an encrypted snapshot.
Only encrypted snapshots can be restored to encrypted DB instances
When restoring from a snapshot of a DB cluster that is not encrypted, if a KMS encryption keys is specified, the restored DB Cluster is encrypted using the specified KMS encryption keys
To copy an encrypted snapshot from another AWS account, you will need to have access to the KMS encryption keys used to encrypt it.
KMS encryption keys are unique to the region they were created in. Therefore, encrypted snapshots cannot be copied to other regions.
Transparent Data Encryption – (TDE) Automatically encrypts data before it is written on the underlying storage device, and decrypts it when it is read from that storage device
Oracle supports this feature and SQL ServerOracle needs key storage beyond the KMS. This integration is possible with CloudHSM
SQL Server requires a key, but is managed by RDSRDS encryption in transit – SSL
Secure data transit between applications and DB instance by using SSL to encrypt connections
RDS creates an SSL Certificate and installs it on the DB instance, when RDS provisions the instance.
SSL certificates are signed by a certificate authority. To guard against spoofing attacks, SSL certificates include the DB instance endpoint.
SSL encryption offers security benefits but SSL encryption is computationally intensive and can increase latency.
For encrypted and unencrypted DB instances