Skip to content

Add new file

Derya TUMUKLU requested to merge d629426-main-patch-64118 into main

AWS RDS

Synthesis

AWS RDS is a managed and maintained relational service in AWS. It makes it easy to set up, operate, and scale relational databases in the Cloud. It has many interesting features like Dashboard, Databases, Query Editor, Performance Insight, Snapshots...

Scaling, High Availability, Database Backups, Database software patching, Database software installation, OS patching, OS installation, Server maintenance, Hardware lifecycle, Power Network, and cooling are all managed by AWS, and the Customer is only responsible for the Application optimization.

Requirements:

  • RDS-Compatible Database engines: Db2 (or Custom), Microsoft SQL Server, MySQL, PostgreSQL, Oracle, MariaDB. In Safran, the engines used with RDS are MSSQL (Microsoft SQL Server) and PostgreSQL.
  • VPC, subnet, and security group
  • High availability
  • IAM Policies
  • Open Ports (ex: 3309)
  • AWS Region (Safran's ones are available)
  • DB disk subsystem

Access

  • Patterns: RDS MSSQL is addressed in infoblox to the endpoint in the VPC​.
  • Authentication/Authorization: IAM and AWS SSO if possible.
  • Credentials Security: Credentials are stored in AWS Secret Manager​.
  • Roles: SSO roles admin, devs, and ops​.
  • Security Groups: Endpoint Security Group, Inbound 1433, Outbound 1433. (An RDS instance endpoint is the DNS address and port number combination used to connect to the RDS database. Port 1433 is the default port used by Microsoft SQL Server for database connections.)
  • Private Link: rds.{region}.amazonaws.com (example: rds.eu-west-1.amazonaws.com OR rds.eu-west-1.api.aws)

The following diagram illustrates how to access and use RDS.

RDS

Security Measures

  • Run your DB instance in a virtual private cloud (VPC).
  • Use AWS IAM policies to assign permission to who is allowed to manage RDS resources, with security groups, for example.
  • Use Security Groups to control which IP addresses or Amazon EC2 instances can connect to your databases on the DB instance. The access to the database is automatically blocked by the firewall when you create the DB instance, but it can be bypassed by certain roles given to security groups.
  • Use SSL or TLS connections with DB instances running Db2, MySQL, MariaDB, PostgreSQL, Oracle, or Microsoft SQL server database engines.
  • Use Amazon RDS encryption to secure your DB instances and snapshots at rest (AES-256 encryption).
  • Use network encryption and transparent data encryption with Oracle DB instances.
  • Use security features of your DB engine to control who can log in the databases on a DB instance.

AWS also manages the security of backups, replicas, and other processes.

Topics in security:

Security relies on Cluster & Instance configuration. The most important risk is data leak from a public instance or snapshot. IAM target authentication is AWS Managed AD, no local IAM account allowed (no control performed). Security in AWS RDS is crucial for ensuring the confidentiality, integrity, and availability of your data. Key security measures include:

  1. Database authentication with Amazon RDS:

    • Users can only choose one authentication method between Password, Kerberos, and IAM database authentication. For PostgreSQL, don't assign both the rds_iam and rds_ad roles to a user of a PostgreSQL database either directly or indirectly by nested grant access.

  2. Password management with Amazon RDS and AWS Secrets Manager:

    • Only Amazon RDS for SQL Server is supported for the integration of Secret Manager.

  3. Identity and access management for Amazon RDS:

    • IAM database authentication works with the following DB engines: MariaDB, MySQL, PostgreSQL.
    • Utilize SSL/TLS for communication with AWS resources, with a preference for TLS 1.3.
    • Enable API and user activity logging with AWS CloudTrail.
      • Note: Avoid putting confidential data, such as customer emails, in tags or the Name field.

  4. Encryption at Rest:

    • Support data encryption in the following areas:
      • Data in S3 data lake with AWS Key Management Service (KMS).
      • AWS Glue Data Catalog, where LakeFormation stores metadata tables describing data in the data lake.
      • To register an Amazon S3 location and control access, use LakeFormation permissions for fine-grained control.

  5. Logging and monitoring in Amazon RDS:

    • Amazon CloudWatch Alarms.
    • AWS CloudTrail Logs.
    • Enhanced Monitoring.
    • Amazon RDS Performance Insights.
    • Database Logs (watch database logs using the AWS Management Console, AWS CLI, or RDS API).
    • Amazon RDS Recommendations.
    • Amazon RDS Event Notification.
    • AWS Trusted Advisor (Trusted Advisor has the following Amazon RDS-related checks: Amazon RDS Idle DB Instances, Amazon RDS Security Group Access Risk, Amazon RDS Backups, Amazon RDS Multi-AZ).

  6. Resilience in Amazon RDS:

    • Backup and restore.
    • Replication.
    • Failover (Multi-AZ deployments for Oracle, PostgreSQL, MySQL, and MariaDB DB instances use Amazon's failover technology. SQL Server DB instances use SQL Server Database Mirroring (DBM)).

  7. Infrastructure security in Amazon RDS:

    • You use AWS published API calls to access Amazon RDS through the network. Clients must support the following:
      • Transport Layer Security (TLS). We require TLS 1.2 and recommend TLS 1.3.
      • Cipher suites with perfect forward secrecy (PFS) such as DHE (Ephemeral Diffie-Hellman) or ECDHE (Elliptic Curve Ephemeral Diffie-Hellman). Most modern systems such as Java 7 and later support these modes.
      • Additionally, requests must be signed by using an access key ID and a secret access key that is associated with an IAM principal. Or you can use the AWS Security Token Service (AWS STS) to generate temporary security credentials to sign requests.

  8. Controlling access with security groups:

    • Each VPC security group rule makes it possible for a specific source to access a DB instance in a VPC that is associated with that VPC security group. The source can be a range of addresses (for example, 203.0.113.0/24).
    • You can then create another VPC security group that allows access to TCP port 3306 for RDS for MySQL DB instances in your VPC.
    • If you want to turn on Secure Shell (SSH) access for instances in the VPC, create a rule allowing access to TCP port 22 for the specified range of addresses.

    More details: Amazon RDS Security Groups

  9. Master user account privileges:

    • System Privilege for PostgreSQL: CREATE ROLE, CREATE DB, PASSWORD VALID UNTIL INFINITY, CREATE EXTENSION, ALTER EXTENSION, DROP EXTENSION, CREATE TABLESPACE, ALTER OWNER, CHECKPOINT, PG_CANCEL_BACKEND(), PG_TERMINATE_BACKEND(), SELECT PG_STAT_REPLICATION, EXECUTE PG_STAT_STATEMENTS_RESET(), OWN POSTGRES_FDW_HANDLER(), OWN POSTGRES_FDW_VALIDATOR(), OWN POSTGRES_FDW, EXECUTE PG_BUFFERCACHE_PAGES(), SELECT PG_BUFFERCACHE.
      • Database role: RDS_SUPERUSER.
    • System Privilege Microsoft SQL Server: ADMINISTER BULK OPERATIONS, ALTER ANY CONNECTION, ALTER ANY CREDENTIAL, ALTER ANY EVENT SESSION, ALTER ANY LINKED SERVER, ALTER ANY LOGIN, ALTER ANY SERVER AUDIT, ALTER ANY SERVER ROLE, ALTER SERVER STATE, ALTER TRACE, CONNECT SQL, CREATE ANY DATABASE, VIEW ANY DATABASE, VIEW ANY DEFINITION, VIEW SERVER STATE, ALTER ON ROLE SQLAgentOperatorRole.
      • Database role: DB_OWNER, PROCESSADMIN, SETUPADMIN, and SQLAgentUserRole.

  10. Using service-linked roles for Amazon RDS:

    • A service-linked role makes using Amazon RDS easier because you don't have to manually add the necessary permissions. Amazon RDS defines the permissions of its service-linked roles, and unless defined otherwise, only Amazon RDS can assume its roles. The defined permissions include the trust policy and the permissions policy, and that permissions policy cannot be attached to any other IAM entity.

  11. Amazon RDS API and interface VPC endpoints (AWS PrivateLink): Example of an endpoint policy for Amazon RDS API. This policy grants access to the listed Amazon RDS API actions for all principals on all resources.

{
    "Statement":[
        {
            "Principal":"*",
            "Effect":"Allow",
            "Action":[
                "rds:CreateDBInstance",
                "rds:ModifyDBInstance",
                "rds:CreateDBSnapshot"
            ],
            "Resource":"*"
        }
    ]
}

Amazon VPC VPCs and Amazon RDS:

Data protection in Amazon RDS:

Compliance validation for Amazon RDS:

Security best practices for Amazon RDS:

Service Management & Considerations
Monitoring & Alerting N/A (see logging)
CI/CD Policies & roles can be redeployed using IaC tooling and code stored in GitLab.
Backup Management No backup is needed as the Lake permissions can be recreated at any instant from S3 data and a given catalog.
Logging Cloudtrail will collect access patterns to Lake Formation protected resources (tables, S3 locations).
OS Management & Patching N/A
Encryption At rest: KMS encryption for data in S3
High Availability As Lake Formation is only another layer of permissions encapsulating other AWS fully-managed services, it is high available by design.
Billing Service is free (as it is merely an overlay)

Control Tower Oversight

Topic Type Description Details Status
Internet exposure Controlled RDS instances must be private Managed Config : rds-instance-public-access-check Existing
Internet exposure Controlled RDS snapshot must be private Managed Config : rds-snapshots-public-prohibited Existing
Network configuration Controlled Do not widely open Security Group Managed Config : vpc-sg-restricted-common-ports, vpc-sg-open-only-to-authorized-ports, sg-modif-cicd Existing
Data protection Controlled RDS storages must be encrypted  with CMK for C2 data Managed Config : rds-storage-encrypted Existing
Data protection Controlled RDS snapshot must be encrypted  with CMK for C2 data Managed Config : rds-snapshot-encrypted Existing
Logging Controlled Activate Database logging Managed Config : rds-logging-enabled Existing
Hardening Controlled Activate automatic updates for minor versions Managed Config : rds-automatic-minor-version-upgrade-enabled Existing
Hardening Controlled Protect against cluster deletion Managed Config : rds-cluster-deletion-protection-enabled Existing
IAM Controlled Change default admin account of the cluster Managed Config : rds-cluster-default-admin-check Existing
IAM Controlled Change default admin account of the instances Managed Config : rds-instance-default-admin-check Existing
IAM Controlled Apply least privilege principle on RDS IAM role Managed Config : iam-policy-no-statements-with-admin-access, iam-policy-no-statements-with-full-access,  IAM Access Analyzer : iam-cross-account-permissions, CW rule : cwe-iam-cicd Existing
Logging Enforced Enable all logs : Cloudtrail API Log SCP : safran-scp-security-service-0.1 Existing
IAM Enforced Use AWS Managed AD to authenticate users CI/CD deployment and CF Landing Zone will configure the authentication infra Existing
Network configuration Best practice RDS MSSQL cluster Security group must only allow application for inbound trafic (no user desktops) N/A N/A
Data protection Best practice Use Secret Managed to store DB access secrets N/A N/A

RDS Managed config rules

More Infos and links

For more information, you can check this Rds Synthesis Download PowerPoint.

Merge request reports