Add new file

Derya TUMUKLU requested to merge d629426-main-patch-03904 into main

AWS RDS

Synthesis

AWS RDS is a managed and maintained relational database service in AWS. It makes it easy to set up, operate, and scale relational databases in the cloud. It offers many useful features, such as the Dashboard, Databases, Query Editor, Performance Insights, and Snapshots.

Scaling, high availability, database backups, database software patching and installation, OS patching and installation, server maintenance, hardware lifecycle, power, network, and cooling are all managed by AWS; the customer is only responsible for application optimization.

The target IAM authentication is AWS Managed AD; no local IAM accounts are allowed (no control is performed on this).

Access

  • Patterns: RDS MSSQL is addressed in Infoblox (DNS) to the endpoint in the VPC.
  • Authentication/Authorization: IAM and AWS SSO where possible.
  • Credentials Security: credentials are stored in AWS Secrets Manager.
  • Security Groups: endpoint Security Group, inbound 1433, outbound 1433. (An RDS instance endpoint is the DNS address and port number combination used to connect to the RDS database. Port 1433 is the default port used by Microsoft SQL Server for database connections.)
  • Private Link: rds.{region}.amazonaws.com (example: rds.eu-west-1.amazonaws.com OR rds.eu-west-1.api.aws)

The following diagram illustrates how to access and use RDS.

[Diagram: RDS]

Security Measures

  • Run your DB instance in a virtual private cloud (VPC).
  • Use AWS IAM policies to assign permissions to the principals allowed to manage RDS resources, including security groups.
  • Carefully choose the rules when creating Security Groups so that access to the DB cannot be bypassed.
  • Use SSL/TLS to encrypt connections to the DB instance.
  • Use Amazon RDS encryption to secure your DB instances and snapshots at rest (AES-256 encryption).

In Detail

  1. Password management with Amazon RDS and AWS Secrets Manager:

    • Only Amazon RDS for SQL Server is supported for the Secrets Manager integration.
  2. Identity and access management for Amazon RDS:

    • Enable API and user activity logging with AWS CloudTrail.
      • Note: avoid putting confidential data, such as customer e-mail addresses, in tags or the Name field.
  3. Encryption at rest for the S3 data lake with AWS Key Management Service (KMS) and the AWS Glue Data Catalog, where Lake Formation stores the metadata tables describing the data in the data lake:

    • To register an Amazon S3 location and control access to it, use Lake Formation permissions for fine-grained control.
  4. Logging and monitoring in Amazon RDS:

    • Amazon CloudWatch alarms.
    • AWS CloudTrail logs.
    • Enhanced Monitoring.
    • Amazon RDS Performance Insights.
    • Database logs (view them with the AWS Management Console, the AWS CLI, or the RDS API).
    • Amazon RDS recommendations.
    • Amazon RDS event notifications.
    • AWS Trusted Advisor.
  5. Infrastructure security: clients should support TLS 1.2 or TLS 1.3. Requests must be signed with an access key ID and secret access key associated with an IAM principal, or with temporary security credentials generated by AWS Security Token Service (AWS STS).

  6. The master user account can hold server-level privileges such as ADMINISTER BULK OPERATIONS and ALTER ANY CONNECTION, and the DB_OWNER, PROCESSADMIN, SETUPADMIN, and SQLAgentUserRole database roles.

  7. Use service-linked roles for Amazon RDS if you don't want to add permissions manually, since RDS can assume those roles itself.

  8. Amazon RDS API and interface VPC endpoints (AWS PrivateLink): the following is an example endpoint policy for the Amazon RDS API. It grants the listed Amazon RDS API actions to all principals on all resources.

{
    "Statement":[
        {
            "Principal":"*",
            "Effect":"Allow",
            "Action":[
                "rds:CreateDBInstance",
                "rds:ModifyDBInstance",
                "rds:CreateDBSnapshot"
            ],
            "Resource":"*"
        }
    ]
}
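As an added example (not part of the merge request), the following Python linter flags endpoint-policy statements like the one above that combine a wildcard Principal with a wildcard Resource and no Condition, and returns a copy scoped to callers from one AWS account (via the aws:PrincipalAccount condition key) and to explicit DB instance ARNs. The account ID and DB ARN used in the usage are placeholders.

```python
import copy
import json

# Copy of the endpoint policy quoted above (constructed for this example).
PAGE_POLICY = json.loads("""{
    "Statement": [
        {"Principal": "*", "Effect": "Allow",
         "Action": ["rds:CreateDBInstance", "rds:ModifyDBInstance", "rds:CreateDBSnapshot"],
         "Resource": "*"}
    ]
}""")


def _as_list(value):
    """Normalise a policy element that may be a string or a list of strings."""
    return [value] if isinstance(value, str) else list(value)


def _principal_is_wildcard(principal):
    """True for the "*" and {"AWS": "*"} forms, which match any caller."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def find_overbroad_statements(policy):
    """Indices of Allow statements with a wildcard Principal, a wildcard
    Resource and no Condition block: any caller may run the actions anywhere."""
    hits = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if _principal_is_wildcard(stmt.get("Principal")) and \
                "*" in _as_list(stmt.get("Resource", [])):
            hits.append(i)
    return hits


def scope_policy(policy, account_id, resource_arns):
    """Return a copy where each over-broad statement is limited to callers from
    one AWS account (aws:PrincipalAccount) and to the given explicit ARNs."""
    scoped = copy.deepcopy(policy)
    for i in find_overbroad_statements(policy):
        stmt = scoped["Statement"][i]
        stmt["Resource"] = list(resource_arns)
        stmt["Condition"] = {"StringEquals": {"aws:PrincipalAccount": account_id}}
    return scoped


if __name__ == "__main__":
    # Placeholder account ID and DB ARN, not real identifiers.
    print(json.dumps(scope_policy(PAGE_POLICY, "111122223333",
          ["arn:aws:rds:eu-west-1:111122223333:db:app-mssql"]), indent=2))
```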

Service Management & Considerations

| Topic | Consideration |
|---|---|
| Monitoring & Alerting | N/A (see Logging) |
| CI/CD | Policies and roles can be redeployed using IaC tooling and code stored in GitLab. |
| Backup Management | No backup is needed, as the Lake permissions can be recreated at any instant from the S3 data and a given catalog. |
| Logging | CloudTrail collects access patterns to Lake Formation protected resources (tables, S3 locations). |
| OS Management & Patching | N/A |
| Encryption | At rest: KMS encryption for data in S3. |
| High Availability | As Lake Formation is only another layer of permissions encapsulating other fully managed AWS services, it is highly available by design. |
| Billing | The service is free (as it is merely an overlay). |

Control Tower Oversight

| Topic | Type | Description | Details | Status |
|---|---|---|---|---|
| Internet exposure | Controlled | RDS instances must be private | Managed Config: rds-instance-public-access-check | Existing |
| Internet exposure | Controlled | RDS snapshots must be private | Managed Config: rds-snapshots-public-prohibited | Existing |
| Network configuration | Controlled | Do not open Security Groups widely | Managed Config: vpc-sg-restricted-common-ports, vpc-sg-open-only-to-authorized-ports, sg-modif-cicd | Existing |
| Data protection | Controlled | RDS storage must be encrypted with a CMK for C2 data | Managed Config: rds-storage-encrypted | Existing |
| Data protection | Controlled | RDS snapshots must be encrypted with a CMK for C2 data | Managed Config: rds-snapshot-encrypted | Existing |
| Logging | Controlled | Activate database logging | Managed Config: rds-logging-enabled | Existing |
| Hardening | Controlled | Activate automatic updates for minor versions | Managed Config: rds-automatic-minor-version-upgrade-enabled | Existing |
| Hardening | Controlled | Protect against cluster deletion | Managed Config: rds-cluster-deletion-protection-enabled | Existing |
| IAM | Controlled | Change the default admin account of the cluster | Managed Config: rds-cluster-default-admin-check | Existing |
| IAM | Controlled | Change the default admin account of the instances | Managed Config: rds-instance-default-admin-check | Existing |
| IAM | Controlled | Apply the least privilege principle on the RDS IAM role | Managed Config: iam-policy-no-statements-with-admin-access, iam-policy-no-statements-with-full-access; IAM Access Analyzer: iam-cross-account-permissions; CW rule: cwe-iam-cicd | Existing |
| Logging | Enforced | Enable all logs: CloudTrail API log | SCP: safran-scp-security-service-0.1 | Existing |
| IAM | Enforced | Use AWS Managed AD to authenticate users | CI/CD deployment and CF Landing Zone will configure the authentication infrastructure | Existing |
| Network configuration | Best practice | The RDS MSSQL cluster Security Group must only allow applications for inbound traffic (no user desktops) | N/A | N/A |
| Data protection | Best practice | Use Secrets Manager to store DB access secrets | N/A | N/A |

There are a few more Config rules in SAFRAN for RDS: rds-cluster-iam-authentication-enabled, rds-instance-iam-authentication-enabled, rds-cluster-multi-az-enabled, rds-multi-az-support, rds_vpc_endpoint_enabled, rds_data_vpc_endpoint_enabled, rds-instance-deletion-protection-enabled, documentdb-encryption-enabled.
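The instance-level Managed Config rules from the table above and the extra rule list can be pre-checked locally before a deployment reaches Control Tower. The following Python evaluator is an added example (not from the merge request); it runs over constructed records in the shape of a DescribeDBInstances response, and the default master username list it uses is an assumption that approximates the managed rule.

```python
# Constructed records in the DescribeDBInstances response shape; field names
# follow the RDS API, the values are invented for this example.
SAMPLE_INSTANCES = [
    {"DBInstanceIdentifier": "app-mssql-prod", "Engine": "sqlserver-se",
     "PubliclyAccessible": False, "StorageEncrypted": True,
     "KmsKeyId": "arn:aws:kms:eu-west-1:111122223333:key/EXAMPLE-KEY-ID",
     "EnabledCloudwatchLogsExports": ["error"], "AutoMinorVersionUpgrade": True,
     "DeletionProtection": True, "MasterUsername": "dbadm_prod", "MultiAZ": True,
     "IAMDatabaseAuthenticationEnabled": True},
    {"DBInstanceIdentifier": "app-mssql-dev", "Engine": "sqlserver-ex",
     "PubliclyAccessible": True, "StorageEncrypted": False,
     "EnabledCloudwatchLogsExports": [], "AutoMinorVersionUpgrade": False,
     "DeletionProtection": False, "MasterUsername": "admin", "MultiAZ": False,
     "IAMDatabaseAuthenticationEnabled": False},
]

# Assumed engine default master usernames; the managed rule's own list may differ.
DEFAULT_ADMIN_NAMES = {"admin", "postgres"}

# Rule name from the page -> predicate that is True when the record is compliant.
RULES = {
    "rds-instance-public-access-check": lambda db: not db.get("PubliclyAccessible", False),
    "rds-storage-encrypted": lambda db: bool(db.get("StorageEncrypted", False)),
    "rds-logging-enabled": lambda db: bool(db.get("EnabledCloudwatchLogsExports")),
    "rds-automatic-minor-version-upgrade-enabled": lambda db: bool(db.get("AutoMinorVersionUpgrade")),
    "rds-instance-deletion-protection-enabled": lambda db: bool(db.get("DeletionProtection")),
    "rds-instance-default-admin-check": lambda db: db.get("MasterUsername", "").lower() not in DEFAULT_ADMIN_NAMES,
    "rds-instance-iam-authentication-enabled": lambda db: bool(db.get("IAMDatabaseAuthenticationEnabled")),
    "rds-multi-az-support": lambda db: bool(db.get("MultiAZ", False)),
}


def evaluate_instance(db):
    """Map each rule name to COMPLIANT or NON_COMPLIANT for one instance record."""
    return {name: ("COMPLIANT" if check(db) else "NON_COMPLIANT") for name, check in RULES.items()}


def non_compliant_rules(instances):
    """Return {instance id: sorted failing rule names}; fully compliant instances are omitted."""
    report = {}
    for db in instances:
        failing = sorted(n for n, s in evaluate_instance(db).items() if s == "NON_COMPLIANT")
        if failing:
            report[db["DBInstanceIdentifier"]] = failing
    return report


if __name__ == "__main__":
    for ident, failing in non_compliant_rules(SAMPLE_INSTANCES).items():
        print(ident, "->", ", ".join(failing))
```

With real data, feed the `DBInstances` list from the RDS DescribeDBInstances API (e.g. via boto3 or the AWS CLI) to `non_compliant_rules`.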

More Infos and links

For more information, see the RDS Synthesis (PowerPoint download).
