
AWS security restriction for keys hamstrings RDS backup

Cross-region replication is now available for all RDS engines, but an AWS security construct in KMS means the service still has backup limitations for some users.

Amazon has addressed a gap in the replication capabilities with RDS, but it still might not be enough for some IT shops.

Amazon Aurora, a MySQL-compatible relational database, became generally available a year ago, but lacked two key AWS security features available with the other database engines in Amazon Relational Database Service (RDS): integration with Key Management Service (KMS) and automated cross-region read replicas. Those two shortfalls have since been addressed, with the former added in January and the latter added in June -- but using the two together can create a roadblock to using the native AWS tooling.

ISCS Inc., a software-as-a-service (SaaS) provider for the property and casualty insurance industry based in San Jose, Calif., relies heavily on AWS and was a beta customer of Aurora. Cross-region replication was one of the last pieces the company wanted to see included in the service, but it still can't use the feature to bring keys across regions to encrypt data in transit and at rest.

"Our requirements are highly regulated and have the most in terms of security and scalability needs, so that was a deal breaker, but hopefully that changes," said Doug Moore, CTO of ISCS.

This limitation isn't confined to Aurora or even RDS -- KMS is explicitly designed so keys are stored only in the region in which they are created. Keys cannot be transferred to another region, and that constraint applies to the more than a dozen AWS services integrated with KMS.

Amazon is known to push new services and add features as the market expands and the product matures, so it's possible it could add this capability in the future. Amazon declined to comment, but a December 2014 response to a user question about cross-region key replication indicated the company had no plans to add the feature and believes its current design is the best means to properly secure workloads.

"KMS is built with redundant systems to provide high availability and durability of your keys within a region," the response read, in part. "In order to improve the availability of your data, you can choose to encrypt copies of your data in multiple regions."

Even though Amazon listens to its customers when building features and services, it's also willing to go a different direction, even if it's a pain for its users who may have to reconfigure their application, said Adrian Sanabria, senior security analyst at 451 Research.

"They have no problem saying, 'This is the way you need to do it; we've implemented it this way; we think this is good enough and this is just the way it's going to work -- take it or leave it,'" Sanabria said.

AWS security a constant work in progress

This is a constant theme with AWS products, which can be somewhat hobbled until their drawbacks are resolved, said Erik Peterson, director of technology strategy at Veracode, a Burlington, Mass., company that runs a cloud-based web application risk assessment service on AWS. But the early versions of these services do at least provide something for users to experiment with and build on top of as the product matures, he added.


This limitation has many larger players with high uptime requirements shying away from RDS so far, and they are instead building their own systems with MySQL, Cassandra or Spark clusters, Peterson said.

"It's frustrating because there are people trying to build very real solutions, with multiregion replication where fault tolerance is critical and encrypting customer data is critical," Peterson said. "They need both of those things to go hand in hand to be a full solution, but what's the alternative?"

Of course, there are ways around the problem, though it can mean more complications, more moving parts and more code. Third-party vendors such as KeyNexus deliver key storage and management for AWS security. Customers also could use Amazon CloudHSM as a dedicated hardware device for Virtual Private Cloud, though it lacks some of the API functionality and features of KMS and can be considerably more expensive.

ISCS has considered native database migration tools and third-party tools to work around the problem, and it set up dozens of accounts as a means to partition workloads. And while it would be preferable if all this was included in the service, Aurora still provides better performance and redundancy than anything the SaaS provider could build itself, Moore said.

"Its default configuration is across three data centers, three read replicas," Moore said. "That's not something we would go to the extent to build ourselves because it's cost-prohibitive, but with Aurora, it comes out of the box."

Trevor Jones is a news writer with TechTarget's data center and virtualization media group.
