AWS offers several features to secure its Relational Database Service. But as with many other Amazon Web Services...
offerings, RDS falls under the "shared responsibility" model for security. In this instance, AWS manages the underlying infrastructure -- RDS, guest OSes, AWS infrastructure and AWS foundation services -- but IT teams are still responsible for securing the database.
There are four areas admins must consider to maintain the security, privacy and integrity of data within AWS RDS.
1. Access control
Administrators want to ensure that only authorized users have access to a company database and specified pieces of data. AWS Elastic Compute Cloud (EC2) security groups enable cloud admins to restrict connections to an authorized range of IP addresses. Through your AWS account, define security groups and additional specific IP addresses that are allowed to access the database. This protects data at the network level. But what happens if an unauthorized user gains access to a computer that is within one of your allowed IP ranges?
In addition, authorized users can inadvertently delete data. In these cases, AWS Identity and Access Management (IAM) can define users and groups with customized access policies. This provides more granular control over your Relational Database Service operations and resources. IAM's multi-factor authentication support takes this one step further and ensures secured authorization.
After securing the network to a limited set of IP addresses and ensuring that only authorized users can access your RDS, you can fine-tune the set of tables and objects users can access as well as the operations they can perform. An RDS account is initially created with a single master user and password. Typically, a database administrator is the master user, but you can create more master users and define their access privileges within the database. You can also enforce connections from inside the database by making them SSL connections.
You need a firewall to isolate your database from unauthorized connections and to monitor and audit activity within it. However, you don't have direct access to your database or the hardware on which it's installed.
That's the nature of cloud services. Amazon Relational Database Service lets you install third-party firewalls on a separate virtual machine to monitor and block attacks on your RDS instance. In addition to using security groups and restricted IP ranges to block unwanted access, AWS also offers Virtual Private Cloud (VPC), a firewall at the organization-level that isolates the infrastructure that houses a database. VPC restricts the cloud from being accessed directly over the internet and, ultimately, gives enterprises more control.
To monitor your database operations and performance, Amazon CloudWatch provides a variety of metrics related to CPU use, the number of connections, disk space use, memory use and more. These performance metrics help detect malicious attacks such as distributed denial of service; admins can also set up a variety of alarms to notify them of peaks in use or performance degradation.
Different access control and firewall mechanisms go a long way to prevent unauthorized remote access to your database, but you need to remember that your data is actually stored on real hardware. Therefore, you need to maintain privacy and security, even if an unauthorized person gains physical access to that machine and reads the data on it. This is where encrypting your data comes into play, both while it is in transit to and from your database, and while it is at rest.
To achieve in-transit encryption, you must ensure that all access to AWS RDS is through a secure HTTP (HTTPS). Several databases also support the ability to disable unsecure connections from within the database. However, encrypting and decrypting your data may incur some latency for operations in the database.
To achieve at-rest encryption, Amazon RDS offers a Transparent Data Encryption (TDE) facility for Oracle and SQL Server. TDE allows admins to encrypt data as well as the encryption keys with a 256-bit AES master key. Your only other option to achieve at-rest encryption is to use standard encryption libraries, such as OpenSSL or Bouncy Castle to selectively encrypt database fields.
4. Auditing and reports
To really know what is happening within your database, and to comply with different laws pertaining to stored data, admins must audit all activity within the database and generate meaningful reports. Amazon CloudTrail is a database auditing service that provides a full history of API calls and related events.
CloudTrail offers several log file-related features that allow companies to comply with most laws and regulations, including access control to log files using the IAM service, alerts for the creation or misconfiguration log files, log files related to system change events, log file storage and more. CloudTrail creates log files with more than 25 different fields that can be analyzed to produce meaningful reports to keep IT teams informed about database activity.
About the author:
Ofir Nachmani is a business technology advisor, blogger and lecturer. Ofir's extensive experience in the world of business technology has made his critically acclaimed blog, IamOnDemand.com, the go-to guide for modern technology startups and developers in the world of cloud computing. Today he advises organizations, leading them through new IT market modifications, while building and executing a modern go-to-market strategy.
Key Management Service a boon to AWS security
AWS Elastic Load Balancer halts DDoS attack