Amazon AWS Certified SysOps Administrator Associate – Databases for SysOps Part 3

5. [SAA/DVA] RDS Encryption + Security

So now let’s talk about RDS security. And the first topic I want to talk about is encryption. So we have at Rest encryption, which is the data that’s not in movement. And there is a possibility to encrypt the master database and the read replicas using AWS Kms, which is the key management service of AWS using AES 256 encryption. So when you do encryption, you define it at launch time. And if the master is not encrypted, the read replicas cannot be encrypted. So that is a common scenario question of the exam as well. You can also enable transparent data encryption, also called TDE for Oracle in SQL Server. And that provides you an alternative way of encrypting your database.

Now, there’s inflight encryption, which is always going to be around SSL certificates, and they’re used to encrypt data to RDS while in flight. So while being sent from your clients into your database for this, you provide SSL options with a trust certificate when connecting to the database. And you will have established an SSL connection to enforce SSL to make sure that all the clients must use SSL. If you’re using Postgres, there is a console parameter group you need to set called RDS Force.

SSL equals one that’s pretty explicit and you’re using MySQL within the database. You need to run this SQL statement called Grant usage on to MySQL user require SSL. Again, it’s pretty obvious what it does. Just so you know, postgres is a parameter group and MySQL is going to be a SQL command within the database. So there are some RDS encryption operations that you should know. And the first one is how do I encrypt an RDS backup? So, something you should know is that if you have an unencrypted RDS database and you take a snapshot of it, then the snapshot itself will be unencrypted.

And similarly, if you take a snapshot of an encrypted RDS database, then by default all the snapshots are going to be encrypted and not by default all the time. And so what you can do though is copy a snapshot that is unencrypted into an encrypted one. So if you take a snapshot of an unencrypted RDS database and you copy it, you can create an encrypted version of that snapshot. Fairly easy, right? So now that brings us into how do we encrypt an unencrypted RDS database based on the information we received. The first thing we do is that we create a snapshot of an unencrypted RDS database, which will be unencrypted, and then we’ll copy the snapshots.

And for the copied snapshot, we’ll enable encryption. So now we have a copied encrypted snapshot. And thanks to that encrypted snapshots, we can restore the database from the encrypted snapshots and they will give us an encrypted RDS database. And then we just migrate all our applications from the old unencrypted RDS database to the new encrypted RDS database and we’ll delete the old database. And that is some operations you should know. So, fairly simple, you just see it once and when it comes up in the exam, you know about it. So now let’s talk about network.

And I am security. For network security, well, our RDS database are usually deployed within a private subnet, not a public one. So make sure not to expose your database to the worldwide web. And RDS Security works by leveraging security groups that you attach to your RDS instance. They’re exactly the same concept as for EC two instances. And it controls which IP or which security groups can communicate with RDS. For access management, which is user management and so on. And permissions, you have Im policies that help you only control who can manage a device RDS. So who can create a database, who can delete the database, who can create a read replica and so on.

And for traditionally connecting to the database, you need to use a traditional username and password to log in into the database. Or as we’ll see in the next slide, for just RDS MySQL and RDS Postgres SQL, you can use IAM based authentication. Okay, so bottom line is the database security usually is from within the database. Now let’s talk about how we can connect to RDS using IAM authentication. So as I said, it is only for MySQL and Postgres. And you don’t need a password this time, you just need something called an authentication token and that can be obtained directly using IAM and the RDS API calls. We’ll see this in the diagram in a second. And the authentication token, because it’s short lived, it has a lifetime of 15 minutes. So here’s the example.

We have our EC two security group and our EC two instance, and then we have our MySQL RDS database in the RDS security group. So the EC two instance will have something called an IAM role and we’ll see what that means when we get deep into IAM roles for EC two. But the idea is that the EC two instance, thanks to that IAM role, is going to be able to issue an API call to the RDS service to get back an authentication token. And using the token, it’s going to pass that token all the way while connecting to the MySQL database and make sure the connection is encrypted by the way. And then it will connect securely to your MySQL database fairly easy. The benefits of this approach is that the network in and out must be encrypted using SSL. IAM is going to be used to centrally manage users instead of managing users from within the database. So it’s a more central type of authorization and you can leverage Im roles and easy to instances profiles for easy integration. And as I said, we’ll see what I am roles and C two instance profiles are very very soon.

So, summary for RDS Security you have encryption at rest, which is done only when you first create the database instance. And if it’s by the way, unencrypted, you need to create a snapshot, copy the snapshot to encrypt it, and then you create a new database from the encrypted snapshot and that will encrypt your database. And your responsibility is to check all the ports, IP security groups, inbound rules for your database security group, all take care of all the in database user creation and permissions. Or as we saw from before, managing through Im for MySQL and postgres.

Create a database with or without public access, or is it going to be in a public subnet or in a private subnet? Ensure the paramedic groups and the database is properly configured to only allow SSL connections, so making sure encryption is happening. And what is Amazon’s Web Services responsibility? Well, it is to make sure that you don’t have SSH access, that you don’t have to do database patching, you don’t have to do OS patching.

Aidbase will do this for you and you don’t have a way to look at the underlying instance. Again, that is a responsibility. So the RDS is a service offered to you and you can leverage it or not, but to me, honestly, it’s one of the best service of AWS. So it makes a lot of sense to use RDS. All right, that is for this lecture. I will see you in the next lecture.

6. RDS Proxy

So let’s talk about RDS proxy. But first we need to understand why we need RDS Proxy. So if we have a Lambda function and it wants to access our RDS database by default, when you are launching a lambda function, it’s going to be launched outside of your VPC. Okay? In a VPC that’s owned by AWS, therefore it cannot access resources that are not in your public subnet. So if you have a private RDS database, a private Elasticity, a cache, or a private internal ALB, then it will not be accessible. So the idea is that with default and deployments, lambda can talk to public Endpoints or to DynamoDB. But if you had a private subnet with a private RDS, lambda could not connect to it.

Please note, if you make your RDS database public, then obviously Lambda functions can connect to it. But this is not as secure as obviously making your RDS database private in the private subnets. So now you can launch your lambda in a VPC. For this, you define the VPC, ID the subnets and the security groups. And then Lambda will create an elastic network interface in your subnets to connect directly into your RDS database. For this, you specify aim role to create these enis. And so the idea now is that within a private subnet, lambda is going to have an eni to connect to with its own security group. Lambda will establish the connectivity directly to this eni and then this eni will access directly the RDS database you need to set up your security groups for it to work.

Okay, so you have the connectivity, but this allows you to deploy a lambda function in your VPC and access private resources on RDS databases. And this will work for a while, but then when your lambda function will connect to RDS, it will open and maintain a database connection. And if you have many instances of your Lambda function doing this at the same time, then you can have many connections opened to your RDS database. And this can result in the too many connection exception coming from your RDS database because too many connections are open, especially if your ladder functions are not good at cleaning up their connection.

Therefore, you can deploy what’s called an RDS Proxy. And with RDS Proxy you no longer need to code and to do the cleaning of your idle connections. And RDS Proxy will be managing a connection pool to your RDS database. So, second example, we have an RDS database in RVPC in a private subnet. You can deploy an RDS Proxy within the same private subnet or in a different subnet if you wanted to. So it could be a public subnet as well. As long as there is connectivity between your subnets, you’re good to go. Okay, so in this example, I’ve displayed the RDS Proxy in my public subnet.

Okay, and then what’s going to happen is that if you have a lambda functions being set up then they can connect directly to the RDS proxy. So in this example where my lambda functions are connecting to an RDS proxy in the public subnet so they don’t need VPC connectivity. But if you had the RDS proxy to be in a private subnet, you would need to deploy your lambda functions as well in the private subnet. But the idea is that as you can see in this diagram, lambda functions are establishing five connections to the RDS proxy.

But the RDS proxy is doing what’s called the connection pooling and will maybe only establish one connection to your RDS instance and therefore you will allow you to avoid this too many connections exception. And in case the lambda functions don’t clean up their connection to the proxy, that is fine. The proxy knows how to handle this and will close the idle connections after a while. So doing this methodology, you have support for the Im authentication. So you can pass on the IAM details from the proxy to your RDS database instance. So this is supported but also it supports database authentication with username and password. And the more connections are made to your RDS proxy the more it will scale. So there is auto scaling of the RDS proxy layer.

And as I said, the lambda functions must have connectivity to the proxy. So if you have a public subnet and a public proxy, then you can have a public lambda function or at least a lambda function deployed normally. And then if you have a private RDS proxy deployed in a private subnet, then you need to obviously deploy your lambda function in a VPC. But thanks to the RDS proxy you are going to avoid that too many connections error. So let’s have a look at how we can create a proxy. So I’m going to show you the options to create a proxy. So here are the options and it will not go and create the proxy itself because it will cost you money. But at least I can show you the options. So you name it. Demo Proxy you have an engine compatibility so it my sequel or postgres.

And you require TLS to be enabled for encryption in flights. Then there is the idle client connection timeout. So this shows you how the proxy itself will handle the cleanup of connections. And so you can set up anywhere between a few minutes to 8 hours. Okay? And this one is set up to 30 minutes. That means that if your application has not been using a connection for more than 30 minutes, then clean up the connection so the proxy is smart enough to do the cleanup itself and not overload obviously the end database. Then you could choose your database and you specify a connection pool. Maximum connection. So what’s the percentage of maximum connections allowed from the proxy to your main database? So if your database also has some direct connections, then 80% would be a good number. But if you only connect to your database for your proxy, then you should be able to enable 100%. Okay, next connectivity.

So your RDS proxy needs to be able to connect to your database. And for this you need to create a secret in secret manager for the database. So you need to go ahead and create a new secret. And does it expensive? It cost you about forty cents per secret per month. There’s a 30 day trial available, but this will cost you some money if you do it. And the secret would be a credentials for an RDS database in which you specify the username as well as the password, which is right here just to show you you have the password. And then you would say this is relevant for this database, so it’s not something that I’m going to do, but at least it would show you how you would create the secrets. And then that secret could be used right here by your RDS proxy.

Then you need an Im role to allow the proxy to access the secrets from secrets managers. You need to create the Im role. And then how do you want your users to connect to the proxy? So they can use Im authentication or they can use database username and password, just like what comes with my SQL and RDS. So you can enable Im authentication or disable it then the subnet. So where do you want to deploy your database proxy? So this is where you can make it in different private or public subnet than your original database.

And you can set up a security group that allows your proxy to connect to your RDS database. And finally you can enable logging of all the queries passed into your database. But this is disabled after 24 hours because it will slow down your proxy. Okay, so this is it. You have all the options right here. And then when the proxy is created, it gives you a connection URL that you can leverage within your applications or your lambda functions to leverage your proxy right away. So that’s it for this lecture. I hope you liked it and I will see you in the next lecture.

• Category: Uncategorized