Amazon Relational Database Service (RDS) | Security Flashcards

1
Q

What happens to my backups and DB snapshots if I delete my DB instance?

Security

Amazon Relational Database Service (RDS) | Database

A

When you delete a DB instance, you can create a final DB snapshot upon deletion; if you do, you can use this DB snapshot to restore the deleted DB instance at a later date. Amazon RDS retains this final user-created DB snapshot along with all other manually created DB snapshots after the DB instance is deleted. Refer to the pricing page for details of backup storage costs.

Automated backups are deleted when the DB instance is deleted. Only manually created DB Snapshots are retained after the DB Instance is deleted.

2
Q

What is Amazon Virtual Private Cloud (VPC) and how does it work with Amazon RDS?

A

Amazon VPC lets you create a virtual networking environment in a private, isolated section of the AWS cloud, where you can exercise complete control over aspects such as private IP address ranges, subnets, routing tables and network gateways. With Amazon VPC, you can define a virtual network topology and customize the network configuration to closely resemble a traditional IP network that you might operate in your own datacenter.

One way that you can take advantage of VPC is when you want to run a public-facing web application while still maintaining non-publicly accessible backend servers in a private subnet. You can create a public-facing subnet for your webservers that has access to the Internet, and place your backend RDS DB Instances in a private-facing subnet with no Internet access. For more information about Amazon VPC, refer to the Amazon Virtual Private Cloud User Guide.

3
Q

How is using Amazon RDS inside a VPC different from using it on the EC2-Classic platform (non-VPC)?

A

If your AWS account was created before 2013-12-04, you may be able to run Amazon RDS in an Amazon Elastic Compute Cloud (EC2)-Classic environment. The basic functionality of Amazon RDS is the same regardless of whether EC2-Classic or EC2-VPC is used. Amazon RDS manages backups, software patching, automatic failure detection, read replicas and recovery whether your DB Instances are deployed inside or outside a VPC. For more information about the differences between EC2-Classic and EC2-VPC, see the EC2 documentation.

4
Q

What is a DB Subnet Group and why do I need one?

A

A DB Subnet Group is a collection of subnets that you may want to designate for your RDS DB Instances in a VPC. Each DB Subnet Group should have at least one subnet for every Availability Zone in a given Region. When creating a DB Instance in VPC, you will need to select a DB Subnet Group. Amazon RDS then uses that DB Subnet Group and your preferred Availability Zone to select a subnet and an IP address within that subnet. Amazon RDS creates and associates an Elastic Network Interface to your DB Instance with that IP address.

Please note that we strongly recommend you use the DNS name to connect to your DB Instance, as the underlying IP address can change (e.g., during a failover).

For Multi-AZ deployments, defining a subnet for all Availability Zones in a Region will allow Amazon RDS to create a new standby in another Availability Zone should the need arise. You need to do this even for Single-AZ deployments, just in case you want to convert them to Multi-AZ deployments at some point.

5
Q

How do I create an Amazon RDS DB Instance in VPC?

A

For a procedure that walks you through this process, refer to Creating a DB Instance in a VPC in the Amazon RDS User Guide.

6
Q

How do I control network access to my DB Instance(s)?

A

Visit the Security Groups section of the Amazon RDS User Guide to learn about the different ways to control access to your DB Instances.

7
Q

How do I connect to an RDS DB Instance in VPC?

A

DB Instances deployed within a VPC can be accessed by EC2 Instances deployed in the same VPC. If these EC2 Instances are deployed in a public subnet with associated Elastic IPs, you can access the EC2 Instances via the internet.

DB Instances deployed within a VPC can be accessed from the Internet or from EC2 Instances outside the VPC via VPN or bastion hosts that you can launch in your public subnet, or using Amazon RDS’s Publicly Accessible option:

To use a bastion host, you will need to set up a public subnet with an EC2 instance that acts as an SSH bastion. This public subnet must have an internet gateway and routing rules that allow traffic to be directed via the SSH host, which must then forward requests to the private IP address of your RDS DB instance.

To use public connectivity, simply create your DB Instances with the Publicly Accessible option set to yes. With Publicly Accessible active, your DB Instances within a VPC will be fully accessible outside your VPC by default. This means you do not need to configure a VPN or bastion host to allow access to your instances.

You can also set up a VPN Gateway that extends your corporate network into your VPC, and allows access to the RDS DB instance in that VPC. Refer to the Amazon VPC User Guide for more details.

We strongly recommend you use the DNS Name to connect to your DB Instance as the underlying IP address can change (e.g., during failover).

8
Q

Can I move my existing DB instances outside VPC into my VPC?

A

If your DB instance is not in a VPC, you can use the AWS Management Console to easily move your DB instance into a VPC. See the Amazon RDS User Guide for more details. You can also take a snapshot of your DB Instance outside VPC and restore it to VPC by specifying the DB Subnet Group you want to use. Alternatively, you can perform a “Restore to Point in Time” operation.

9
Q

Can I move my existing DB instances from inside VPC to outside VPC?

A

Migration of DB Instances from inside to outside VPC is not supported. For security reasons, a DB Snapshot of a DB Instance inside VPC cannot be restored to outside VPC. The same is true with “Restore to Point in Time” functionality.

10
Q

What precautions should I take to ensure that my DB Instances in VPC are accessible by my application?

A

You are responsible for modifying routing tables and networking ACLs in your VPC to ensure that your DB instance is reachable from your client instances in the VPC.

For Multi-AZ deployments, after a failover, your client EC2 instance and RDS DB Instance may be in different Availability Zones. You should configure your networking ACLs to ensure that cross-AZ communication is possible.

11
Q

Can I change the DB Subnet Group of my DB Instance?

A

An existing DB Subnet Group can be updated to add more subnets, either for existing Availability Zones or for new Availability Zones added since the creation of the DB Instance. Removing subnets from an existing DB Subnet Group can cause unavailability for instances if they are running in a particular AZ that gets removed from the subnet group. View the Amazon RDS User Guide for more information.

12
Q

What is an Amazon RDS master user account and how is it different from an AWS account?

A

To begin using Amazon RDS you will need an AWS developer account. If you do not have one prior to signing up for Amazon RDS, you will be prompted to create one when you begin the sign-up process. A master user account is different from an AWS developer account and is used only within the context of Amazon RDS to control access to your DB Instance(s). The master user account is a native database user account which you can use to connect to your DB Instance. You can specify the master user name and password you want associated with each DB Instance when you create the DB Instance. Once you have created your DB Instance, you can connect to the database using the master user credentials. Subsequently, you may also want to create additional user accounts so that you can restrict who can access your DB Instance.

13
Q

What privileges are granted to the master user for my DB Instance?

A

For MySQL, the default privileges for the master user include: create, drop, references, event, alter, delete, index, insert, select, update, create temporary tables, lock tables, trigger, create view, show view, alter routine, create routine, execute, create user, process, show databases, grant option.

For Oracle, the master user is granted the “dba” role. The master user inherits most of the privileges associated with the role. Please refer to the Amazon RDS User Guide for the list of restricted privileges and the corresponding alternatives to perform administrative tasks that may require these privileges.

For SQL Server, a user that creates a database is granted the “db_owner” role. Please refer to the Amazon RDS User Guide for the list of restricted privileges and the corresponding alternatives to perform administrative tasks that may require these privileges.

14
Q

Is there anything different about user management with Amazon RDS?

A

No, everything works the way you are familiar with when using a relational database you manage yourself.

15
Q

Can programs running on servers in my own data center access Amazon RDS databases?

A

Yes. You have to intentionally turn on the ability to access your database over the internet by configuring Security Groups. You can authorize access for only the specific IPs, IP ranges, or subnets corresponding to servers in your own data center.

16
Q

Can I encrypt connections between my application and my DB Instance using SSL?

A

Yes, this option is currently supported for the MySQL, MariaDB, SQL Server, PostgreSQL, and Oracle engines.

Amazon RDS generates an SSL certificate for each DB Instance. Once an encrypted connection is established, data transferred between the DB Instance and your application will be encrypted during transfer.

While SSL offers security benefits, be aware that SSL encryption is a compute-intensive operation and will increase the latency of your database connection. SSL support within Amazon RDS is for encrypting the connection between your application and your DB Instance; it should not be relied on for authenticating the DB Instance itself.

For details on establishing an encrypted connection with Amazon RDS, please visit Amazon RDS’s MySQL User Guide, MariaDB User Guide, SQL Server User Guide, PostgreSQL User Guide or Oracle User Guide. To learn more about how SSL works with these engines, you can refer directly to the MySQL documentation, the MariaDB documentation, the MSDN SQL Server documentation, the PostgreSQL documentation, or the Oracle Documentation.

17
Q

Can I encrypt data at rest on my Amazon RDS databases?

A

Amazon RDS supports encryption at rest for all database engines, using keys you manage using AWS Key Management Service (KMS). On a database instance running with Amazon RDS encryption, data stored at rest in the underlying storage is encrypted, as are its automated backups, read replicas, and snapshots. Encryption and decryption are handled transparently. For more information about the use of KMS with Amazon RDS, see the Amazon RDS User’s Guide.

You can also add encryption to a previously unencrypted DB instance or DB cluster by creating a DB snapshot and then creating a copy of that snapshot and specifying a KMS encryption key. You can then restore an encrypted DB instance or DB cluster from the encrypted snapshot.

Amazon RDS for Oracle and SQL Server support those engines’ Transparent Data Encryption technologies. Transparent Data Encryption in Oracle is integrated with AWS CloudHSM, which allows you to securely generate, store, and manage your cryptographic keys in single-tenant Hardware Security Module (HSM) appliances within the AWS cloud. For more information, see the Amazon RDS User’s Guide sections on Oracle and SQL Server.

18
Q

How do I control the actions that my systems and users can take on specific RDS resources?

A

You can control the actions that your AWS IAM users and groups can take on RDS resources. You do this by referencing the RDS resources in the AWS IAM policies that you apply to your users and groups. RDS resources that can be referenced in an AWS IAM policy include DB Instances, DB Snapshots, Read Replicas, DB Security Groups, DB Option Groups, DB Parameter Groups, Event Subscriptions and DB Subnet Groups. In addition, you can tag these resources to add additional metadata to your resources. By using tagging, you can categorize your resources (e.g. “Development” DB Instances, “Production” DB Instances, “Test” DB Instances, etc.), and write AWS IAM policies that list the permissions (i.e. actions) that can be taken on resources with the same tags. For more information, refer to Managing Access to Your Amazon RDS Resources and Databases and Tagging Amazon RDS Resources.

19
Q

I wish to perform security analysis or operational troubleshooting on my RDS deployment. Can I get a history of all RDS API calls made on my account?

A

Yes. AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. The AWS API call history produced by CloudTrail enables security analysis, resource change tracking, and compliance auditing. Learn more about CloudTrail at the AWS CloudTrail detail page, and turn it on via CloudTrail’s AWS Management Console home page.