AWS Fundamentals: RDS & Aurora Security/RDS Proxy/ElastiCache Flashcards

1
Q

How is data encrypted at rest in RDS and Aurora?

A

Data is encrypted on volumes using KMS. Encryption is defined at the time of database launch. If the master database is not encrypted, read replicas cannot be encrypted.

2
Q

How do you encrypt an already existing unencrypted RDS or Aurora database?

A

You must create a database snapshot of the unencrypted database and then restore it as an encrypted database.

3
Q

How is data encrypted in flight in RDS and Aurora?

A

In-flight encryption is enabled by default, using TLS root certificates from AWS for secure communication between clients and the database.

4
Q

What methods are available for database authentication in RDS and Aurora?

A

You can authenticate using username and password or IAM roles. IAM roles allow EC2 instances or other AWS services to authenticate without needing a password.

5
Q

How can you control network access to an RDS or Aurora database?

A

You can use security groups to control access based on specific ports, IP addresses, or other security groups.

6
Q

Do RDS and Aurora support SSH access?

A

No, SSH access is not available in RDS and Aurora unless you use RDS Custom for Oracle or Microsoft SQL Server.

7
Q

How do you enable and store audit logs in RDS and Aurora?

A

You can enable audit logs to track queries and database activity. To retain them long-term, you must send them to CloudWatch Logs.

8
Q

Why would you use Amazon RDS Proxy instead of directly connecting to an RDS database instance?

A

RDS Proxy helps pool and share database connections, reducing the number of connections to the RDS instance. This improves database efficiency, reduces stress on resources (CPU, RAM), and minimizes open connections and timeouts.

9
Q

How does Amazon RDS Proxy handle scaling and availability?

A

RDS Proxy is fully serverless, auto-scaling, and highly available across multiple availability zones (AZs). This helps improve database efficiency and provides up to 66% faster failover in case of RDS database instance failover.

10
Q

Which database engines are supported by Amazon RDS Proxy?

A

RDS Proxy supports MySQL, PostgreSQL, MariaDB, Microsoft SQL Server, and Aurora (for MySQL and PostgreSQL).

11
Q

What are the key benefits of using Amazon RDS Proxy for applications?

A

No code changes required: Simply connect to the RDS Proxy instead of the database instance.

Minimized failover time: RDS Proxy reduces failover time by up to 66%.

Enforces IAM authentication: Use IAM for database authentication, and securely store credentials in AWS Secrets Manager.

12
Q

How does Amazon RDS Proxy enhance security?

A

RDS Proxy is never publicly accessible and can only be accessed within your VPC, improving overall security. Additionally, it can enforce IAM authentication for database connections and securely store credentials in AWS Secrets Manager.

13
Q

What is Amazon ElastiCache and what is its primary function?

A

Amazon ElastiCache is a managed service that provides Redis and Memcached cache technologies. It is used to reduce database load for read-intensive workloads by caching frequently queried data in memory for low-latency access.

14
Q

How does Amazon ElastiCache help scale applications?

A

ElastiCache helps scale applications by offloading read queries from the database to the cache, reducing database load and improving performance. It also enables making applications stateless by storing session data in the cache.

15
Q

What are the key benefits of using Amazon ElastiCache?

A

Reduced database load: By caching frequent queries, you reduce the number of queries to the database.

Stateless applications: By storing session data in the cache, your application becomes stateless.

Fully managed: AWS handles the maintenance, patching, optimization, configuration, monitoring, failure recovery, and backups.

16
Q

What is the difference between a cache hit and a cache miss in ElastiCache?

A

Cache Hit: When the requested data is found in the cache, the data is returned directly from the cache.

Cache Miss: When the requested data is not found in the cache, the data is fetched from the database and then stored in the cache for future requests.

17
Q

How does Amazon ElastiCache help manage user sessions?

A

ElastiCache stores session data, allowing the application to retrieve the session state for a user even if the user is redirected to a different instance of the application. This ensures users remain logged in and the application remains stateless.

18
Q

How do Redis and Memcached differ in terms of high availability?

A

Redis: Supports multi-availability zone deployment with auto-failover and read replicas for high availability.

Memcached: Does not support high availability or replication. Data is sharded across multiple nodes, and if a node fails, you might lose cached data.

19
Q

When should you choose Redis over Memcached?

A

Choose Redis if you need high availability with auto-failover, data persistence, and features like sorted sets (e.g., leaderboards).

Choose Memcached if you need a high-performance, simple, in-memory cache with multi-threading for better performance but can tolerate data loss and do not need high availability.

20
Q

Which ElastiCache engine supports IAM authentication?

A

Redis supports IAM authentication for AWS API-level security, allowing you to control access through IAM roles and policies.

21
Q

How does Redis in ElastiCache secure connections?

A

Redis supports Redis AUTH, where you can set a password or token to secure access to the Redis cluster. This provides an additional layer of security beyond security groups.

22
Q

How does Memcached in ElastiCache authenticate clients?

A

Memcached uses SASL-based authentication, which is a more advanced authentication mechanism for securing connections to the cache.

23
Q

Does ElastiCache support in-flight encryption?

A

Yes, ElastiCache supports SSL in-flight encryption to secure data in transit between the client and the cache.

24
Q

What are IAM policies used for in ElastiCache?

A

IAM policies in ElastiCache are used for AWS API-level security. They do not apply to the cache connections themselves, which are instead secured through Redis AUTH, SASL, or security groups.

25
Q

What is Lazy Loading in ElastiCache?

A

Lazy Loading is a caching strategy where data is loaded into the cache only when there is a cache miss. If the data isn’t already in the cache, it is fetched from the database and written to the cache.

26
Q

What is the Write Through caching strategy in ElastiCache?

A

In the Write Through strategy, data is written to both the database and the cache simultaneously whenever there is a write operation, ensuring that the cache is always up to date without stale data.

27
Q

What is a use case for Redis Sorted Sets in ElastiCache?

A

Redis Sorted Sets are useful for applications like real-time gaming leaderboards, where elements (e.g., player scores) are ranked automatically in the correct order as new data is added.

28
Q

How does ElastiCache ensure network-level security?

A

ElastiCache uses security groups to control network access. You can define rules to allow or block access based on IP addresses, ports, and other security group configurations.