RDS Flashcards
What is RDS?
Managed DB Service
How do backups work in RDS?
How often are the logs backed up?
What is the most recent restore time for RDS instances?
How long are the logs retained for RDS?
Full backup nightly.
Log backup every 5 min.
Restore from any point in time from oldest backup to 5 min ago
7-35 day retention
Talk about Storage Autoscaling in RDS. What kind of workloads is it good for?
What must you set for Storage auto-scaling?
RDS allows you to enable storage autoscaling.
Must set a max amount. You can also set an autoscale threshold
Useful for applications with unpredictable workloads
Supported by all RDS DB engines
What are the features of RDS Read replicas (Read only)?
How many read replicas can there be?
Where can these replicas be located?
Is replication async or sync?
Can a read replica be promoted to its own DB?
What is a good use case for a read replica?
Is there any cost for a read replica in the same region?
Up to 5 read replicas
Within AZ, Cross AZ or Cross Region
Replication is async (Eventually consistent)
Yes
Good for reporting
No cost for read replicas within the same region.
How Does RDS MultiAZ (Disaster Recovery) work?
Can a Single AZ RDS be moved to MultiAZ with zero downtime?
What is the use-case for RDS MultiAZ?
Synchronous replication
One DNS Name
Automatic failover
Not used for scaling
Yes, just modify the DB in the console
Disaster recovery
How does RDS Encryption work?
At-Rest (AWS KMS - AES256)
If the master is not encrypted, replicas are not encrypted
When is RDS encryption defined?
Encryption has to be defined at launch
In RDS what is available specifically for Oracle and SQL Server?
Transparent Data Encryption (TDE) available for Oracle and SQL Server
In RDS what must be forced on Postgres and MySQL?
SSL Encryption must be forced on Postgres and MySQL
How is security encryption enabled/disabled in RDS?
Encryption cannot be added by configuration after the DB has been created. A snapshot must be created and copied as encrypted, then restored
Unencrypted DBs are snapshotted as unencrypted by default and vice versa
What do IAM policies control in RDS?
What is IAM based authentication used for in RDS?
Who can manage AWS RDS through the RDS API and console
Logging into RDS, MySQL and Postgres
What are the benefits of IAM authentication?
Works with MySQL and Postgres
No password needed, just a token obtained through the RDS service
Network traffic encrypted using SSL
IAM to centrally manage users instead of DB
Can leverage IAM Roles and EC2 instance profiles for easy integration
What are your responsibilities when it comes to security for RDS?
Check ports, IP, Security groups inbound rules
In-database user creation and permissions, or manage through IAM
Creating a database with or without public access
Ensure parameter groups or DB is configured to allow only SSL connections
What are the responsibilities of AWS when it comes to security for RDS?
No SSH access
No manual DB patching
No manual OS patching
No way to audit the underlying instance.