RDS 3 Flashcards
Security
Is traffic encrypted in transit to RDS?
important
Not by default, but you can turn it on
Security
Can you make encryption in transit mandatory?
important
Yes, even on a per-user basis
Security
How does RDS encrypt data at rest?
important
KMS encryption of EBS volume.
Security
How do you remove encryption after you turn it on?
important
Can’t: it’s EBS under the covers with KMS.
Security
What is TDE?
important
Transparent Data Encryption: a standard for database engines that encrypt data at rest from inside the database product itself
Security
Which databases support TDE?
important
Microsoft SQL Server and Oracle
Security
Is TDE better or worse security than EBS-based encryption?
Better: data is encrypted before it goes through the underlying OS
Security
What’s the most secure way to encrypt data at rest in RDS?
important
Oracle with TDE backed by CloudHSM: AWS has no access to any key material
IAM AuthN and AuthZ
How can you set up IAM for authorization with RDS databases?
important
Can’t: AuthZ is controlled entirely inside the database engine
IAM AuthN and AuthZ
What databases support IAM-based AuthN?
MariaDB, MySQL, PostgreSQL
IAM AuthN and AuthZ
How do you set up IAM-based AuthN on an RDS database?
Just turn it on for the database instance (console, SDK call)
IAM AuthN and AuthZ
How do you set up a database user for IAM-based AuthN?
Instead of a password, create the user with IDENTIFIED WITH AWSAuthenticationPlugin AS 'RDS' (just a user setting).
IAM AuthN and AuthZ
How do you connect an IAM User or Role to a database user?
important
The IAM policy attached to the user or role maps it to the local RDS database user