RDS 3 Flashcards

1
Q

Security

Is traffic encrypted in transit to RDS?

important

A

Not by default, but you can turn it on

2
Q

Security

Can you make encryption in transit mandatory?

important

A

Yes, even on a per-user basis

3
Q

Security

How does RDS encrypt data at rest?

important

A

KMS encryption of EBS volume.

4
Q

Security

How do you remove encryption after you turn it on?

important

A

Can’t: it’s EBS under the covers with KMS.

5
Q

Security

What is TDE?

important

A

Transparent Data Encryption: standard for databases doing encryption at rest from inside their products

6
Q

Security

Which databases support TDE?

important

A

Microsoft SQL Server and Oracle

7
Q

Security

Is TDE better or worse security than EBS-based?

A

Better: data is encrypted before it goes through the underlying OS

8
Q

Security

What’s the most secure way to encrypt at-rest in RDS?

important

A

Oracle with TDE backed by CloudHSM: AWS has no access to any key material

9
Q

IAM AuthN and AuthZ

How can you set up IAM for authorization with RDS databases?

important

A

Can’t: AuthZ controlled completely inside the database engine

10
Q

IAM AuthN and AuthZ

What databases support IAM-based AuthN?

A

Maria, MySQL, PostgreSQL

11
Q

IAM AuthN and AuthZ

How do you set up IAM-based AuthN on an RDS database?

A

Just turn it on for the database instance (console, SDK call)

12
Q

IAM AuthN and AuthZ

How do you set up a database user for IAM-based AuthN?

A

Instead of a password, use “identified with AWSAuthenticationPlugin as ‘RDS’” (just a user setting).

13
Q

IAM AuthN and AuthZ

How do you connect an IAM User or Role to a database user?

important

A

Policy attached maps to local RDS user
