RDS Security

Authentication

  • Local database users are used for authentication by default
  • IAM database authentication can be enabled on the DB instance
  • An IAM user or role is mapped to a local RDS database user through an IAM policy; that policy is what allows the principal to obtain an AWS authentication token
  • The generate-db-auth-token operation issues a token that is valid for 15 minutes
  • This covers authentication only. Authorization is still based on the permissions granted to the local database user
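The following is an added example, not code from the original page or from AWS: it shows, with only the Python standard library, how the pieces above fit together. It builds the IAM policy that maps a principal to one local DB user (the `rds-db:connect` action on a `dbuser` ARN), generates an auth token in the same form that `aws rds generate-db-auth-token` returns (a SigV4 presigned request for the `rds-db` service with `Action=connect` and a 900-second `X-Amz-Expires`), and reads the expiry back out of a token. The account id, region, resource id, endpoint, access key, secret and timestamp are all constructed dummies.

```python
"""Added example (not from the original page): RDS IAM database
authentication with the standard library only.

Constructed values (not real resources or credentials):
  account 123456789012, region us-east-1, DbiResourceId db-ABCDEFGHIJKL,
  local DB user app_user, endpoint mydb.abc123.us-east-1.rds.amazonaws.com:5432,
  dummy access key / secret key, fixed timestamp DEMO_NOW.
"""
import datetime as dt
import hashlib
import hmac
import urllib.parse

ACCOUNT = "123456789012"
REGION = "us-east-1"
RESOURCE_ID = "db-ABCDEFGHIJKL"
DB_USER = "app_user"
HOST = "mydb.abc123.us-east-1.rds.amazonaws.com"
PORT = 5432
TOKEN_TTL = 900  # RDS auth tokens are valid for 15 minutes
DEMO_NOW = dt.datetime(2024, 1, 2, 3, 4, 5, tzinfo=dt.timezone.utc)


def connect_policy(account, region, resource_id, db_user):
    """IAM policy mapping a principal to exactly one local DB user.
    rds-db:connect is the action that lets the principal obtain a token;
    the resource ARN pins it to one DB user on one instance."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "rds-db:connect",
            "Resource": f"arn:aws:rds-db:{region}:{account}:dbuser:{resource_id}/{db_user}",
        }],
    }


def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def generate_db_auth_token(host, port, db_user, region, access_key, secret_key, now):
    """Build a token in the form returned by `aws rds generate-db-auth-token`:
    a SigV4 presigned GET for service rds-db, Action=connect, no scheme."""
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = now.strftime("%Y%m%d")
    scope = f"{date_stamp}/{region}/rds-db/aws4_request"
    params = {
        "Action": "connect",
        "DBUser": db_user,
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(TOKEN_TTL),
        "X-Amz-SignedHeaders": "host",
    }
    canonical_qs = "&".join(
        f"{urllib.parse.quote(k, safe='')}={urllib.parse.quote(v, safe='')}"
        for k, v in sorted(params.items()))
    # Canonical request: method, path, query, canonical headers, blank line,
    # signed headers, hash of the (empty) payload.
    canonical_request = "\n".join([
        "GET", "/", canonical_qs, f"host:{host}:{port}\n", "host",
        hashlib.sha256(b"").hexdigest(),
    ])
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode()).hexdigest(),
    ])
    # SigV4 signing-key derivation chain: date -> region -> service -> request
    k = _hmac(("AWS4" + secret_key).encode(), date_stamp)
    k = _hmac(k, region)
    k = _hmac(k, "rds-db")
    k = _hmac(k, "aws4_request")
    signature = hmac.new(k, string_to_sign.encode(), hashlib.sha256).hexdigest()
    return f"{host}:{port}/?{canonical_qs}&X-Amz-Signature={signature}"


def token_expiry(token):
    """Recover when a token stops being accepted from X-Amz-Date + X-Amz-Expires."""
    qs = urllib.parse.parse_qs(urllib.parse.urlsplit("https://" + token).query)
    issued = dt.datetime.strptime(qs["X-Amz-Date"][0], "%Y%m%dT%H%M%SZ")
    issued = issued.replace(tzinfo=dt.timezone.utc)
    return issued + dt.timedelta(seconds=int(qs["X-Amz-Expires"][0]))


if __name__ == "__main__":
    tok = generate_db_auth_token(HOST, PORT, DB_USER, REGION,
                                 "AKIAEXAMPLEDUMMY", "dummy-secret", DEMO_NOW)
    print(connect_policy(ACCOUNT, REGION, RESOURCE_ID, DB_USER))
    print(tok)
    print("expires", token_expiry(tok).isoformat())
```

The token is used as the password for the local DB user named in `DBUser`, over a TLS connection; because it is a signed, time-boxed request rather than a stored secret, the credential that leaks from a log line is only usable until `token_expiry()` and only against the instance and DB user the policy named. The signature itself is derived from dummy keys here and is not asserted on.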

Authorization

Encryption In Transit

  • SSL/TLS connections are available and can be made mandatory for the instance

Encryption at Rest

  • Storage is on EBS volumes encrypted with AWS KMS
  • AWS managed or customer managed KMS keys are used to generate data encryption keys (DEKs)
  • DEKs are used to encrypt storage, logs, snapshots and replicas
  • Encryption is handled by the RDS host; the database engine is not encryption aware
  • Once enabled, encryption cannot be removed from the instance
  • In addition, RDS for Microsoft SQL Server and Oracle support Transparent Data Encryption (TDE)
  • With TDE, encryption and decryption are performed inside the database engine
  • Oracle supports TDE with keys held in AWS CloudHSM
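The following is an added example, not code from the original page or from AWS, illustrating the envelope-encryption flow behind the bullets above with only the Python standard library. A constructed `FakeKms` stands in for a KMS key: its key-encryption key never leaves the object, it only hands out (plaintext DEK, wrapped DEK) pairs and unwraps them, as KMS `GenerateDataKey` and `Decrypt` do. `EncryptedVolume` plays the RDS host layer: each volume gets its own DEK, stores only the wrapped DEK beside the ciphertext, and a snapshot carries that wrapped DEK so it stays unreadable under any other key. The cipher is an HMAC-SHA256 counter-mode keystream with a separate MAC key, used here as a stand-in for the AES modes real block storage uses; it shows the key flow, not a production cipher.

```python
"""Added example (not from the page): envelope encryption as used for
RDS storage, snapshots and replicas, with stdlib-only stand-ins.
The HMAC-based stream cipher below is an illustration, not production crypto."""
import hashlib
import hmac
import os


def _subkeys(key):
    """Derive independent encryption and MAC keys from one DEK/KEK."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key, nonce, length):
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key, plaintext):
    """Encrypt-then-MAC with a fresh 16-byte nonce: nonce || ct || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, blob):
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


class FakeKms:
    """Stand-in for a KMS key (AWS managed or customer managed). The KEK
    stays inside; callers only see DEKs and wrapped DEKs."""
    def __init__(self, key_id):
        self.key_id = key_id
        self._kek = os.urandom(32)

    def generate_data_key(self):
        dek = os.urandom(32)
        return dek, self.key_id.encode() + b"|" + seal(self._kek, dek)

    def decrypt(self, wrapped):
        key_id, blob = wrapped.split(b"|", 1)
        if key_id.decode() != self.key_id:
            raise PermissionError("wrapped DEK was not produced by this KMS key")
        return unseal(self._kek, blob)


class EncryptedVolume:
    """RDS-host-style storage: one DEK per volume, held only in host memory;
    the wrapped DEK is persisted with the data. The engine writing to
    write()/read() sees plaintext and is not encryption aware."""
    def __init__(self, kms):
        self._dek, self.wrapped_dek = kms.generate_data_key()
        self.blocks = {}

    def write(self, lba, data):
        self.blocks[lba] = seal(self._dek, data)

    def read(self, lba):
        return unseal(self._dek, self.blocks[lba])

    def snapshot(self):
        """Snapshot = ciphertext + wrapped DEK; no plaintext key material."""
        return {"wrapped_dek": self.wrapped_dek, "blocks": dict(self.blocks)}

    @classmethod
    def restore(cls, kms, snap):
        """Restoring (or creating a replica) needs the same KMS key to unwrap."""
        vol = cls.__new__(cls)
        vol.wrapped_dek = snap["wrapped_dek"]
        vol._dek = kms.decrypt(snap["wrapped_dek"])  # raises under a different key
        vol.blocks = dict(snap["blocks"])
        return vol


def restore_with_other_key_fails(snap, other_kms):
    try:
        EncryptedVolume.restore(other_kms, snap)
    except PermissionError:
        return True
    return False
```

Two practical consequences are visible in the code: a copied snapshot or replica is only as exposed as the KMS key that can unwrap its DEK, so key policy and key deletion are where access is really controlled; and because the engine never handles the DEK, TDE (engine-side encryption) is a separate layer rather than a replacement for this one.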