It’s no shock that organizations are more and more utilizing cloud-native providers, together with for knowledge storage. Cloud storage presents large advantages resembling replication, geographic resiliency, and the potential for cost-reduction and improved effectivity.
The Amazon Internet Providers (AWS) Relational Database Service (RDS) is without doubt one of the hottest cloud database and storage providers. At a high-level, RDS streamlines setup, operation, and scaling relational databases in AWS, resembling MariaDB, Microsoft SQL Server, MySQL, and others. RDS, very similar to another AWS or cloud service providing, makes use of the shared duty mannequin. This implies the cloud service supplier (CSP) — AWS on this case — is accountable for defending the underlying infrastructure and internet hosting environments and customers are accountable for their share of RDS, which incorporates the OS, configurations, and structure concerns.
Failing to account for the buyer share of RDS obligations can result in cloud knowledge breaches, of which now we have seen a lot. Key areas embrace configuring entry to the digital personal cloud (VPC) the database occasion will reside in, utility identification and entry administration (IAM) insurance policies, and safety teams to regulate community site visitors and encryption. We’ll talk about a few of these areas under, together with others resembling compliance as properly.
Authentication is essential to RDS safety
One of many first key concerns is authentication, or how customers validate their identification to entry RDS database cases. Among the many choices are passwords, Kerberos, and IAM database authentication. Customers want to find out which authentication route they may select after which implement the suitable controls resembling password complexity, MFA, and IAM insurance policies.
Within the areas of knowledge safety, key concerns embrace utilizing multifactor authentication in addition to utilizing SSL/TLS to speak with different sources and making certain you’re utilizing an applicable TLS model resembling 1.2. Different suggestions from AWS embrace utilizing their service Macie, which can assist uncover and safe delicate knowledge saved in S3. Macie makes use of machine studying (ML) to find delicate knowledge, construct an interactive map, and even mechanically generate findings and ship them to AWS providers resembling AWS Safety Hub so susceptible configurations or uncovered knowledge may be remediated.
AWS supplies varied strategies for encrypting AWS RDS sources which incorporates encrypting data-at-rest within the underlying DB cases, automated backups, learn replicas, and snapshots. To facilitate this, AWS makes use of its Key Administration Service (KMS). There are numerous choices right here, relying on whether or not you wish to preserve administration duty for the keys your self or use AWS-managed keys. When going the route of customer-managed keys, you may modify issues resembling key insurance policies and IAM insurance policies to implement extra granular entry management and utilization constraints for the keys, resembling limiting the place requests for entry to the RDS occasion can originate.
Prospects also can make use of AWS CloudTrail to audit the KMS key utilization to establish doubtlessly malicious habits or misuse of permissions and entry to knowledge. For a deeper dive on AWS encryption and the usage of KMS, AWS has a Key Administration Service Greatest Practices whitepaper.
Key concerns when encrypting AWS RDS
That mentioned, there are some key concerns to take note of when encrypting AWS RDS database cases. You should encrypt the database occasion on the time of creation; you can not return and encrypt it later. You additionally can not flip off encryption as soon as it’s enabled.
Organizations also needs to think about securing the site visitors between the RDS service and on-premise shoppers and purposes, resembling making use of AWS Website-to-Website VPN or AWS Direct Join to make sure that site visitors isn’t uncovered to unauthorized events.
We now have all seen the headlines of cloud knowledge storage buckets or cases being publicly uncovered. That is the place options resembling AWS Safety Teams come into play. Safety teams assist management the entry of community site visitors into and out of RDS cases. Fortunately, AWS has taken the method the place community entry is off by default and customers should specify guidelines of their safety teams to permit site visitors from particular IP addresses or ranges. This permits customers to implement configurations resembling permitting site visitors from their utility providers to the backend RDS database.
AWS supplies a helpful diagram to assist visualize a typical state of affairs, resembling having an AWS RDS database occasion operating in a non-public subnet (not publicly accessible) after which having an utility service operating on an EC2 occasion in a public subnet with connectivity to the web. Customers can implement and modify safety teams on each the net app and database cases to permit the suitable community stream of site visitors to facilitate performance but additionally reduce unauthorized entry and threat.
Amazon Internet ProvidersAWS RDS database occasion operating in a non-public subnet
Keep away from utilizing a soar host
One other usually cited advice is to keep away from the usage of a “soar host”, which is the place builders or directors might hook up with a number in a public subnet over one thing resembling Port 22, after which “soar” from that to the backend RDS occasion operating in a non-public subnet. Nonetheless, as many have famous, resembling on this AWS weblog, soar hosts can fall sufferer to assaults resembling IP spoofing and different strategies.
Amazon Internet ProvidersUtilizing a soar host
As an alternative, customers can use AWS Classes Supervisor to take away the usage of a soar host and nonetheless permit safe entry of community site visitors to the RDS occasion.
Amazon Internet ProvidersUtilizing AWS Classes Supervisor
AWS makes a sequence of different key safety greatest apply suggestions for customers utilizing AWS RDS as a part of their cloud structure. These embrace actions resembling creating particular person consumer accounts for every particular person accessing the AWS RDS sources and never utilizing AWS root credentials to handle RDS. That is key as a result of it’s a safety greatest apply to keep away from shared accounts and the usage of particular person accounts permit for extra granular entry management in addition to attribution from a logging and monitoring perspective, that means who does what.
One other key advice is to implement the longstanding method of least-permissive entry management, which aligns with the business push for zero belief. This implies solely granting the minimally required permissions to the accounts to carry out their duties and nothing extra. Nonetheless, managing permissions at scale throughout massive consumer bases may be troublesome, which is why AWS additionally recommends utilizing IAM teams to handle permissions for a number of customers, the place you may implement role-based entry management.
Shifting ahead with AWS RDS
Whereas the above dialogue is way from exhaustive with reference to AWS RDS safety greatest practices, it helps body the dialog on key concerns when making use of the RDS service and the way to make sure your knowledge and that of your clients is safeguarded appropriately when utilizing the service. You’ll additionally discover key themes which can be agnostic of AWS that must be thought-about when utilizing any cloud knowledge storage service. These embrace issues resembling Identification and Entry Administration (IAM), Community Entry Management, Encryption and extra.
By excited about the usage of cloud storage by means of the angle of those areas you can begin to make sure you can reap the advantages of cloud storage and databases however accomplish that with out placing the group in danger.
Copyright © 2023 IDG Communications, Inc.
