Security Considerations for RDS – AWS Security Fundamentals – SCS-C02 Study Guide

Security Considerations for RDS

Having gone through the RDS service and its capabilities, you can now examine some of the security considerations and best practices for RDS:

  • Never use a root AWS user to create and manage RDS resources. Instead, create an individual user or group that manages the RDS resources.
  • Control which IP addresses and AWS services can connect to your RDS instance, such as EC2 instances, using security groups.
  • Utilize the encryption capabilities of RDS to protect your working data and snapshots.
  • Use the principle of least privilege when granting permissions to users and service roles to perform their duties on the database.
  • Take advantage of the AWS Backup service to create secure copies of your backup data via cross-account backups.
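One way to check the second and third points of this list against an account, as an added example that is not from the study guide: the function below reads dicts shaped like the DBInstances entries returned by RDS describe_db_instances and the SecurityGroups entries returned by EC2 describe_security_groups (keyed by GroupId), and flags unencrypted storage, public accessibility, and security groups that admit any address on the database port. The instance and group names in the sample data are constructed.

```python
# Audit RDS instance descriptions against the checklist above (added example).

def open_to_world(sg: dict, port: int) -> bool:
    """True if the security group admits 0.0.0.0/0 or ::/0 on the database port."""
    for perm in sg.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)  # "-1" has no ports
        if proto not in ("tcp", "-1") or not (lo <= port <= hi):
            continue
        cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
        cidrs += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
        if "0.0.0.0/0" in cidrs or "::/0" in cidrs:
            return True
    return False

def audit_rds(instances: list, sgs: dict) -> dict:
    """Map DBInstanceIdentifier -> list of findings, for instances that have any."""
    findings = {}
    for db in instances:
        issues = []
        if not db.get("StorageEncrypted", False):
            issues.append("storage not encrypted")
        if db.get("PubliclyAccessible", False):
            issues.append("publicly accessible")
        port = db["Endpoint"]["Port"]
        for ref in db.get("VpcSecurityGroups", []):
            gid = ref["VpcSecurityGroupId"]
            if open_to_world(sgs.get(gid, {}), port):
                issues.append(f"{gid} open to the world on port {port}")
        if issues:
            findings[db["DBInstanceIdentifier"]] = issues
    return findings

# Constructed sample data: one well-configured instance and one with three problems.
SAMPLE_INSTANCES = [
    {"DBInstanceIdentifier": "orders-prod", "StorageEncrypted": True,
     "PubliclyAccessible": False, "Endpoint": {"Port": 5432},
     "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-app-only"}]},
    {"DBInstanceIdentifier": "legacy-db", "StorageEncrypted": False,
     "PubliclyAccessible": True, "Endpoint": {"Port": 3306},
     "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-wide-open"}]},
]
SAMPLE_SGS = {
    "sg-app-only": {"IpPermissions": [{"IpProtocol": "tcp", "FromPort": 5432,
                    "ToPort": 5432, "IpRanges": [{"CidrIp": "10.0.1.0/24"}]}]},
    "sg-wide-open": {"IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3306,
                     "ToPort": 3306, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
}
```

Calling `audit_rds(SAMPLE_INSTANCES, SAMPLE_SGS)` reports only `legacy-db`; with live data, pass the `DBInstances` list and a dict of `GroupId` to security group built from the two describe calls.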

Amazon Aurora

Amazon Aurora was built in response to customers wanting the performance of commercial-grade database engines such as Oracle or Microsoft SQL Server without dealing with all the hassle of the licensing restrictions that come with those products.

Another important fact about Amazon Aurora is that, unlike other RDS engines backed by EBS storage, Aurora built its storage solution from the ground up after considering multiple customer requests over the years.

Amazon Aurora comes in MySQL-compatible and PostgreSQL-compatible editions. You can run Aurora as a cluster or as a serverless version of the Aurora database.

Key-Value Databases

DynamoDB is the first of the NoSQL databases that will be discussed in this section. Although some users believe that NoSQL means Not SQL, most have come to the consensus that it stands for Not Only SQL.

Key-value databases store data in key-value pairs and are designed for high performance and scalability. They are often used for applications that require quick read-and-write operations. Each key is a unique identifier that can be used to retrieve the corresponding value from the database.

In-depth examples of using DynamoDB will be presented in Chapter 17, Protecting Data in Flight and at Rest.

In-Memory Databases

In-memory databases are databases where all the data is stored in RAM and specialized hardware. The upside of this type of database is extremely fast performance and very low latency. The downside is that because they use RAM as the backing hardware, they can be more expensive than other databases.

Items that your users and applications access frequently need a quick response to provide the best customer experience. The time it takes to run a database query and render the results, especially when several queries are waiting to run at the same time, can become a factor, and this is where adding an in-memory database as a caching layer can help reduce latency. AWS’ managed in-memory database option is ElastiCache, which comes with two different engines: Redis and Memcached. ElastiCache nodes and clusters are composed of SSDs, which allows encryption at rest, in contrast with other in-memory databases that are created purely out of RAM.