You're reading from AWS Certified Database – Specialty (DBS-C01) Certification Guide

Product type: Book
Published in: May 2022
Publisher: Packt
ISBN-13: 9781803243108
Edition: 1st Edition
Author: Kate Gawron

Kate Gawron is a full-time senior database consultant and part-time future racing driver. She was a competitor in Formula Woman, and she aspires to become a professional Gran Turismo (GT) racing driver. Away from the racetrack, Kate has worked with Oracle databases for 18 years and AWS for five years. She holds four AWS certifications, including the AWS Certified Database – Specialty certification as well as two professional Oracle qualifications. Kate currently works as a senior database architect, where she works with customers to migrate and refactor their databases to work optimally within the AWS cloud.


Chapter 12: AWS Database Security

Database security is a critical part of both the AWS Database Specialty exam and the work that an AWS DBA carries out daily. Database security covers how to restrict access to your databases and audit that access efficiently, how to encrypt your data both in transit and at rest to stop unauthorized access to it, and how to use other AWS services, such as Key Management Service and Secrets Manager, to protect passwords and login credentials. There will be several questions about database security in the AWS Database Specialty exam, so this is an important chapter if you wish to apply database security to a wide range of case studies.

In this chapter, we're going to cover the following main topics:

  • Database encryption
  • Working with RDS encryption
  • Implementing database and VPC access controls
  • Auditing databases
  • Configuring AWS Key Management Service and Secrets Manager

Let's start by looking at database...

Technical requirements

For this chapter, you will need an AWS account with root access. Not everything we will do in this chapter may be available in the free tier, which means it may cost you a small amount to follow the hands-on sections. You will also require command-line interface (CLI) AWS access. The AWS guide at https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html explains the steps you must follow, but I will summarize them here:

  1. Create an AWS account if you have not already done so.
  2. Download the latest version of the AWS CLI from https://docs.aws.amazon.com/cli/latest/userguide/welcome-versions.html#welcome-versions-v2.
  3. Create an admin user at https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html.
  4. Create an access key for your administration user: https://docs.aws.amazon.com/IAM/latest/UserGuide/getting-started_create-admin-group.html#getting-started_create-admin-group-cli.
  5. Run the aws configure command...

Database encryption

Encryption is the encoding of data that's stored or transmitted: the data is changed from its original values into something meaningless to anyone without the means to decode it again. That decoding tool is called a key. An encryption key is a long string of alphanumeric characters that, when used with a mathematical function called an algorithm, allows your data to be encrypted and decrypted. Only applications or users with access to the decryption key will be able to read the data.

Data that's stored on disks is called data at rest. Data at rest within a managed AWS database, such as RDS, DynamoDB, DocumentDB, Neptune, and Timestream, can be encrypted using AES-256 encryption. Data that passes from the client or application to the database is called data in transit. Data in transit can be encrypted using SSL/TLS cryptography. Data at rest needs to be protected from someone gaining access to the instance or server your database is running...

Working with RDS encryption

In this lab, we are going to create an RDS instance without encryption and then create an encrypted snapshot to restore in a new instance to enable encryption. Then, we are going to migrate our encrypted database to a different region to learn how to use different keys to encrypt and share snapshots.

Encrypting an existing RDS instance

Let's begin by creating an RDS MySQL instance using the Dev/Test options. We cannot use the free tier here as there is no option to disable encryption. As you should have created several RDS instances by now in this book, these steps will be kept at a high level:

  1. Log in to the AWS console or use the AWS CLI to create a free tier RDS MySQL database but disable encryption before creating it. If you use a t3.micro, your costs will be very low.
  2. You can also disable Performance Insights and Monitoring if you wish.

Figure 12.1 – RDS encryption disabled

  3. When the database...
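The lab's flow (plain snapshot, encrypted copy with a KMS key, restore, and the cross-region copy) written as an added example against the boto3 RDS client call names and parameters; this is not the book's code. The client is injected, and OfflineRds is a constructed stand-in so the flow can be exercised without an AWS account.

```python
# Added example (not the book's code): the lab's flow as boto3 RDS client calls.
# The client is injected; OfflineRds is a constructed stand-in for offline runs.


def encrypt_existing_instance(rds, instance_id, kms_key_id):
    """Unencrypted snapshot -> encrypted copy -> restore as a new instance."""
    plain, enc = f"{instance_id}-plain", f"{instance_id}-enc"
    rds.create_db_snapshot(DBInstanceIdentifier=instance_id, DBSnapshotIdentifier=plain)
    rds.get_waiter("db_snapshot_available").wait(DBSnapshotIdentifier=plain)
    # Encryption is applied at copy time: KmsKeyId makes the copy encrypted.
    rds.copy_db_snapshot(SourceDBSnapshotIdentifier=plain,
                         TargetDBSnapshotIdentifier=enc, KmsKeyId=kms_key_id)
    rds.get_waiter("db_snapshot_available").wait(DBSnapshotIdentifier=enc)
    snap = rds.describe_db_snapshots(DBSnapshotIdentifier=enc)["DBSnapshots"][0]
    if not snap.get("Encrypted"):            # guard: never restore a plain copy by mistake
        raise RuntimeError(f"{enc} is not encrypted")
    rds.restore_db_instance_from_db_snapshot(DBInstanceIdentifier=f"{instance_id}-enc",
                                             DBSnapshotIdentifier=enc)
    return f"{instance_id}-enc", snap["KmsKeyId"]


def copy_snapshot_to_region(dst_rds, snapshot_arn, target_id, dst_kms_key_id, src_region):
    """Cross-region copy. Run against the DESTINATION region's client with a KMS key
    from that region (keys are regional); SourceRegion tells boto3 to presign the
    request for the source region, and an encrypted source requires a KmsKeyId."""
    return dst_rds.copy_db_snapshot(SourceDBSnapshotIdentifier=snapshot_arn,
                                    TargetDBSnapshotIdentifier=target_id,
                                    KmsKeyId=dst_kms_key_id, SourceRegion=src_region)


class OfflineRds:
    """Constructed stand-in that records calls; not an AWS client."""
    def __init__(self):
        self.calls, self.snapshots = [], {}
    def create_db_snapshot(self, **kw):
        self.calls.append(("create", kw))
        self.snapshots[kw["DBSnapshotIdentifier"]] = {"Encrypted": False, "KmsKeyId": None}
    def copy_db_snapshot(self, **kw):
        self.calls.append(("copy", kw))
        key = kw.get("KmsKeyId")
        snap = {"Encrypted": key is not None, "KmsKeyId": key}
        self.snapshots[kw["TargetDBSnapshotIdentifier"]] = snap
        return {"DBSnapshot": snap}
    def describe_db_snapshots(self, DBSnapshotIdentifier):
        return {"DBSnapshots": [self.snapshots[DBSnapshotIdentifier]]}
    def restore_db_instance_from_db_snapshot(self, **kw):
        self.calls.append(("restore", kw))
    def get_waiter(self, name):
        return type("Waiter", (), {"wait": lambda self, **kw: None})()
```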

Implementing database and VPC access controls

All RDS and Aurora databases run within a VPC. As you may recall, a VPC is a section of the AWS Cloud that is secured for your use only. A VPC operates similarly to a data center and can be secured using a variety of security measures, from user accounts to security groups. Databases that do not run within a VPC, such as DynamoDB, Timestream, and QLDB, use different security controls, such as AWS Identity and Access Management (IAM) roles and users, which we will discuss later in this section.

Let's start by learning how to use VPC subnets to keep your databases hidden from the internet.

Subnets and bastion hosts

Subnets are a range of IP addresses that form logical groups within a VPC. There are two types of subnets you can create: public and private. A public subnet is one where the servers and databases within it can reach the public internet and be reached from the internet via an internet gateway. A private subnet is one...
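An added example (not the book's code) of the security-group check this section and the cheat sheet call for: it audits inbound rules in the shape returned by `aws ec2 describe-security-groups`, treats rules whose source is another security group (the app-server and bastion pattern) as intended, and flags CIDR rules on database ports, rating 0.0.0.0/0 and ::/0 as HIGH. The sample groups are constructed.

```python
import ipaddress

# Ports the audit treats as database ports (MySQL, PostgreSQL, SQL Server, Oracle, DocumentDB).
DB_PORTS = {3306, 5432, 1433, 1521, 27017}


def _ports(perm):
    """Port range covered by one IpPermissions entry; protocol -1 means all traffic."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def audit_db_security_group(group):
    """Findings for one security group dict as returned by describe-security-groups.

    UserIdGroupPairs (source is another security group) is the intended pattern for
    app servers and bastion hosts, so it is not flagged; CIDR sources on DB ports are,
    with 0.0.0.0/0 and ::/0 rated HIGH and other CIDRs rated LOW."""
    gid, findings = group["GroupId"], []
    for perm in group.get("IpPermissions", []):
        lo, hi = _ports(perm)
        if not any(lo <= p <= hi for p in DB_PORTS):
            continue                                   # not a database port; out of scope
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            if ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
                findings.append(("HIGH", f"{gid}: {cidr} may reach ports {lo}-{hi}"))
            else:
                findings.append(("LOW", f"{gid}: CIDR source {cidr} on ports {lo}-{hi}; "
                                        "prefer a security-group source"))
    return findings


def audit_all(groups):
    return {g["GroupId"]: audit_db_security_group(g) for g in groups}


# Constructed sample: one group following the chapter's pattern, one left open.
SAMPLE_GROUPS = [
    {"GroupId": "sg-db-good", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [], "Ipv6Ranges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-app"}, {"GroupId": "sg-bastion"}]}]},
    {"GroupId": "sg-db-open", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "UserIdGroupPairs": [],
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "UserIdGroupPairs": [],
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
]
```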

Auditing databases

Database auditing can be configured to help you identify unauthorized access to the databases, as well as closely monitor highly sensitive tables to stop them from being tampered with. In AWS, you can use four different tools to comprehensively monitor your database estate:

  • CloudWatch: You can configure your databases to send their logs to CloudWatch, which acts as a centralized repository.
  • CloudTrail: This can be used to monitor actions that have been taken by a user or another AWS service that affect your RDS instance. Creating, deleting, or modifying an RDS instance would be recorded. This also tracks user logins using IAM authentication.
  • Database Activity Stream: This is only used for RDS Oracle. It sends a record of all audited database changes to an external stream that the DBAs have no access to, thereby improving compliance.
  • Database logs: As well as the other monitoring tools, RDS gives you access to the standard logs for each database, such...

Configuring AWS Key Management Service and Secrets Manager

Secrets Manager is an encrypted and secure key-value store where you can save any information you would like to keep secret. It integrates natively into a wide range of AWS services, including most of their database platforms, such as RDS and DocumentDB. It can automate password rotation and sync the changes to your databases to ensure your application is not disrupted.

A common problem that is resolved using AWS Secrets Manager is storing database passwords within the application or in text files that can easily be accessed by unauthorized users. You can store the database passwords in AWS Secrets Manager and use the AWS CLI to retrieve them. These passwords can be changed on an automatic schedule and will update both the passwords stored with AWS Secrets Manager, as well as within the RDS databases. To allow your application to obtain these passwords from Secrets Manager, you will need to modify the code to allow your application...
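An added example (not the book's code) of the application-side change described above: credentials are read from Secrets Manager through the boto3 call `get_secret_value` and the key names of the RDS secret format (username, password, host, port, dbname, engine), cached, and re-read once when a connection attempt fails authentication, which is what happens after a scheduled rotation if the application still holds the old password. The client is injected; OfflineSecrets is a constructed stand-in, and the `connect` callable is assumed to raise `PermissionError` on an authentication failure in place of the driver's own error.

```python
# Added example (not the book's code): read RDS credentials from Secrets Manager
# rather than a config file. The client is injected; OfflineSecrets is a
# constructed stand-in, not boto3.
import json
import time


class DbCredentials:
    def __init__(self, secrets_client, secret_id, ttl_seconds=300, clock=time.monotonic):
        self._client, self._secret_id = secrets_client, secret_id
        self._ttl, self._clock = ttl_seconds, clock
        self._cached, self._fetched_at = None, float("-inf")

    def _fetch(self):
        resp = self._client.get_secret_value(SecretId=self._secret_id)
        secret = json.loads(resp["SecretString"])        # RDS secrets are JSON strings
        missing = {"username", "password", "host", "port"} - set(secret)
        if missing:
            raise ValueError(f"secret {self._secret_id} lacks {sorted(missing)}")
        self._cached, self._fetched_at = secret, self._clock()
        return secret

    def get(self, force_refresh=False):
        """Cached credentials, re-read after the TTL or on demand."""
        stale = self._clock() - self._fetched_at > self._ttl
        if force_refresh or self._cached is None or stale:
            return self._fetch()
        return self._cached

    def connect_with_retry(self, connect):
        """connect(creds) -> connection. On an auth failure re-read the secret once:
        after Secrets Manager rotates the password the cached copy is the old one."""
        try:
            return connect(self.get())
        except PermissionError:                           # assumed driver auth error
            return connect(self.get(force_refresh=True))


class OfflineSecrets:
    """Constructed stand-in for the Secrets Manager client (not boto3)."""
    def __init__(self, password):
        self.password, self.calls = password, 0

    def get_secret_value(self, SecretId):
        self.calls += 1
        secret = {"engine": "mysql", "host": "db.example.internal", "port": 3306,
                  "dbname": "app", "username": "app", "password": self.password}
        return {"SecretString": json.dumps(secret)}
```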

Summary

In this chapter, we explored the key database security features that are offered by AWS. This included encryption, audit controls and monitoring, VPC security, and secure password storage.

We learned how to configure a VPC securely for our database and learned how to set a database in a private subnet that's protected by security groups that only allow access to authorized hosts. In addition, we learned how bastion hosts are used to provide administrative access to a database without exposing the database to the public internet.

Then, we looked at database encryption techniques and how to work with encrypted snapshots, including how to copy an encrypted snapshot between regions using customer-managed keys stored in AWS KMS.

Finally, we learned how to store secret database connection details and passwords using AWS Secrets Manager.

Database security is a major topic within the AWS Certified Database Specialty exam and there will be several questions about it...

Cheat sheet

This cheat sheet summarizes the key points from this chapter:

  • AWS databases such as RDS and DynamoDB can be encrypted at rest and in transit.
  • RDS uses SSL/TLS to encrypt data in transit, so you will need to download and install the right certificate in your application to allow it to connect.
  • Databases should be placed in a private subnet within your VPC.
  • You should use security groups to tightly control which source IPs are allowed to connect to the database. They should not be left as 0.0.0.0/0 (everywhere).
  • Bastion hosts or jump boxes can be used to allow administrative traffic to the databases while maintaining a private subnet for the database.
  • AWS Secrets Manager can store database credentials securely and rotate them on a schedule.
  • Your applications can be written to request the password from AWS Secrets Manager rather than requiring the database password to be hardcoded within the application configuration files.
  • Database auditing...

Review

Now, let's practice a few exam-style questions:

  1. You are advising a large financial company on the best strategy to migrate its on-premises MySQL database, application, and web servers. RDS MySQL is being considered as the target database engine. Access to the database should be limited to only the application servers and a bastion host.

Which solution meets these security requirements?

  A. Provision the RDS MySQL database in a private subnet. Modify the login.cnf file on the RDS host to allow connections from only the application servers and bastion host.
  B. Provision the RDS MySQL database in a public subnet. Create a new security group with inbound rules to allow connections from only the security groups of the application servers and bastion host. Attach the new security group to the DB instance.
  C. Provision the RDS MySQL database in a private subnet. Create a new security group with inbound rules to allow connections from only the security groups...

Further reading

To learn more about the topics that were covered in this chapter, take a look at the following resources:
