Flexible, precise, and secure relational databases have been a part of most business IT infrastructures for a while now. Today, with the vast amount of information circling around the digital world, the demand for databases is larger than ever, but so are the offerings. In this three-part article, we will focus on the AWS Relational Database Service (RDS) offered by Amazon since 2009. We also take a look at some of its most important features, focusing on the information you should know before you begin using it. In part one, we start with security. We’ll explain how to best protect your data and your business in the process.
AWS Relational Database Service Overview
RDS offers a quick and easy way to provision databases in the Amazon cloud with just a few clicks. Since RDS is a managed service, all the infrastructure management is taken care of for you; scaling up or down is fairly simple, with six different database engines to choose from. If you prefer an open-source database, you can pick MySQL, MariaDB, or PostgreSQL. On the other hand, if your business requirements dictate the use of a commercial database, you can opt for either the Oracle or Microsoft SQL Server. You can also use Amazon Aurora, which offers both simplicity and reliability, while providing high throughput compared to other options. Aurora is also fully compatible with MySQL and PostgreSQL, allowing your existing applications to work as usual without any modification.
Of course, as with any other managed service, there are trade-offs to consider, so you need to understand the limitations of RDS, as well. For example, one of the biggest downsides is the inability to access the operating system on the host where the database is located. This prevents you from making changes to the database configuration, unless they are already exposed by RDS via console or API. Also keep in mind storage limits, as growing your database past the maximum size (SQL 4TB, MySQL/PostgreSQL/MariaDB/Oracle 6TB, Aurora 64TB) is not a simple task, and requires either sharding (horizontal partitioning of the data), archiving, or simply deleting data.
When you evaluate at IT infrastructure from a business standpoint, security is always your number one priority. When it comes to AWS, databases are run on instances within a VPC, so your network is the first layer of defense. If you are connecting to AWS from an on-premise data center, make sure you are using Direct Connect (a private dedicated connection between you and AWS) or a VPN. Utilizing Security Groups and Network Access Lists is also a must, no matter where you are connecting from. This ensures that only the IP addresses and ports you are using are allowed, and no one else can access your data.
During the creation of the database, you will assign a master user who will have full administration rights, but only use them to define other database users and grant them access. You also can choose whether your database will be publicly accessible or not. While keeping your database private (without a public IP) is better, unless you have a private connection to AWS or you connect only from within your cloud infrastructure, you will have to make the database public. In this case, use a restrictive security group for extra protection.
Securing access to your database is of great importance, but so is the protection of the data itself. RDS allows you to protect your data by using encryption, both in transit and at rest.
For encryption in transit, SSL is supported by all six database engines. RDS will create a certificate and install it on an instance when it is provisioned. You can download the public key from Amazon and use it to encrypt your connection in order to secure the traffic between you and the database on AWS.
Encryption at rest is also supported by every database engine run by RDS and is applied not only to the instance storage, but also to read replicas, automated backups, and snapshots. Encryption at rest is handled by AWS Key Management Service (KMS) and is enabled during the provisioning of the database. When the instance is up and running, it will request a data key (each database will have its own unique key) from KMS and will use it to encrypt the data.
Encryption is also important when it comes to compliance, so make sure you enable it when setting up your database.
Changing your RDS Encryption Key
Keep in mind, you can update your RDS encryption key by using a workaround utilizing your snapshots.
The process to clone an existing encrypted Amazon RDS DB instance to a new encrypted RDS DB instance with a different encryption key is fairly simple. Note that you will not be able to change the existing encryption key of an already encrypted RDS DB instance. You must use the copy snapshot process to change the encryption key and then restore the snapshot to a new encrypted instance with the new key. The steps to accomplish this are detailed in this video here.
Backing up your RDS instances with N2WS Backup and Recovery
N2WS Backup and Recovery (CPM) makes it very easy to automate backups of your RDS instances. CPM is a native cloud backup, recovery and disaster recovery solution for Amazon EC2 instances, EBS volumes, RDS databases and Redshift Clusters. It utilizes AWS EBS and RDS snapshots, directly connecting to users’ AWS infrastructure to perform automated backups. To learn more about CPM and how to give your team the ability to back up data as often as needed and recover it far more quickly, you can try our 30-day free trial.
The ability to quickly provision fully-managed databases will benefit most businesses. For Ops, it means no infrastructure maintenance, and for Dev less dependence on others as they can create everything they need with minimum AWS experience. With multiple database engines on offer, both commercial and open-source, but with high-end features to keep your data protected, RDS is a diverse service and an easy choice for AWS customers. In part two of this article, we will continue our features overview and take a closer look at RDS monitoring.