RDS 3

Question 1

Security

Is traffic encrypted in transit to RDS?

important

Answer 1

Not by default, but you can turn it on

Question 2

Security

Can you make encryption in transit mandatory?

important

Answer 2

Yes, even on a per-user basis

Question 3

Security

How does RDS encrypt data at rest?

important

Answer 3

KMS encryption of EBS volume.

Question 4

Security

How do you remove encryption after you turn it on?

important

Answer 4

Can’t: it’s EBS under the covers with KMS.

Question 5

Security

What is TDE?

important

Answer 5

Transparent Data Encryption: standard for databases doing encryption at rest from inside their products

Question 6

Security

Which databases support TDE?

important

Answer 6

Microsoft SQL Server and Oracle

Question 7

Security

Is TDE better or worse security than EBS-based?

Answer 7

Better: data is encrypted before it goes through the underlying OS

Question 8

Security

What’s the most secure way to encrypt at-rest in RDS?

important

Answer 8

Oracle with TDE backed by CloudHSM: AWS has no access to any key material

Question 9

IAM AuthN and AuthZ

How can you set up IAM for authorization with RDS databases?

important

Answer 9

Can’t: AuthZ controlled completely inside the database engine

Question 10

IAM AuthN and AuthZ

What databases support IAM-based AuthN?

Answer 10

Maria, MySQL, PostgreSQL

Question 11

IAM AuthN and AuthZ

How do you set up IAM-based AuthN on an RDS database?

Answer 11

Just turn it on for the database instance (console, SDK call)

Question 12

IAM AuthN and AuthZ

How do you set up a database user for IAM-based AuthN?

Answer 12

Instead of a password, use “identified with AWSAuthenticationPlugin as ‘RDS’” (just a user setting).

Question 13

IAM AuthN and AuthZ

How do you connect an IAM User or Role to a database user?

important

Answer 13

Policy attached maps to local RDS user