RDS & Aurora Security Overview

1. Data Encryption

At-Rest Encryption

• Encrypts database volumes using AWS Key Management Service (KMS).
• Master database and all replicas must be encrypted at launch.
• If the master database is unencrypted, read replicas cannot be encrypted.
• To encrypt an existing unencrypted database, follow these steps:
  1. Take a snapshot of the unencrypted database.
  2. Restore the snapshot as an encrypted database using KMS.

In-Transit Encryption

• TLS (Transport Layer Security) encryption is available by default.
• Clients must use AWS TLS root certificates to securely connect to RDS & Aurora.

2. Database Authentication

Traditional Authentication

• Supports the classic username/password method.

IAM Authentication

• AWS IAM can be used to authenticate instead of passwords.
• Example: EC2 instances with IAM roles can directly access RDS without credentials.
• Advantage: Centralized security management via AWS IAM policies.

3. Network Security

• Use AWS Security Groups to control access to RDS/Aurora.
• Security Groups allow/deny access based on:
  • Ports (e.g., 3306 for MySQL, 5432 for PostgreSQL).
  • IP addresses.
  • Other security groups.