RDS - Relational Database Service
AWS RDS - Relational Database Service
- It is a managed database service for relational databases
- It allows us to create databases in the cloud that are managed by AWS
- RDS offerings provided by AWS:
- PostreSQL
- MySQL
- MariaDB
- Oracle
- Microsoft SQL Server
- Aurora
- Advantages of AWS RDS over deploying an relational database on EC2:
- RDS is a managed service, meaning:
- Automated provisioning, OS patching
- Continuous backups and restore to specific timestamp (Point in Time Restore)
- Monitoring dashboards
- Read replicas
- Multi AZ setup
- Maintenance windows for upgrades
- Scaling capability (vertical and horizontal)
- Storage backed by EBS (GP2 or IO)
- Disadvantages:
- No SSH into the instance which hosts the database
RDS Backups
- Backups are automatically enabled in RDS
- AWS RDS provides automated backups:
- Daily fill backup of the database (during the maintenance window)
- Transaction logs are backed-up by RDS every 5 minutes which provides the ability to do point in time restores
- There is a 7 day retention for the backups which can be increased to 35 days
- DB Snapshots:
- There are manually triggered backups by the users
- Retention can be as long as the user wants
- Helpful for retaining the state of the database for longer period of time
RDS Read Replicas
- Read replicas helps to scale the read operations
- We can create up to 5 read replicas
- These replicas can be within AZ, cross AZ or in different regions
- The data between the main database and the read replicas is replicated asynchronously => reads are eventually consistent
- Read replicas can be promoted into their own database
- Use case for read replicas:
- Production database is up and running taking on normal load
- There is a new feature for running some reporting for analytics which may cause slow downs and may overload the database
- To fix this we can create read replicas for reporting
- Read replicas are used for SELECT operations (not INSERT, UPDATE, DELETE)
- Network cost for read replicas:
- In AWS there is network cost if data goes from one AZ to another
- In case of cross AZ replication, additional costs may incur because of network traffic
- To reduce costs, we could have the read replicas in the same AZ
RDS Multi AZ (Disaster Recovery)
- RDS Multi AZ replication is done using synchronous replication
- In case of multi AZ configuration we get one DNS name
- In case of the main database goes down, the traffic is automatically re-routed to the failover database
- Multi AZ is not used for scaling
- The read replicas can be set up as Multi AZ for Disaster Recovery
RDS Security
Encryption
- AWS RDS provides rest encryption: possibility to encrypt the master and read replicas with AWS KMS - AES-256 encryption
- Encryption has to be defined at the launch time
- If the master is not encrypted, the read replicas cannot be encrypted
- Transparent Data Encryption (TDE) is available for Oracle and SQL Server
- In-flight encryption: uses SSL certificates to encrypt data from client to RDS in flight
- It is required SSL a trust certificate when connecting to database
- To enforce SSL:
- PostgeSQL: rds.force_ssl=1 in the AWS RDS Console (Parameter Groups)
- MySQL:
GRANT USAGE ON *.* To 'user'@'%' REQUIRE SSL;
- Encrypting RDS backups:
- Snapshots of un-encrypted RDS databases are un-encrypted
- Snapshots of encrypted RDS databases are encrypted
- We can copy an un-encrypted snapshot into an encrypted one
- Encrypt an un-encrypted RDS database:
- Create a snapshot
- Copy the snapshot and enable encryption for the snapshot
- Restore the database from the encrypted snapshot
- Migrate application from the old database to the new one and delete the old database
Network Security and IAM
- Network security:
- RDS databases are usually deployed within a private subnet
- RDS security works by leveraging security groups (similar to EC2), they control who can communicate with the database instance
- Access management:
- There are IAM policies which help control who can manage an AWS RDS database (through the RDS API)
- Traditional username/password can be used to login into the database
- IAM-based authentication can be used to login into MySQL and PostgreSQL
- IAM authentication:
- IAM database authentication works with MySQL and PostgreSQL
- We don’t need a password to authenticate, just an authentication token obtained through IAM and RDS API calls
- The token has a lifetime of 15 minutes
- Benefits:
- Network in/out must be encrypted using SSL
- IAM is used to centrally manage users instead of DB credentials
- We can manage IAM roles and EC2 instance profiles for easy integration
Security Summary
- Encryption at rest:
- It is done only when the database is created
- To encrypt an existing database, we have create a snapshot, copy it as encrypted, and create an encrypted database from the snapshot
- Our responsibility:
- Check the ports/IP/security groups inbound rules
- Take care of database user creation and permissions or manage them through IAM
- Create a database with or without public access
- Ensure parameter groups or DB is configured to only allow SSL connections
- AWS responsibility:
- DB patching
- Underlying OS patching and updates