RDS - Relational Database Service

AWS RDS - Relational Database Service

  • It is a managed database service for relational databases
  • It allows us to create databases in the cloud that are managed by AWS
  • RDS offerings provided by AWS:
    • PostreSQL
    • MySQL
    • MariaDB
    • Oracle
    • Microsoft SQL Server
    • Aurora
  • Advantages of AWS RDS over deploying an relational database on EC2:
    • RDS is a managed service, meaning:
      • Automated provisioning, OS patching
      • Continuous backups and restore to specific timestamp (Point in Time Restore)
      • Monitoring dashboards
      • Read replicas
      • Multi AZ setup
      • Maintenance windows for upgrades
      • Scaling capability (vertical and horizontal)
      • Storage backed by EBS (GP2 or IO)
  • Disadvantages:
    • No SSH into the instance which hosts the database

RDS Backups

  • Backups are automatically enabled in RDS
  • AWS RDS provides automated backups:
    • Daily fill backup of the database (during the maintenance window)
    • Transaction logs are backed-up by RDS every 5 minutes which provides the ability to do point in time restores
    • There is a 7 day retention for the backups which can be increased to 35 days
  • DB Snapshots:
    • There are manually triggered backups by the users
    • Retention can be as long as the user wants
    • Helpful for retaining the state of the database for longer period of time

RDS Read Replicas

  • Read replicas helps to scale the read operations
  • We can create up to 5 read replicas
  • These replicas can be within AZ, cross AZ or in different regions
  • The data between the main database and the read replicas is replicated asynchronously => reads are eventually consistent
  • Read replicas can be promoted into their own database
  • Use case for read replicas:
    • Production database is up and running taking on normal load
    • There is a new feature for running some reporting for analytics which may cause slow downs and may overload the database
    • To fix this we can create read replicas for reporting
  • Read replicas are used for SELECT operations (not INSERT, UPDATE, DELETE)
  • Network cost for read replicas:
    • In AWS there is network cost if data goes from one AZ to another
    • In case of cross AZ replication, additional costs may incur because of network traffic
    • To reduce costs, we could have the read replicas in the same AZ

RDS Multi AZ (Disaster Recovery)

  • RDS Multi AZ replication is done using synchronous replication
  • In case of multi AZ configuration we get one DNS name
  • In case of the main database goes down, the traffic is automatically re-routed to the failover database
  • Multi AZ is not used for scaling
  • The read replicas can be set up as Multi AZ for Disaster Recovery

RDS Security

Encryption
  • AWS RDS provides rest encryption: possibility to encrypt the master and read replicas with AWS KMS - AES-256 encryption
    • Encryption has to be defined at the launch time
    • If the master is not encrypted, the read replicas cannot be encrypted
    • Transparent Data Encryption (TDE) is available for Oracle and SQL Server
  • In-flight encryption: uses SSL certificates to encrypt data from client to RDS in flight
    • It is required SSL a trust certificate when connecting to database
    • To enforce SSL:
      • PostgeSQL: rds.force_ssl=1 in the AWS RDS Console (Parameter Groups)
      • MySQL: GRANT USAGE ON *.* To 'user'@'%' REQUIRE SSL;
  • Encrypting RDS backups:
    • Snapshots of un-encrypted RDS databases are un-encrypted
    • Snapshots of encrypted RDS databases are encrypted
    • We can copy an un-encrypted snapshot into an encrypted one
  • Encrypt an un-encrypted RDS database:
    • Create a snapshot
    • Copy the snapshot and enable encryption for the snapshot
    • Restore the database from the encrypted snapshot
    • Migrate application from the old database to the new one and delete the old database
Network Security and IAM
  • Network security:
    • RDS databases are usually deployed within a private subnet
    • RDS security works by leveraging security groups (similar to EC2), they control who can communicate with the database instance
  • Access management:
    • There are IAM policies which help control who can manage an AWS RDS database (through the RDS API)
    • Traditional username/password can be used to login into the database
    • IAM-based authentication can be used to login into MySQL and PostgreSQL
  • IAM authentication:
    • IAM database authentication works with MySQL and PostgreSQL
    • We don’t need a password to authenticate, just an authentication token obtained through IAM and RDS API calls
    • The token has a lifetime of 15 minutes
    • Benefits:
      • Network in/out must be encrypted using SSL
      • IAM is used to centrally manage users instead of DB credentials
      • We can manage IAM roles and EC2 instance profiles for easy integration

Security Summary

  • Encryption at rest:
    • It is done only when the database is created
    • To encrypt an existing database, we have create a snapshot, copy it as encrypted, and create an encrypted database from the snapshot
  • Our responsibility:
    • Check the ports/IP/security groups inbound rules
    • Take care of database user creation and permissions or manage them through IAM
    • Create a database with or without public access
    • Ensure parameter groups or DB is configured to only allow SSL connections
  • AWS responsibility:
    • DB patching
    • Underlying OS patching and updates