AWS Relational Database Service (RDS) normally holds very sensitive organizational data, so securing it is essential.
AWS provides security for RDS data in the following ways:
- At-rest encryption:
  - RDS databases and read replicas can be encrypted using AWS KMS, but encryption must be chosen at build (creation) time.
  - The main (read/write) RDS database must be encrypted in order for its read replicas to be encrypted.
  - To encrypt after RDS creation, take an RDS snapshot and restore it to a new, encrypted RDS instance.
- In-flight encryption:
  - TLS by default, using the AWS TLS root certificates on the client side.
- IAM authentication:
  - Create IAM roles for access to the RDS database instead of a username and password.
- Security groups:
  - Control network access to your RDS or Aurora databases.
  - No SSH access is available except on RDS Custom builds.
- Audit logs can be enabled and sent to CloudWatch for additional retention.
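As an added example (not part of the original notes, and not AWS or boto3 code), the script below audits a list of RDS instance descriptions against the controls above: at-rest encryption (including the rule that a read replica can only be encrypted if its source is), IAM database authentication, public accessibility and attached security groups, and audit log export to CloudWatch Logs. The sample instances are constructed here to mimic the shape of boto3's `describe_db_instances()` response (`DBInstances` list); in practice you would pass that real list into `audit_instances()`. The KMS key ARN and security group IDs are placeholders. The CloudWatch log type named `audit` exists for MySQL and MariaDB engines; for other engines the check only requires that some log export is enabled.

```python
"""Audit RDS instance descriptions for the security controls listed above.

Example code, not part of the original notes. Sample data is constructed to
look like boto3 rds.describe_db_instances()["DBInstances"].
"""

# Constructed sample input (placeholder identifiers, not real resources).
SAMPLE_INSTANCES = [
    {
        "DBInstanceIdentifier": "orders-primary",
        "Engine": "mysql",
        "StorageEncrypted": False,                      # created without KMS encryption
        "IAMDatabaseAuthenticationEnabled": True,
        "PubliclyAccessible": False,
        "EnabledCloudwatchLogsExports": ["audit", "error"],
        "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-PLACEHOLDER1", "Status": "active"}],
    },
    {
        "DBInstanceIdentifier": "orders-replica",
        "Engine": "mysql",
        "StorageEncrypted": False,
        "ReadReplicaSourceDBInstanceIdentifier": "orders-primary",  # replica of an unencrypted source
        "IAMDatabaseAuthenticationEnabled": False,
        "PubliclyAccessible": True,
        "EnabledCloudwatchLogsExports": [],
        "VpcSecurityGroups": [],
    },
    {
        "DBInstanceIdentifier": "billing-pg",
        "Engine": "postgres",
        "StorageEncrypted": True,
        "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/PLACEHOLDER-KEY-ID",
        "IAMDatabaseAuthenticationEnabled": True,
        "PubliclyAccessible": False,
        "EnabledCloudwatchLogsExports": ["postgresql"],
        "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-PLACEHOLDER2", "Status": "active"}],
    },
]

# Engines whose CloudWatch log export list can contain the "audit" log type.
AUDIT_LOG_ENGINES = {"mysql", "mariadb"}


def audit_instance(inst: dict, by_id: dict) -> list[dict]:
    """Return a list of findings ({"check": ..., "detail": ...}) for one instance."""
    name = inst["DBInstanceIdentifier"]
    findings = []

    # At-rest encryption: cannot be turned on in place; snapshot + restore is the fix.
    if not inst.get("StorageEncrypted", False):
        findings.append({"check": "at_rest_encryption",
                         "detail": f"{name}: storage not encrypted; snapshot and restore to a new encrypted instance"})
        # A replica can only be encrypted if its source (read/write) instance is.
        source_id = inst.get("ReadReplicaSourceDBInstanceIdentifier")
        source = by_id.get(source_id) if source_id else None
        if source is not None and not source.get("StorageEncrypted", False):
            findings.append({"check": "replica_source_unencrypted",
                             "detail": f"{name}: read replica of {source_id}, which must be encrypted first"})

    # IAM authentication instead of static username/password.
    if not inst.get("IAMDatabaseAuthenticationEnabled", False):
        findings.append({"check": "iam_auth",
                         "detail": f"{name}: IAM database authentication is disabled"})

    # Network exposure: public flag and security group attachment.
    if inst.get("PubliclyAccessible", False):
        findings.append({"check": "public_access",
                         "detail": f"{name}: PubliclyAccessible is true; review security group rules"})
    if not inst.get("VpcSecurityGroups"):
        findings.append({"check": "security_group",
                         "detail": f"{name}: no VPC security group attached"})

    # Audit logging to CloudWatch Logs for retention.
    exports = inst.get("EnabledCloudwatchLogsExports", [])
    needs_audit_type = inst.get("Engine", "") in AUDIT_LOG_ENGINES
    if (needs_audit_type and "audit" not in exports) or (not needs_audit_type and not exports):
        findings.append({"check": "audit_logs",
                         "detail": f"{name}: audit log export to CloudWatch Logs not enabled"})
    return findings


def audit_instances(instances: list[dict]) -> dict[str, list[dict]]:
    """Audit every instance; the id map lets replica checks look up their source."""
    by_id = {i["DBInstanceIdentifier"]: i for i in instances}
    return {i["DBInstanceIdentifier"]: audit_instance(i, by_id) for i in instances}


def compliant_instances(report: dict[str, list[dict]]) -> list[str]:
    """Names of instances with no findings, sorted for stable output."""
    return sorted(name for name, findings in report.items() if not findings)


if __name__ == "__main__":
    report = audit_instances(SAMPLE_INSTANCES)
    for name, findings in report.items():
        print(f"{name}: {'OK' if not findings else ''}")
        for f in findings:
            print(f"  [{f['check']}] {f['detail']}")
```

Each finding carries a stable `check` key so the output can be fed into a ticketing or compliance pipeline rather than matched on free text; with real data, replace `SAMPLE_INSTANCES` with the `DBInstances` list from `boto3.client("rds").describe_db_instances()`.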