One of the great advantages of Amazon’s RDS (Relational Database Service) is the ease with which it allows users to set up and run an affordable cloud-based relational database. This does not mean, however, that once created it needs no attention – it is always vital that users are aware of the need to follow best practices applicable to security groups in AWS RDS. Here we look at these in more detail.
The virtual firewall which Amazon has in place to protect your cloud-based traffic needs to be managed in a slightly different way to traditional firewalls, using security groups rather than the typical policies you may be familiar with. The key differences to know about are that all AWS rules are positive, and that the AWS system requires users to choose between identifying either a source or a destination for traffic on a single rule as it is the security group which decides which is appropriate.
This is a good way to keep things tidy, so if you want to change or add to something later you can be sure of avoiding any mistakes.
This greatly reduces the chance of an account being threatened after a security group has been misconfigured.
Following standard protocol for naming the aws rds security group sets is by far the easiest way to keep things organized, and this habit should be in place from the start.
By setting these up to monitor and record all entries – whether successful or not, a quick scan is enough to easily identify anything unusual or sinister going on.
These are an upgrade on the older option of inline policies. The advantages of making the switch/decision include being able to manage all permissions from one place, the option to place policies into categories, a much simpler permission update system, and the option to add extra managed policies to groups, roles or users as you wish.
You should do this manually from time to time, alongside using an automated program for backup. It’s best to be strict about this, to avoid security black holes.
Use the AWS Identity and Access Management system to make the crucial decisions on exactly who in your company can do what. For example, who can create a security group? Remember that for the very best level of security access should only ever be granted to anyone beyond what is absolutely necessary.
Incoming access through open ports 0.0.0.0/0 in any security group potential exposes your entire cloud data and resources to serious threats from many outside sources.