RDS & Aurora Security
- At-rest encryption:
  - Encrypts the primary database, its read replicas, automated backups and snapshots (AES-256) using AWS KMS keys.
  - Must be enabled at database creation time; an existing unencrypted instance cannot be switched to encrypted in place.
  - If the primary DB is unencrypted, its read replicas cannot be encrypted (and an encrypted primary cannot have unencrypted replicas).
  - To encrypt an unencrypted DB, take a snapshot, create an encrypted copy of the snapshot (specifying the KMS key), restore a new instance from the encrypted copy and cut over to it. Aurora also lets you specify the KMS key directly when restoring an unencrypted cluster snapshot.
- In-flight encryption:
  - TLS is available on every instance by default, but it is only enforced when the parameter group requires it (rds.force_ssl=1 for PostgreSQL, require_secure_transport=ON for MySQL/MariaDB); otherwise a client can still connect in cleartext.
  - Install the AWS RDS CA certificate bundle on the client and verify the server certificate against it (for example sslmode=verify-full in PostgreSQL) so the connection cannot be downgraded or intercepted.
- IAM Database Authentication:
  - Connect with a short-lived authentication token (valid 15 minutes, generated with `aws rds generate-db-auth-token` from IAM credentials) instead of a static username and password; the token is passed as the password and the connection must use TLS.
  - Supported for MySQL, MariaDB and PostgreSQL (RDS and Aurora). The database user must be created for it (IDENTIFIED WITH AWSAuthenticationPlugin on MySQL, GRANT rds_iam on PostgreSQL) and the caller needs the rds-db:connect permission for that user.
- Security Groups:
  - Control inbound and outbound network access to the DB instance/cluster at the VPC level.
  - Allow inbound on the database port only from the application tier's security group rather than from broad CIDR ranges, and keep the instance non-publicly-accessible.
- OS-level access:
  - No SSH access to the underlying host for RDS or Aurora; AWS manages the OS.
  - Only RDS Custom (Oracle and SQL Server) allows OS-level access.
- Audit logging:
  - Can be enabled per engine (MariaDB Audit Plugin option for MySQL/MariaDB, pgaudit for PostgreSQL, Advanced Auditing for Aurora MySQL) and exported to CloudWatch Logs for centralized monitoring, alerting and retention beyond what the instance keeps locally.
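
The controls above map onto fields that `aws rds describe-db-instances` and `aws rds describe-db-parameters` already return, so they can be audited mechanically. The following is an added example (not from the page, not an AWS tool) that runs those checks over constructed records trimmed to the fields the checks need: it flags instances that are unencrypted at rest, replicas that cannot be encrypted until their source is, instances without IAM authentication, publicly accessible instances, and parameter groups that leave TLS optional. The instance names, KMS key ARN and parameter-group names are invented.

```python
"""Posture check for RDS/Aurora instances against the controls listed above.

Added example: the records are constructed to look like trimmed output of
`aws rds describe-db-instances` and `aws rds describe-db-parameters`.
"""

# Constructed sample: an unencrypted primary with its read replica, and a hardened MySQL instance.
INSTANCES = [
    {"DBInstanceIdentifier": "orders-primary", "Engine": "postgres",
     "StorageEncrypted": False, "IAMDatabaseAuthenticationEnabled": False,
     "PubliclyAccessible": True,
     "DBParameterGroups": [{"DBParameterGroupName": "orders-pg"}]},
    {"DBInstanceIdentifier": "orders-replica", "Engine": "postgres",
     "ReadReplicaSourceDBInstanceIdentifier": "orders-primary",
     "StorageEncrypted": False, "IAMDatabaseAuthenticationEnabled": False,
     "PubliclyAccessible": False,
     "DBParameterGroups": [{"DBParameterGroupName": "orders-pg"}]},
    {"DBInstanceIdentifier": "billing", "Engine": "mysql",
     "StorageEncrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/constructed-example",
     "IAMDatabaseAuthenticationEnabled": True, "PubliclyAccessible": False,
     "DBParameterGroups": [{"DBParameterGroupName": "billing-mysql"}]},
]

# Constructed: parameter-group name -> parameters as describe-db-parameters returns them.
PARAMETERS = {
    "orders-pg": [{"ParameterName": "rds.force_ssl", "ParameterValue": "0"}],
    "billing-mysql": [{"ParameterName": "require_secure_transport", "ParameterValue": "ON"}],
}

# The parameter that turns "TLS available" into "TLS required", per engine family.
TLS_ENFORCEMENT = {
    "postgres": ("rds.force_ssl", {"1"}),
    "aurora-postgresql": ("rds.force_ssl", {"1"}),
    "mysql": ("require_secure_transport", {"ON", "1"}),
    "mariadb": ("require_secure_transport", {"ON", "1"}),
    "aurora-mysql": ("require_secure_transport", {"ON", "1"}),
}


def tls_enforced(engine, params):
    """True only if the parameter group forces TLS; an absent parameter means the engine default (off)."""
    name, ok_values = TLS_ENFORCEMENT[engine]
    for p in params:
        if p["ParameterName"] == name:
            return str(p.get("ParameterValue", "")).upper() in ok_values
    return False


def audit(instances, parameters):
    """Return {instance id: [findings]}; an empty list means the instance passed every check."""
    by_id = {i["DBInstanceIdentifier"]: i for i in instances}
    findings = {}
    for inst in instances:
        issues = []
        if not inst.get("StorageEncrypted"):
            source = inst.get("ReadReplicaSourceDBInstanceIdentifier")
            if source and not by_id.get(source, {}).get("StorageEncrypted"):
                # A replica inherits the source's encryption state, so fixing the replica alone is impossible.
                issues.append(f"unencrypted replica of unencrypted {source}: encrypt the source first "
                              "(snapshot, encrypted copy, restore), then recreate the replica")
            else:
                issues.append("not encrypted at rest: snapshot, copy with a KMS key, restore")
        if not inst.get("IAMDatabaseAuthenticationEnabled"):
            issues.append("IAM database authentication disabled")
        if inst.get("PubliclyAccessible"):
            issues.append("publicly accessible")
        group = inst["DBParameterGroups"][0]["DBParameterGroupName"]
        if not tls_enforced(inst["Engine"], parameters.get(group, [])):
            issues.append(f"TLS not enforced by parameter group {group}")
        findings[inst["DBInstanceIdentifier"]] = issues
    return findings


if __name__ == "__main__":
    for ident, issues in audit(INSTANCES, PARAMETERS).items():
        print(ident, "OK" if not issues else "")
        for issue in issues:
            print("  -", issue)
```

In a real account the two sample structures would come from the describe calls paged over every region; the checks themselves do not change. Note that `PubliclyAccessible` is the instance flag and not a substitute for reviewing the security group's inbound rules.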