AWS RDS Security Best Practices
Different Levels of Database Security
There are different levels of securing your databases, including:
Data Level Security: protecting the data itself from being stolen or tampered with on the servers.
System Level Security: protecting network servers, hardware and other inbound/outbound communications so they cannot be used as a channel to distribute malicious software.
User Level Security: a server is always attacked at the user level, which is why organizations rely on real-time protection software to monitor transactions and to restrict users from visiting unauthorized websites or downloading from untrusted sources.
Amazon RDS has multiple features that enhance the security and reliability of critical production databases: DB security groups; AWS Identity and Access Management (IAM) permissions that control access to Amazon RDS API operations; DB instances that are not publicly accessible; Secure Socket Layer (SSL) or Transport Layer Security (TLS) encrypted connections; encryption at rest for your RDS instances; automated backups; DB snapshots; and Multi-AZ deployments.
DB instances can also be deployed in an Amazon VPC for additional network isolation.
Security of the cloud: AWS is responsible for protecting the infrastructure that runs Amazon RDS. Third-party auditors regularly test and verify the effectiveness of that security.
Security in the cloud (the customer's responsibility):
Run your DB instance in a virtual private cloud (VPC) based on the Amazon VPC service for the greatest possible network access control.
Use AWS Identity and Access Management (IAM) policies to assign permissions that determine who is allowed to manage Amazon RDS resources. For example, you can use IAM to determine who is allowed to create, describe, modify, and delete DB instances, tag resources, or modify security groups.
Use security groups to control what IP addresses or Amazon EC2 instances can connect to your databases on a DB instance. When you first create a DB instance, its firewall prevents any database access except through rules specified by an associated security group.
Use Secure Socket Layer (SSL) or Transport Layer Security (TLS) connections with DB instances running the MySQL, MariaDB, PostgreSQL, Oracle, or Microsoft SQL Server database engines.
Use Amazon RDS encryption to secure your DB instances and snapshots at rest. Amazon RDS encryption uses the industry-standard AES-256 encryption algorithm to encrypt your data on the server that hosts your DB instance.
Use network encryption and transparent data encryption (TDE) with Oracle DB instances.
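The practices above can be checked mechanically. The following is an added example, not code from the original page or from AWS: it audits DB instance descriptions in the shape returned by boto3's `rds.describe_db_instances()` (PubliclyAccessible, StorageEncrypted, MultiAZ, BackupRetentionPeriod, DBSubnetGroup and VpcSecurityGroups are real response fields) for public exposure, encryption at rest, VPC placement, active security groups, automated backups and Multi-AZ. The two instance records are constructed samples, not real AWS output.

```python
# Added example: audit RDS instance descriptions against the practices above.
# Records mimic boto3 `describe_db_instances()` output (PubliclyAccessible,
# StorageEncrypted etc. are real response fields); the instances are constructed.
from typing import Dict, List


def audit_instance(db: Dict) -> List[str]:
    """Return the findings for one DB instance (empty list means compliant)."""
    findings = []
    if db.get("PubliclyAccessible", False):
        findings.append("publicly accessible")
    if not db.get("StorageEncrypted", False):
        findings.append("storage not encrypted at rest")
    if not db.get("DBSubnetGroup", {}).get("VpcId"):
        findings.append("not deployed in a VPC")
    # Security groups only protect the instance while they are active.
    if not any(sg.get("Status") == "active" for sg in db.get("VpcSecurityGroups", [])):
        findings.append("no active VPC security group")
    if db.get("BackupRetentionPeriod", 0) < 1:
        findings.append("automated backups disabled")
    if not db.get("MultiAZ", False):
        findings.append("single-AZ deployment")
    return findings


def audit(instances: List[Dict]) -> Dict[str, List[str]]:
    """Map each DBInstanceIdentifier to its findings."""
    return {db["DBInstanceIdentifier"]: audit_instance(db) for db in instances}


# Constructed sample records, not real AWS output.
SAMPLE_INSTANCES = [
    {"DBInstanceIdentifier": "orders-prod", "Engine": "postgres",
     "PubliclyAccessible": False, "StorageEncrypted": True, "MultiAZ": True,
     "BackupRetentionPeriod": 7, "DBSubnetGroup": {"VpcId": "vpc-0example"},
     "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0example", "Status": "active"}]},
    {"DBInstanceIdentifier": "analytics-dev", "Engine": "mysql",
     "PubliclyAccessible": True, "StorageEncrypted": False, "MultiAZ": False,
     "BackupRetentionPeriod": 0, "DBSubnetGroup": {"VpcId": "vpc-0example"},
     "VpcSecurityGroups": []},
]

if __name__ == "__main__":
    for name, problems in audit(SAMPLE_INSTANCES).items():
        print(name + ":", "OK" if not problems else "; ".join(problems))
```

To run it against a real account, replace SAMPLE_INSTANCES with the `DBInstances` list from `boto3.client("rds").describe_db_instances()`.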