Making RDS secure

0

We have a .NET WinForms application. We are connecting to RDS, which is public. How can we make it secure?

2 Answers
1

Hello.

Where do you host your .NET Windows applications?
If it is hosted in the same VPC as RDS, such as EC2, please disable public access for RDS and configure the security group to only allow connections from EC2.
If you are hosting on-premises rather than EC2, I think it is a good idea to use a security group to restrict connections to only on-premises public IP addresses.
For on-premises applications, I think it's a good idea to use Site to Site VPN for private access instead of public access if possible.
It is also possible to encrypt communications using SSL connections.
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html

EXPERT
answered a month ago
0

If your RDS database is publicly accessible and you are permitting access from all IP addresses (0.0.0.0/0 for IPv4 and/or ::/0 for IPv6), the most massive risk is that anyone who obtains or guesses valid credentials for your database can connect and access your data.

As Riku Kobayashi correctly advised, you should avoid making databases publicly accessible, if you can avoid it by using internal connectivity within or between your VPCs or from outside AWS over site-to-site VPN or other separately securable means of connecting.

However, if you are having to keep your database publicly accessible, the most meaningful security mechanism is to configure the RDS database's security group to allow connections only from trusted IP addresses that you know to require access legitimately. That's explained along with a simple diagram here: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_VPC.Scenarios.html#USER_VPC.Scenario4

Secondly, when connections are made over the public internet, there may be a possibility of a third party eavesdropping on your network traffic and obtaining some of your sensitive data that way. Even when the security group prevents them from connecting to your database directly, they can still listen in on the data the legitimate users are writing to or reading from your database. To address that issue, you should enforce the use of TLS encryption and ensure that the clients connecting validate the TLS certificate of the database when connecting. That's explained in more detail in the documentation article Riku Kobayashi also linked to earlier: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html

EXPERT
Leo K
answered a month ago
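
Both answers recommend restricting the database's security group to trusted addresses. The following is an added example, not part of either answer: it flags publicly accessible instances whose security groups admit 0.0.0.0/0 or ::/0 on the database port. The sample data is constructed (identifiers, port 1433 and addresses are assumptions) and follows the shape of the output of `aws rds describe-db-instances` and `aws ec2 describe-security-groups`.

```python
import ipaddress

# Constructed sample data, shaped like the output of
# `aws rds describe-db-instances` and `aws ec2 describe-security-groups`.
DB_INSTANCES = [
    {"DBInstanceIdentifier": "example-db", "PubliclyAccessible": True,
     "Endpoint": {"Port": 1433},
     "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0example1"}]},
    {"DBInstanceIdentifier": "example-db-restricted", "PubliclyAccessible": True,
     "Endpoint": {"Port": 1433},
     "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0example2"}]},
]
SECURITY_GROUPS = [
    {"GroupId": "sg-0example1", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 1433, "ToPort": 1433,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0example2", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 1433, "ToPort": 1433,
         "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "Ipv6Ranges": []}]},
]

def open_cidrs(perm, port):
    """Return CIDRs in one ingress rule that expose `port` to any address."""
    proto = perm.get("IpProtocol")
    if proto not in ("tcp", "-1"):
        return []
    # Protocol "-1" means all traffic; such rules carry no port range.
    if proto == "tcp" and not (perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)):
        return []
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    # A /0 prefix (0.0.0.0/0 or ::/0) matches every address.
    return [c for c in cidrs if ipaddress.ip_network(c, strict=False).prefixlen == 0]

def audit(instances, groups):
    """List (db id, group id, cidr) for public instances reachable from anywhere."""
    by_id = {g["GroupId"]: g for g in groups}
    findings = []
    for db in instances:
        if not db.get("PubliclyAccessible"):
            continue
        port = db["Endpoint"]["Port"]
        for ref in db.get("VpcSecurityGroups", []):
            group = by_id.get(ref["VpcSecurityGroupId"], {})
            for perm in group.get("IpPermissions", []):
                for cidr in open_cidrs(perm, port):
                    findings.append((db["DBInstanceIdentifier"], ref["VpcSecurityGroupId"], cidr))
    return findings
```

To run it against a real account, replace the two constants with the `DBInstances` and `SecurityGroups` lists from the CLI's JSON output.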