
[AWS Certificate]-AWS Database Encryption, Security and Auditing

AWS KMS (Key Management Service)

 

  • Anytime you hear "encryption" for an AWS Service, it's most likely KMS
  • Easy way to control access to your data, AWS manages keys for us
  • Fully integrated with IAM for authorization
  • Seamlessly integrated into:
    • Amazon EBS: encrypt volumes
    • Amazon S3: Server side encryption of objects
    • Amazon Redshift: encryption of data
    • Amazon RDS: encryption of data
    • Amazon SSM: parameter store
    • Etc...
  • But you can also use the CLI / SDK

Copying Snapshots across regions

 


Cross Region Snapshots for Redshift Snapshot Copy Grant

 

Reference: Amazon Redshift snapshots - Amazon Redshift (docs.aws.amazon.com)

  • In the destination AWS Region, create a snapshot copy grant by doing the following: 
    • Create a KMS key in the destination region
    • Specify a name for the snapshot copy grant. This name must be unique in that AWS Region for your AWS Account.
    • Specify the AWS KMS key ID for which you are creating the grant
  • In the source AWS Region, enable copying of snapshots and specify the name of the snapshot copy grant that you created in the destination AWS Region.


Encrypting an un-encrypted RDS Database

 

1. Take a snapshot of the RDS database
   - The snapshot will be un-encrypted

2. Create an encrypted copy of the snapshot
   - Using the KMS key of your choosing

3. Restore a database from the encrypted snapshot
   - The database will be encrypted!
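The three steps above as an added Python example (not from these notes or from AWS): it uses the boto3 RDS client's method and parameter names, but an in-memory stand-in client so the flow runs offline, and "alias/rds-demo" is an assumed KMS key alias.

```python
"""Encrypt an existing unencrypted RDS instance: snapshot -> encrypted copy ->
restore (added example, not the page's code). Method and parameter names are
those of boto3's RDS client; InMemoryRds is a constructed stand-in that models
only encryption inheritance so the flow runs offline. With a real client
(boto3.client("rds")) pass your own KMS key id; "alias/rds-demo" is assumed."""

def encrypt_via_snapshot(rds, db_id, kms_key_id, new_db_id):
    """Run the three steps and return the restored instance's description."""
    plain_snap, enc_snap = f"{db_id}-plain", f"{db_id}-encrypted"
    # 1. A snapshot of an unencrypted instance is itself unencrypted.
    rds.create_db_snapshot(DBInstanceIdentifier=db_id, DBSnapshotIdentifier=plain_snap)
    rds.get_waiter("db_snapshot_available").wait(DBSnapshotIdentifier=plain_snap)
    # 2. The copy is where encryption happens: KmsKeyId selects the key.
    rds.copy_db_snapshot(SourceDBSnapshotIdentifier=plain_snap,
                         TargetDBSnapshotIdentifier=enc_snap,
                         KmsKeyId=kms_key_id, CopyTags=True)
    rds.get_waiter("db_snapshot_available").wait(DBSnapshotIdentifier=enc_snap)
    # 3. An instance restored from an encrypted snapshot inherits its key.
    rds.restore_db_instance_from_db_snapshot(DBInstanceIdentifier=new_db_id,
                                             DBSnapshotIdentifier=enc_snap)
    inst = rds.describe_db_instances(DBInstanceIdentifier=new_db_id)["DBInstances"][0]
    if not inst["StorageEncrypted"]:  # verify rather than assume
        raise RuntimeError(f"{new_db_id} restored unencrypted; check the copy step")
    return inst

class InMemoryRds:
    """Constructed stand-in for the RDS client (not boto3); tracks only encryption."""
    def __init__(self, instances):
        self.instances, self.snapshots = dict(instances), {}
    def create_db_snapshot(self, DBInstanceIdentifier, DBSnapshotIdentifier):
        src = self.instances[DBInstanceIdentifier]
        self.snapshots[DBSnapshotIdentifier] = {"Encrypted": src["StorageEncrypted"],
                                                "KmsKeyId": src.get("KmsKeyId")}
    def copy_db_snapshot(self, SourceDBSnapshotIdentifier, TargetDBSnapshotIdentifier,
                         KmsKeyId=None, CopyTags=False):
        src = self.snapshots[SourceDBSnapshotIdentifier]
        self.snapshots[TargetDBSnapshotIdentifier] = {
            "Encrypted": src["Encrypted"] or KmsKeyId is not None,
            "KmsKeyId": KmsKeyId or src["KmsKeyId"]}
    def restore_db_instance_from_db_snapshot(self, DBInstanceIdentifier, DBSnapshotIdentifier):
        snap = self.snapshots[DBSnapshotIdentifier]
        self.instances[DBInstanceIdentifier] = {"StorageEncrypted": snap["Encrypted"],
                                                "KmsKeyId": snap["KmsKeyId"]}
    def describe_db_instances(self, DBInstanceIdentifier):
        return {"DBInstances": [self.instances[DBInstanceIdentifier]]}
    def get_waiter(self, name):  # real waiters block until the snapshot is available
        return type("Waiter", (), {"wait": lambda self, **kw: None})()
```

Note that the original instance and the unencrypted snapshot still exist afterwards; delete the plain snapshot once the encrypted instance is verified so no unencrypted copy of the data lingers.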

Database Logging - RDS

 

  • Engine log files available (Oracle, MSSQL, PostgreSQL, MySQL, MariaDB)
    • List log files: aws rds describe-db-log-files
    • Download log files: aws rds download-db-log-file-portion
  • Normal log retention in RDS up to 7 days (configurable per DB)
  • Logs can be published into CloudWatch Logs
    • you can perform real-time analysis of the log data
    • store the data in highly durable storage (retention period configurable / infinite)
    • From CloudWatch Logs you can export to S3
    • Must create a custom parameter group (can't modify default)

Database Logging - Aurora

 

  • Engine log files available (PostgreSQL, MySQL)
    • List log files: aws rds describe-db-log-files
    • Download log files: aws rds download-db-log-file-portion
  • Normal log retention in RDS up to 7 days (configurable per DB)
  • Logs can be published into CloudWatch Logs
    • you can perform real-time analysis of the log data
    • store the data in highly durable storage (retention period configurable / infinite)
    • From CloudWatch Logs you can export to S3
    • Not available for transaction logs

Database Logging - Redshift

 

  • Amazon Redshift logs information about connections and user activities in your database (for troubleshooting + audit)
    • Connection log - logs authentication attempts, and connections and disconnections.
    • User log - logs information about changes to database user definitions
    • User activity log - logs each query before it is run on the database.
  • The logs are stored in Amazon S3 buckets (must be enabled)
    • Set lifecycle policies accordingly
    • Ensure S3 bucket policies allow Redshift to write to the bucket
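As an added example (not from these notes), a small Python detector run over constructed Redshift connection-log records; the pipe-delimited column order it assumes is that of the connection log Redshift writes to S3:

```python
"""Scan Amazon Redshift connection-log records for bursts of failed authentication
(added example, not from the page). Assumes the pipe-delimited layout of the
connection log Redshift writes to S3, leading columns event | recordtime |
remotehost | remoteport | pid | dbname | username | authmethod | duration.
The sample records are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

FIELDS = ["event", "recordtime", "remotehost", "remoteport", "pid",
          "dbname", "username", "authmethod", "duration"]

# Constructed sample: one legitimate session plus four rapid failures for "admin".
SAMPLE_LOG = """\
authenticated          |Thu, 20 Jan 2022 08:00:01:000|10.0.1.5    |54120 |1001 |dev |analyst |password |0
authentication failure |Thu, 20 Jan 2022 08:02:10:000|203.0.113.9 |41001 |1002 |dev |admin   |password |0
authentication failure |Thu, 20 Jan 2022 08:02:12:000|203.0.113.9 |41002 |1003 |dev |admin   |password |0
authentication failure |Thu, 20 Jan 2022 08:02:15:000|203.0.113.9 |41003 |1004 |dev |admin   |password |0
authentication failure |Thu, 20 Jan 2022 08:02:17:000|203.0.113.9 |41004 |1005 |dev |admin   |password |0
authentication failure |Thu, 20 Jan 2022 09:30:00:000|10.0.1.5    |54130 |1006 |dev |analyst |password |0
disconnecting session  |Thu, 20 Jan 2022 08:15:00:000|10.0.1.5    |54120 |1001 |dev |analyst |password |900
"""

def parse_line(line):
    """Split one record into a dict; recordtime looks like "Thu, 20 Jan 2022 08:02:10:000"."""
    rec = dict(zip(FIELDS, (p.strip() for p in line.split("|"))))
    rec["ts"] = datetime.strptime(rec["recordtime"][:-4], "%a, %d %b %Y %H:%M:%S")
    return rec

def failed_auth_bursts(log_text, threshold=3, window=timedelta(minutes=5)):
    """Return {(username, remotehost): failures} for sources with at least
    `threshold` authentication failures inside any `window`-long span."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            if rec["event"] == "authentication failure":
                failures[(rec["username"], rec["remotehost"])].append(rec["ts"])
    alerts = {}
    for key, times in failures.items():
        times.sort()
        for i, start in enumerate(times):  # sliding window starting at each failure
            n = sum(1 for t in times[i:] if t - start <= window)
            if n >= threshold:
                alerts[key] = max(alerts.get(key, 0), n)
    return alerts

if __name__ == "__main__":
    for (user, host), n in failed_auth_bursts(SAMPLE_LOG).items():
        print(f"ALERT: {n} failed logins for {user} from {host} within 5 minutes")
```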

Database Logging - DynamoDB

 

  • All API calls to DynamoDB are logged into CloudTrail
  • From CloudTrail you can send to:
    • CloudWatch Logs
    • Amazon S3 buckets
  • There are no "log files" in DynamoDB, it's a proprietary technology
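An added example, not part of the original notes: triage of constructed CloudTrail records for DynamoDB, showing what the CloudTrail audit source gives you in place of engine log files.

```python
"""Triage DynamoDB activity from a CloudTrail log file (added example, not from
the page). DynamoDB has no engine log files, so CloudTrail records with
eventSource "dynamodb.amazonaws.com" are the audit source. SAMPLE_TRAIL is a
constructed file in CloudTrail's {"Records": [...]} layout."""
import json

SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2022-01-20T10:00:00Z", "eventSource": "dynamodb.amazonaws.com",
     "eventName": "PutItem", "sourceIPAddress": "10.0.2.7", "requestParameters": {"tableName": "orders"},
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/app/i-0abc"}},
    {"eventTime": "2022-01-20T10:05:00Z", "eventSource": "dynamodb.amazonaws.com",
     "eventName": "DeleteTable", "sourceIPAddress": "203.0.113.9", "requestParameters": {"tableName": "orders"},
     "userIdentity": {"type": "IAMUser", "userName": "contractor"}},
    {"eventTime": "2022-01-20T10:06:00Z", "eventSource": "dynamodb.amazonaws.com",
     "eventName": "UpdateContinuousBackups", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "userName": "contractor"},
     "requestParameters": {"tableName": "customers",
                           "pointInTimeRecoverySpecification": {"pointInTimeRecoveryEnabled": False}}},
    {"eventTime": "2022-01-20T10:07:00Z", "eventSource": "dynamodb.amazonaws.com",
     "eventName": "DescribeTable", "sourceIPAddress": "203.0.113.9", "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "userName": "contractor"}, "requestParameters": {"tableName": "customers"}},
    {"eventTime": "2022-01-20T10:08:00Z", "eventSource": "s3.amazonaws.com", "eventName": "DeleteBucket",
     "userIdentity": {"type": "IAMUser", "userName": "contractor"}, "requestParameters": {"bucketName": "exports"}},
]})

def principal(rec):
    """Human-readable caller: IAM user name, else the assumed-role ARN."""
    ident = rec.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn", "unknown")

def triage(trail_json):
    """Return (eventTime, principal, eventName, table, reason) for DynamoDB
    records that destroy data, weaken recoverability, or were denied."""
    findings = []
    for rec in json.loads(trail_json)["Records"]:
        if rec.get("eventSource") != "dynamodb.amazonaws.com":
            continue  # other services get their own detections
        name, params = rec["eventName"], rec.get("requestParameters") or {}
        pitr = params.get("pointInTimeRecoverySpecification", {})
        if rec.get("errorCode", "").startswith("AccessDenied"):
            reason = "denied call (probing or a mis-scoped IAM policy)"
        elif name in ("DeleteTable", "DeleteBackup"):
            reason = "destructive control-plane call"
        elif name == "UpdateContinuousBackups" and pitr.get("pointInTimeRecoveryEnabled") is False:
            reason = "point-in-time recovery disabled"
        else:
            continue
        findings.append((rec["eventTime"], principal(rec), name, params.get("tableName", "-"), reason))
    return findings
```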

Database Logging - DocumentDB

 

  • You can audit DocumentDB Events (must opt in)
  • Examples of logged events
    • successful and failed authentication attempts
    • dropping a collection in a database
    • creating an index
    • Data Definition Language (DDL)
  • Logs are sent into CloudWatch Logs
  • To opt in, set the audit_logs parameter to enabled (parameter group)

Database Logging - Other

 

  • ElastiCache: no logs to access yet
  • Neptune:
    • publish audit log data to a log group in Amazon CloudWatch Logs
    • Use the neptune_enable_audit_log parameter to enable (1) or disable (0)
  • QLDB:
    • No logs are accessible
  • DMS:
    • Can set task-logging level to LOGGER_SEVERITY_DETAILED_DEBUG (most detailed log)

AWS Secrets Manager

 

  • Newer service, meant for storing secrets
  • Capability to force rotation of secrets every X days
  • Uses a Lambda function
    • Generated by AWS for integrated DB types (Amazon RDS, Redshift, DocumentDB)
    • For other secrets, you need to code a Lambda function to generate the next secret
  • Secrets are encrypted using KMS
  • Mostly meant for RDS integration

Active Directory with RDS SQL Server

  • Use AWS Managed Microsoft AD
      - If you need to join your on-premises AD, create a trust relationship
  • Create an IAM role with AmazonRDSDirectoryServiceAccess to access AWS Managed Microsoft AD
  • Create and configure users and groups in the AWS managed Microsoft AD Directory
  • Create a new or modify an existing Amazon RDS instance with
      - A reference to the IAM role that has access to the AD
      - A reference to the AWS managed Microsoft AD
      - No need to stop the DB if you are modifying it
  • Ensure security groups allow communication between RDS and Microsoft AD
  • Log in to the DB using the Master User Credentials and create logins

 

 
