Encrypting Data at Rest in AWS RDS MySQL - Best Practices and Implementation Methods

Easy Steps to Encrypt Data at Rest in AWS RDS MySQL


Question

Your company is planning on the following architecture for their application:

- A set of EC2 Instances hosting the web part of the application.
- A relational database for the backend using the AWS RDS MySQL service.
- A Load balancer for distribution of traffic.

There is a requirement to ensure that all data hosted in the database service is encrypted at rest.

How can you achieve this requirement in the easiest manner? (Select 2)

Answers

Explanations


Answer - B and D.

The AWS Documentation mentions the following.

Option B is correct because, with RDS-encrypted resources, data is encrypted at rest, including the underlying storage for a database (DB) instance, its automated backups, read replicas, and snapshots.

This capability uses the open standard AES-256 encryption algorithm to encrypt your data, transparent to your database engine.

This encryption option protects against physical exfiltration of the storage media or access to your data that bypasses the DB instance.

Therefore, it is critical to complement encrypted resources with an effective encryption key management and database credential management practice to mitigate any unauthorized access.

Otherwise, compromised credentials or insufficiently protected keys might allow unauthorized users to access the plaintext data directly through the database engine.

Encryption key management is provided using the AWS KMS.

Option D is correct because Amazon RDS encrypts your databases using keys you manage with the AWS Key Management Service (KMS).

On a database instance running with Amazon RDS encryption, data stored at rest in the underlying storage is encrypted, as are its automated backups, read replicas, and snapshots.

RDS encryption uses the industry-standard AES-256 encryption algorithm to encrypt your data on the server that hosts your RDS instance.

Option C is incorrect because S3 server-side encryption is used for the encryption of objects in S3, not RDS storage.

Option A is incorrect since this can be easily achieved using the encryption at rest feature for AWS RDS.

The term 'rest' refers to data that is stored (as opposed to data in transit, i.e., data traveling to or from the database).

For more information on Encryption for AWS RDS, please refer to the below URLs:

- https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html
- https://aws.amazon.com/blogs/database/selecting-the-right-encryption-options-for-amazon-rds-and-amazon-aurora-database-engines/
- https://aws.amazon.com/rds/features/security/

To ensure that all data hosted in the database service is encrypted at rest in the easiest manner, two options can be used - encrypt the underlying EBS volumes for the database or use the encryption feature for RDS.

A. Encrypt the underlying EBS volumes for the database: This option involves encrypting the Elastic Block Store (EBS) volumes that are used to store the data for the RDS MySQL service. EBS encryption uses AWS-managed keys, and it's a simple process to enable encryption for an EBS volume. Once enabled, all data written to the volume is automatically encrypted. However, this option has some limitations. For instance, if you're using Multi-AZ deployment for your RDS instance, you'll need to ensure that the EBS volumes are encrypted for both the primary and secondary instances.

B. Use the Encryption feature for RDS: RDS offers the ability to encrypt data at rest using the Encryption feature. When enabled, RDS uses AES-256 encryption to encrypt the data before it's stored on disk, and a unique key is used to encrypt each database instance. This key is then encrypted using a master key that's managed by AWS Key Management Service (KMS). Enabling encryption for RDS is a simple process, and it can be done either when you're creating a new database instance or by modifying an existing one. This option is the recommended method to encrypt RDS data as it's easy to enable, and it provides strong security.

C. Use S3 server-side encryption: S3 server-side encryption is not a suitable option for encrypting data at rest in the RDS MySQL service. S3 is an object storage service that's used to store and retrieve files, and it's not designed for storing data in a relational database.

D. Use AWS Key Management Service: AWS Key Management Service (KMS) is a managed service that makes it easy to create and control the encryption keys used to encrypt data. KMS is used in conjunction with other AWS services, such as EBS and RDS, to provide encryption at rest. However, using KMS alone is not enough to encrypt RDS data. You'll also need to use one of the other options mentioned above, such as enabling encryption for RDS or encrypting the EBS volumes.

In conclusion, to achieve the requirement of encrypting all data hosted in the database service at rest, the easiest way is to use the encryption feature for RDS and encrypt the underlying EBS volumes for the database.
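The explanation above states that RDS encryption covers the instance storage, its automated backups, read replicas and snapshots, under a KMS key. The following added example (not from the page or from AWS) audits that posture from the shape of the `describe_db_instances` and `describe_db_snapshots` API responses; the sample responses, account ID and key ARNs are constructed, and the set of approved customer managed keys is an assumption the auditor supplies.

```python
"""Audit RDS encryption-at-rest posture (added example, not from the page).

The two samples below are constructed and mirror only the fields of the real
RDS DescribeDBInstances / DescribeDBSnapshots responses that matter here:
StorageEncrypted / Encrypted (bool) and KmsKeyId (key ARN). In production you
would pass the dicts returned by boto3's rds.describe_db_instances() and
rds.describe_db_snapshots() instead.
"""

# Assumption: the organisation's approved customer managed KMS keys for RDS.
APPROVED_KEYS = {"arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-CMK-ID"}

# Constructed sample: one compliant instance, one unencrypted, one on a key
# that is not in the approved set (e.g. the AWS-managed default key).
SAMPLE_INSTANCES = {"DBInstances": [
    {"DBInstanceIdentifier": "web-db-prod", "Engine": "mysql",
     "StorageEncrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-CMK-ID"},
    {"DBInstanceIdentifier": "web-db-staging", "Engine": "mysql",
     "StorageEncrypted": False},
    {"DBInstanceIdentifier": "web-db-replica", "Engine": "mysql",
     "StorageEncrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-OTHER-ID"},
]}

# Constructed sample: an encrypted automated snapshot and an unencrypted
# manual copy, which would expose plaintext if shared or restored elsewhere.
SAMPLE_SNAPSHOTS = {"DBSnapshots": [
    {"DBSnapshotIdentifier": "rds:web-db-prod-2024-01-01", "Encrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-CMK-ID"},
    {"DBSnapshotIdentifier": "manual-staging-copy", "Encrypted": False},
]}


def audit_instances(response, approved_keys):
    """Return (identifier, finding) pairs for instances that need attention."""
    findings = []
    for db in response["DBInstances"]:
        ident = db["DBInstanceIdentifier"]
        if not db.get("StorageEncrypted", False):
            findings.append((ident, "storage not encrypted at rest"))
        elif db.get("KmsKeyId") not in approved_keys:
            findings.append((ident, "encrypted with a key outside the approved set"))
    return findings


def audit_snapshots(response):
    """Return (identifier, finding) pairs for snapshots stored unencrypted."""
    return [(s["DBSnapshotIdentifier"], "snapshot not encrypted")
            for s in response["DBSnapshots"] if not s.get("Encrypted", False)]
```

An unencrypted instance cannot be flipped to encrypted in place; the findings tell you which instances and snapshots need to be migrated to an encrypted copy under an approved key.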