A client has decided to go for a MySQL RDS database on the AWS cloud based on its Scalability & High Availability features.
When he does so, what role does he play in making the database secure? (Select TWO.)
Click on the arrows to vote for the correct answer
A. B. C. D. E.Answers: A and E.
RDS is a managed service (Database As a Service) that allows the user to ease administrative tasks like Database software updates and Operating System patch updates.
Thus it helps the user concentrate more on the design/development of the database.
The instance class types(EC2 VM's) that support the database instance configuration are abstracted from the user since it is provided as a service.
All in all RDS offers automatic DB installation process, storage disk provisioning, Database upgrades, Security patches and backups of SQL Server databases.
In this scenario, we would like to know the tasks that a user can perform as a part of the Shared responsibility model for security in an RDS database.
Option A is CORRECT.
Security Groups can be used to control Ingress / Egress traffic flowing in & out of an RDS database instance.
A user can configure an Ingress security group rule for restricting traffic to certain IP addresses of an RDS port such as 3306.
Option B is incorrect.
Database instances are abstracted from the user & database software updates are managed by the service provider(AWS).
Option C is incorrect.
Since the instance types are abstracted from the user, the OS security patches are also controlled by the service provider (AWS).
Option D is incorrect.
Data encryption at rest is possible in an RDS instance.
However, using an EBS volume will not be possible since that will require much more control to the instance hosting the Database to mount an EBS volume.
RDS automatically manages storage disk provisioning.
It allows a user to select the storage type during database creation/modification time from the following types: General purpose SSD, Provisioned IOPS, Magnetic.
Option E is CORRECT.
Although RDS provides an automated backup facility, the user needs to enable it & plan for the window time where the backup process can be initiated.
RDS also provides the user with a facility to do manual backups (Point in time DB snapshots) which can be planned.
References:
https://aws.amazon.com/blogs/database/common-administrator-responsibilities-on-amazon-rds-and-aurora-for-postgresql-databases/ https://serverguy.com/comparison/pros-cons-rds-vs-ec2-mysql-aws/ https://www.percona.com/blog/2018/05/08/how-to-enable-amazon-rds-remote-access/As a client, you play a critical role in ensuring the security of your MySQL RDS database on the AWS cloud. The following are the two roles you play in making the database secure:
A. Restrict RDS access to the database by using a Security Group: A security group acts as a virtual firewall that controls inbound and outbound traffic for your RDS instance. You can use security groups to restrict access to your RDS instance by IP addresses, ports, and protocols. By using a security group, you can ensure that only authorized users have access to your RDS instance. Therefore, it is essential to configure a security group that only permits necessary traffic to and from the RDS instance.
D. Encrypt database data at rest by using EBS volume storage encryption: Encrypting data at rest helps prevent unauthorized access and makes it harder for attackers to steal data. Amazon RDS supports encryption of data at rest by using AWS Key Management Service (KMS) encryption keys. You can enable encryption when creating a new RDS instance or modify an existing instance to enable encryption. You can also use the Amazon RDS automated backup feature to encrypt backups of your RDS instance. EBS volume storage encryption provides an additional layer of encryption for data stored on the EBS volumes attached to the RDS instance.
Therefore, the client can make the database secure by restricting RDS access to the database by using a Security Group and encrypting database data at rest by using EBS volume storage encryption. It's worth noting that providing the most recent updates of database software and Operating System on the EC2 instance is the responsibility of AWS, and they ensure that the database software and Operating System are up-to-date with the latest security patches. The client should plan for backup and recovery strategies for data that may be lost, but it does not have any direct impact on the security of the database.