Skip to main content

Secure Your Amazon RDS Environment

Learning Objectives

After completing this unit, you’ll be able to:

  • Describe Amazon RDS security controls.
  • Differentiate between automatic backups and manual snapshots.

Just as you learned to keep your cat photos safe in Amazon S3, you want to ensure that all the information about those cat photos stored in your database stays safe as well. In this unit, you use familiar security tools to secure your data in Amazon RDS. 

Work with Amazon RDS in an Amazon Virtual Private Cloud

When you create a DB instance, you select the Amazon Virtual Private Cloud (VPC) that your databases will live in. Then, you select the subnets that you want the DB instances to be placed in. This is referred to as a DB subnet group. To create a DB subnet group, you specify:

  • The Availability Zones (AZs) that include the subnets you want to add
  • The subnets in that AZ where your DB instance are placed

The subnets you add should be private so they don’t have a route to the internet gateway. This ensures your DB instance, and the cat data inside of it, can only be reached by the cat photo app backend.

Access to the DB instance can be further restricted by using network access control lists (ACLs) and security groups. With these firewalls, you can control, at a granular level, what type of traffic you want to allow into your database. 

Using these controls provide layers of security for your infrastructure. It reinforces that only the backend instances have access to the database.
Architecture diagram of the cat photo application and RDS database that supports it inside of a VPC.

The diagram above is an architecture of your current cat photo application with the addition of Amazon RDS. The application is running on an Amazon EC2 instance that is located in a public subnet in the VPC (AZ 1, 10.0.0.0/24). The application is supported by a primary RDS instance that is running in a private subnet inside the VPC (AZ 1, 10.0.4.0/22).

Use AWS Identity and Access Management (IAM) Policies to Secure Amazon RDS

Network ACLs and security groups allow you to dictate the flow of traffic. If you want to restrict what actions and resources your employees can access, you can use IAM policies.

Back Up Your Data

You don’t want to lose any of that precious cat information. To take regular backups of your RDS instance, you can use: 

  • Automatic backups
  • Manual snapshots

Automatic Backups

Automated backups are turned on by default. This backs up your entire DB instance (not just individual databases on the instance), and your transaction logs. When you create your DB instance, you set a backup window that is the period of time that automatic backups occur. Typically, you want to set these windows during a time when your database experiences little activity because it can cause increased latency and downtime.

You can retain your automated backups between 0 and 35 days. You might ask yourself, “Why set automated backups for 0 days?” The 0 days setting actually disables automatic backups from happening. Keep in mind that if you set it to 0, it will also delete all existing automated backups. This is not ideal, as the benefit of having automated backups is having the ability to do point-in-time recovery.

Choosing an automated backup to restore to a particular point in time.

If you restore data from an automated backup, you have the ability to do point-in-time recovery. Point-in-time recovery creates a new DB instance using data restored from a specific point in time. This restoration method provides more granularity by restoring the full backup and rolling back transactions up to the specified time range.

Manual Snapshots

If you want to keep your automated backups longer than 35 days, use manual snapshots. Manual snapshots are similar to taking EBS snapshots, except you manage them in the RDS console. These are backups that you can initiate at any time, that exist until you delete them.

For example, to meet a compliance requirement that mandates you to keep database backups for a year, you would need to use manual snapshots to ensure those backups are retained for that period of time. 

Screenshot of console dashboard where you create a manual snapshot of your RDS database.If you restore data from a manual snapshot, it creates a new DB instance using the data from the snapshot.

Which Backup Option Should I Use?

The answer, almost always, is both. Automated backups are beneficial for the point-in-time recovery. Manual snapshots allow you to retain backups for longer than 35 days. 

Wrap Up

You’ve learned how to keep your Amazon RDS database secure, using an Amazon VPC, IAM policies, and taking backups. In the next unit, you learn more about Amazon RDS, including managing scale and high availability.

Resources

Share your Trailhead feedback over on Salesforce Help.

We'd love to hear about your experience with Trailhead - you can now access the new feedback form anytime from the Salesforce Help site.

Learn More Continue to Share Feedback