Introduction to AWS MySQL Security on RDS : Network

Mysql

Nowadays everything is getting digitalized and migration toward the cloud is at its peak. There is a high chance of data leaks if we don’t tighten the security of the Database servers. It is mandatory to secure the database by restricting access to Database. Although we have restricted the access. We need to monitor the activity of the user to prevent the unwanted usage of data.

Security will be split into three layers

Network-level security.OS level security.Database level security.

OS level security will be handled by the AWS team. Since It is managed by the AWS Team. So all the security patching, minor version upgrades of OS, and kernel tuning will be governed by the AWS infra team.

Network-level security and database-level security are owned by the end user.

Security OwnershipNetwork-level securityCloud UserOS level securityAWS TEAMDatabase level securityCloud User

Network-level security:

When looking at network-level security VPC (Virtual Private Cloud) will come into the picture.

VPC (Virtual Private Cloud) :

VPC is used to do IP level restrictions to the instance. We are defining the IP range for the VPC. The VPC will be isolated and dedicated to the AWS account. By default, AWS will create an instance with default VPC, but it has both private and public subnet groups. We can create our own VPC and configure the instance using that.

We can have different VPCs for staging and production as well. To have an isolated network for both an environment.

Under VPC, we need to take care subnet and the security group.

Subnet :

IP range will be vast, we won’t use all those IP ranges. Instead of that, we can organize our IP range. We can use different ranges for different projects and it will be isolated to each range. So it will be more secure. But we should make sure we are using a private subnet instead of a public one. To avoid public access to DB. Based on the subnet, the IP will be get allocated for the instance created.

Security group :

The security group is like a firewall, which controls the incoming and outing traffic of the instance. Instead of allowing all the IP and the port access to Database. We can restrict the connectivity using the security group. As a standard and secure process, it is always suggested to whitelist only the required port and IP instead of allowing all IPs. If an application is running in a box, we should whitelist only the application host IP with port 3306 (MySQL port) instead of all the ports and IP.

Network Security Flow :

In the upcoming blog, we will discuss more about the database level security and how to monitor user activity inside the database.