1
00:00:00,210 --> 00:00:02,190
Now, here is a quick lecture

2
00:00:02,190 --> 00:00:05,550
around RDS and Aurora Security.

3
00:00:05,550 --> 00:00:07,980
So you can encrypt the data at-rest

4
00:00:07,980 --> 00:00:10,140
on your RDS and Aurora database.

5
00:00:10,140 --> 00:00:13,710
That means that the data is encrypted on the volumes.

6
00:00:13,710 --> 00:00:16,080
For this, you will be having the master

7
00:00:16,080 --> 00:00:19,740
and any replica encrypted using KMS.

8
00:00:19,740 --> 00:00:22,020
And this is defined at launch time

9
00:00:22,020 --> 00:00:24,390
during the first launch of your database.

10
00:00:24,390 --> 00:00:27,390
If somehow you haven't encrypted the master database,

11
00:00:27,390 --> 00:00:28,650
the main database,

12
00:00:28,650 --> 00:00:31,650
then the read replicas cannot be encrypted.

13
00:00:31,650 --> 00:00:33,930
Also, if you wanted to encrypt

14
00:00:33,930 --> 00:00:36,750
an already existing unencrypted database,

15
00:00:36,750 --> 00:00:39,870
what you would have to do is to take a database snapshot

16
00:00:39,870 --> 00:00:41,760
from that unencrypted database,

17
00:00:41,760 --> 00:00:44,190
and then you restore that database snapshot

18
00:00:44,190 --> 00:00:46,020
as an encrypted database. Okay?

19
00:00:46,020 --> 00:00:50,280
So you have to go through a snapshot and restore operation.

20
00:00:50,280 --> 00:00:51,540
So this is for at-rest encryption.

21
00:00:51,540 --> 00:00:52,890
Then you have in-flight encryption.

22
00:00:52,890 --> 00:00:56,160
So between your clients and your database.

23
00:00:56,160 --> 00:00:59,400
So each database on RDS and Aurora

24
00:00:59,400 --> 00:01:02,460
is ready to have in-flight encryption by default.

25
00:01:02,460 --> 00:01:04,350
And so therefore, your clients must

26
00:01:04,350 --> 00:01:07,890
use the TLS root certificates from AWS.

27
00:01:07,890 --> 00:01:11,133
They're provided on the AWS website.

28
00:01:12,390 --> 00:01:14,760
In terms of database authentication,

29
00:01:14,760 --> 00:01:16,350
because this is RDS and Aurora,

30
00:01:16,350 --> 00:01:20,100
you can use the classic combo of username and password.

31
00:01:20,100 --> 00:01:21,960
But because it says AWS,

32
00:01:21,960 --> 00:01:25,590
you can also use IAM roles to connect to your database.

33
00:01:25,590 --> 00:01:26,970
That means that, for example,

34
00:01:26,970 --> 00:01:29,340
if your EC2 instances had IAM roles,

35
00:01:29,340 --> 00:01:31,980
they can authenticate to your database directly using that

36
00:01:31,980 --> 00:01:33,900
and not a username and a password,

37
00:01:33,900 --> 00:01:36,450
which can help you manage all the security

38
00:01:36,450 --> 00:01:39,030
within AWS and IAM.

39
00:01:39,030 --> 00:01:41,970
You can also control network access to your database

40
00:01:41,970 --> 00:01:43,500
using security groups.

41
00:01:43,500 --> 00:01:46,470
So you can allow or block specific ports,

42
00:01:46,470 --> 00:01:49,800
specific IPs, specific security groups.

43
00:01:49,800 --> 00:01:53,970
And then finally, RDS and Aurora do not have SSH access,

44
00:01:53,970 --> 00:01:55,920
of course, because they're managed services,

45
00:01:55,920 --> 00:02:00,920
except if you use the RDS Custom service from AWS.

46
00:02:01,560 --> 00:02:03,480
And if you wanted Audit Logs,

47
00:02:03,480 --> 00:02:05,550
so to know what queries are being made

48
00:02:05,550 --> 00:02:07,620
on RDS and Aurora over time

49
00:02:07,620 --> 00:02:09,240
and what's happening on databases,

50
00:02:09,240 --> 00:02:11,100
you can enable Audit Logs.

51
00:02:11,100 --> 00:02:13,680
And then they will be lost after a bit of time.

52
00:02:13,680 --> 00:02:15,390
Therefore, if you wanted to keep them

53
00:02:15,390 --> 00:02:17,640
for a long period of time,

54
00:02:17,640 --> 00:02:20,940
what you need to do is to send them into a dedicated service

55
00:02:20,940 --> 00:02:24,210
called the CloudWatch Logs service on AWS.

56
00:02:24,210 --> 00:02:25,590
So that's it for the short lecture

57
00:02:25,590 --> 00:02:29,520
on the summary options for security for RDS and Aurora.

58
00:02:29,520 --> 00:02:30,450
I hope you liked it.

59
00:02:30,450 --> 00:02:32,400
And I will see you in the next lecture.