Database Security & Encryption

Encryption & Access Control

Encryption at Rest

AES-256 Encryption

AWS KMS managed encryption keys

Transparent Encryption

No application changes required

Creation Time Only

Must enable during database creation

Complete Coverage

Data, backups, snapshots, logs, replicas

Encryption in Transit

SSL/TLS Certificates

AWS-provided certificates for all engines

Force SSL Connections

Parameter groups enforce SSL usage

Certificate Rotation

Automatic certificate management

Application Config

Client-side SSL configuration required

SSL Configuration by Engine

MySQL/MariaDB

Force SSL with parameter groups

  • require_secure_transport = 1
  • Connection: ?useSSL=true
  • Certificate validation optional

PostgreSQL

Enhanced SSL security options

  • rds.force_ssl = 1
  • Connection: ?sslmode=require
  • Certificate validation recommended

Oracle & SQL Server

Native SSL/TLS support

  • Built-in encryption options
  • Advanced security features
  • Enterprise-grade protection

IAM Authentication

No Database Passwords

Uses IAM credentials instead

Token-Based Auth

15-minute token lifetime

Centralized Management

Access control through IAM

Network Security

VPC Security Groups

Firewall rules at instance level

DB Subnet Groups

Multi-AZ private subnet placement

Private Subnets

Recommended for database isolation

Security Best Practices

Enable Encryption

At rest and in transit

Private Subnets

Database isolation

IAM Authentication

When possible

Secrets Manager

Credential management

Compliance

Compliance Programs

SOC, PCI DSS, HIPAA, FedRAMP

Audit Logging

Database-specific audit logs

CloudTrail Integration

API call logging and monitoring

Monitoring

Performance Insights

Query-level performance monitoring

Enhanced Monitoring

Real-time OS metrics

CloudWatch Integration

Custom dashboards and alerts

Security Exam Tips

  • Encryption must be enabled at database creation time
  • IAM authentication best for Lambda and low-connection applications
  • Use parameter groups to force SSL connections
  • Deploy databases in private subnets with proper security groups
  • Enable Performance Insights and Enhanced Monitoring for compliance