This document summarizes a webinar about MySQL security on AWS RDS given by Praveen GR and Madhavan GS from Mydbops. The webinar covered topics like network security using VPC, identity and access management using IAM users, enabling audit logs to CloudWatch, encryption using AWS KMS and S3 encryption, and using secrets from Secret Manager. Mydbops is an AWS partner that provides consulting, managed, and support services for open source databases like MySQL, MongoDB, and PostgreSQL.

1. Praveen GR & Madhavan GS
Associate database consultant,
Mydbops
September 25th, 2021
Mydbops 9th MyWebinar
MySQL Security on AWS RDS

2. Active Tech Speaker
Certified in MySQL 5.7 DBA
Associate database consultant
Working on MySQL cloud based and on-prem
Expertise on MySQL cluster and load balancer
About Praveen GR

3. Interested in Databases
Cloud database
Active Learner
Certified in MySQL 5.7
About Madhavan GS

4. Services on top open source databases
Founded in 2016
50 Member team
Assisted over 500+ Customers
AWS Partner and a PCI Certified Organisation
About Mydbops

5. Consulting
Services
Managed
Services
Focuses on Top Opensource database MySQL,
MongoDB and PostgreSQL
Mydbops Services

6. 500 + Clients In 5 Yrs. of Operations
Our Clients

7. Why security?

8. Security
1. Attack
2. Data breaching
3. Unwanted access
4. File system leakage
5. Defined credentials
6. Protect backup/snapshot

9. Agenda
1. Network security.
2. IAM user.
3. Audit log to cloud watch.
4. AWS KMS Encryption.
5. Secret Manager.
6. S3 Encryption.

10. Network security
VPC (Virtual Private Cloud)

11. VPC (Virtual Private Cloud)
Network security
Subnet
Private access
Security group

12. VPC (Virtual Private Cloud)
1. VPC
IP restriction to connectivity.
2. Subnet
The organisation of the IP range.
3. Security Group
Inbound and outbound rule.

13. VPC (Virtual Private Cloud)
VPC configuration

14. Identity and Access Management
(IAM)

15. Identity and Access Management (IAM)
User for login both console and DB servers.
Roles
Multiple users in a group.
Password policy.
Programmatic access.

16. Identity and Access Management (IAM)
User Creation

17. Identity and Access Management (IAM)

18. Identity and Access Management (IAM)
User ARN (Amazon Resource Name)
Each individual has their own ARN, which will be unique among the
account.
Eg : arn:aws:iam::066******07680:user/Praveen
arn:partition:service:region:account:resource
service identifies the AWS product. IAM resources always use iam.
region identifies the Region of the resource. For IAM resources, this is always
kept blank.
account specifies the AWS account ID with no hyphens or the alias for the
AWS account.
the resource identifies the specific resource by name.

19. Login with IAM user to DB
Prerequisite :
Enable IAM authentication in the server.
IAM users should have rds-db:connect policy.
The policy should attach to EC2 roles as well.
CLI should be configured in the host box.

20. Login with IAM user to DB
Step 1: User creation in MySQL
Step 2: Provide required access to DB servers.
Step 3: Create an authentication token (valid for 15 minutes )

21. Login with IAM user to DB
Step 4 : Login using the token

22. Audit log to cloudwatch

23. Audit log in RDS
1. Logging the server login details.
2. Only for the required user.
3. Only for the required query type.
Note : MySQL version > 5.7 and above 8.0.25 in MySQL 8

24. Enable in option group
1. Create option Group.
2. Enabling audit plugin in option Group.
3. Applying option group to instance.
Note : No downtime is required.

25. Audit options
1. SERVER_AUDIT_EVENTS - CONNECT, QUERY, QUERY_DDL,
QUERY_DML, QUERY_DCL, QUERY_DML_NO_SELECT
2. SERVER_AUDIT_EXCL_USERS
3. SERVER_AUDIT_FILE_ROTATE_SIZE
4. SERVER_AUDIT_FILE_ROTATIONS
5. SERVER_AUDIT_INCL_USERS
6. SERVER_AUDIT_LOGGING

26. Enabling cloudwatch log exporter
1. RDS will maintain only 1 day of log.
2. Cloud watch log exporter to store and view in GUI
3. Cloud watch log exporter supports error, audit, general and slow log
for RDS.
4. Retention is adjustable. (max of 10 years)

27. Enabling cloudwatch exporter
1. Enable by modifying the instance
2. Access it from configuration option

28. Enabling cloudwatch exporter
3. sample logs

29. Enabling cloudwatch exporter
4. Log retention under log group

30. AWS KMS Encryption

31. AWS KMS Encryption
1. Protect your data using cryptographic keys.
2. Create and manage cryptographic keys.
3. Uses the key specific region or other region or another AWS account.
4. Disk level encryption.

32. Features KMS Encryption
1. Symmetric and Asymmetric keys.
2. KMS Key Rotation.
3. Custom Managed Keys and AWS Managed Keys.

33. Symmetric and Asymmetric algorithm.
1. Symmetric algorithm uses secret key for both encryption as well decryption.
- AES comes with 128, 192, or 256-bit keys in Galois/Counter Mode (GCM)
2. Asymmetric algorithm uses public key for encryption and private key for decryption.
- encrypt based on Elliptic Curve Cryptography (ECC) algorithm.

34. Encryption and Decryption Flow
Ciphertext is typically the output of an encryption algorithm operating
on plaintext. Ciphertext is unreadable without knowledge of the algorithm
and a secret key.

35. KMS Key Rotation
1. KMS give key rotation policy
2. Older key will be disabled once rotation and present in Console to decrypt older data.
3. Key rotation occurs every year in custom Managed keys
4. Key rotation occurs 3 years in AWS Managed keys

36. Create KMS key

37. Create KMS key

38. Create KMS key

39. Hands on
Creating instance with KMS

40. Limitation
1. Encrypted data will have encrypted backup
2 . Encrypted master can create encrypted replica only.
3. Encrypted to Non encrypted replication can't be configured.
4. Encrypted data can be view only view via KMS key after decryption.
5. It is a paid.

41. Secret Manager

42. Secret Manager
1. It protect secrets credentials of DB, application and company resources.
2. We can rotate credentials,manage and retrieve credentials.
3. We can encrypt the secret credentials.
4. Rotation secret values
5. AWS version should greater than 1.15.8 to perform CLI operation
cmd : aws --version to check version

43. How to create secret Manager

44. How to create secret Manager

45. Get the secret key from console

46. Get the secret key from console

47. Get the secret key from console

48. AWS CLI to describe credentials

49. AWS CLI to get-secret-value credentials

50. Limitation
1. It supports upto file size of 20 KB.
2. GetSecretValue supports upto 1500 API per second.
3. It is a paid. $0.40 per secret per month$0.05 per 10,000 API calls

51. S3 Encryption

52. S3 Encryption
1. Protect the data in the bucket using Encryption keys.
2. Server-Side Encryption (SSE-S3/ SSE-C)
3. Client-Side Encryption (server-side / client-side master key)

53. Server-Side Encryption
1. SSE-S3 - Encrypted with a unique key. Unique will encrypt the key with
root key. Root key will regularly rotate. Key will be managed by AWS.
2. SSE-KMS - same as SSE-S3 but provides an audit trail.
3. SSE-C - Key are managed by customer and s3 manages the encryption.
Note : If the key is lost from customer end. Data is lost.

54. Client-Side Encryption
1. Server-side master key
- customer need to provide key and store in AWS Managed server.
- Encryption will be managed by AWS.
2. client-side master key
- customer need to provide key for root key
- one-time-use symmetric key (data key) for each object
- Amazon S3 saves the encrypted data key as object metadata

55. Create bucket with encryption

56. S3 Encryption via CLI

57. S3 Encryption validation

58. Reach Us : Info@mydbops.com
Thank You