Controlling Access to RDS Performance Insights



This section of the AWS Certified Solutions Architect - Professional learning path introduces you to the AWS database services relevant to the SAP-C02 exam. We then understand the service options available and learn how to select and apply AWS database services to meet specific design scenarios relevant to the AWS Certified Solutions Architect - Professional exam. 


Learning Objectives

  • Understand the various database services that can be used when building cloud solutions on AWS
  • Learn how to build databases using Amazon RDS, DynamoDB, Redshift, DocumentDB, Keyspaces, and QLDB
  • Learn how to create ElastiCache and Neptune clusters
  • Understand which AWS database service to choose based on your requirements
  • Discover how to use automation to deploy databases in AWS
  • Learn about data lakes and how to build a data lake in AWS

Accessing Performance Insights requires appropriate permissions from the AWS Identity and Access Management service, IAM. If you're new to IAM, the default permission for services and features inside AWS is to have no permissions at all. It's an implicit deny. Permission must be explicitly granted.

To learn about IAM, see the Cloud Academy course "What is Identity and Access Management?"

Inside IAM, there are two options for granting access to Performance Insights: an AWS managed policy or a custom policy. The policy must be attached to the appropriate user, group, or role before Performance Insights can be used.

The IAM managed policy AmazonRDSFullAccess includes access to Performance Insights. Using this policy has several benefits.

Created by AWS, it includes all of the permissions required to use Performance Insights and works without modification. Once attached to a user, group, or role, the feature will be available immediately. Also, being a managed policy, if new features are added, permissions will be added automatically.

A note of caution. Attaching the AmazonRDSFullAccess policy gives the holder unrestricted access to RDS in an account. Any policy that gives full access to a service violates the principle of least privilege. If you're new to the principles of security, least privilege is where users are limited to having only the permissions required to perform their job functions. To meet the principle of least privilege, create a custom IAM policy with only those permissions required to get work done.

A custom IAM policy can be created to give access to Performance Insights or an existing policy can be edited to include permissions. The action is to allow pi:* and, in this example, Performance Insights is available for all RDS databases.

To make this policy explicitly prevent access to Performance Insights, change the effect to Deny. As a general rule, avoid deny policies as they can be hard to troubleshoot. The resource statement defines which RDS database will be affected by this policy.

An ARN, or Amazon Resource Name, uniquely identifies an AWS resource. What's interesting with Performance Insights is that the ARN in the resource field names a metrics resource, not the database instance itself.

Breaking down the ARN, it includes a partition name, the service, the region, the account number, and a resource. For standard AWS regions, the partition is aws. The service identifies the AWS product; for Performance Insights, this is pi. The region, in this example, uses an asterisk to include all of them. The account is the AWS account ID number. An asterisk in the account field matches any account, but that does not mean every account: it's not possible to give access to resources outside of your own account. In this case, the asterisk means the policy is portable across the accounts within an organization.

The resource for Performance Insights is metrics. Then, it's followed by the service type, rds. If desired, it can be limited to a specific RDS database using an identifier. This example uses an asterisk to indicate any database. However, if there was a need to restrict this policy to a specific database, replace the final asterisk with a database identifier.

RDS instance identifiers can be found using the RDS console or using the Command Line Interface. To get a list of RDS instance identifiers with the AWS Command Line Interface, use the option describe-db-instances and query for the DBInstanceIdentifier.

The --query option limits the output to the fields you ask for. The asterisk iterates over the list of database instances, and the trailing qualifier returns the instance identifier for each one.
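Putting the last few paragraphs together as an added example, not code from the course: the policy document with pi:* scoped to metrics/rds/<identifier>, the ARN breakdown, an IAM-style wildcard match, and the same projection as --query 'DBInstances[*].DBInstanceIdentifier' applied to a constructed describe-db-instances response. The instance names are made up; nothing here calls AWS.

```python
import re

# Constructed sample of an `aws rds describe-db-instances` response (not real output).
SAMPLE_DESCRIBE = {"DBInstances": [
    {"DBInstanceIdentifier": "orders-prod", "Engine": "postgres"},
    {"DBInstanceIdentifier": "reporting-replica", "Engine": "postgres"},
]}


def instance_identifiers(describe_response):
    """Same projection as --query 'DBInstances[*].DBInstanceIdentifier'."""
    return [db["DBInstanceIdentifier"] for db in describe_response["DBInstances"]]


def pi_policy(db_identifiers=None, effect="Allow", account="*"):
    """Policy from the lesson: pi:* on metrics/rds/<identifier>; no identifiers keeps the trailing '*'."""
    ids = db_identifiers or ["*"]
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": effect,
        "Action": "pi:*",
        "Resource": [f"arn:aws:pi:*:{account}:metrics/rds/{db}" for db in ids],
    }]}


def parse_pi_arn(arn):
    """Split arn:partition:service:region:account:resource; resource is metrics/<service type>/<identifier>."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn}")
    _, partition, service, region, account, resource = parts
    rtype, svc_type, ident = resource.split("/", 2)
    return {"partition": partition, "service": service, "region": region,
            "account": account, "resource_type": rtype, "service_type": svc_type,
            "identifier": ident}


def arn_matches(pattern, arn):
    """IAM-style wildcard match: '*' spans any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, arn) is not None


def policy_covers(policy, arn):
    """True when an Allow statement names a matching resource and no Deny statement does."""
    allowed = denied = False
    for stmt in policy["Statement"]:
        if any(arn_matches(p, arn) for p in stmt["Resource"]):
            allowed |= stmt["Effect"] == "Allow"
            denied |= stmt["Effect"] == "Deny"
    return allowed and not denied
```

Feeding instance_identifiers() into pi_policy() yields the least-privilege form the lesson recommends: one resource ARN per database instead of the trailing asterisk.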

When creating IAM policies, follow the standard security practice of least privilege. Grant only those permissions required to perform a task.

Start with a minimum set of permissions and grant additional ones as needed. It takes more effort but is more secure than starting with lenient permissions and attempting to tighten them later. There are human elements to this as well.

Starting with limited permissions minimizes the risk of an accidental security breach. The easiest way to clean up a mess is to prevent it from being created.

Also, taking permissions away, even if unneeded, can feel like a punishment. It takes time and effort to create effective permissions. It's important to find the appropriate balance between security and usability. And the data you protect might be your own.

I've covered what Performance Insights is, how it is calculated, what it means, and how to control access to the data it creates. However, how much does it cost to use? In the next section, I'll cover the costs associated with using Performance Insights.

About the Author

Danny has over 20 years of IT experience as a software developer, cloud engineer, and technical trainer. After attending a conference on cloud computing in 2009, he knew he wanted to build his career around what was still a very new, emerging technology at the time — and share this transformational knowledge with others. He has spoken to IT professional audiences at local, regional, and national user groups and conferences. He has delivered in-person classroom and virtual training, interactive webinars, and authored video training courses covering many different technologies, including Amazon Web Services. He currently has six active AWS certifications, including certifications at the Professional and Specialty level.