Controlling Access to RDS Performance Insights

This course covers the core learning objective needed to meet the requirements of the 'Designing Database solutions in AWS - Level 3' skill.

Learning Objectives:

  • Analyze target AWS database platforms when performing a migration
  • Create and deploy an enterprise-wide, scalable RDS database solution that meets and exceeds workload performance expectations
  • Create an AWS database solution that withstands AWS global infrastructure outages with minimal data loss

Accessing Performance Insights requires appropriate permissions from the AWS Identity and Access Management service, IAM. If you're new to IAM, the default for every service and feature inside AWS is no permissions at all: an implicit deny. Permission must be explicitly granted before a user, group, or role can do anything.

To learn about IAM, see the Cloud Academy course "What is Identity and Access Management?"

Inside IAM, there are two options for granting access to Performance Insights: an AWS managed policy or a custom policy. Whichever you choose, the policy must be attached to the appropriate user, group, or role before Performance Insights can be used.

The IAM managed policy AmazonRDSFullAccess includes access to Performance Insights. Using this policy has several benefits.

Created and maintained by AWS, it includes all of the permissions required to use Performance Insights and works without modification. Once attached to a user, group, or role, the feature is available immediately. And because it is a managed policy, when AWS adds new RDS or Performance Insights features, AWS updates the policy with the permissions they need.

A note of caution. Attaching the AmazonRDSFullAccess policy gives the holder full control over every RDS resource in the account, including creating, modifying, and deleting databases, which is far more than is needed to read Performance Insights data. Any policy that gives full access to a service violates the principle of least privilege. If you're new to the principles of security, least privilege means users are limited to only the permissions required to perform their job functions. To meet the principle of least privilege, create a custom IAM policy with only those permissions required to get work done.

A custom IAM policy can be created to give access to Performance Insights, or an existing policy can be edited to include the permissions. In the example shown, the statement has an Effect of Allow, an Action of pi:* (every Performance Insights API action), and a Resource that covers all RDS databases.

To make this policy explicitly prevent access to Performance Insights, change the Effect to Deny. An explicit Deny overrides any Allow granted elsewhere, so as a general rule, avoid Deny statements unless you need that override; they can be hard to troubleshoot because the user sees a permission error even though an Allow appears to exist. The Resource element defines which RDS databases the statement applies to.

An ARN, or Amazon Resource Name, uniquely identifies an AWS resource. What's interesting with Performance Insights is that the Resource element does not name the RDS database's own ARN (the arn:aws:rds:... ARN). Instead, it names a Performance Insights metrics resource that is associated with the database.

Breaking down the ARN, it includes a partition, the service, the region, the account number, and a resource. For standard AWS regions, the partition is aws. The service identifies the AWS product; for Performance Insights, this is pi. The region, in this example, uses an asterisk to include all regions. The account is the 12-digit AWS account ID. Using an asterisk here means the statement does not pin the policy to one account. This does not mean it grants access in every account: an identity-based policy only ever applies to the principal it is attached to, and it cannot by itself grant access to resources in another account. In practice, the asterisk means the same policy document can be deployed unchanged across the accounts in an organization.

The resource for Performance Insights is metrics, followed by the service type, rds, and finally the database. This example uses an asterisk for the database to indicate any RDS instance. To restrict the policy to a specific instance, replace the final asterisk with that instance's resource identifier. Note that Performance Insights identifies an instance by its immutable resource ID, the DbiResourceId (it begins with db-), not by the human-readable DB instance identifier you see in the console. If you put the DB instance identifier in the ARN, the Resource simply never matches and the policy grants nothing.

RDS instance identifiers and their resource IDs can be found using the RDS console or the AWS Command Line Interface. To list them with the CLI, use the describe-db-instances command and add a --query option that selects DBInstanceIdentifier and DbiResourceId.

The --query option is a JMESPath expression applied to the command's output. DBInstances[*] iterates over the list of database instances, and the field name that follows it projects the selected attribute from each one, so the output is reduced to just the identifiers you need.
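As an added example (this is not code from the course, nor an AWS sample), the Python below ties the two steps above together: it extracts the identifier and resource ID pairs from a describe-db-instances response the way the --query option does, builds a least-privilege Performance Insights policy scoped to a chosen instance, and then evaluates sample Performance Insights ARNs against that policy using IAM's wildcard rules (implicit deny by default, explicit Deny winning over Allow). The describe-db-instances response and the db- resource IDs are constructed sample data, and all function names are my own.

```python
"""Least-privilege Performance Insights policy: build it, then check what it covers.

Added example, not part of the course or of any AWS SDK. The sample response and
the db-EXAMPLE... resource IDs are constructed; nothing here talks to AWS.
"""
import json
import re

# Constructed stand-in for the JSON that `aws rds describe-db-instances` prints
# before --query filters it. Only the fields used below are included.
SAMPLE_DESCRIBE_DB_INSTANCES = {
    "DBInstances": [
        {"DBInstanceIdentifier": "orders-prod", "DbiResourceId": "db-EXAMPLE1111111111111111111"},
        {"DBInstanceIdentifier": "orders-staging", "DbiResourceId": "db-EXAMPLE2222222222222222222"},
        {"DBInstanceIdentifier": "analytics", "DbiResourceId": "db-EXAMPLE3333333333333333333"},
    ]
}


def instance_resource_ids(response):
    """Same projection as --query 'DBInstances[*].[DBInstanceIdentifier,DbiResourceId]':
    walk the DBInstances list and keep the two fields, keyed by the readable name."""
    return {db["DBInstanceIdentifier"]: db["DbiResourceId"] for db in response["DBInstances"]}


def pi_arn(resource_id, region="*", account="*"):
    """Performance Insights ARN: arn:aws:pi:<region>:<account>:metrics/rds/<DbiResourceId>."""
    return f"arn:aws:pi:{region}:{account}:metrics/rds/{resource_id}"


def pi_policy(resource_ids, actions=("pi:DescribeDimensionKeys", "pi:GetResourceMetrics"), effect="Allow"):
    """Policy document granting only the listed pi actions on the listed instances.
    Pass ["*"] and ("pi:*",) to reproduce the course's broad example."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": effect,
            "Action": list(actions),
            "Resource": [pi_arn(rid) for rid in resource_ids],
        }],
    }


def iam_wildcard_match(pattern, value, ignore_case=False):
    """IAM pattern matching: '*' spans any run of characters, '?' exactly one,
    everything else is literal. Translated by hand because fnmatch also honours
    [...] character classes, which IAM does not have."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def policy_decision(policy, action, arn):
    """Simplified evaluation of one identity policy for one request.
    Starts at implicit deny; a matching Allow grants; a matching Deny always wins."""
    decision = "implicit deny"
    for statement in policy["Statement"]:
        actions = statement["Action"]
        resources = statement["Resource"]
        actions = actions if isinstance(actions, list) else [actions]
        resources = resources if isinstance(resources, list) else [resources]
        # Action names are case-insensitive in IAM; ARNs are matched as written.
        hit = (any(iam_wildcard_match(a, action, ignore_case=True) for a in actions)
               and any(iam_wildcard_match(r, arn) for r in resources))
        if not hit:
            continue
        if statement["Effect"] == "Deny":
            return "explicit deny"
        decision = "allow"
    return decision


if __name__ == "__main__":
    ids = instance_resource_ids(SAMPLE_DESCRIBE_DB_INSTANCES)
    policy = pi_policy([ids["orders-prod"]])
    print(json.dumps(policy, indent=2))

    prod = pi_arn(ids["orders-prod"], "us-east-1", "123456789012")
    other = pi_arn(ids["analytics"], "us-east-1", "123456789012")
    wrong = pi_arn("orders-prod", "us-east-1", "123456789012")  # readable name, not the db- ID
    for label, arn in (("prod", prod), ("other instance", other), ("wrong identifier", wrong)):
        print(f"{label}: {policy_decision(policy, 'pi:GetResourceMetrics', arn)}")
```

On a real account the pairs that `instance_resource_ids` extracts come from `aws rds describe-db-instances --query 'DBInstances[*].[DBInstanceIdentifier,DbiResourceId]' --output table`; paste the db- value, never the readable name, into the final ARN segment. The evaluator is deliberately limited to one identity policy with no conditions or permission boundaries, which is enough to show why an explicit Deny statement is hard to troubleshoot: once it matches, no Allow anywhere in the policy can rescue the request.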

When creating IAM policies, follow the standard security practice of least privilege. Grant only those permissions required to perform a task.

Start with a minimum set of permissions and grant additional ones as needed. It takes more effort but is more secure than starting with lenient permissions and attempting to tighten them later. There are human elements to this as well.

Starting with limited permissions minimizes the risk of an accidental security breach. The easiest way to clean up a mess is to prevent it being created.

Also, taking permissions away, even unneeded ones, can feel like a punishment to the people who had them. It takes time and effort to create effective permissions, and it's important to find the appropriate balance between security and usability. Remember that the data you protect might be your own.

I've covered what Performance Insights is, how it is calculated, what it means, and how to control access to the data it creates. However, how much does it cost to use? In the next section, I'll cover the costs associated with using Performance Insights.

About the Author

Stephen is the AWS Certification Specialist at Cloud Academy. His content focuses heavily on topics related to certification on Amazon Web Services technologies. He loves teaching and believes that there are no shortcuts to certification but it is possible to find the right path and course of study.

Stephen has worked in IT for over 25 years in roles ranging from tech support to systems engineering. At one point, he taught computer network technology at a community college in Washington state.

Before coming to Cloud Academy, Stephen worked as a trainer and curriculum developer at AWS and brings a wealth of knowledge and experience in cloud technologies.

In his spare time, Stephen enjoys reading, sudoku, gaming, and modern square dancing.