Hello and welcome to this lecture which will discuss some of the methods used to control access and authentication to RDS databases.  

When working with Amazon RDS there are a number of different ways that you can authenticate yourself to your database: via IAM database authentication, just using password authentication, or by using Kerberos authentication.

When working with the MySQL, PostgresQL and Aurora database engines in RDS you can authenticate to the database using IAM database authentication, which uses an authentication token instead of a password to connect your database resource.

IAM database authentication is not the default option when creating your MySQL or PostgresQL database.  However, you can select it during the RDS database instance creation as seen here:

If you already have your database running then you can still enable it, either via the AWS Management Console, or the AWS CLI.  If using the AWS Management Console then you simply need to select your database from within RDS, and select the ‘Modify’ option, and then make the necessary changes before applying the changes.  

If using the AWS CLI, you can use the modify-db-instance command in conjunction with --enable-iam-database-authentication

One point to note is that even if you have IAM database authentication enabled, you can still use the pre-configured password as well.

The authentication token that is generated only lasts for 15 minutes before a new one is generated. The benefit of the access token is that you do not need to store any credentials within RDS as the token is managed by IAM, and so it is totally external to RDS.

As a result, you can centralize your access control within IAM instead of across multiple different database instances that you might be running, each with its own set of credentials.  And for those that are concerned with the credentials being sent over the network, they are in fact encrypted using SSL/TLS for additional protection.

IAM Database Authentication is not available on ALL versions of the DB engine types, so be sure to check your version is compatible before you architect your security model with your AWS databases.  

When using IAM Authentication, you need to ensure that the correct permissions are applied to the user through the methods discussed in the previous lecture.  

Next, we have the option of using Password Authentication, which is supported by all database engines and is the default method of authenticating to your database instances.  With password authentication, it’s your database instance that manages the security of your user accounts which can easily be created using SQL statements such as CREATE USER and IDENTIFIED BY.  The following MySQL Statement would create a new user called stuart and generate a password of mypassword.

Using Password Authentication has the added benefit of being able to integrate with another AWS Service called Secrets Manager.  For those unfamiliar with AWS Secrets Manager, it is a great service to enhance your security posture by allowing you to remove any hard-coded secrets within your application and replacing them with a simple API call to secrets manager which then services the request with the relevant secret. As a result, AWS Secrets Manager acts as a single source of truth for all your secrets across all of your applications.

AWS Secrets Manager enables the ease of rotating secrets and therefore enhancing the security of that secret. An example of this could be your database credentials. Other secret types can also have automatic rotation enabled through the use of lambda functions, for example, API keys. 

Being an enhanced security service, it also offers integration with other key AWS services such as KMS, the Key Management Service which is used to encrypt your secrets within AWS Secrets Manager. 

The final option includes the use of Kerberos with Microsoft active directory and is supported by MySQL, PostgresQL, Aurora PostgresQL, and Oracle DB engines.

Kerberos is not referenced much when talking about AWS so you might be unfamiliar with what it is.  Kerberos is a network authentication technology that is used by Microsoft and is often used for single-sign on (SSO) implementations and authenticates users to network resources, and in this case, to Amazon RDS.  It uses a symmetric key cryptography, which means a single key is used to both encrypt and also decrypt data which prevents the need to send passwords over the network.

Utilizing SSO features and utilizing credentials stored in Active Directory, you can authenticate through AD before accessing RDS.  Or, you could also authenticate by using credentials that are stored in AWS Directory Service for MS AD.