1. Home
  2. Training Library
  3. Amazon Web Services
  4. Courses
  5. Understanding AWS Database Authentication & Access Controls

Authenticating to Amazon RDS

Contents

keyboard_tab
Course Introduction
1
Introduction
PREVIEW2m 10s
Course Conclusion
6
Summary
4m 58s

The course is part of these learning paths

Working with AWS Databases
course-steps
18
certification
3
lab-steps
10
AWS Security, Identity & Compliance
course-steps
23
certification
2
lab-steps
7
Start course
Overview
Difficulty
Intermediate
Duration
24m
Students
252
Ratings
5/5
starstarstarstarstar
Description

This course covers the different options available to you to enable you to authenticate to your Amazon RDS and Amazon DynamoDB Databases. You'll learn about the difference between authentication and authorization, as well as Identity and Access Management, and how to authenticate to Amazon RDS, and DynamoDB.

If you have any feedback relating to this course, feel free to contact us at support@cloudacademy.com.

Learning Objectives

  • Define the differences between authentication and authorization  
  • Understand the key components of IAM used for access control and authentication
  • Learn the authentication methods used to access RDS databases across different DB engines
  • Learn the authentication controls of Amazon DynamoDB

Intended Audience

This course has been designed to assist those who are responsible for securing, designing, and operating AWS Database solutions. It is also ideal for anyone who is looking to take the AWS Certified Database - Specialty exam.

Prerequisites

To get the most out of this course, you should have a basic awareness of AWS database services, in addition to AWS Identity & Access Management.

Transcript

Hello and welcome to this lecture which will discuss some of the methods used to control access and authentication to RDS databases.  

When working with Amazon RDS there are a number of different ways that you can authenticate yourself to your database: via IAM database authentication, just using password authentication, or by using Kerberos authentication.

When working with the MySQL, PostgresQL and Aurora database engines in RDS you can authenticate to the database using IAM database authentication, which uses an authentication token instead of a password to connect your database resource.

IAM database authentication is not the default option when creating your MySQL or PostgresQL database.  However, you can select it during the RDS database instance creation as seen here:

If you already have your database running then you can still enable it, either via the AWS Management Console, or the AWS CLI.  If using the AWS Management Console then you simply need to select your database from within RDS, and select the ‘Modify’ option, and then make the necessary changes before applying the changes.  

If using the AWS CLI, you can use the modify-db-instance command in conjunction with --enable-iam-database-authentication

One point to note is that even if you have IAM database authentication enabled, you can still use the pre-configured password as well.

The authentication token that is generated only lasts for 15 minutes before a new one is generated. The benefit of the access token is that you do not need to store any credentials within RDS as the token is managed by IAM, and so it is totally external to RDS.

As a result, you can centralize your access control within IAM instead of across multiple different database instances that you might be running, each with its own set of credentials.  And for those that are concerned with the credentials being sent over the network, they are in fact encrypted using SSL/TLS for additional protection.

IAM Database Authentication is not available on ALL versions of the DB engine types, so be sure to check your version is compatible before you architect your security model with your AWS databases.  

When using IAM Authentication, you need to ensure that the correct permissions are applied to the user through the methods discussed in the previous lecture.  

Next, we have the option of using Password Authentication, which is supported by all database engines and is the default method of authenticating to your database instances.  With password authentication, it’s your database instance that manages the security of your user accounts which can easily be created using SQL statements such as CREATE USER and IDENTIFIED BY.  The following MySQL Statement would create a new user called stuart and generate a password of mypassword.

Using Password Authentication has the added benefit of being able to integrate with another AWS Service called Secrets Manager.  For those unfamiliar with AWS Secrets Manager, it is a great service to enhance your security posture by allowing you to remove any hard-coded secrets within your application and replacing them with a simple API call to secrets manager which then services the request with the relevant secret. As a result, AWS Secrets Manager acts as a single source of truth for all your secrets across all of your applications.

AWS Secrets Manager enables the ease of rotating secrets and therefore enhancing the security of that secret. An example of this could be your database credentials. Other secret types can also have automatic rotation enabled through the use of lambda functions, for example, API keys. 

Being an enhanced security service, it also offers integration with other key AWS services such as KMS, the Key Management Service which is used to encrypt your secrets within AWS Secrets Manager. 

The final option includes the use of Kerberos with Microsoft active directory and is supported by MySQL, PostgresQL, Aurora PostgresQL, and Oracle DB engines.

Kerberos is not referenced much when talking about AWS so you might be unfamiliar with what it is.  Kerberos is a network authentication technology that is used by Microsoft and is often used for single-sign on (SSO) implementations and authenticates users to network resources, and in this case, to Amazon RDS.  It uses a symmetric key cryptography, which means a single key is used to both encrypt and also decrypt data which prevents the need to send passwords over the network.

Utilizing SSO features and utilizing credentials stored in Active Directory, you can authenticate through AD before accessing RDS.  Or, you could also authenticate by using credentials that are stored in AWS Directory Service for MS AD.

About the Author
Avatar
Stuart Scott
AWS Content Director
Students
144268
Labs
1
Courses
121
Learning Paths
87

Stuart has been working within the IT industry for two decades covering a huge range of topic areas and technologies, from data center and network infrastructure design, to cloud architecture and implementation.

To date, Stuart has created 90+ courses relating to Cloud reaching over 140,000 students, mostly within the AWS category and with a heavy focus on security and compliance.

Stuart is a member of the AWS Community Builders Program for his contributions towards AWS.

He is AWS certified and accredited in addition to being a published author covering topics across the AWS landscape.

In January 2016 Stuart was awarded ‘Expert of the Year Award 2015’ from Experts Exchange for his knowledge share within cloud services to the community.

Stuart enjoys writing about cloud technologies and you will find many of his articles within our blog pages.