AWS Database Authentication & Access Controls
This course covers the different options available to you to enable you to authenticate to your Amazon RDS and Amazon DynamoDB Databases. You'll learn about the difference between authentication and authorization, as well as Identity and Access Management, and how to authenticate to Amazon RDS, and DynamoDB.
If you have any feedback relating to this course, feel free to contact us at firstname.lastname@example.org.
- Define the differences between authentication and authorization
- Understand the key components of IAM used for access control and authentication
- Learn the authentication methods used to access RDS databases across different DB engines
- Learn the authentication controls of Amazon DynamoDB
This course has been designed to assist those who are responsible for securing, designing, and operating AWS Database solutions. It is also ideal for anyone who is looking to take the AWS Certified Database - Specialty exam.
To get the most out of this course, you should have a basic awareness of AWS database services, in addition to AWS Identity & Access Management.
Hello and welcome to the final lecture of this course which will summarize the key points taken from the previous lectures.
I began this course by explaining the difference between Authentication and Authorization, and during this lecture, I explained that
- Authentication consists of two pieces of information. The first defines who you are, such as your IAM user name, which has to be unique. The second verifies that you are who you say you are in the first step, in this case by providing a password.
- Authorization only takes place once an identity has been authenticated
- Authorization is the process in which a system you have authenticated to establishes what you can access and at what level.
- Each identity can have a different level of authorized permissions associated with it
- So in a nutshell, Authentication identifies and verifies who you are. Authorization determines what an identity can access within a system once it has authenticated to it.
Next, I gave a high-level overview of some of the IAM controls which play a big part in access control, not just for Amazon Databases, but across the board within your AWS account.
In this lecture we learned that:
- IAM Users are objects created to represent an identity.
- They can have AWS Management Console or programmatic access via the AWS CLI
- Permissions can be assigned to user objects granting access to resources
- IAM Groups are objects much like user objects, but they are not used in any authentication process.
- They are used to authorize access to AWS resources, through the use of AWS Policies.
- Groups are normally created that relate to a specific requirement or job role.
- Users that are a member of a group inherit the permissions applied to the group
- IAM Roles allow users and other AWS services and applications to adopt a set of temporary IAM permissions to access AWS resources.
- IAM Policies are used to assign permissions to users, groups, and roles and are written as JSON documents
- Each policy contains at least one statement with Action, Effect, and Resource parameters
- Policies can be Managed or Inline
- Managed policies can be AWS Managed, AWS Managed - Job Function or Customer Managed
Next, we started looking at Amazon RDS and the different authentication that could be used. During this lecture I explained that:
- There are a number of different ways that you can authenticate yourself to RDS, including IAM database authentication, password authentication, or Kerberos authentication
- IAM database authentication can be used with MySQL, PostgreSQL, and Aurora database engines
- It uses an authentication token instead of a password to connect to your database resource.
- IAM database authentication is not the default authentication option
- It can be enabled or disabled
- The authentication token is only valid for 15 minutes, after which a new one must be generated.
- You can centralize access control within IAM instead of across multiple different database instances
- IAM Database Authentication is not available on ALL versions of the DB engine types
- Password Authentication is supported by all database engines and is the default method of authenticating to your database instances.
- Your database instance manages the security of your user accounts
- Password Authentication integrates with AWS Secrets Manager
- Kerberos Authentication works with Microsoft Active Directory and is supported by the MySQL, PostgreSQL, Aurora PostgreSQL, and Oracle DB engines.
- Kerberos is a network authentication technology that is used by Microsoft and is often used for single sign-on (SSO) implementations; it authenticates users to network resources
- Using credentials stored in Active Directory, you can authenticate through AD or by using credentials that are stored in AWS Directory Service for MS AD.
In the last lecture, I then looked at how authentication is managed with Amazon DynamoDB. Here I covered the following points:
- Amazon DynamoDB authenticates you through IAM permissions to access its resources
- DynamoDB only supports identity-based policies
- DynamoDB has 3 main resource types: Tables, Indexes, and Streams
- Compared to Amazon RDS, the authentication options are much simpler with DynamoDB; access is based purely upon AWS IAM identity-based policies.
That now brings me to the end of this lecture and to the end of this course, and so you should now have a greater understanding of the different authentication and access control methods that can be used when accessing Amazon RDS and DynamoDB databases.
Feedback on our courses here at Cloud Academy is valuable to both us as trainers and any students looking to take the same course in the future. If you have any feedback, positive or negative, it would be greatly appreciated if you could contact email@example.com.
Thank you for your time and good luck with your continued learning of cloud computing. Thank you.
Stuart has been working within the IT industry for two decades covering a huge range of topic areas and technologies, from data center and network infrastructure design, to cloud architecture and implementation.
To date, Stuart has created 90+ courses relating to Cloud reaching over 100,000 students, mostly within the AWS category and with a heavy focus on security and compliance.
Stuart is a member of the AWS Community Builders Program for his contributions towards AWS.
He is AWS certified and accredited in addition to being a published author covering topics across the AWS landscape.
In January 2016 Stuart was awarded ‘Expert of the Year Award 2015’ from Experts Exchange for his knowledge share within cloud services to the community.
Stuart enjoys writing about cloud technologies and you will find many of his articles within our blog pages.