- Newest
- Most votes
- Most comments
Hello.
Where do you host your .NET Windows applications?
If it is hosted in the same VPC as RDS, such as EC2, please disable public access for RDS and configure the security group to only allow connections from EC2.
If you are hosting on-premises rather than EC2, I think it is a good idea to use a security group to restrict connections to only on-premises public IP addresses.
For on-premises applications, I think it's a good idea to use Site to Site VPN for private access instead of public access if possible.
It is also possible to encrypt communications using SSL connections.
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html
If your RDS database is publicly accessible and you are permitting access from all IP addresses (0.0.0.0/0 for IPv4 and/or ::/0 for IPv6), the most massive risk is that anyone who obtains or guesses valid credentials for your database can connect and access your data.
As Riku Kobayashi correctly advised, you should avoid making databases publicly accessible, if you can avoid it by using internal connectivity within or between your VPCs or from outside AWS over site-to-site VPN or other separately securable means of connecting.
However, if you are having to keep your database publicly accessible, the most meaningful security mechanism is to configure the RDS database's security group to allow connections only from trusted IP addresses that you know to require access legitimately. That's explained along with a simple diagram here: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_VPC.Scenarios.html#USER_VPC.Scenario4
Secondly, when connections are made over the public internet, there may be a possibility of a third party eavesdropping on your network traffic and obtaining some of your sensitive data that way. Even when the security group prevents them from connecting to your database directly, they can still listen in on the data the legitimate users are writing to or reading from your database. To address that issue, you should enforce the use of TLS encryption and ensure that the clients connecting validate the TLS certificate of the database when connecting. That's explained in more detail in the documentation article Riku Kobayashi also linked to earlier: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html
Relevant content
- Accepted Answerasked 7 months ago
- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated 5 months ago
- AWS OFFICIALUpdated 2 years ago