By using AWS re:Post, you agree to the AWS re:Post Terms of Use

Making RDS secure

0

We have a DOTNET winform application. We are connecting to RDS which is public. How can we make it secure ?

2 Answers
1

Hello.

Where do you host your .NET Windows applications?
If it is hosted in the same VPC as RDS, such as EC2, please disable public access for RDS and configure the security group to only allow connections from EC2.
If you are hosting on-premises rather than EC2, I think it is a good idea to use a security group to restrict connections to only on-premises public IP addresses.
For on-premises applications, I think it's a good idea to use Site to Site VPN for private access instead of public access if possible.
It is also possible to encrypt communications using SSL connections.
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html

profile picture
EXPERT
answered 5 months ago
profile picture
EXPERT
reviewed 5 months ago
profile pictureAWS
EXPERT
reviewed 5 months ago
0

If your RDS database is publicly accessible and you are permitting access from all IP addresses (0.0.0.0/0 for IPv4 and/or ::/0 for IPv6), the most massive risk is that anyone who obtains or guesses valid credentials for your database can connect and access your data.

As Riku Kobayashi correctly advised, you should avoid making databases publicly accessible, if you can avoid it by using internal connectivity within or between your VPCs or from outside AWS over site-to-site VPN or other separately securable means of connecting.

However, if you are having to keep your database publicly accessible, the most meaningful security mechanism is to configure the RDS database's security group to allow connections only from trusted IP addresses that you know to require access legitimately. That's explained along with a simple diagram here: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_VPC.Scenarios.html#USER_VPC.Scenario4

Secondly, when connections are made over the public internet, there may be a possibility of a third party eavesdropping on your network traffic and obtaining some of your sensitive data that way. Even when the security group prevents them from connecting to your database directly, they can still listen in on the data the legitimate users are writing to or reading from your database. To address that issue, you should enforce the use of TLS encryption and ensure that the clients connecting validate the TLS certificate of the database when connecting. That's explained in more detail in the documentation article Riku Kobayashi also linked to earlier: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html

EXPERT
answered 5 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions