Does Lightsail encrypt the connection between the instance and the managed database?

0

Hello

I have always been very cautious about the security of database connections.

I'm using AWS Lightsail and I'm creating a MySQL database, version 8.0.28 (in the Oregon Region). It is connected to Lightsail instances in the same region. In summary, the instances are deployed alongside the managed database.

Based on the above environment, does Lightsail encrypt the connection between the instance and the managed database (not between the client and the managed database)?

Best wishes

6 Answers
0

No, the connections traverse the private AWS network, but these communications aren't encrypted unless you enable TLS encryption for your MySQL connections from the application to the MySQL database. You can find more about MySQL connection encryption on their official site.

AWS
answered a year ago
0

Thank you!

I see the difference between the official AWS literature and the official MySQL literature for encryption methods for hosted databases, where the AWS literature lists SSL encryption methods and MySQL prefers TLS encryption. I believe the latter encryption method may be more secure. But this still doesn't clear up my confusion: they both encrypt the path from the database to the client (local computer), but there is no indication whether this encryption method covers the communication from the instance to the hosted database? After all, that's what I'm more concerned about!

karl
answered a year ago
0

Hi Karl,

SSL and TLS are two flavors of the same concept, where TLS is the more modern protocol. Many people use these two terms interchangeably, although TLS is the more correct term to use. In your database you can configure which you want to use; you can read more about AWS RDS support for encryption in this documentation.

When you enable TLS encryption between client and database, all the communication is encrypted from the moment it leaves your application, to the moment it's received by the database engine. The connection is encrypted, so anyone sniffing in the middle can't read what's going on, they will see scrambled data going back and forth between your application and database.

AWS
answered a year ago
0

Hi Pablo Guzman

I haven't been over for a few days. So, as I feared, the communication between the instance and the database is unencrypted?

If the instance is not in the same region as the database, the database needs to have networking mode on; if it is in the same region, it does not. In the latter case, does this mean that their connection follows some kind of encryption mechanism?

Best wishes!

karl
answered a year ago
0

I think you are misunderstanding some concepts. The communication between the application and the database has, per the OSI model, 7 layers to it, as seen in the following picture (image source: https://www.imperva.com/learn/application-security/osi-model/).

When we talk about communication encryption we are making sure that the application data that's transmitted in that connection can't be understood by any device in the middle. However, at the TCP/UDP level there is no encryption of the network data itself (namely the origin and destination of IP packets). So a device in the middle could see that the application is communicating with the database, but it can't see what information is being exchanged. As far as security goes, this is what we aim for.

For example, for the Payment Card Industry Data Security Standard (PCI DSS), which requires encryption in transit, just enabling TLS on the application connection to the database fulfills the transit data protection requirement.

To summarize, if you enable TLS at the application to database communication level, that fulfills the security standards related to data protection in transit.

AWS
answered a year ago
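To make the recommendation in this thread concrete, here is an added example (mine, not code from the AWS answerer or from Lightsail) of an application connection that requires TLS with CA and host-name verification, plus a check that the negotiated session really is encrypted by reading MySQL's `Ssl_cipher` status variable. It assumes mysql-connector-python as the client library (its `ssl_ca`, `ssl_verify_cert` and `ssl_verify_identity` connect options); the endpoint, credentials and CA bundle path are placeholders, and `FakeCursor` is a constructed stand-in so the check runs offline.

```python
"""Enforce TLS on the application-to-MySQL connection and verify it took effect.

Added example. Assumes mysql-connector-python (mysql.connector.connect) as the
client library; the host, credentials and CA path below are placeholders.
"""
from typing import Any, Dict, Optional, Sequence, Tuple


def tls_connect_args(host: str, user: str, password: str, ca_file: str,
                     database: Optional[str] = None) -> Dict[str, Any]:
    """Build connect() keyword arguments that cannot silently fall back to plaintext.

    - ssl_ca: the CA bundle the server certificate must chain to
    - ssl_verify_cert: reject a certificate that does not chain to that CA
    - ssl_verify_identity: reject a certificate whose name does not match `host`
    - ssl_disabled=False: state the intent explicitly
    """
    if not ca_file:
        # Without a CA bundle the client can still negotiate TLS, but it cannot
        # tell the real database from anything else presenting a certificate.
        raise ValueError("a CA bundle path is required to verify the server identity")
    args: Dict[str, Any] = {
        "host": host,
        "user": user,
        "password": password,
        "ssl_ca": ca_file,
        "ssl_verify_cert": True,
        "ssl_verify_identity": True,
        "ssl_disabled": False,
    }
    if database:
        args["database"] = database
    return args


def session_cipher(rows: Sequence[Tuple[str, str]]) -> str:
    """Extract the negotiated cipher from the rows of SHOW STATUS LIKE 'Ssl_cipher'.

    MySQL reports an empty Ssl_cipher value on a plaintext session, so an empty
    string means the connection is NOT encrypted.
    """
    for name, value in rows:
        if name.lower() == "ssl_cipher":
            return value or ""
    return ""


def assert_encrypted(cursor: Any) -> str:
    """Query the live session and refuse to continue on a plaintext connection.

    `cursor` is any DB-API cursor (execute()/fetchall()). Returns the cipher name.
    """
    cursor.execute("SHOW SESSION STATUS LIKE 'Ssl_cipher'")
    cipher = session_cipher(cursor.fetchall())
    if not cipher:
        raise RuntimeError("MySQL session is not TLS-protected; refusing to send data")
    return cipher


class FakeCursor:
    """Constructed stand-in for a DB-API cursor so the check runs offline."""

    def __init__(self, rows: Sequence[Tuple[str, str]]) -> None:
        self._rows = list(rows)
        self.last_sql = ""

    def execute(self, sql: str) -> None:
        self.last_sql = sql

    def fetchall(self) -> Sequence[Tuple[str, str]]:
        return self._rows


if __name__ == "__main__":
    # Placeholder endpoint and CA path: replace with the Lightsail database
    # endpoint and the CA bundle that signed its certificate.
    print(tls_connect_args("your-lightsail-db-endpoint", "app", "app-password",
                           "/path/to/ca-bundle.pem", database="shop"))
    # Constructed server answers: one encrypted session, one plaintext session.
    print(assert_encrypted(FakeCursor([("Ssl_cipher", "TLS_AES_256_GCM_SHA384")])))
    try:
        assert_encrypted(FakeCursor([("Ssl_cipher", "")]))
    except RuntimeError as exc:
        print("rejected:", exc)
```

Enabling TLS on the server alone does not guarantee the application uses it: with a permissive client setting the session can silently end up in plaintext, which is why the check reads the live session's cipher rather than trusting the configuration. The same requirement can also be pinned on the database side for the application account with `ALTER USER ... REQUIRE SSL`, so a misconfigured client is refused instead of connected unencrypted.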
0

I see, thank you so much for sharing this useful knowledge! In addition, do I need to download the SSL certificates in advance and save them to the specified directory of the database server, and then call these certificates through the command? However, I am currently struggling to find a suitable SSH tool to connect to the database server. Can you recommend one?

Thanks!

karl
answered a year ago
