AWS : Database Specialty Exam — Part 5

A Quick Review for Database Security

Pisit J.
Sum up As A Service

--

Part 5: Database Security (18% of exam)

  • Encrypt data at rest and in transit.
  • Determine authentication and authorization for users and roles.
  • Determine auditing strategies.
  • Recognize potential network security vulnerabilities.

1 — What is the fastest way to encrypt an unencrypted Amazon Aurora DB cluster?

Restore an unencrypted Aurora DB cluster snapshot to an encrypted Aurora DB cluster.

Note — You can’t convert an unencrypted DB cluster to an encrypted cluster directly.

https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/Overview.Encryption.html#Overview.Encryption.Limitations

2 — An Amazon RDS instance is associated with a DB subnet group that has private subnets and no internet gateway. Its security groups allow traffic to and from the application servers only. The master key used to encrypt the database at rest is managed with AWS KMS.

How can the Database Specialist provide additional security for the RDS instance?

Enable SSL in the RDS DB instance and encrypt data in transit.

https://aws.amazon.com/blogs/database/applying-best-practices-for-securing-sensitive-data-in-amazon-rds/

3 — According to the security requirements, the Database Specialist needs to capture the activity on an Amazon DynamoDB table and create an audit trail of the modifications made to its items.

Which action should the Database Specialist take to meet these requirements?

Write a Lambda function that polls the DynamoDB stream and delivers the records to Kinesis Data Firehose, which stores them in an Amazon S3 Standard bucket.

https://aws.amazon.com/blogs/database/dynamodb-streams-use-cases-and-design-patterns/

4 — An Amazon ElastiCache for Redis cluster is used as a distributed cache layer by various applications running in AWS.

What should the Database Specialist do to protect the cluster from unauthorized access?

Configure the clients to use Redis AUTH when connecting to the cluster.

Note — Redis authentication tokens enable Redis to require a password before allowing clients to run commands, thereby improving data security.

https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/auth.html

5 — The developer wants the database credentials configured for the web application to change every 30 days.

How should the Database Specialist enforce this rule without breaking the application?

Use AWS Secrets Manager to store the credentials and enable automatic rotation.

Note — AWS Secrets Manager offers built-in integrations for MySQL, PostgreSQL, and Amazon Aurora on Amazon RDS, and can rotate credentials for these databases natively. To retrieve secrets, developers replace plaintext secrets with a call to the Secrets Manager APIs, eliminating the need to hard-code secrets in source code or to update configuration files and redeploy code when secrets are rotated.

https://aws.amazon.com/blogs/security/rotate-amazon-rds-database-credentials-automatically-with-aws-secrets-manager/
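What keeps the application working across a 30-day rotation is a rotation-tolerant credential lookup: the secret is fetched at startup and re-fetched only when the database rejects the cached password. The block below is an added example, not code from this article or from AWS; the Secrets Manager client and the database driver are stand-ins constructed inline so it runs offline, and the host `db.example.internal` and the sample credential values are assumed (the field names follow the JSON layout Secrets Manager uses for RDS secrets).

```python
import json
from typing import Callable

def parse_rds_secret(secret_string: str) -> dict:
    """Parse the JSON Secrets Manager stores for an RDS secret; KeyError if a field is missing."""
    d = json.loads(secret_string)
    return {k: d[k] for k in ("username", "password", "host", "port", "dbname")}

class RotatingConnector:
    """Caches the credentials; when the database rejects them, re-reads the secret once and retries."""

    def __init__(self, fetch_secret: Callable[[], str], connect: Callable[[dict], str]):
        self._fetch, self._connect, self._creds = fetch_secret, connect, None

    def connect(self) -> str:
        if self._creds is None:
            self._creds = parse_rds_secret(self._fetch())
        try:
            return self._connect(self._creds)
        except PermissionError:
            # The password was rotated since the last fetch: refresh from Secrets Manager and retry once.
            self._creds = parse_rds_secret(self._fetch())
            return self._connect(self._creds)

# Constructed offline stand-ins; in production fetch_secret would be
# boto3.client("secretsmanager").get_secret_value(SecretId=...)["SecretString"].
class FakeSecretsManager:
    password, calls = "pw-v1", 0

    def get_secret_value(self) -> str:
        self.calls += 1
        return json.dumps({"username": "app", "password": self.password,
                           "host": "db.example.internal", "port": 3306, "dbname": "orders"})

def make_fake_driver(sm: FakeSecretsManager) -> Callable[[dict], str]:
    """Simulated driver: accepts only the password Secrets Manager currently holds."""
    def connect(c: dict) -> str:
        if c["password"] != sm.password:
            raise PermissionError("access denied")  # stands in for the driver's authentication error
        return f"session:{c['username']}@{c['host']}:{c['port']}/{c['dbname']}"
    return connect

def demo() -> tuple:
    sm = FakeSecretsManager()
    conn = RotatingConnector(sm.get_secret_value, make_fake_driver(sm))
    first = conn.connect()   # one fetch, connects with pw-v1
    sm.password = "pw-v2"    # scheduled rotation changes the database password
    second = conn.connect()  # cached pw-v1 rejected -> refetch -> connects with pw-v2
    return first, second, sm.calls
```

A real driver raises its own exception type on authentication failure, so the `except` clause should catch that type (or inspect the error code) rather than every error, otherwise a network fault would trigger a needless secret fetch.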
