AWS - Relational Database (RDS) Enum
Last updated
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
The Relational Database Service (RDS) offered by AWS is designed to streamline the deployment, operation, and scaling of a relational database in the cloud. This service offers the advantages of cost efficiency and scalability while automating labor-intensive tasks like hardware provisioning, database configuration, patching, and backups.
AWS RDS supports various widely-used relational database engines including MySQL, PostgreSQL, MariaDB, Oracle Database, Microsoft SQL Server, and Amazon Aurora, with compatibility for both MySQL and PostgreSQL.
Key features of RDS include:
- Simplified management of database instances.
- Creation of read replicas to improve read performance.
- Multi-Availability Zone (AZ) deployments for high availability and failover.
- Integration with other AWS services, such as:
  - AWS Identity and Access Management (IAM) for access control.
  - AWS CloudWatch for monitoring and metrics.
  - AWS Key Management Service (KMS) for encryption at rest.
When creating the DB cluster the master username can be configured (admin by default). The password of this user can be:
- Set by you
- Auto-generated by RDS
- Managed by RDS in AWS Secrets Manager, encrypted with a KMS key
There are 3 authentication options, but authenticating with the master password is always allowed:
By default no public access is granted to the database, although it can be enabled. Therefore, by default only machines in the same VPC can reach it, and only if the selected security group (RDS instances use EC2 security groups) allows it.
Instead of exposing a DB instance directly, an RDS Proxy can be created, which improves the scalability and availability of the DB cluster.
The database port can also be changed from the engine default.
Encryption is enabled by default using an AWS managed key (a CMK can be chosen instead).
Enabling encryption turns on encryption at rest for the storage, snapshots, read replicas and backups, with the keys managed through KMS. This level of encryption cannot be added after the database has been created: it must be enabled at creation time.
There is, however, a workaround to obtain an encrypted copy of an unencrypted database: take a snapshot of the unencrypted database, create an encrypted copy of that snapshot, and restore a new database from the encrypted snapshot. The resulting database is encrypted.
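As an added example (not code from the HackTricks page), the following Python audits the settings discussed above from the JSON that `aws rds describe-db-instances --output json` returns: public accessibility and the attached EC2 security groups, storage encryption, the default `admin` master username, whether the master password is managed in Secrets Manager, and whether the engine default port is still in use. It runs on a constructed sample response; the instance names, security-group ids and ARNs are placeholders.

```python
import json

# Constructed sample shaped like `aws rds describe-db-instances --output json` (no real instances).
SAMPLE_DESCRIBE_OUTPUT = json.dumps({"DBInstances": [
    {
        "DBInstanceIdentifier": "prod-orders",
        "Engine": "mysql",
        "MasterUsername": "admin",
        "Endpoint": {"Address": "prod-orders.example.rds.amazonaws.com", "Port": 3306},
        "PubliclyAccessible": True,
        "StorageEncrypted": False,
        "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0123456789abcdef0", "Status": "active"}],
    },
    {
        "DBInstanceIdentifier": "internal-reports",
        "Engine": "postgres",
        "MasterUsername": "reports_owner",
        "Endpoint": {"Address": "internal-reports.example.rds.amazonaws.com", "Port": 5433},
        "PubliclyAccessible": False,
        "StorageEncrypted": True,
        "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/PLACEHOLDER-KEY-ID",
        "MasterUserSecret": {"SecretArn": "arn:aws:secretsmanager:us-east-1:111122223333:secret:PLACEHOLDER"},
    },
]})

# Engine default listener ports; an instance still listening on its default is flagged.
DEFAULT_PORTS = {"mysql": 3306, "mariadb": 3306, "aurora-mysql": 3306,
                 "postgres": 5432, "aurora-postgresql": 5432}

def audit_instance(db: dict) -> list[str]:
    """Return the findings for one DBInstance record (empty list means nothing to report)."""
    findings = []
    if db.get("PubliclyAccessible"):
        sgs = ",".join(g["VpcSecurityGroupId"] for g in db.get("VpcSecurityGroups", []))
        findings.append(f"publicly accessible; reachability depends on EC2 security group(s) {sgs}")
    if not db.get("StorageEncrypted"):
        findings.append("storage not encrypted (only fixable via snapshot -> encrypted copy -> restore)")
    if db.get("MasterUsername") == "admin":
        findings.append("master username left at the default 'admin'")
    if "MasterUserSecret" not in db:
        findings.append("master password not managed in Secrets Manager")
    port = db.get("Endpoint", {}).get("Port")
    if port is not None and port == DEFAULT_PORTS.get(db.get("Engine", "")):
        findings.append(f"listening on the engine default port {port}")
    return findings

def audit_describe_output(raw_json: str) -> dict[str, list[str]]:
    """Map every DBInstanceIdentifier in describe-db-instances JSON to its findings."""
    return {db["DBInstanceIdentifier"]: audit_instance(db)
            for db in json.loads(raw_json).get("DBInstances", [])}
```

Pipe the real CLI output into `audit_describe_output` to get the same per-instance findings for your own account.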
Alongside the encryption capabilities inherent to RDS at the application level, RDS also supports additional platform-level encryption mechanisms to safeguard data at rest, namely Transparent Data Encryption (TDE) for Oracle and SQL Server. Note that while TDE improves security by encrypting data at rest, it may also affect database performance, especially when combined with MySQL cryptographic functions or Microsoft Transact-SQL cryptographic functions.
To use TDE, some preliminary steps are required:
- Option group association: the database must be associated with an option group. Option groups are containers for settings and features that simplify database management, including security enhancements. Note that option groups are only available for specific database engines and versions.
- Inclusion of TDE in the option group: once the database is associated with an option group, the Oracle Transparent Data Encryption option must be added to that group. Once the TDE option has been added to an option group it becomes permanent and cannot be removed.
- TDE encryption modes: TDE offers two distinct modes:
  - TDE Tablespace Encryption: encrypts entire tables, giving a broader scope of data protection.
  - TDE Column Encryption: encrypts specific, individual elements within the database, allowing more granular control over which data is encrypted.
Understanding these prerequisites and the operational intricacies of TDE is crucial for effectively implementing and managing encryption within RDS, ensuring both data security and compliance with necessary standards.
There are ways to access DynamoDB data with SQL syntax; therefore, typical SQL injections are also possible.