serverman

Reputation: 1314

Security implications of MySQL AWS security group setup

I have an EC2 instance where I have installed MySQL. The server listens for connections from any IP (bind-address = 0.0.0.0).

I have set up the MySQL security group in such a way that only my webapp instances can connect remotely to the MySQL DB. For this I added a webapp-sg security group to my instance (webapp-sg restricts to HTTP, HTTPS and SSH). Then for my MySQL instance, I simply used the webapp-sg group as the "source". I have verified that:

1. I cannot remotely log in from outside EC2 instances.
2. Within EC2, I have to be on an EC2 instance that has the security group webapp-sg.

However, traffic between the webapp instance and the MySQL DB would still be in clear text. What are the implications? (I see many articles that recommend the above setup.) Do people use "MySQL over SSL" for this? I suspect that would have performance implications. Or does AWS VPC resolve this?

Upvotes: 0

Views: 1340

Answers (1)

Froyke

Reputation: 1145

Short answer: this is the recommended way to operate. Go for it.

Longer: it depends. It depends on the level of security your app requires, and the amount of work, complexity, availability and maintenance you are willing to spend. While theoretically it is advised that any inter-machine traffic should be encrypted, especially in a multi-tenant environment like public clouds, AWS has spent a lot of effort to make their basic security groups offering a solid one; see the 'Network Security' chapter.

That would make both eavesdropping and packet spoofing very unlikely. If you are realistic, there is a greater chance (by orders of magnitude) that hackers could use your web app's bugs and vulnerabilities as the primary attack vector.

Also probable is the chance of security group misconfiguration. Dedicated services like Dome9 and Newvem might assist in getting insights and in managing your security configurations. (Disclosure: I'm a Dome9 co-founder.)

Last, VPC. While not architecturally much different from EC2, it is recommended since it brings more configuration power and a second method to enforce your policy (network ACLs). This might introduce some complexity and more maintenance, but can reduce the effects of misconfiguration.

Upvotes: 3
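The layout described in the question (mysql-sg admitting 3306 only from members of webapp-sg) and the misconfiguration risk raised in the answer, as an added example that is neither part of the question nor of the answer. The script models how a security group evaluates an inbound packet, reproduces the three checks the asker ran, and then audits a list of groups for any rule that exposes 3306 more widely than intended. The dicts use the shape that `aws ec2 describe-security-groups` (boto3 `describe_security_groups()["SecurityGroups"]`) returns, but every group ID, CIDR and rule below is constructed for illustration and the group names are assumed; nothing here talks to AWS.

```python
"""Offline model and audit of the security-group layout from the question.

Added example, not from the original post. Dict shape follows
`aws ec2 describe-security-groups`; IDs, CIDRs and rules are constructed.
"""
import ipaddress

MYSQL_PORT = 3306
WORLD = {"0.0.0.0/0", "::/0"}

WEBAPP_SG = "sg-0aaa000000000001"     # assumed id of webapp-sg
MYSQL_SG = "sg-0bbb000000000001"      # assumed id of the mysql instance's group
MYSQL_SG_BAD = "sg-0bbb000000000002"  # same layout after a careless "temporary" change


def _tcp(port, cidrs=(), groups=()):
    """Build one IpPermissions entry for a single TCP port."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": c} for c in cidrs], "Ipv6Ranges": [],
            "UserIdGroupPairs": [{"GroupId": g} for g in groups]}


# Constructed sample: webapp-sg admits http/https from anywhere and ssh from an
# office range; mysql-sg admits 3306 only from interfaces that carry webapp-sg.
SAMPLE_GROUPS = [
    {"GroupId": WEBAPP_SG, "GroupName": "webapp-sg", "IpPermissions": [
        _tcp(80, cidrs=["0.0.0.0/0"]), _tcp(443, cidrs=["0.0.0.0/0"]),
        _tcp(22, cidrs=["203.0.113.0/24"])]},
    {"GroupId": MYSQL_SG, "GroupName": "mysql-sg", "IpPermissions": [
        _tcp(MYSQL_PORT, groups=[WEBAPP_SG])]},
    {"GroupId": MYSQL_SG_BAD, "GroupName": "mysql-sg-drifted", "IpPermissions": [
        _tcp(MYSQL_PORT, cidrs=["0.0.0.0/0"], groups=[WEBAPP_SG])]},
]


def _covers_port(perm, port):
    if perm["IpProtocol"] == "-1":      # "all traffic" rule carries no ports
        return True
    if perm["IpProtocol"] != "tcp":
        return False
    return perm["FromPort"] <= port <= perm["ToPort"]


def _cidrs(perm):
    for r in perm.get("IpRanges", []):
        yield r["CidrIp"]
    for r in perm.get("Ipv6Ranges", []):
        yield r["CidrIpv6"]


def allows(sg, port, src_ip, src_groups=()):
    """Model inbound evaluation for one group.

    A packet to `port` is admitted if some rule covering the port names a CIDR
    containing the source address, or (group-sourced rule) one of the groups
    attached to the source's network interface. Group-sourced rules match on
    membership, not on address, so an outside host, or an EC2 instance without
    webapp-sg, is refused even if its address looks "internal". Security groups
    are stateful, so the reply needs no separate rule.
    """
    ip = ipaddress.ip_address(src_ip)
    for perm in sg["IpPermissions"]:
        if not _covers_port(perm, port):
            continue
        if any(ip in ipaddress.ip_network(c) for c in _cidrs(perm)):
            return True
        if any(p["GroupId"] in src_groups for p in perm["UserIdGroupPairs"]):
            return True
    return False


def audit(groups, port=MYSQL_PORT, allowed_source_groups=()):
    """Flag every group that admits `port` from anything other than the
    allowed source groups. Returns {GroupId: [reason, ...]}."""
    findings = {}
    for sg in groups:
        reasons = []
        for perm in sg["IpPermissions"]:
            if not _covers_port(perm, port):
                continue
            for c in _cidrs(perm):
                reasons.append(("open to the world: " if c in WORLD else "open to cidr: ") + c)
            for p in perm["UserIdGroupPairs"]:
                if p["GroupId"] not in allowed_source_groups:
                    reasons.append("open to group: " + p["GroupId"])
        if reasons:
            findings[sg["GroupId"]] = reasons
    return findings


def by_id(groups, gid):
    return next(g for g in groups if g["GroupId"] == gid)


if __name__ == "__main__":
    mysql = by_id(SAMPLE_GROUPS, MYSQL_SG)
    # The asker's checks, against the model:
    print(allows(mysql, MYSQL_PORT, "198.51.100.7"))                      # outside host: False
    print(allows(mysql, MYSQL_PORT, "10.0.1.5", src_groups=[WEBAPP_SG]))  # webapp instance: True
    print(allows(mysql, MYSQL_PORT, "10.0.1.6", src_groups=["sg-0ccc000000000001"]))  # other EC2: False
    for gid, reasons in audit(SAMPLE_GROUPS, allowed_source_groups=[WEBAPP_SG]).items():
        print(gid, reasons)   # only the drifted group is reported
```

To run the audit against a real account, feed `audit()` the `SecurityGroups` list from `boto3.client("ec2").describe_security_groups()` instead of `SAMPLE_GROUPS`; the evaluation in `allows()` is a model of the documented semantics, not a substitute for testing the actual connection as the asker did.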
