Xaphann

Reputation: 3677

Amazon RDS and client MySQL database securely

My company is looking at changing our application to start to use a cloud database. Currently clients have a database installed locally; this local database will turn into a cloud database. That means that each client will have their own database. We also cannot control the network of all of our clients, so using Amazon VPC to control it is kind of out of the question.

I have been searching around and it seems the database will need to be a public database, since clients may have DHCP IP addresses.

What is the best way to secure a database? Using SSL for the connection is obvious. Using a strong username and password for MySQL is also obvious. Changing the default port to something else, sure. What else should be done?

Upvotes: 0

Views: 274

Answers (1)

Bruce P

Reputation: 20719

You've already hit most of the low-hanging fruit (using SSL, strong passwords, etc.). Since VPCs are out of the question, about the only other thing that immediately comes to mind is configuring the security group(s) for the database(s) as strictly as possible. If you know your clients will always be connecting from a single IP or a subnet associated with that client, then only allow connections to the RDS instance from those IPs/subnets. But if you need to keep access to the database open to most of the internet, then what you outlined are pretty much the only options you have.

Unfortunately, doing things like enabling two-factor authentication in MySQL requires the ability to install PAM modules, edit the my.cnf file for the server, etc., and those things just aren't possible with RDS since it's a fully managed database solution.

Upvotes: 2
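
One way to check the answer's advice about keeping the RDS security groups strict, as an added example that is not part of the original question or answer: a small audit over security group ingress rules that flags any rule exposing the database port to the whole internet or to a range wider than a chosen policy. The function names, the prefix thresholds and the sample data are assumptions made for illustration.

```python
import ipaddress

# Constructed sample shaped like `aws ec2 describe-security-groups` output;
# group IDs and addresses are placeholders, not real resources.
SAMPLE = {"SecurityGroups": [
    {"GroupId": "sg-EXAMPLE-open", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-EXAMPLE-client", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "203.0.113.10/32"},
                      {"CidrIp": "198.51.100.0/24"}]}]},
    {"GroupId": "sg-EXAMPLE-range", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 1024, "ToPort": 65535,
         "IpRanges": [{"CidrIp": "198.51.0.0/16"}]},
        {"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]}


def covers_port(perm, port):
    """True if the rule admits TCP to `port`; protocol "-1" means all traffic."""
    if perm["IpProtocol"] == "-1":
        return True
    if perm["IpProtocol"] != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def audit(groups, db_port=3306, min_prefix_v4=24, min_prefix_v6=64):
    """Return (group id, cidr, reason) for every rule too broad for the DB port.

    The prefix thresholds are an assumed policy, not an AWS default.
    Rules that reference other security groups are not inspected.
    """
    findings = []
    for sg in groups["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            if not covers_port(perm, db_port):
                continue
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                net = ipaddress.ip_network(cidr, strict=False)
                limit = min_prefix_v4 if net.version == 4 else min_prefix_v6
                if net.prefixlen == 0:
                    findings.append((sg["GroupId"], cidr, "open-to-internet"))
                elif net.prefixlen < limit:
                    findings.append((sg["GroupId"], cidr, "wider-than-policy"))
    return findings
```

Passing a non-default `db_port` shows that moving MySQL off 3306 does not help when a rule allows a broad port range or all protocols.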
