RogerFC

Reputation: 329

Set up a connection to AWS RDS from a MySQL client using IAM as an authentication layer.

I want to set up a connection to one of our AWS RDS instances for an external remote collaborator who wants to use a MySQL client (Toad).

I can set up a security group and access grants to the db so as to accept connections from their office IP, but this is a bit too exposed, and there is no user accountability. Alternatively, we can create a VPN user to connect to our offices, but this has been far from ideal in the past and I prefer to research other options.

IAM provides a good security layer, but is it possible to use it as an authentication layer in this case?

Upvotes: 0

Views: 251

Answers (2)

Rodrigo Murillo

Reputation: 13642

From a security standpoint, a white-listed IP and unique user(s) granted least-privilege access within MySQL is the common security setup for these implementations; it is quite secure and provides a complete level of user accountability, tracking and audit. You know each user's access, and it can only come from one IP. You know who that user is. You control what they can access in the DB.

I do not believe adding an IAM layer is possible, and even then it is still another form of user authentication and authorization, same as a MySQL login would provide.

At the end of the day, you need to trust this user to access your data in the manner in which you want to grant it. A white-listed IP and a unique login is very secure. With an SSL endpoint at RDS, data is also secure in transit. I do not see any unreasonable security risk at all. This setup is standard and mandated in any secure data environment, for example in payment processing in PCI compliant applications.

Any other implementation on top of this is overkill and adds admin burden without a lot of benefit, IMHO.

For further security, have each user sign off on a security policy that clearly describes the limits and scope of their access to the data, their obligation to secure the passwords of their account, not share accounts, etc. Trust is good, but a strong policy statement enforces proper behavior regarding the security of the data.

Upvotes: 1

Piyush Patil

Reputation: 14523

  1. Create a Jump Host EC2 instance and give that EC2 instance access to your RDS database, so you will have to whitelist the IP address of the EC2 instance and not the whole office.
  2. Create an SSH user for the person who is going to access the database on the Jump Host EC2 instance.
  3. Ask the person to connect to the Database using "Standard TCP/IP over SSH" in Toad.
  4. This will achieve your use case of not whitelisting the whole office IP address, and using SSH, you can achieve user accountability.

Upvotes: 1
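As an added example (not part of either answer, and not Toad's or AWS's own tooling), the shell below shows what the jump-host procedure in this answer looks like in practice, together with the per-person, least-privilege MySQL account the first answer recommends: a tunnel-only `authorized_keys` entry for the collaborator's key, the `ssh -L` command that Toad's "Standard TCP/IP over SSH" option builds for you, the user DDL pinned to the jump host's address with TLS required, and a small accountability check over sshd log lines. Every host name, IP, key, schema name and log line is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not part of either answer: the jump-host setup in working shell,
# plus the least-privilege MySQL user from the first answer. Every host name,
# user, key and log line below is a constructed placeholder.

RDS_ENDPOINT="mydb.cluster-abc123.eu-west-1.rds.amazonaws.com"  # placeholder RDS endpoint
DB_PORT=3306
JUMP_HOST_PRIVATE_IP="10.0.1.5"   # placeholder: private IP of the jump host EC2 instance

# authorized_keys line for the collaborator's key on the jump host. 'restrict'
# (OpenSSH 7.2+) disables pty, agent/X11 forwarding and rc execution;
# 'port-forwarding' re-enables forwarding and 'permitopen' limits it to RDS only,
# so the key can open the tunnel and nothing else.
restricted_key_line() {
    printf 'restrict,port-forwarding,permitopen="%s:%s" %s\n' \
        "$RDS_ENDPOINT" "$DB_PORT" "$1"
}

# Command-line equivalent of Toad's "Standard TCP/IP over SSH": local port 3307
# is forwarded through the jump host to RDS; -N requests no remote shell.
tunnel_command() {
    printf 'ssh -N -L 3307:%s:%s %s@%s\n' "$RDS_ENDPOINT" "$DB_PORT" "$1" "$2"
}

# MySQL DDL for a per-person account that can only arrive via the jump host,
# must use TLS, and gets read-only access to one schema (adjust grants as needed).
mysql_user_ddl() {
    printf "CREATE USER '%s'@'%s' IDENTIFIED BY '<password>' REQUIRE SSL;\n" "$1" "$JUMP_HOST_PRIVATE_IP"
    printf "GRANT SELECT ON %s.* TO '%s'@'%s';\n" "$2" "$1" "$JUMP_HOST_PRIVATE_IP"
}

# Constructed sshd lines standing in for /var/log/auth.log on the jump host.
SAMPLE_LOG='Jun 10 09:12:01 jump sshd[1201]: Accepted publickey for alice from 203.0.113.10 port 51234 ssh2: ED25519 SHA256:k1
Jun 10 09:40:22 jump sshd[1300]: Accepted publickey for alice from 203.0.113.10 port 51300 ssh2: ED25519 SHA256:k1
Jun 10 11:05:09 jump sshd[1422]: Accepted publickey for bob from 198.51.100.7 port 40000 ssh2: ED25519 SHA256:k2
Jun 10 11:06:00 jump sshd[1430]: Failed publickey for root from 198.51.100.7 port 40010 ssh2: RSA SHA256:k3'

# Accepted logins per named user: the accountability a per-person SSH user gives you.
# Field 9 of the sshd line is the user name.
logins_per_user() {
    printf '%s\n' "$1" | awk '/Accepted publickey for/ { n[$9]++ } END { for (u in n) print u, n[u] }' | sort
}

# Accepted logins whose source (field 11) is not the single allow-listed address.
logins_outside_allowlist() {
    printf '%s\n' "$1" | awk -v ok="$2" '/Accepted publickey for/ && $11 != ok { print $9, $11 }'
}

# Demo run; nothing here contacts a host, it only prints the generated lines.
restricted_key_line "ssh-ed25519 AAAAC3example alice@laptop"
tunnel_command alice jump.example.com
mysql_user_ddl alice reporting
echo "--- accepted logins per user"
logins_per_user "$SAMPLE_LOG"
echo "--- accepted logins from outside 203.0.113.10"
logins_outside_allowlist "$SAMPLE_LOG" 203.0.113.10
```

On the AWS side this pairs with two security groups: the jump host's group accepts port 22 only from the collaborator's address, and the RDS group accepts port 3306 only from the jump host's group, which is the "whitelist the EC2 instance, not the office" point of step 1. Because the key is restricted to forwarding, the collaborator gets a database tunnel but no shell on the jump host, and every session leaves an `Accepted publickey for <user>` line naming the person rather than an office.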
