suganology

Reputation: 93

AWS RDS encryption allows yielding plain text with mysql-client access

I'm a bit of a newbie on AWS, and my mission is to make sure that all the data in a specific RDS database is encrypted.

I created a sample RDS DB instance with encryption enabled (and made it accessible globally in order to simulate an exploitation procedure).

Then, once I had created the DB instance, when I accessed the data with mysql-client,

+---------+---------+
| column1 | column2 |
+---------+---------+
| orange  | hawaii  |
+---------+---------+

all the data was plaintext, not ciphertext. I expected something like this:

+----------+---------+
| column1  | column2 |
+----------+---------+
| abj12b7  | bb2ce11 |
+----------+---------+

Plus, when I tried mysqldump, I could also get the raw data.

So my question is: what is this RDS encryption option for? How can I confirm that the data in RDS is encrypted, and in which workflow does this encryption assure your safety? Actually, I'm not sure how this encryption works, because I can see plaintext data with usual mysql-client access.

Are there any conceivable risks or exploit scenarios if I don't encrypt storage in RDS?

Upvotes: 3

Views: 1128

Answers (2)

Chris Williams

Reputation: 35258

RDS encryption is used for encrypting the storage on which your data resides.

Amazon RDS encrypted DB instances provide an additional layer of data protection by securing your data from unauthorized access to the underlying storage. You can use Amazon RDS encryption to increase data protection of your applications deployed in the cloud, and to fulfill compliance requirements for data-at-rest encryption.

Any external sources attempting to gain physical access to the disk would not be able to, without having access to your KMS master key.

If you want the individual values in your MySQL DB to be encrypted, this will require you to encrypt them using your own client-side key before writing the data to the database.

Regarding any risks, you can mitigate access to your RDS database both from a networking point of view (keep it private) and from a credential point of view. Some people use Secrets Manager to rotate database credentials. By doing this, no one should have access to the live credentials, which further restricts access by individuals.

Here's a great article on RDS and how it uses encryption.

Upvotes: 3

gusto2

Reputation: 12087

The native AWS encryption is transparent; effectively, the underlying storage is encrypted. Indeed, if you properly access the DB with your credentials, you will get back plain data.

If you want to encrypt data on the application level, you will have to do it yourself (you may still use KMS for master key management).

We see similar questions from time to time. Imagine if all the data were encrypted as you described: you would have no means to search or query anything without decrypting the whole database (or at least the searchable / indexed columns).

Upvotes: 1
