Amazon RDS for SQL Server supports forced SSL to enhance data protection for database instances



On Monday, Amazon Web Services (AWS) added support for forcing Secure Sockets Layer (SSL) encryption on connections between client applications and Amazon RDS DB instances running Microsoft SQL Server. SSL support is available in all AWS regions for all supported SQL Server editions.

With Amazon RDS, users can create DB instances and DB snapshots, point-in-time restores, and automated or manual backups. DB instances running SQL Server can be used inside a VPC. Users can also use SSL to connect to a DB instance running SQL Server, and can use TDE to encrypt data at rest.

Amazon Relational Database Service (Amazon RDS) is a web service that makes it easier to set up, operate, and scale a relational database in the cloud. It provides cost-efficient, resizable capacity for an industry-standard relational database and manages common database administration tasks.

Amazon RDS currently supports Multi-AZ deployments for SQL Server using SQL Server Mirroring as a high-availability, failover solution. In order to deliver a managed service experience, Amazon RDS does not provide shell access to DB instances, and it restricts access to certain system procedures and tables that require advanced privileges.

Amazon RDS supports access to databases on a DB instance using any standard SQL client application such as Microsoft SQL Server Management Studio. Amazon RDS does not allow direct host access to a DB instance via Telnet, Secure Shell (SSH), or Windows Remote Desktop Connection. When creating a DB instance, clients are assigned to the db_owner role for all databases on that instance, and will have all database-level permissions except for those that are used for backups.

Amazon RDS creates an SSL certificate for a SQL Server DB instance when the instance is created. The certificate carries the DB instance endpoint as its Common Name (CN) so that clients can verify they are talking to the intended server and not a spoofed one. Clients should note that all SQL Server instances created after Aug. 5, 2014, use the DB instance endpoint in the Common Name (CN) field of the SSL certificate. Prior to Aug. 5, 2014, SSL certificate verification was not available for VPC-based SQL Server instances.

If a user has a VPC-based SQL Server DB instance that was created before Aug. 5, 2014, and wants to use SSL certificate verification, they must ensure that the instance endpoint is included as the Common Name in the SSL certificate for that DB instance, which means renaming the instance. When a DB instance is renamed, a new certificate is deployed and the instance is rebooted to enable the new certificate.
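As an added example (not code from the article or from AWS), the following shows the client-side pattern the certificate discussion above implies: require encryption, make the driver validate the server certificate against the endpoint instead of blindly trusting it, and then confirm from the server side that the session really is encrypted. It assumes pyodbc with the Microsoft ODBC Driver for SQL Server and that the Amazon RDS CA certificate that signed the instance certificate is already in the client's trust store; `build_connection_string`, `cn_matches_endpoint` and `session_is_encrypted` are hypothetical helper names.

```python
"""Encrypted, certificate-verified connection to an RDS SQL Server instance.

Assumptions (not from the article): pyodbc + Microsoft ODBC Driver for SQL
Server, and the Amazon RDS CA certificate already trusted on the client.
"""

# Real DMV query: encrypt_option is 'TRUE' when the current session is encrypted.
SESSION_ENCRYPTION_QUERY = (
    "SELECT encrypt_option FROM sys.dm_exec_connections WHERE session_id = @@SPID"
)


def build_connection_string(endpoint, database, user, password,
                            port=1433, verify_certificate=True):
    """Build an ODBC connection string that forces TLS.

    Encrypt=yes makes the driver encrypt the session. TrustServerCertificate=no
    makes it validate the certificate chain and check that the endpoint matches
    the certificate's CN; TrustServerCertificate=yes still encrypts but accepts
    any certificate, so it gives no protection against a spoofed server.
    """
    parts = [
        "DRIVER={ODBC Driver 17 for SQL Server}",
        "SERVER=%s,%d" % (endpoint, port),
        "DATABASE=%s" % database,
        "UID=%s" % user,
        "PWD=%s" % password,
        "Encrypt=yes",
        "TrustServerCertificate=" + ("no" if verify_certificate else "yes"),
    ]
    return ";".join(parts)


def cn_matches_endpoint(certificate_cn, endpoint):
    """True when the certificate CN is exactly the DB instance endpoint.

    An instance created before Aug. 5, 2014 may carry a certificate whose CN is
    not its endpoint; verification fails until the instance is renamed and a
    new certificate is deployed.
    """
    return certificate_cn.strip().lower() == endpoint.strip().lower()


def row_means_encrypted(row):
    """Interpret a row returned by SESSION_ENCRYPTION_QUERY."""
    return row is not None and str(row[0]).upper() == "TRUE"


def session_is_encrypted(cursor):
    """Ask SQL Server whether the current session is encrypted."""
    return row_means_encrypted(cursor.execute(SESSION_ENCRYPTION_QUERY).fetchone())


def connect_verified(endpoint, database, user, password):
    """Open a verified TLS connection and refuse to use it if not encrypted."""
    import pyodbc  # imported here so the helpers above work without the driver
    conn = pyodbc.connect(build_connection_string(endpoint, database, user, password))
    if not session_is_encrypted(conn.cursor()):
        conn.close()
        raise RuntimeError("connection to %s is not encrypted" % endpoint)
    return conn
```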

The basic building block of Amazon RDS is the DB instance. A DB instance is an isolated database environment in the cloud. A DB instance can contain multiple user-created databases, and users can access it by using the same tools and applications that are used with a stand-alone database instance. Users can create and modify a DB instance by using the AWS command line interface, the Amazon RDS API, or the AWS Management Console.

Each DB instance runs a DB engine. Amazon RDS currently supports the MySQL, MariaDB, PostgreSQL, Oracle, and Microsoft SQL Server DB engines. Each DB engine has its own supported features, and each version of a DB engine may include specific features. Additionally, each DB engine has a set of parameters in a DB parameter group that control the behavior of the databases that it manages.

The computation and memory capacity of a DB instance is determined by its DB instance class. Users can select the DB instance class that best meets their needs, and if those needs change over time, the DB instance can be modified.

For each DB instance, users can select from 5 GB to 6 TB of associated storage capacity. Each DB instance class has minimum and maximum storage requirements for the DB instances that are created from it. It’s important to have sufficient storage so that databases have room to grow and that features for the DB engine have room to write content or log entries.

Amazon RDS uses DB security groups, VPC security groups, and EC2 security groups. In simple terms, a DB security group controls access to a DB instance that is not in a VPC, a VPC security group controls access to a DB instance inside a VPC, and an Amazon EC2 security group controls access to an EC2 instance and can be used with a DB instance.

Some DB engines offer tools that simplify managing your databases and making the best use of data. Amazon RDS makes such tools available through option groups. Examples of available options are Oracle Application Express (APEX), SQL Server Transparent Data Encryption, and MySQL memcached support.


WWPI – Covering the best in IT since 1980