
RDS security (encryption, security groups) in AWS - Commands & Configuration

Introduction
A database in the cloud needs two things from you: its data must stay confidential, and only the systems that are supposed to talk to it should be able to open a connection. In RDS those two controls are storage encryption (data at rest, including snapshots and automated backups) and VPC security groups (a stateful firewall that decides which source addresses or groups can reach the database port). This pattern applies:
When you want to protect sensitive data stored in your cloud database from unauthorized access.
When you need to control which servers or applications can connect to your database.
When you must meet security requirements that mandate encryption of data at rest.
When you want to keep your database off the public internet using network rules.
When you want to monitor and manage access to your database securely.
Config File - rds-security.tf
provider "aws" {
  region = "us-east-1"
}

# The master password is supplied at apply time (TF_VAR_db_password, or a
# -var-file kept out of version control); it is never written into the .tf file.
variable "db_password" {
  type      = string
  sensitive = true
}

resource "aws_security_group" "rds_sg" {
  name        = "rds-security-group"
  description = "Allow access to RDS from app servers"
  vpc_id      = "vpc-0abc123def456ghij" # replace with your VPC ID

  # Only the application subnet may open MySQL connections. Referencing the app
  # servers' own security group (security_groups = [...]) instead of a CIDR is
  # tighter still, because the rule follows the instances, not an address range.
  ingress {
    description = "Allow MySQL from app servers"
    from_port   = 3306
    to_port     = 3306
    protocol    = "tcp"
    cidr_blocks = ["10.0.1.0/24"]
  }

  # An RDS instance rarely needs to initiate outbound connections; narrow this
  # if your engine and monitoring do not require it.
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_db_instance" "example" {
  identifier              = "example-db"
  engine                  = "mysql"
  instance_class          = "db.t3.micro"
  allocated_storage       = 20
  db_name                 = "exampledb" # "name" is deprecated in AWS provider v4 and removed in v5
  username                = "adminuser"
  password                = var.db_password
  parameter_group_name    = "default.mysql8.0"
  skip_final_snapshot     = true  # acceptable for a lab; keep a final snapshot in production
  publicly_accessible     = false # no public IP; reachable only from inside the VPC
  vpc_security_group_ids  = [aws_security_group.rds_sg.id]
  storage_encrypted       = true  # at-rest encryption; AWS-managed RDS key unless kms_key_id is set
  backup_retention_period = 7
}

This Terraform file creates a security group that accepts MySQL traffic (TCP 3306) only from the application subnet 10.0.1.0/24, then creates an RDS MySQL instance that uses this group as its only network control. storage_encrypted = true encrypts the instance's volumes, snapshots, automated backups and read replicas with the AWS-managed RDS KMS key (set kms_key_id to use a customer-managed key). Two caveats are worth knowing. Encryption can only be chosen at creation: an existing unencrypted instance has to be snapshotted, the snapshot copied with encryption enabled, and a new instance restored from the copy. And at-rest encryption is transparent to anyone holding valid credentials, so it protects against lost storage media and leaked snapshots, not against a stolen password. publicly_accessible = false means the instance gets no public IP and its endpoint resolves only to a private address; reachability inside the VPC is then governed entirely by the security group. Encryption in transit is a separate setting (the require_secure_transport MySQL parameter) and is not covered by this file.

aws_security_group: Defines network rules for who can connect to the database.

aws_db_instance: Creates the database with encryption and security group attached.

Commands
This command sets up Terraform in the current folder by downloading necessary plugins and preparing to create resources.
terraform init
Expected Output
Initializing the backend...

Initializing provider plugins...
- Finding latest version of hashicorp/aws...
- Installing hashicorp/aws v4.60.0...
- Installed hashicorp/aws v4.60.0 (signed by HashiCorp)

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure.
This command shows what Terraform will create or change before actually doing it. It helps you check your configuration.
terraform plan
Expected Output
An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # aws_security_group.rds_sg will be created
  + resource "aws_security_group" "rds_sg" {
      + description = "Allow access to RDS from app servers"
      + id          = (known after apply)
      + name        = "rds-security-group"
      + vpc_id      = "vpc-0abc123def456ghij"
      ...
    }

  # aws_db_instance.example will be created
  + resource "aws_db_instance" "example" {
      + allocated_storage   = 20
      + db_name             = "exampledb"
      + engine              = "mysql"
      + id                  = (known after apply)
      + instance_class      = "db.t3.micro"
      + password            = (sensitive value)
      + publicly_accessible = false
      + storage_encrypted   = true
      + username            = "adminuser"
      ...
    }

Plan: 2 to add, 0 to change, 0 to destroy.

─────────────────────────────────────────────────────────────────────────────

Note: You didn't specify an "-out" parameter to save this plan, so Terraform
can't guarantee that exactly these actions will be performed if
"terraform apply" is subsequently run.
This command creates the security group and the encrypted RDS instance as planned. The -auto-approve flag skips the confirmation prompt; use it only in a lab or in a pipeline where the saved plan has already been reviewed.
terraform apply -auto-approve
Expected Output
aws_security_group.rds_sg: Creating...
aws_security_group.rds_sg: Creation complete after 2s [id=sg-0a1b2c3d4e5f6g7h8]
aws_db_instance.example: Creating...
aws_db_instance.example: Still creating... [10s elapsed]
aws_db_instance.example: Creation complete after 1m30s [id=example-db]

Apply complete! Resources: 2 added, 0 changed, 0 destroyed.
-auto-approve - Automatically approve the apply step without asking for confirmation
This AWS CLI command returns the full description of the instance. The fields to confirm are StorageEncrypted (with KmsKeyId naming the key in use), PubliclyAccessible, and the VpcSecurityGroups list, which should contain only the group created above. The output below is trimmed to those fields.
aws rds describe-db-instances --db-instance-identifier example-db
Expected Output
{
    "DBInstances": [
        {
            "DBInstanceIdentifier": "example-db",
            "DBInstanceStatus": "available",
            "StorageEncrypted": true,
            "VpcSecurityGroups": [
                {
                    "VpcSecurityGroupId": "sg-0a1b2c3d4e5f6g7h8",
                    "Status": "active"
                }
            ],
            "PubliclyAccessible": false
        }
    ]
}
--db-instance-identifier - Specifies which database instance to describe
Key Concept

If you remember nothing else from this pattern, remember: encrypt your database storage and restrict network access with security groups to keep your data safe.

Common Mistakes
Not enabling storage_encrypted in the RDS instance configuration
This leaves the database volumes, snapshots and automated backups unencrypted, so anyone who obtains a snapshot or the underlying storage can read the data. Encryption cannot be switched on afterwards; the instance has to be recreated from an encrypted snapshot copy.
Always set storage_encrypted = true when creating the RDS instance (and kms_key_id if a customer-managed key is required).
Setting the security group to allow access from 0.0.0.0/0 (anywhere)
This exposes the database port to the entire internet if the instance ever gets a public address, and to every host in the VPC and any peered network regardless.
Limit ingress rules to the subnets that need access or, better, reference the application servers' security group so the rule follows the instances rather than an address range.
Making the RDS instance publicly_accessible = true without a strong reason
This assigns the instance a public IP, so the only things between the internet and the database are the security group rules and the password.
Keep publicly_accessible = false and reach the database through private networking (the application subnet or a bastion host).
Hard-coding the master password in the .tf file
The password ends up in version control and in every clone of the repository. Terraform state stores it in plaintext in any case, so the state backend needs encryption and tight access control as well.
Pass the password in as a sensitive variable, or let RDS manage it in Secrets Manager, and never commit it.
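The verification step above confirms one instance by eye, and the three mistakes listed here are exactly the properties that can be read off the describe-db-instances and describe-security-groups output. The Python script below, added here as an example and not part of the original tutorial, applies those checks offline to constructed CLI output so it runs without credentials: the "legacy-db" instance, the sg-0deadbeef0000000 group, the endpoint hostnames and the trusted VPC range 10.0.0.0/16 are assumptions made for the example. To run it against a real account, replace the JSON constants with json.load() of the output of aws rds describe-db-instances and aws ec2 describe-security-groups.

```python
"""Offline posture check for RDS instances and their security groups.

Added example, not the tutorial's own code. The JSON below is constructed
to mirror the shape of `aws rds describe-db-instances` and
`aws ec2 describe-security-groups` output; identifiers other than
example-db / sg-0a1b2c3d4e5f6g7h8 are made up for the example.
"""
import ipaddress
import json

# Constructed sample: the tutorial's instance plus a hypothetical misconfigured one.
DB_INSTANCES_JSON = """
{"DBInstances": [
  {"DBInstanceIdentifier": "example-db", "Engine": "mysql", "DBInstanceStatus": "available",
   "Endpoint": {"Address": "example-db.example.us-east-1.rds.amazonaws.com", "Port": 3306},
   "StorageEncrypted": true, "PubliclyAccessible": false, "BackupRetentionPeriod": 7,
   "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0a1b2c3d4e5f6g7h8", "Status": "active"}]},
  {"DBInstanceIdentifier": "legacy-db", "Engine": "mysql", "DBInstanceStatus": "available",
   "Endpoint": {"Address": "legacy-db.example.us-east-1.rds.amazonaws.com", "Port": 3306},
   "StorageEncrypted": false, "PubliclyAccessible": true, "BackupRetentionPeriod": 0,
   "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0deadbeef0000000", "Status": "active"}]}
]}
"""

# Constructed sample: the tutorial's restricted group and a hypothetical wide-open one.
SECURITY_GROUPS_JSON = """
{"SecurityGroups": [
  {"GroupId": "sg-0a1b2c3d4e5f6g7h8", "GroupName": "rds-security-group",
   "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
                      "IpRanges": [{"CidrIp": "10.0.1.0/24"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
  {"GroupId": "sg-0deadbeef0000000", "GroupName": "legacy-open",
   "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
                      "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
                      "UserIdGroupPairs": []},
                     {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "203.0.113.0/24"}],
                      "Ipv6Ranges": [], "UserIdGroupPairs": []}]}
]}
"""

# Assumption for this example: only sources inside the VPC may reach the database.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/16")]


def rule_reaches_port(perm, port):
    """True if an IpPermissions entry covers TCP `port` (or all traffic)."""
    proto = perm.get("IpProtocol")
    if proto == "-1":  # all protocols/ports; FromPort and ToPort are absent here
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def untrusted_sources(perm, trusted=TRUSTED_NETWORKS):
    """CIDR sources of one rule that are not contained in any trusted network.
    Security-group references (UserIdGroupPairs) are treated as trusted."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    bad = []
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        # subnet_of() only compares same-version networks, so check version first
        if not any(net.version == t.version and net.subnet_of(t) for t in trusted):
            bad.append(cidr)
    return bad


def check_db_instance(db, sgs_by_id):
    """Findings for one describe-db-instances entry; an empty list means clean."""
    name = db["DBInstanceIdentifier"]
    findings = []
    if not db.get("StorageEncrypted"):
        findings.append(f"{name}: storage is not encrypted at rest")
    if db.get("PubliclyAccessible"):
        findings.append(f"{name}: PubliclyAccessible is true")
    if db.get("BackupRetentionPeriod", 0) < 1:
        findings.append(f"{name}: automated backups are disabled")
    port = db["Endpoint"]["Port"]
    for ref in db.get("VpcSecurityGroups", []):
        sg = sgs_by_id.get(ref["VpcSecurityGroupId"])
        if sg is None:
            findings.append(f"{name}: attached group {ref['VpcSecurityGroupId']} not found")
            continue
        for perm in sg.get("IpPermissions", []):
            if not rule_reaches_port(perm, port):
                continue
            for cidr in untrusted_sources(perm):
                findings.append(f"{name}: {sg['GroupId']} allows port {port} from {cidr}")
    return findings


def audit(db_json=DB_INSTANCES_JSON, sg_json=SECURITY_GROUPS_JSON):
    """Map each instance identifier to its list of findings."""
    dbs = json.loads(db_json)["DBInstances"]
    sgs = {sg["GroupId"]: sg for sg in json.loads(sg_json)["SecurityGroups"]}
    return {db["DBInstanceIdentifier"]: check_db_instance(db, sgs) for db in dbs}


if __name__ == "__main__":
    for ident, findings in audit().items():
        print(ident, "OK" if not findings else "")
        for f in findings:
            print("  -", f)
```

Rules that reference another security group (UserIdGroupPairs) are treated as trusted, which is usually the right call: allowing the application servers' group instead of a CIDR keeps the rule correct when instances are replaced. An open CIDR is only reachable from the internet when the instance also has a public IP, but the script flags it regardless, because 0.0.0.0/0 also admits every host in the VPC and any peered network.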
Summary
Create a security group that allows database access only from trusted network ranges.
Create an RDS instance with storage encryption enabled and attach the security group.
Use Terraform commands to initialize, plan, and apply the configuration.
Verify the database encryption and security group settings using AWS CLI.