AWS cloud, ~30 mins

RDS security (encryption, security groups) in AWS - Mini Project: Build & Apply

Secure AWS RDS Instance Setup
📖 Scenario: You are setting up a database for a small web application. To keep the data safe, you need to enable encryption and control which servers can access the database.
🎯 Goal: Create an AWS RDS instance with encryption enabled and configure a security group that allows access only from a specific IP address.
📋 What You'll Learn
Create an RDS instance with storage encryption enabled
Create a security group that allows inbound access on port 3306 only from IP 203.0.113.5/32
Attach the security group to the RDS instance
💡 Why This Matters
🌍 Real World
Securing databases in the cloud is critical to protect sensitive data and comply with security policies. Using encryption and network controls helps prevent unauthorized access.
💼 Career
Cloud engineers and DevOps professionals often configure RDS instances with security best practices to ensure data safety and controlled access.
1. Create the RDS instance resource
Create an AWS RDS instance resource named my_db_instance with engine mysql and instance class db.t3.micro. Set the allocated storage to 20 GB and enable storage encryption by setting storage_encrypted to true.
Hint: Use resource "aws_db_instance" "my_db_instance" and set storage_encrypted = true to enable encryption.

2. Create the security group
Create an AWS security group resource named my_db_sg with description Allow MySQL access. Add an ingress rule that allows TCP traffic on port 3306 only from the IP address 203.0.113.5/32.
Hint: Use resource "aws_security_group" "my_db_sg" and add an ingress block with the specified port and IP.

3. Attach the security group to the RDS instance
Add the vpc_security_group_ids attribute to the my_db_instance resource. Set it to a list containing the ID of the security group my_db_sg using aws_security_group.my_db_sg.id.
Hint: Inside my_db_instance, add vpc_security_group_ids = [aws_security_group.my_db_sg.id].

4. Add final RDS instance parameters
Add the parameters username set to admin, password set to SecurePass123!, and skip_final_snapshot set to true to the my_db_instance resource.
Hint: Add username = "admin", password = "SecurePass123!", and skip_final_snapshot = true inside the my_db_instance resource.
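
The four steps above assembled into one Terraform configuration, as an added example that is not part of the original exercise. The variable db_password and the security group's name argument are assumptions of this example; the exercise's literal password is replaced with a sensitive variable so it stays out of source control.

```hcl
# Added example: steps 1-4 combined into a single configuration.
# Assumptions not on the page: the variable name db_password and the
# security group's name argument.

variable "db_password" {
  description = "Master password for my_db_instance"
  type        = string
  sensitive   = true # redacted in plan/apply output, still stored in state
}

# Step 2: security group allowing MySQL only from one address.
resource "aws_security_group" "my_db_sg" {
  name        = "my_db_sg" # assumed name
  description = "Allow MySQL access"

  ingress {
    description = "MySQL from the single allowed host"
    from_port   = 3306
    to_port     = 3306
    protocol    = "tcp"
    cidr_blocks = ["203.0.113.5/32"] # /32 = exactly one address
  }
}

# Steps 1, 3 and 4: encrypted instance with the security group attached.
resource "aws_db_instance" "my_db_instance" {
  engine            = "mysql"
  instance_class    = "db.t3.micro"
  allocated_storage = 20   # GB
  storage_encrypted = true # default aws/rds KMS key unless kms_key_id is set

  vpc_security_group_ids = [aws_security_group.my_db_sg.id]

  username = "admin"
  # The exercise sets password = "SecurePass123!"; reading it from a
  # sensitive variable keeps the literal out of version control.
  password = var.db_password

  # true deletes the instance without a final snapshot: acceptable for a
  # practice instance, but the data is unrecoverable after destroy.
  skip_final_snapshot = true
}
```

Supply the password through the TF_VAR_db_password environment variable rather than a committed .tfvars file. The value is still written to the Terraform state, so the state file needs the same protection as the password itself.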