Process Flow - RDS security (encryption, security groups)

Create RDS Instance

↓

Enable Encryption?

No→Create without encryption

Yes↓

Attach KMS Key

↓

Assign Security Groups

↓

Define Inbound Rules

↓

RDS Instance Ready with Security

This flow shows creating an RDS database with encryption and security groups to control network access.

Execution Sample

AWS

resource "aws_db_instance" "example" {
  allocated_storage    = 20
  engine               = "mysql"
  engine_version       = "8.0"
  instance_class       = "db.t3.micro"
  name                 = "mydb"
  username             = "admin"
  password             = "password123"
  parameter_group_name = "default.mysql8.0"
  storage_encrypted    = true
  kms_key_id           = aws_kms_key.rds_key.arn
  vpc_security_group_ids = [aws_security_group.rds_sg.id]
}

resource "aws_security_group" "rds_sg" {
  name        = "rds_sg"
  description = "Allow MySQL access"
  ingress {
    from_port   = 3306
    to_port     = 3306
    protocol    = "tcp"
    cidr_blocks = ["10.0.0.0/16"]
  }
}

This Terraform code creates an encrypted MySQL RDS instance with a security group allowing MySQL access from a private network.

Process Table

Step	Action	Encryption Enabled	KMS Key Attached	Security Group Assigned	Inbound Rule	Result
1	Start RDS creation	No	No	No	None	Preparing instance creation
2	Check encryption setting	Yes	No	No	None	Encryption enabled, need KMS key
3	Attach KMS key	Yes	Yes	No	None	KMS key attached for encryption
4	Assign security group	Yes	Yes	Yes	None	Security group assigned
5	Define inbound rules	Yes	Yes	Yes	TCP 3306 from 10.0.0.0/16	Inbound rules set for MySQL access
6	Complete creation	Yes	Yes	Yes	TCP 3306 from 10.0.0.0/16	RDS instance ready with encryption and security

💡 RDS instance created with encryption enabled and security group allowing MySQL access from private network

Status Tracker

Variable	Start	After Step 2	After Step 3	After Step 4	After Step 5	Final
encryption_enabled	false	true	true	true	true	true
kms_key_attached	false	false	true	true	true	true
security_group_assigned	false	false	false	true	true	true
inbound_rule	none	none	none	none	tcp 3306 from 10.0.0.0/16	tcp 3306 from 10.0.0.0/16

Key Moments - 3 Insights

Why do we need to attach a KMS key after enabling encryption?

What happens if we don't assign a security group?

Why specify inbound rules in the security group?

Visual Quiz - 3 Questions

Test your understanding

Look at the execution_table, at which step is the KMS key attached?

AStep 3

BStep 4

CStep 2

DStep 5

Concept Snapshot

RDS Security Quick Reference:
- Enable storage_encrypted to protect data at rest
- Attach a KMS key for encryption management
- Assign security groups to control network access
- Define inbound rules to allow specific traffic (e.g., MySQL port 3306)
- Without security groups or rules, RDS is inaccessible
- Encryption and security groups work together to secure your database

Full Transcript

This visual execution shows how to secure an AWS RDS instance by enabling encryption and assigning security groups. First, the RDS instance creation starts without encryption or security groups. When encryption is enabled, a KMS key must be attached to manage encryption. Next, a security group is assigned to the instance, which controls network access. Inbound rules are then defined to allow traffic on the MySQL port 3306 from a private network range. The variable tracker shows how encryption, KMS key attachment, security group assignment, and inbound rules change step-by-step. Key moments clarify why each step is necessary, such as the role of the KMS key and the importance of inbound rules. The quiz tests understanding of when the KMS key is attached, the state of security group assignment, and how changing inbound rules affects access. This process ensures the RDS instance is both encrypted and accessible only to authorized network sources.