==============================================================
How do I secure my Amazon RDS database?
• Amazon RDS is designed to be secure by default
• Network isolation with Amazon Virtual Private Cloud (Amazon VPC)
• AWS Identity and Access Management (IAM)-based resource-level permission controls
• Encryption at rest using AWS KMS (all engines) or Oracle/Microsoft TDE
• Use SSL protection for data in transit
==============================================================
What does Amazon VPC provide?
• Places your instance in a private subnet, making it secure from public routes on the Internet
• Database instance IP firewall protection lets you securely control network configuration
• Turn off Public Accessibility in DB instance settings to restrict access outside Amazon VPC
• Use ClassicLink to network with non-VPC resources
==============================================================
How do I grant access to my database?
• Use IAM to control who can perform actions on RDS resources
• Do not use AWS root credentials to manage Amazon RDS resources—you should create an IAM user for everyone, including yourself
• Use AWS Multi-Factor Authentication (MFA) to provide an extra level of protection
==============================================================
How do I encrypt my database?
- Use AWS KMS-based encryption in the AWS console
- No performance penalty for encrypting data
- Centralized access and audit of key activity
- Best practices
• Encryption cannot be removed from DB instances
• If source is encrypted, Read Replicas must be encrypted
• Add encryption to an unencrypted DB instance by encrypting a snapshot copy
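
The network-isolation and encryption points above can be checked mechanically. The following is an added example, not code from the original post: it audits instance descriptions shaped like the output of `aws rds describe-db-instances`. The sample records and finding labels are constructed for illustration.

```python
"""Audit RDS instance descriptions against the VPC and encryption controls."""

# Constructed sample shaped like the "DBInstances" list returned by
# `aws rds describe-db-instances`; all identifiers and values are made up.
SAMPLE_INSTANCES = [
    {"DBInstanceIdentifier": "orders-prod", "PubliclyAccessible": False,
     "StorageEncrypted": True, "KmsKeyId": "arn:aws:kms:EXAMPLE",
     "DBSubnetGroup": {"VpcId": "vpc-0example"}},
    {"DBInstanceIdentifier": "legacy-reporting", "PubliclyAccessible": True,
     "StorageEncrypted": False,
     "DBSubnetGroup": {"VpcId": "vpc-0example"}},
    {"DBInstanceIdentifier": "classic-db", "PubliclyAccessible": False,
     "StorageEncrypted": True, "KmsKeyId": "arn:aws:kms:EXAMPLE"},
]


def audit_instance(db):
    """Return a list of finding strings for one DBInstance description."""
    findings = []
    # Missing keys are treated as the unsafe value so gaps surface as findings.
    if db.get("PubliclyAccessible", True):
        findings.append("PUBLIC: turn off Public Accessibility")
    if not (db.get("DBSubnetGroup") or {}).get("VpcId"):
        findings.append("NO_VPC: instance is not in a VPC subnet group")
    if not db.get("StorageEncrypted", False):
        # Encryption cannot be switched on in place; it needs a snapshot copy.
        findings.append("UNENCRYPTED: restore from an encrypted snapshot copy")
    elif not db.get("KmsKeyId"):
        findings.append("NO_KEY: encrypted but no KMS key id reported")
    return findings


def audit(instances):
    """Map instance identifier -> findings, omitting clean instances."""
    report = {}
    for db in instances:
        findings = audit_instance(db)
        if findings:
            report[db.get("DBInstanceIdentifier", "<unknown>")] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INSTANCES).items():
        for finding in findings:
            print(f"{name}: {finding}")
```

For live data, pass `audit()` the `DBInstances` entries returned by the boto3 `describe_db_instances` paginator.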
==============================================================
How do I monitor my Amazon RDS database?
- Amazon CloudWatch metrics
• CPU/Storage/Memory
• Swap usage
• I/O (read and write)
• Latency (read and write)
• Throughput (read and write)
• Replica lag
- Amazon CloudWatch Alarms
• Similar to on-premises monitoring tools
- Enhanced monitoring for Amazon RDS
• Access to over 50 CPU, memory, file system, and disk I/O metrics
• As low as 1-second intervals
- Integration with third-party monitoring tools
==============================================================
How do I improve database performance?
• Introducing Amazon RDS Performance Insights
• Measures DB Load: Average Active Sessions (AAS)
• Identifies database bottlenecks (Top SQL):
• Easy
• Powerful
• Identifies source of bottlenecks
• Enables problem discovery
• Adjustable time frame
• Hour, day, week, and longer
• Coming soon for Amazon EBS-based Amazon RDS engines
==============================================================
Can I know when service events happen?
• Amazon RDS uses Amazon SNS to provide notifications when an event occurs
• Notifications can be in any form supported by Amazon SNS (email, a text message, or a call to an HTTP endpoint)
• Six different source types (DB instance, DB parameter group, DB security group, DB snapshot, DB cluster, DB cluster snapshot)
• 17 different event categories (availability, backup, deletion, configuration change, etc.)
==============================================================
Monday 19 April 2021
AWS : Relational Database Service (RDS) - Basics Part 3
Databases are capable of storing large amounts of data efficiently. It is easy to compute, update, and delete data. Data can be searched and retrieved quickly using a database. Marketing, business, government, etc. have a vital role to play in the era of data. Database administration systems interface with users and applications, while the databases themselves capture and analyze the data.
https://genexdbs.com/