RDS Proxy
Table of Contents
RDS Proxy is a managed AWS service that is designed to improve performance of distributed serverless applications talking to RDS databases. It performs connection pooling and managed authentication that Lambda can use, thus preventing a lambda scale-up event from overwhelming the database.
From the AWS Service Description:
Amazon RDS Proxy is a fully managed, highly available database proxy for Amazon Relational Database Service (RDS) that makes applications more scalable, more resilient to database failures, and more secure. Amazon RDS Proxy allows applications to pool and share connections established with the database, improving database efficiency and application scalability. With RDS Proxy, failover times for Aurora and RDS databases are reduced by up to 66% and database credentials, authentication, and access can be managed through integration with AWS Secrets Manager and AWS Identity and Access Management (IAM). (source)
The RDS Proxy creates a database endpoint for your serverless applications, and behind the RDS Proxy is a database target. In a way, RDS Proxy acts like a load balancer for your RDS or Aurora databases. All of this happens inside your VPC.
AWS Lambda functions can also be good candidates for using a proxy. These functions make frequent short database connections that benefit from connection pooling offered by RDS Proxy. You can take advantage of any IAM authentication you already have for Lambda functions, instead of managing database credentials in your Lambda application code.(source)
As a result, any Lambda that want to use DB Proxy must have their ENI inside your VPC.
Service Summary
Service Name: Rds Proxy
Service Family: Database
Supports Resource Policies: No (but does require Secrets Manager which does)
Service Pricing: Priced per vCPU of the underlying database instance
Service Webpage: https://aws.amazon.com/rds/proxy/
Security Risks
RDS Proxy acts as a man-in-the-middle between applications and the database.
RDS Proxy handles the network traffic between the client application and the database. It does so in an active way first by understanding the database protocol. It then adjusts its behavior based on the SQL operations from your application and the result sets from the database.(source)
Additionally, it:
- deploys inside your VPC (so the good news is it doesn’t make your RDS publicly accessible)
- stores your RDS Password in Secrets Manager
- does not require TLS by default, but does supports protocol version 1.0, 1.1 and 1.2
- requires you to apply a resource policy trusting the RDS service to the Secrets Manager secret holding the database user/pass.
WARNING: There is a feature for Debug Logging. This will log all of the SQL Statements to Cloudwatch Logs.
Service Limitations to be aware of
You can find all the service limitations here, but these are of note:
- Your RDS Proxy must be in the same VPC as the database. The proxy can’t be publicly accessible, although the database can be.
- You can’t use RDS Proxy with a VPC that has dedicated tenancy.
- You can’t use RDS Proxy with custom DNS.
Suggested Compliance Rules around RDS Proxy
- Enforce TLS between the proxy and the database
- Require TLS between the client and the proxy
- Each RDS Proxy should have a unique secret for each underlying database/user combination. RDS Proxy should not reuse a secrets even if the same credentials are used across multiple databases (the latter is bad practice and you want to prevent that bad practice from propagating to the new service).
- RDS Proxy security group should follow least privilege.
- Authentication to RDS Proxy should require the use of IAM (not username/password).
- Do not enable Debug Logging
CloudTrail events of significance
The CloudTrail events around the management of RDS Proxy aren’t particularly interesting. RDS Proxy is part of the rds.amazonaws.com
eventSource.
There is no option to log connection activity, however the fetching of secrets and the IAM authentication to the databases should be logged in CloudTrail