Profile Applicability:
Level 1
Description:
Keyspace security in Amazon Aurora refers to the configuration settings that protect the database’s schema, tables, and overall structure from unauthorized access. It includes applying access controls, setting up secure authentication mechanisms, and ensuring the proper isolation of sensitive data.
Rationale:
Ensuring that keyspace security is properly configured helps to prevent unauthorized users from modifying the structure or accessing sensitive data within the database. By implementing strict security controls around keyspaces, database integrity and confidentiality are maintained, minimizing the potential for data breaches or malicious activities.
Impact:
Failure to configure keyspace security correctly can lead to unauthorized users gaining access to sensitive data or modifying the database schema, which could result in data breaches, data loss, or corruption. Proper configuration ensures that only authorized users can perform actions on keyspaces and tables, thereby safeguarding the database's structure and contents.
Default Value:
By default, keyspace security is not specifically configured within Amazon Aurora. Security settings for keyspaces must be manually configured through IAM policies, database access controls, and specific database settings like roles and permissions.
Pre-requisites:
An AWS account with administrative privileges.
Aurora database instance created and running.
Knowledge of IAM roles and permissions, as well as Aurora’s role-based access control system.
Test Plan:
Using AWS Console:
Navigate to RDS > Databases, select your Aurora instance, and check the Configuration section to ensure that keyspace access controls are properly set up.
Review IAM roles and policies attached to the Aurora instance to ensure that only authorized users have permission to modify the keyspace or database schema.
In RDS > Databases > Modify, check if database-level security features, such as encryption and access restrictions, are enabled for the Aurora instance.
Verify that the correct SQL roles and permissions are assigned to each database user and group to prevent unauthorized access to sensitive data or schema modifications.
Using AWS CLI:
Check the IAM roles and policies associated with the Aurora instance:
aws rds describe-db-instances --query "DBInstances[].{DBInstanceIdentifier:DBInstanceIdentifier, IAMRoles:AssociatedRoles}"
List the roles and permissions associated with the Aurora database:
aws rds describe-db-instances --query "DBInstances[].{DBInstanceIdentifier:DBInstanceIdentifier, DBInstanceStatus:DBInstanceStatus, Role:AssociatedRoles}"
Check if encryption and keyspace-level access restrictions are in place:
aws rds describe-db-instances --query "DBInstances[].{DBInstanceIdentifier:DBInstanceIdentifier, KmsKeyId:KmsKeyId}"
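The three CLI checks above can be evaluated in one pass over the JSON that aws rds describe-db-instances returns. The script below is an added example, not part of the original benchmark text: the sample document, account ID, role ARNs and the APPROVED_ROLES allowlist are constructed for illustration, and the "audit" log type is taken from the implementation step in this section.

```python
import json

# Constructed sample, shaped like `aws rds describe-db-instances` output.
SAMPLE = json.loads("""
{"DBInstances": [
  {"DBInstanceIdentifier": "aurora-prod-1", "Engine": "aurora-mysql",
   "StorageEncrypted": true,
   "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
   "EnabledCloudwatchLogsExports": ["audit", "error"],
   "AssociatedRoles": [
     {"RoleArn": "arn:aws:iam::111122223333:role/aurora-s3-export",
      "FeatureName": "s3Export", "Status": "ACTIVE"}]},
  {"DBInstanceIdentifier": "aurora-dev-1", "Engine": "aurora-mysql",
   "StorageEncrypted": false,
   "EnabledCloudwatchLogsExports": [],
   "AssociatedRoles": [
     {"RoleArn": "arn:aws:iam::111122223333:role/legacy-admin",
      "FeatureName": "s3Import", "Status": "ACTIVE"}]}
]}
""")

# Assumption: the set of role ARNs your organization has approved.
APPROVED_ROLES = {"arn:aws:iam::111122223333:role/aurora-s3-export"}


def audit_instance(inst, approved_roles):
    """Return a list of findings for one DBInstances entry."""
    findings = []
    # Encryption at rest: StorageEncrypted must be true and a KMS key reported.
    if not inst.get("StorageEncrypted", False):
        findings.append("storage not encrypted")
    elif not inst.get("KmsKeyId"):
        findings.append("encrypted but no KmsKeyId reported")
    # Audit logging: the "audit" log type must be exported to CloudWatch Logs.
    if "audit" not in (inst.get("EnabledCloudwatchLogsExports") or []):
        findings.append("audit log export not enabled")
    # IAM roles: every associated role must be on the allowlist.
    for role in inst.get("AssociatedRoles") or []:
        if role.get("RoleArn") not in approved_roles:
            findings.append(f"unapproved role: {role.get('RoleArn')}")
    return findings


def audit(doc, approved_roles=APPROVED_ROLES):
    """Map each instance identifier to its findings (empty list = pass)."""
    return {i["DBInstanceIdentifier"]: audit_instance(i, approved_roles)
            for i in doc.get("DBInstances", [])}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(name, "PASS" if not findings else "FAIL: " + "; ".join(findings))
```

To run it against a real account, replace SAMPLE with the parsed output of aws rds describe-db-instances and set APPROVED_ROLES to your own allowlist.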
Implementation Plan:
Using AWS Console:
Go to RDS > Databases and select the Aurora instance.
Under IAM roles, ensure that only authorized users and applications have the necessary permissions to interact with the keyspace.
In the Modify section, review and enable encryption for the database to ensure that all data at rest and in transit is protected.
Set up proper SQL roles and permissions at the database level to restrict unauthorized access to tables, schemas, or keyspaces.
Apply changes to update and enforce the correct permissions and roles.
Using AWS CLI:
Attach or modify IAM roles and policies to control keyspace access:
aws rds add-role-to-db-instance --db-instance-identifier <db-instance-id> --role-arn <iam-role-arn> --feature-name <feature-name>
Update the database instance configuration to enable encryption for data at rest:
aws rds modify-db-instance --db-instance-identifier <db-instance-id> --storage-encrypted --kms-key-id <kms-key-id> --apply-immediately
Modify SQL roles and permissions to enforce keyspace security:
aws rds modify-db-instance --db-instance-identifier <db-instance-id> --cloudwatch-logs-export-configuration '{"EnableLogTypes":["audit"]}' --apply-immediately
Backout Plan:
Using AWS Console:
Navigate to RDS > Databases, select the Aurora instance, and click Modify.
Remove any restrictive IAM roles or policies that were applied to the instance.
Disable encryption for the database by unchecking the encryption options in the Modify section.
Revert SQL roles and permissions to their previous configurations to allow broader access if necessary.
Using AWS CLI:
Detach the IAM role from the Aurora instance:
aws rds remove-role-from-db-instance --db-instance-identifier <db-instance-id> --role-arn <iam-role-arn> --feature-name <feature-name>
Disable encryption:
aws rds modify-db-instance --db-instance-identifier <db-instance-id> --no-storage-encrypted --apply-immediately
Revert SQL roles and permissions:
aws rds modify-db-instance --db-instance-identifier <db-instance-id> --cloudwatch-logs-export-configuration '{"DisableLogTypes":["audit"]}' --apply-immediately
References:
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.html