Hi Everyone,
In this article, let us analyze the security posture of Oracle RDS hosted on AWS.
There are many ways to measure, prevent, protect against and remediate the risks of running Oracle RDS on AWS. Some of the steps are owned by AWS, but most are owned by the customer, and many services and scenarios are involved; choose your plan of action based on your use cases. Here is my compiled list.
| Ownership | Notes | References |
| --- | --- | --- |
| AWS responsibility | "Security of the Cloud" | https://aws.amazon.com/compliance/shared-responsibility-model/ |
| AWS responsibility | AWS is responsible for protecting the physical facilities that run all of the services offered in the AWS Cloud, including auditing who enters the data centers. | |
| AWS responsibility | Hardware and hypervisors are patched and upgraded by AWS over time. | |
| Shared | Awareness and training: AWS trains its own employees, but we must train our own employees on how our data is stored, retrieved and transmitted securely. | |
| Customer responsibility | "Security in the Cloud" | |
| Customer responsibility | The many controls the customer owns are elaborated in the tables below. | |
| Migration | Notes | References |
| --- | --- | --- |
| AWS DMS | AWS DMS endpoint connections can be encrypted with Secure Sockets Layer (SSL) / Transport Layer Security (TLS). | |
| AWS Snow Family services | All data moved to AWS Snow Family devices is automatically encrypted with 256-bit encryption keys managed by the AWS Key Management Service (KMS). Encryption keys are never stored on the device, so your data stays secure during transit. Anti-tamper and tamper-evident: AWS Snow devices feature a Trusted Platform Module (TPM) that provides a hardware root of trust, and each device is inspected after each use to ensure its integrity and help preserve the confidentiality of your data. Once the data migration job is complete and verified, AWS performs a software erasure of the device that follows the National Institute of Standards and Technology (NIST) guidelines for media sanitization. | https://aws.amazon.com/snow/ |
| Oracle Native Tool Data Pump | Migrated data can be encrypted using the native Oracle Data Pump tool. The expdp/impdp utilities can encrypt/decrypt all or selected components of a dump file using the ENCRYPTION parameter values ALL, DATA_ONLY, ENCRYPTED_COLUMNS_ONLY and METADATA_ONLY, and support the AES128, AES192 and AES256 algorithms. | |
| Oracle Native Tool imp/exp | exp and imp are legacy utilities from pre-10g days; prefer expdp/impdp, which offer many more options. Use a parfile instead of passing the password on the command line, remove the password from the parfile after the utility has run, and protect the parfile and dump files at the OS level with chmod. | |
| Oracle Native Tool SQL*Loader | Use a parfile instead of passing the password on the command line, remove the password from the parfile after the utility has run, and protect the data files and parfile at the OS level with chmod. | |
| Migrating with Oracle materialized views | Use SQL*Net TLS or Native Network Encryption as the in-transit protection, and connect over IPsec-encrypted private connections. | |
| SQL Developer Copy Wizard | Use SQL*Net TLS or Native Network Encryption as the in-transit protection, connect over IPsec-encrypted private connections, and use strong passwords and least-privilege access. | |
| Oracle GoldenGate | Passwords in commands and parameter files that GoldenGate processes use to log into a database: use password encryption or the credential store (identity management). Data in trails or Extract files and data sent across TCP/IP networks: encrypt with the master key and wallet method. EC2 instances running GoldenGate hubs: harden their security groups. | https://docs.oracle.com/en/middleware/goldengate/core/19.1/securing/introducing-oracle-goldengate-security.html#GUID-119E5669-BFDC-4C1F-AB8F-3859DA0FB621 |
| Fivetran HVR software | Use the encryption wallet to encrypt all passwords HVR stores. Use LDAP authentication, or PAM on Linux. Database authentication should go through a database user with minimal database-level privileges. During real-time data integration HVR temporarily stores transaction files on the hub server; use HVR's encryption wallet to encrypt data that is momentarily stored on disk, or alternatively place HVR_CONFIG on an encrypted file system. Use a proxy when an HVR hub running in the cloud connects to on-premises databases. | http://www.hvr-software.com/wp-content/uploads/2021/01/HVR_whitepaper_Security_Best_Practices_2021.pdf |
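The Data Pump and parfile advice in the Oracle-tool rows above, worked through as an added example (this is not Oracle's or AWS's code): the helper writes an encrypted-export parfile that is owner-readable only, keeps both passwords off the command line, and strips the encryption password from the parfile once the export has run. The connect string `hr@orclrds`, the `DATA_PUMP_DIR` directory object and the `HR` schema are assumed placeholders.

```python
import os
import subprocess
import tempfile
from pathlib import Path

# Encryption-enabling values of Data Pump's ENCRYPTION and ENCRYPTION_ALGORITHM
# parameters (NONE is deliberately left out: this helper only produces encrypted dumps).
ENCRYPTION_SCOPES = {"ALL", "DATA_ONLY", "ENCRYPTED_COLUMNS_ONLY", "METADATA_ONLY"}
ENCRYPTION_ALGORITHMS = {"AES128", "AES192", "AES256"}

def build_parfile(path, schema, directory, dumpfile, password, scope="ALL", algorithm="AES256"):
    """Write an expdp parfile that is owner-readable only (mode 0600) from the moment it exists."""
    if scope not in ENCRYPTION_SCOPES:
        raise ValueError(f"unsupported ENCRYPTION value: {scope}")
    if algorithm not in ENCRYPTION_ALGORITHMS:
        raise ValueError(f"unsupported ENCRYPTION_ALGORITHM value: {algorithm}")
    lines = [f"SCHEMAS={schema}", f"DIRECTORY={directory}", f"DUMPFILE={dumpfile}",
             f"ENCRYPTION={scope}", f"ENCRYPTION_ALGORITHM={algorithm}",
             "ENCRYPTION_MODE=PASSWORD",  # password-protected dump, no wallet required
             f"ENCRYPTION_PASSWORD={password}"]
    # Creating the file with 0o600 avoids any window in which it is world-readable.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write("\n".join(lines) + "\n")
    return lines

def scrub_password(path):
    """Drop the ENCRYPTION_PASSWORD line after the export; keep the rest for audit."""
    kept = [l for l in Path(path).read_text().splitlines()
            if not l.startswith("ENCRYPTION_PASSWORD=")]
    Path(path).write_text("\n".join(kept) + "\n")
    return kept

def run_export(parfile, connect="hr@orclrds"):
    """Run expdp with nothing but the parfile on the command line (connect string is hypothetical)."""
    try:
        return subprocess.run(["expdp", connect, f"PARFILE={parfile}"], check=True).returncode
    finally:
        scrub_password(parfile)  # the password leaves the disk even if expdp fails

def demo():
    """Self-contained walk-through on a temp file; returns (mode, lines_before, lines_after)."""
    with tempfile.TemporaryDirectory() as tmp:
        pf = os.path.join(tmp, "export_hr.par")
        before = build_parfile(pf, "HR", "DATA_PUMP_DIR", "hr_%U.dmp", "constructed-demo-pw")
        mode = os.stat(pf).st_mode & 0o777   # permission bits only
        after = scrub_password(pf)
    return mode, before, after
```

`demo()` exercises everything except the expdp call itself; `run_export()` is what you would invoke on a host where the Oracle client is installed.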
| Other Services for Oracle RDS | Notes | References |
| --- | --- | --- |
| VPC | Host databases in private subnets; do not expose a sensitive database to the public internet. | |
| Network ACLs | Allow only the traffic that is required. | |
| CloudTrail | All API calls are recorded: who created a DB instance, and when it was altered or destroyed. GuardDuty can analyze these logs for suspicious activity. | |
| DNS query logs | Route 53 Resolver query logs can be analyzed by GuardDuty. | https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver-query-logs.html? |
| Security Group | Security group hardening helps RDS run securely. Avoid wide CIDR ranges and 0.0.0.0/0 access. | |
| VPC Flow Logs | Audit VPC Flow Logs; GuardDuty can analyze them for suspicious activity. | |
| GuardDuty | Amazon GuardDuty is a security monitoring service that analyzes and processes VPC Flow Logs and AWS CloudTrail event logs to detect suspicious activity and potential security threats in your AWS environment. | |
| WAF | AWS WAF (web application firewall) is a service that gives you control over the type of traffic that is allowed to reach your application. It lets you create rules that can help prevent SQL injection and cross-site scripting attacks against the applications in front of the database. | https://docs.aws.amazon.com/waf/latest/developerguide/classic-web-acl-sql-conditions.html |
| NAT Gateway | For the RDS for Oracle instance to make secure connections to an internet website using UTL_HTTP, add the root CA certificate that signed the website's certificate to the Oracle wallet. A NAT Gateway gives the private subnet outbound connectivity to the internet without exposing the instance inbound. | https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Oracle.Concepts.ONA.html https://docs.aws.amazon.com/vpc/latest/userguide/nat-gateway-scenarios.html |
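The Security Group row above, as an added example rather than code from the original post: the audit walks JSON in the shape `aws ec2 describe-security-groups` returns (a constructed sample is embedded) and flags every source range that can reach the listener port and is 0.0.0.0/0 or ::/0, or wider than an assumed /16 threshold.

```python
import ipaddress

ORACLE_PORT = 1521        # default SQL*Net listener port
MIN_PREFIX_LEN = 16       # assumption: a source range wider than /16 is "too wide" for a database

# Constructed sample in the shape returned by `aws ec2 describe-security-groups`.
SAMPLE = {"SecurityGroups": [
    {"GroupId": "sg-0aaa", "GroupName": "rds-oracle-public", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 1521, "ToPort": 1521,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0bbb", "GroupName": "rds-oracle-corp", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 1521, "ToPort": 1521,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}, {"CidrIp": "10.20.30.0/24"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0ccc", "GroupName": "rds-oracle-allproto", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
]}

def rule_covers_port(perm, port):
    """True if an ingress permission reaches `port`: all-protocol rules, or a TCP range containing it."""
    if perm.get("IpProtocol") == "-1":
        return True
    return (perm.get("IpProtocol") == "tcp"
            and perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535))

def audit_security_groups(doc, port=ORACLE_PORT, min_prefix_len=MIN_PREFIX_LEN):
    """Return (group_id, cidr, reason) for every source range that exposes `port` too widely."""
    findings = []
    for sg in doc["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            if not rule_covers_port(perm, port):
                continue   # e.g. the 443 rule in sg-0ccc is not a database exposure
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                prefix = ipaddress.ip_network(cidr, strict=False).prefixlen
                if prefix == 0:
                    findings.append((sg["GroupId"], cidr, "open to the world"))
                elif prefix < min_prefix_len:
                    findings.append((sg["GroupId"], cidr, f"wider than /{min_prefix_len}"))
    return findings

if __name__ == "__main__":
    for gid, cidr, why in audit_security_groups(SAMPLE):
        print(f"{gid}: {cidr} can reach tcp/{ORACLE_PORT} -> {why}")
```

On a real account, feed the output of `aws ec2 describe-security-groups` (parsed with `json.load`) to `audit_security_groups` in place of `SAMPLE`.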
| Engine | Notes | References |
| --- | --- | --- |
| RDS Oracle | Keep up with the latest PSU for the Oracle release in use. The latest Long Term release is 19c and the latest Innovation release is 21c. | |
| Authentication | Enforce strong password requirements with a password verify function (the PASSWORD_VERIFY_FUNCTION profile parameter); use Kerberos authentication. | |
| Authorization | IAM privileges on RDS actions, and Oracle database users granted only the privileges needed to run their task. | |
| Encryption | TDE, and EBS storage encryption with KMS keys. | |
| S3 Backups | Keep S3 closed to the public; use least-privilege access; consider data encryption at rest; use AWS Trusted Advisor to inspect the S3 setup; audit the S3 buckets. | https://docs.aws.amazon.com/AmazonS3/latest/userguide/security-best-practices.html#security-best-practices-prevent |
| In Transit | Use Native Network Encryption or SSL/TLS. | |
| AWS Secrets Manager | Use AWS Secrets Manager to store passwords and rotate them. | |
| Trusted Advisor | Trusted Advisor has the following Amazon RDS-related checks: Amazon RDS Idle DB Instances; Amazon RDS Security Group Access Risk; Amazon RDS Backups; Amazon RDS Multi-AZ. | |
| DBSAT | DBSAT analyzes information on the database and listener configuration to identify configuration settings that may unnecessarily introduce risk. DBSAT goes beyond simple configuration checking, examining user accounts, privilege and role grants, authorization control, separation of duties, fine-grained access control, data encryption and key management, auditing policies, and OS file permissions. DBSAT applies rules to quickly assess the current security status of a database and produce findings in all the areas above. For each finding, DBSAT recommends remediation activities that follow best practices to reduce or mitigate risk. | https://www.oracle.com/database/technologies/security/dbsat.html#:~:text=Oracle%20Database%20Security%20Assessment%20Tool%20(DBSAT)%20is%20a%20popular%20command,controls%20to%20mitigate%20those%20risks. |
| Data Redaction | Data Masking | https://www.oracle.com/security/database-security/data-masking/ |
| Label Security | Amazon RDS supports Oracle Label Security for the Enterprise Edition of Oracle Database through the OLS option. Most database security controls access at the object level; Oracle Label Security provides fine-grained control of access to individual table rows. For example, you can use Label Security to enforce regulatory compliance with a policy-based administration model, and use Label Security policies to control access to sensitive data and restrict it to only users with the appropriate clearance level. | https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Oracle.Options.OLS.html |
http://applicationsdba.blogspot.com |