mirror of https://gitea.com/mcereda/oam.git, synced 2026-03-03 15:34:25 +00:00
chore(aws): give rds its own article and start kms' section
@@ -10,7 +10,7 @@
1. [GuardDuty](#guardduty)
1. [EventBridge](#eventbridge)
1. [Inspector](#inspector)
1. [RDS](#rds)
1. [KMS](#kms)
1. [Security Hub](#security-hub)
1. [Resource constraints](#resource-constraints)
1. [Access control](#access-control)
@@ -60,6 +60,7 @@ One can can rapidly remapping addresses to other instances in one's account and
| [EventBridge] | FIXME |
| [GuardDuty] | Threat detection |
| [Inspector] | FIXME |
| [KMS] | Key management |
| [OpenSearch] | ELK, logging |
| [RDS] | Databases |
| [S3] | Storage |
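Review bot: the context line in this hunk's header, "One can can rapidly remapping addresses to other instances in one's account and", carries a pre-existing typo (doubled "can", "remapping" for "remap") that is worth a follow-up fix while the file is being touched. Keeping the `| [RDS] | Databases |` row is fine, since `[rds]` is repointed from `#rds` to `rds.md` later in this diff; the new `| [KMS] | Key management |` row matches the `### KMS` section it links to.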
@@ -89,8 +90,6 @@ This feature is automatically enabled by default when one starts using one of th
### Config
FIXME
Compliance service for assessing and auditing AWS resources.
Provides an inventory of resources.<br/>
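Review bot: `FIXME` directly under `### Config` does not say what is missing, while the lines below it ("Compliance service for assessing and auditing AWS resources.", "Provides an inventory of resources.") already describe the service; either drop the marker or replace it with a concrete TODO naming the gap. The same bare `FIXME` recurs under Detective, GuardDuty and Security Hub in the following hunks.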
@@ -113,15 +112,11 @@ Sample templates for compliance standards and benchmarks are available.
### Detective
FIXME
Uses ML and graphs to try and identify the root cause of security issues.<br/>
Creates visualizations with details and context by leveraging events from VPC Flow Logs, CloudTrail and GuardDuty.
### GuardDuty
FIXME
Threat detection service.
It continuously monitors accounts and workloads for malicious activity and delivers security findings for visibility and
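Review bot: "Uses ML and graphs to try and identify the root cause of security issues." should read "try to identify". The Detective and GuardDuty descriptions are otherwise consistent with each other: Detective is described as consuming GuardDuty events, GuardDuty as the producer of findings.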
@@ -139,73 +134,62 @@ _Threat IP List_ is a blacklist of **public IPs and CIDRs** that will be used by
### EventBridge
FIXME
TODO
### Inspector
FIXME
TODO
### RDS
### KMS
Read replicas **can** be promoted to standalone DB instances.<br/>
See [Working with DB instance read replicas].
_Key material_ is the cryptographic secret of Keys that is used in encryption operations.
Disk free metrics are available in CloudWatch.
Enabling automatic key rotation for a KMS key makes the service generate new cryptographic material for the key every
year by default.<br/>
Specify a custom rotation period to customize that time frame.
Automatic backups are **enabled** by default.<br/>
RDS will automatically create storage volume snapshots of the **entire** DB instances.<br/>
Backups occur during a daily user-configurable 30 minute period backup window and are kept for a configurable number of
up to 35 days (_backup retention period_). One can recover DB instances to any point in time during the backup retention
period.
Perform on-demand rotation should you need to immediately initiate key material rotation.<br/>
This works regardless of whether the automatic key rotation is enabled or not. On-demand rotations do **not** change
existing automatic rotation schedules.
DB instances must be in the `available` state for automated backups to occur.<br/>
Automated backups don't occur while DB instances are in other states (i.e., `storage_full`).
KMS saves **all** previous versions of the cryptographic material in perpetuity to allow decryption of any data
encrypted with keys.<br/>
Rotated key material is **not** deleted until the key itself is deleted.
Automated backups don't occur while a DB snapshot copy is running in the same AWS Region for the same database.
Track the rotation of key material [CloudWatch], CloudTrail, and the KMS console.<br/>
Alternatively, use the `GetKeyRotationStatus` operation to verify whether automatic rotation is enabled for a key and
identify any in progress on-demand rotations. Use the `ListKeyRotations` operation to view the details of completed
rotations.
Back up DB instances manually by creating DB snapshots.<br/>
The first snapshot contains the data for the full database. Subsequent snapshots of the same database are incremental.
When using a rotated KMS key to encrypt data, KMS uses the **current** key material.<br/>
When using the same rotated KMS key to decrypt ciphertext, KMS uses the version of the key material that was used for
encryption.<br/>
One **cannot** select a particular version of key materials for decrypt operations. This automation allows to safely use
rotated KMS keys in applications and AWS services without code changes.
One can copy both automatic and manual DB snapshots, but only share manual DB snapshots.
Automatic key rotation has no effect on the data that KMS keys protect: it does **not** rotate the data generated by
rotated keys, re-encrypts any data protected by the keys, nor it will mitigate the effect of compromised data keys.
RDS backup storage for each Region is composed of both the automated backups and manual DB snapshots for that
Region.<br/>
Moving snapshots to other Regions increases the backup storage in the destination Regions.
KMS supports automatic and on-demand key rotation only for symmetric encryption keys with key material that KMS itself
creates.<br/>
Automatic rotation is optional for customer managed KMS keys. KMS rotates the key material for AWS managed keys on an
yearly basis. Rotation of AWS owned KMS keys is managed by the AWS service that owns the key.
Backups are stored in [S3].
Key rotation only changes the key material, not the key's properties.<br/>
The key is considered the same logical resource, regardless of whether or how many times its key material changes.
Should one choose to retain automated backups when deleting DB instances, its automated backups are saved for the full
retention period, otherwise all automated backups are deleted with the instance.<br/>
After they are deleted, automated backups can't be recovered.
Creating a new key and using it in place of the original one has the same effect as rotating the key material in an
existing key.<br/>
This is considered a _manual_ key rotation and is a good choice to rotate keys that are not eligible for automatic key
rotation.
Should one choose to have RDS create a final DB snapshot before deleting a DB instance, one can use that or previously
created manual snapshots to recover it.
AWS charges a monthly fee for the first and second rotation of key material maintained for each key.<br/>
This price increase is capped at the second rotation. Any subsequent rotations will **not** be billed.
Manual snapshots are **not** deleted.
One can store up to 100 manual snapshots per Region.
One can choose any of the following retention periods for instances' Performance Insights data:
- 7 days (default, free tier).
- _n_ months, where n is a number from 1 to 24.<br/>
In CLI and IaC, this number must be _n*31_.
One can export DB snapshot data to [S3] buckets.
The export process runs in the background and does **not** affect the performance of active DB instances.
RDS extracts data from snapshots and stores it in Apache Parquet format.<br/>
By default, **all** data in the snapshots is exported; one can export specific sets of databases, schemas, or tables.
After the export, one can analyze the data directly through
[Athena](https://docs.aws.amazon.com/athena/latest/ug/parquet-serde.html) or
[Redshift Spectrum](https://docs.aws.amazon.com/redshift/latest/dg/copy-usage_notes-copy-from-columnar.html).
Each key counts as one when calculating key resource quotas, regardless of the number of rotated key material versions.
### Security Hub
FIXME
Aggregator of findings for security auditing.
> Uses [Config] to check resources' configuration by leveraging compliancy rules.
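Review bot: the added sentence "it does **not** rotate the data generated by rotated keys, re-encrypts any data protected by the keys, nor it will mitigate the effect of compromised data keys" is ungrammatical and imprecise about what is left unrotated: what a KMS key generates is data keys, so suggest "it does **not** rotate the data keys generated under the key, re-encrypt data already protected by them, or mitigate the effect of a compromised data key". This is the security-relevant caveat of the whole section (rotating the KMS key does nothing for key material already in use elsewhere), so it deserves clean wording. Smaller fixes in the new KMS text: "Track the rotation of key material [CloudWatch], CloudTrail, and the KMS console." is missing "in"; "on an yearly basis" should be "on a yearly basis"; "the cryptographic secret of Keys" should be "of a KMS key". Where the text names `GetKeyRotationStatus` and `ListKeyRotations`, spelling out the CLI forms `aws kms get-key-rotation-status --key-id <key-id>` and `aws kms list-key-rotations --key-id <key-id>` would make the check actionable for readers of this article. On the removed side, the whole RDS body (read replicas, automated backups and the 35-day retention period, manual snapshots and the 100-per-Region limit, Performance Insights retention, snapshot export to S3) leaves this file; the `rds.md` that `[rds]: rds.md` points to is not part of this view, so please confirm those paragraphs landed there rather than being dropped.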
@@ -328,7 +312,6 @@ Examples:
- [Using service-linked roles]
- [Best Practices for Tagging AWS Resources]
- [Automating DNS-challenge based LetsEncrypt certificates with AWS Route 53]
- [Working with DB instance read replicas]
- AWS' [CLI]
- [Configuring EC2 Disk alert using Amazon CloudWatch]
- [aws.permissions.cloud]
@@ -357,11 +340,9 @@ Examples:
- [Use an IAM role in the AWS CLI]
- [Creating a role to delegate permissions to an IAM user]
- [How to use the PassRole permission with IAM roles]
- [Introduction to backups][rds introduction to backups] for RDS
- [Pricing and data retention for Performance Insights][rds pricing and data retention for performance insights] for
RDS
- [Exporting DB snapshot data to Amazon S3]
- [I'm trying to export a snapshot from Amazon RDS MySQL to Amazon S3, but I'm receiving an error. Why is this happening?]
- [Rotating AWS KMS keys]
<!--
Reference
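Review bot: the header counts (`-357,11 +340,9`, with one added line, `- [Rotating AWS KMS keys]`) mean only three lines leave this list, yet five RDS-specific lines are shown: `- [Introduction to backups][rds introduction to backups] for RDS`, the two-line `- [Pricing and data retention for Performance Insights]...` entry, `- [Exporting DB snapshot data to Amazon S3]` and `- [I'm trying to export a snapshot from Amazon RDS MySQL to Amazon S3, ...]`. Whichever RDS entries survive should move to rds.md together with the section they document, and their reference definitions with them.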
@@ -376,7 +357,7 @@ Examples:
[eventbridge]: #eventbridge
[guardduty]: #guardduty
[inspector]: #inspector
[rds]: #rds
[kms]: #kms
[security hub]: #security-hub
<!-- Knowledge base -->
@@ -386,6 +367,7 @@ Examples:
[ecs]: ecs.md
[eks]: eks.md
[opensearch]: opensearch.md
[rds]: rds.md
[s3]: s3.md
[sagemaker]: sagemaker.md
@@ -406,8 +388,7 @@ Examples:
[iam json policy elements: sid]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_sid.html
[nat gateways]: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html
[not authorized to perform: sts:assumerole]: https://repost.aws/questions/QUOY5XngCtRyOX4Desaygz8Q/not-authorized-to-perform-sts-assumerole
[rds introduction to backups]: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_WorkingWithAutomatedBackups.html
[rds pricing and data retention for performance insights]: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_PerfInsights.Overview.cost.html
[rotating aws kms keys]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
[services that publish cloudwatch metrics]: https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/aws-services-cloudwatch-metrics.html
[subnets for your vpc]: https://docs.aws.amazon.com/vpc/latest/userguide/configure-subnets.html
[test your roles' access policies using the aws identity and access management policy simulator]: https://aws.amazon.com/blogs/security/test-your-roles-access-policies-using-the-aws-identity-and-access-management-policy-simulator/
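Review bot: consistent with the reading-list hunk above, this hunk goes from 8 lines to 7 with `[rotating aws kms keys]` added, so only two definitions are removed, `[rds introduction to backups]` and `[rds pricing and data retention for performance insights]`; if the snapshot-export readings are moved to rds.md as well, their reference definitions (which sit outside this hunk) need to follow.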
@@ -419,7 +400,6 @@ Examples:
[what is amazon vpc?]: https://docs.aws.amazon.com/vpc/latest/userguide/what-is-amazon-vpc.html
[what is aws config?]: https://docs.aws.amazon.com/config/latest/developerguide/WhatIsConfig.html
[what is cloudwatch]: https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/WhatIsCloudWatch.html
[working with db instance read replicas]: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_ReadRepl.html
<!-- Others -->
[automating dns-challenge based letsencrypt certificates with aws route 53]: https://johnrix.medium.com/automating-dns-challenge-based-letsencrypt-certificates-with-aws-route-53-8ba799dd207b