Security with Amazon Aurora PostgreSQL
1. Aurora DB clusters must be created in an Amazon Virtual Private Cloud (VPC). To control which devices and Amazon EC2 instances can open connections to the endpoint and port of the DB instance for Aurora DB clusters in a VPC, you use a VPC security group. These endpoint and port connections can be made using Secure Sockets Layer (SSL). In addition, firewall rules at the company can control whether devices running at the company can open connections to a DB instance.
2. Aurora PostgreSQL supports db.r4 and db.t3 instance classes with default VPC tenancy only. With default VPC tenancy, the VPC runs on shared hardware. With dedicated VPC tenancy, the VPC runs on a dedicated hardware instance.
3. When you create an Amazon Aurora PostgreSQL DB instance, the master user has the following default privileges: LOGIN, NOSUPERUSER, INHERIT, CREATEDB, CREATEROLE, NOREPLICATION, and VALID UNTIL 'infinity'. To provide management services for each DB cluster, the rdsadmin user is created when the DB cluster is created.
4. You can restrict who can manage database user passwords to a special role. By doing this, you can have more control over password management on the client side. You enable restricted password management with the static parameter rds.restrict_password_commands and use a role called rds_password. When the parameter rds.restrict_password_commands is set to 1, only users that are members of the rds_password role can run certain SQL commands. The restricted SQL commands are commands that modify database user passwords and password expiration time. To use restricted password management, your DB cluster must be running Amazon Aurora for PostgreSQL 10.6 or higher. Because the rds.restrict_password_commands parameter is static, changing this parameter requires a database restart.
5. The rds_superuser role has membership in the rds_password role by default, and you can't change this. You can give other roles membership in the rds_password role by using the GRANT SQL command. It is recommended that you give membership in rds_password to only a few roles that you use solely for password management. These roles require the CREATEROLE attribute to modify other roles.
6. Amazon RDS supports Secure Sockets Layer (SSL) encryption for Aurora PostgreSQL DB clusters. Using SSL, you can encrypt a connection between your applications and your Aurora PostgreSQL DB clusters. You can also force all connections to your Aurora PostgreSQL DB cluster to use SSL. Amazon Aurora PostgreSQL supports Transport Layer Security (TLS) versions 1.1 and 1.2. Aurora PostgreSQL doesn't enforce TLS connections on its own, so they must be enforced from the application.
7. Amazon RDS creates an SSL certificate for the Aurora PostgreSQL DB cluster when the DB cluster is created. The SSL certificate includes the DB cluster endpoint as its Common Name (CN), so when you enable SSL certificate verification on the client, the client can match the endpoint it connected to against the CN to guard against spoofing attacks.
8. You can require that connections to your Aurora PostgreSQL DB cluster use SSL by using the rds.force_ssl parameter. By default, the rds.force_ssl parameter is set to 0 (off). Updating the rds.force_ssl parameter also sets the PostgreSQL ssl parameter to 1 (on) and modifies your DB cluster's pg_hba.conf file to support the new SSL configuration; you will need to reboot your DB cluster for the change to take effect.
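Points 4, 6, 7 and 8 boil down to two cluster parameters that should not be left at their defaults and one client-side setting (certificate verification against the cluster endpoint). The script below is an added example, not part of the original article or of AWS tooling: it audits a list of parameter records shaped like `aws rds describe-db-cluster-parameters` output (the sample records are constructed here), flags weak values, notes which ones need a reboot because they are static, and builds a libpq DSN that uses `sslmode=verify-full` so the server certificate's CN must match the endpoint. The CA bundle path and endpoint names are placeholders.

```python
# Constructed sample in the shape of `describe-db-cluster-parameters` output,
# representing a cluster still on the defaults described in points 4 and 8.
SAMPLE_PARAMETERS = [
    {"ParameterName": "rds.force_ssl", "ParameterValue": "0", "ApplyType": "static"},
    {"ParameterName": "rds.restrict_password_commands", "ParameterValue": "0",
     "ApplyType": "static"},
    {"ParameterName": "ssl", "ParameterValue": "1", "ApplyType": "static"},
]

# Wanted value per parameter and the risk when it is not set (from the article).
REQUIRED = {
    "rds.force_ssl": ("1", "clients may connect without SSL/TLS"),
    "rds.restrict_password_commands": ("1", "any CREATEROLE user can change passwords"),
}


def audit_parameters(params):
    """Return findings as (name, current, wanted, reason, needs_reboot) tuples.

    A parameter missing from the list is reported with current=None: the
    caller should treat it as 'unknown', not as compliant.
    """
    by_name = {p["ParameterName"]: p for p in params}
    findings = []
    for name, (wanted, reason) in REQUIRED.items():
        entry = by_name.get(name, {})
        current = entry.get("ParameterValue")
        if current != wanted:
            # Static parameters (point 4, point 8) only apply after a reboot.
            needs_reboot = entry.get("ApplyType") == "static"
            findings.append((name, current, wanted, reason, needs_reboot))
    return findings


def client_dsn(cluster_endpoint, dbname, user, ca_bundle):
    """Build a libpq DSN that enforces TLS from the application side (point 6)
    and verifies the server certificate CN against the endpoint (point 7).

    `ca_bundle` is the path to the RDS CA certificate; placeholder here.
    """
    return (f"host={cluster_endpoint} dbname={dbname} user={user} "
            f"sslmode=verify-full sslrootcert={ca_bundle}")


if __name__ == "__main__":
    for name, cur, want, why, reboot in audit_parameters(SAMPLE_PARAMETERS):
        print(f"{name}={cur!r}, want {want}: {why}"
              + (" (reboot required after change)" if reboot else ""))
    print(client_dsn("mycluster.cluster-EXAMPLE.us-east-1.rds.amazonaws.com",
                     "appdb", "appuser", "/etc/ssl/rds-ca-bundle.pem"))
```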