Architecting for database encryption on AWS – TerabitWeb Blog



Option 1 – Using Amazon RDS with Amazon EBS encryption and key management provided by AWS KMS
This approach uses the Amazon RDS service, where AWS manages the operating system and database engine. You can configure this service to be a highly scalable resource spanning multiple Availability Zones within an AWS Region to provide resiliency. AWS KMS manages the keys that are used to encrypt the attached Amazon EBS volumes at rest.
Note: This configuration is recommended as your default database encryption approach.

Benefits
- No key management requirement on the host; key management is automated and performed by AWS KMS
- Meets FIPS 140-2 Level 2 validation requirements
- Simple vertical and horizontal scalability
- Snapshots for recovery are encrypted automatically
- AWS manages the patching, maintenance, and configuration of the operating system and database engine
- Well-recognized configuration, with support offered through AWS Support
- AWS KMS costs are comparatively low

Challenges
- Dependent on Amazon RDS supported engines and versions
- Might require additional controls to manage unauthorized access at table, row, column, or cell level (EBS encryption is transparent to the database engine, so it protects the storage media but does not limit what an authenticated database user or a compromised host can read)

Option 2 – Using Amazon RDS with Amazon EBS encryption and key management provided by AWS KMS custom key store
This approach uses the Amazon RDS service, where AWS manages the operating system and database engine. You can configure this service to be a highly scalable resource spanning multiple Availability Zones within a Region to provide resiliency.

CloudHSM keys are used via AWS KMS service integration to encrypt the Amazon EBS volumes at rest.
Note: This configuration is recommended where FIPS 140-2 Level 3 validation is a specified compliance requirement.

Benefits
- No key management requirement on the host; key management is performed by AWS KMS
- Meets FIPS 140-2 Level 3 validation requirements
- Simple vertical and horizontal scalability
- Snapshots for recovery are encrypted automatically
- AWS manages the patching, maintenance, and configuration of the database engine
- Well-recognized configuration, with support offered through AWS Support

Challenges
- Dependent on Amazon RDS supported engines and versions
- You are responsible for provisioning, configuration, scaling, maintenance, and costs of running the CloudHSM cluster (connecting a custom key store requires a cluster with at least two active HSMs in different Availability Zones, and while the key store is disconnected KMS cannot create or unwrap data keys for that key)
- Might require additional controls to manage unauthorized access at table, row, column, or cell level

Option 3 – Customer-managed database platform hosted on Amazon EC2 with Amazon EBS encryption and key management provided by KMS
In this approach, the key difference is that you’re responsible for managing the EC2 instances, operating systems, and database engines. You can still configure your databases to be highly scalable resources spanning multiple Availability Zones within a Region to provide resiliency, but it takes more effort.

AWS KMS manages the keys that are used to encrypt the attached Amazon EBS volumes at rest.
Note: This configuration is recommended when Amazon RDS doesn’t support the desired database engine type or version.

Benefits
- A 1:1 relationship for migration of database engine configuration
- Key rotation and management is handled transparently by AWS
- Data encryption keys are managed by the hypervisor, not by your EC2 instance
- AWS KMS costs are comparatively low

Challenges
- You’re responsible for patching and updates of the database engine and OS
- Might require additional controls to manage unauthorized access at table, row, column, or cell level

Option 4 – Customer-managed database platform hosted on Amazon EC2 with Amazon EBS encryption and key management provided by KMS custom key store
In this approach, you are again responsible for managing the EC2 instances, operating systems, and database engines. You can still configure your databases to be highly scalable resources spanning multiple Availability Zones within a Region to provide resiliency, but it takes more effort. And similar to Option 2, CloudHSM keys are used via AWS KMS service integration to encrypt the Amazon EBS volumes at rest.
Note: This configuration is recommended when Amazon RDS doesn’t support the desired database engine type or version and when FIPS 140-2 Level 3 compliance is required.
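Options 1 through 4 differ only in who runs the engine and where the key lives, and both facts are visible from the describe-* API calls: StorageEncrypted / Encrypted says whether the volume is encrypted at all, and the key’s Origin (AWS_KMS versus AWS_CLOUDHSM) tells a plain KMS key from one in a CloudHSM-backed custom key store. The following is an added example, not code from the original post or from AWS: it classifies RDS instances and EBS volumes into the four options and flags the cases that fall short (no encryption, a disabled key, or the AWS managed default key). The field names are those of the real API responses; all the sample resources, key ARNs and the cluster ID are constructed for the example.

```python
"""Classify Amazon RDS instances and Amazon EBS volumes by which of the
encryption options above (1 to 4) they actually implement, using the fields
returned by the describe-* API calls.

Input shapes (field names as in the AWS API responses):
  rds.describe_db_instances()["DBInstances"][i]:
      DBInstanceIdentifier, StorageEncrypted, KmsKeyId (key ARN)
  ec2.describe_volumes()["Volumes"][i]:
      VolumeId, Encrypted, KmsKeyId (key ARN)
  kms.describe_key(KeyId=arn)["KeyMetadata"]:
      Arn, KeyManager ("AWS" or "CUSTOMER"), Origin, KeyState,
      CloudHsmClusterId (present only for custom key store keys)
In a live run, `keys` is built by calling describe_key once per distinct
KmsKeyId.  Everything in SAMPLE_* below is constructed for this example.
"""

# Key origin separates the two "KMS" options from the two "custom key store"
# options: keys in a CloudHSM-backed custom key store have Origin AWS_CLOUDHSM.
OPTION_BY_RESOURCE_AND_ORIGIN = {
    ("rds", "AWS_KMS"): "Option 1 (Amazon RDS, AWS KMS)",
    ("rds", "AWS_CLOUDHSM"): "Option 2 (Amazon RDS, KMS custom key store)",
    ("ebs", "AWS_KMS"): "Option 3 (EC2/EBS, AWS KMS)",
    ("ebs", "AWS_CLOUDHSM"): "Option 4 (EC2/EBS, KMS custom key store)",
}


def classify(resource_type, resource_id, encrypted, key_arn, keys):
    """Return one finding: which option the resource implements, or why it
    falls short.  `keys` maps key ARN -> KeyMetadata for this account/region."""
    finding = {"resource": resource_id, "option": None, "severity": "high"}
    if not encrypted:
        finding["detail"] = "not encrypted at rest"
        return finding
    meta = keys.get(key_arn)
    if meta is None:
        finding["detail"] = f"key {key_arn} not visible in this account/region"
        return finding
    if meta["KeyState"] != "Enabled":
        # The hypervisor keeps the plaintext data key in memory, so a running
        # resource survives, but a restart or a restore from snapshot cannot
        # unwrap the data key while the KMS key is disabled or pending deletion.
        finding["detail"] = f"key state is {meta['KeyState']}; restart or restore will fail"
        return finding
    option = OPTION_BY_RESOURCE_AND_ORIGIN.get((resource_type, meta["Origin"]))
    if option is None:
        finding["detail"] = f"unexpected key origin {meta['Origin']}"
        return finding
    finding["option"] = option
    finding["severity"] = "info"
    detail = f"{meta['KeyManager'].lower()}-managed key"
    if meta["Origin"] == "AWS_CLOUDHSM":
        detail += f" backed by CloudHSM cluster {meta.get('CloudHsmClusterId')}"
    if meta["KeyManager"] == "AWS":
        # aws/rds and aws/ebs: the key policy cannot be edited and snapshots
        # encrypted with them cannot be shared with another account.
        finding["severity"] = "medium"
        detail += "; AWS managed key: policy not editable, snapshots not shareable"
    finding["detail"] = detail
    return finding


def audit(db_instances, volumes, keys):
    """Run classify() over both resource types; findings are in input order."""
    findings = [classify("rds", db["DBInstanceIdentifier"],
                         db.get("StorageEncrypted", False), db.get("KmsKeyId"), keys)
                for db in db_instances]
    findings += [classify("ebs", v["VolumeId"],
                          v.get("Encrypted", False), v.get("KmsKeyId"), keys)
                 for v in volumes]
    return findings


# --- constructed sample data (not from a real account) ---
_ACCT = "111122223333"
KEY_CMK = f"arn:aws:kms:us-east-1:{_ACCT}:key/1111aaaa-0000-4000-8000-000000000001"
KEY_HSM = f"arn:aws:kms:us-east-1:{_ACCT}:key/2222bbbb-0000-4000-8000-000000000002"
KEY_EBS_DEFAULT = f"arn:aws:kms:us-east-1:{_ACCT}:key/3333cccc-0000-4000-8000-000000000003"

SAMPLE_KEYS = {
    KEY_CMK: {"Arn": KEY_CMK, "KeyManager": "CUSTOMER", "Origin": "AWS_KMS", "KeyState": "Enabled"},
    KEY_HSM: {"Arn": KEY_HSM, "KeyManager": "CUSTOMER", "Origin": "AWS_CLOUDHSM",
              "KeyState": "Enabled", "CloudHsmClusterId": "cluster-example0001"},
    KEY_EBS_DEFAULT: {"Arn": KEY_EBS_DEFAULT, "KeyManager": "AWS", "Origin": "AWS_KMS",
                      "KeyState": "Enabled"},
}
SAMPLE_DB_INSTANCES = [
    {"DBInstanceIdentifier": "orders-prod", "StorageEncrypted": True, "KmsKeyId": KEY_CMK},
    {"DBInstanceIdentifier": "ledger-prod", "StorageEncrypted": True, "KmsKeyId": KEY_HSM},
    {"DBInstanceIdentifier": "reports-dev", "StorageEncrypted": False},
]
SAMPLE_VOLUMES = [
    {"VolumeId": "vol-0a1b2c3d4e5f60001", "Encrypted": True, "KmsKeyId": KEY_EBS_DEFAULT},
    {"VolumeId": "vol-0a1b2c3d4e5f60002", "Encrypted": True, "KmsKeyId": KEY_HSM},
    {"VolumeId": "vol-0a1b2c3d4e5f60003", "Encrypted": False},
]

if __name__ == "__main__":
    for f in audit(SAMPLE_DB_INSTANCES, SAMPLE_VOLUMES, SAMPLE_KEYS):
        print(f"{f['severity']:6} {f['resource']:22} {f['option'] or '-'}: {f['detail']}")
```

The disabled-key check is the one to watch in practice: a volume whose key was disabled keeps working until the instance is stopped or a snapshot is restored, so the failure shows up during recovery rather than at the time of the change. The AWS managed default key is reported at "medium" rather than "high" because the data is encrypted, but the key policy cannot be tightened and snapshots encrypted with it cannot be shared with another account, which matters for the cross-account backup patterns most organizations end up needing.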

Benefits
- A 1:1 relationship for migration of database engine configuration
- Data encryption keys are managed by the hypervisor, not by your EC2 instance
- Keys are managed by a FIPS 140-2 Level 3 validated HSM

Challenges
- You’re responsible for provisioning, configuration, scaling, maintenance, and costs of running the CloudHSM cluster
- You’re responsible for patching and updates of the database engine and OS
- Might require additional controls to manage unauthorized access at table, row, column, or cell level

Option 5 – Customer-managed database platform hosted on Amazon EC2 with Amazon EBS encryption and key management provided by LUKS
In this approach, you’re still responsible for managing the EC2 instances, operating systems, and database engines. You also need to install and configure LUKS on the Linux instance to encrypt the data on Amazon EBS.

Benefits
- A 1:1 relationship for migration of database engine configuration
- Transparent encryption is managed by the OS with LUKS

Challenges
- You’re responsible for patching and updates of the database engine and OS
- Data encryption keys are managed directly on the EC2 instance, not in a dedicated key management system (the LUKS passphrase or key file has to be available to the instance at boot, so protecting it is entirely your problem)
- Scaling must be vertical, which is slow and costly
- LUKS is supported through open-source licensing, so there is no vendor support channel
- Support for backup and recovery is LUKS specific and requires additional consideration
- Might require additional controls to manage unauthorized access at table, row, column, or cell level
Note: This approach limits you to Linux instances and requires the most technical knowledge and effort on your part. Options such as BitLocker (volume encryption) and SQL Server Always Encrypted (column encryption) exist for Windows hosts, and their complexity and challenges are similar to those of LUKS.

Option 6 – Customer-managed database platform hosted on Amazon EC2 with database encryption and key management provided by TDE
In this approach, you’re still responsible for managing the EC2 instances, operating systems, and database engines. However, instead of encrypting the Amazon EBS volume where the database is stored, you use TDE wallet keys managed by the database engine to encrypt and decrypt records as they are stored and retrieved.

Benefits
- A 1:1 relationship for migration of database engine configuration
- Table, row, column, and cell level encryption are managed by TDE, reducing endpoint risks relating to unauthorized access

Challenges
- You’re responsible for patching and updates of the database engine and OS
- Costly license for the TDE feature
- Data encryption keys are managed directly on the EC2 instance
- Scaling is dependent on TDE functionality and Amazon EC2 scaling
- Support is split between AWS and a third-party database vendor
- Cannot share snapshots
Note: This approach, with the TDE wallet held on a host you manage, is not available with Amazon RDS. RDS for Oracle and RDS for SQL Server do offer TDE as an engine option, but the wallet or certificate is then managed by RDS rather than by you.

Option 7 – Customer-managed database platform hosted on Amazon EC2 with database encryption performed by TDE and key management provided by CloudHSM
In this approach, you’re still responsible for managing the EC2 instances, operating systems, and database engines.

However, instead of encrypting the Amazon EBS volume where the database is stored, you use TDE wallet keys managed by a CloudHSM cluster to encrypt and decrypt records as they are stored and retrieved.

Benefits
- A 1:1 relationship for migration of database engine configuration
- Wallet keys (KEK) are managed by a FIPS 140-2 Level 3 validated HSM
- Table, row, column, and cell level encryption are managed by TDE, reducing endpoint risks relating to unauthorized access

Challenges
- You’re responsible for patching and updates of the database engine and OS
- Costly license for the TDE feature
- You are responsible for provisioning, configuration, scaling, maintenance, and costs of running the CloudHSM cluster
- Integration and support of CloudHSM with TDE might vary
- Scaling is dependent on TDE functionality, Amazon EC2 scaling, and the CloudHSM cluster
- Data encryption keys are still managed on the EC2 instance; only the wallet key that wraps them lives in the HSM
- Support is split between AWS and a third-party database vendor
- Cannot share snapshots
Note: This approach is not available with Amazon RDS.

Summary
While you can operate in AWS much as you operate in your on-premises environment, the preceding configurations and recommendations show how you can significantly reduce your challenges and increase your benefits by using cloud-native security services like AWS KMS, Amazon RDS, and CloudHSM. Specifically, using Amazon RDS with Amazon EBS volumes encrypted by AWS KMS provides a highly scalable, resilient, and secure way to manage your keys in AWS.
While there might be some architectural redesign and configuration work needed to move an on-premises database into Amazon RDS, you can leverage AWS services to help you meet your compliance requirements with less effort.

By offloading the OS and database maintenance responsibility to AWS, you simultaneously reduce operational friction and increase security. By migrating this way, you can benefit from the scalability and resilience of the AWS global infrastructure and expertise. Lastly, to get started with migrating your database to AWS, I encourage you to use the AWS Database Migration Service.

Jonathan Jenkyn
Jonathan is a Senior Security Growth Strategies Consultant with AWS Professional Services. He’s an active member of the People with Disabilities affinity group, and has built several Amazon initiatives supporting charities and social responsibility causes. Since 1998, he has been involved in IT Security at many levels, from implementation of cryptographic primitives to managing enterprise security governance. Outside of work, he enjoys running, cycling, fund-raising for the BHF and Ipswich Hospital Charity, and spending time with his wife and 5 children.

Scott Conklin
Scott is a Senior Security Consultant with AWS Professional Services (Global Specialty Practice). Based out of Chicago with 4 years tenure, he is an avid distance runner, crypto nerd, lover of unicorns, and enjoys camping, nature, playing Minecraft with his 3 kids, and binge watching Amazon Prime with his wife.
