
AWS Cross-Account Read-Only RDS access via Private Link

CONTEXT

Cross-account resource sharing is one of the critical operations in AWS. This post describes a solution that grants READ-ONLY RDS database access to an external AWS account.

SOLUTION

[Solution architecture diagram]

DESIGN RATIONALE

1. VPC Endpoint Service with PrivateLink

AWS VPC Endpoint Service, powered by PrivateLink, enables secure and effortless connectivity between two VPCs with fine-grained access controls. Unlike VPC peering or Transit Gateway (TGW) integration, which provide broader network access, PrivateLink exposes only the specific service behind the endpoint, giving a more restricted and secure connection.

For the endpoint-service setup itself, check out my article "AWS VPC endpoint services for NLB powered by Private Link".

2. RDS Proxy

  • RDS Proxy Read-Only endpoint

The most important requirement is to grant read-only access to the RDS. This can be achieved by creating a database user with SELECT-only privileges at the database level. However, human error could later widen these permissions. The RDS Proxy read-only endpoint enforces read-only operations for clients by routing traffic exclusively to read replica instances in the backend, regardless of the user's database-level permissions, which provides an extra layer of protection.

  • Static IPs

An RDS Proxy endpoint maintains a static IP address throughout its lifecycle. This allows you to create a target group behind a Network Load Balancer (NLB) using the RDS proxy’s read-only endpoint IPs, enabling consistent and reliable connectivity.

3. A Secrets Manager secret encrypted with a CMK

RDS Proxy requires database credentials to connect to the database. These credentials are stored in AWS Secrets Manager and encrypted with a customer-managed KMS key (CMK), because they need to be shared with the external account and a CMK, unlike the AWS-managed key, can be granted to another account.
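Sharing a CMK-encrypted secret needs two documents: a resource policy on the secret and a matching grant in the key policy, otherwise the external account can call GetSecretValue but cannot decrypt the value. The following is an added example (not code from the original post); the account IDs, secret ARN and region are constructed placeholders.

```python
import json

# Constructed placeholders, not real identifiers.
OUR_ACCOUNT = "111111111111"       # account that owns the RDS cluster, proxy and CMK
EXTERNAL_ACCOUNT = "222222222222"  # account that receives read-only access
REGION = "eu-west-1"
SECRET_ARN = f"arn:aws:secretsmanager:{REGION}:{OUR_ACCOUNT}:secret:rds-proxy-ro-PLACEHOLDER"


def secret_resource_policy(external_account: str, secret_arn: str) -> dict:
    """Resource policy attached to the secret: the external account may only read it."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowExternalAccountRead",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{external_account}:root"},
            "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
            "Resource": secret_arn,
        }],
    }


def kms_key_policy(owner_account: str, external_account: str, region: str) -> dict:
    """Key policy for the CMK. The owner keeps administration; the external account
    may decrypt only when the request is made on its behalf by Secrets Manager
    (kms:ViaService), so the key cannot be used for anything else cross-account."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "OwnerAdmin", "Effect": "Allow",
             "Principal": {"AWS": f"arn:aws:iam::{owner_account}:root"},
             "Action": "kms:*", "Resource": "*"},
            {"Sid": "ExternalDecryptViaSecretsManager", "Effect": "Allow",
             "Principal": {"AWS": f"arn:aws:iam::{external_account}:root"},
             "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": "*",
             "Condition": {"StringEquals": {
                 "kms:ViaService": f"secretsmanager.{region}.amazonaws.com"}}},
        ],
    }


def find_open_principals(policy: dict) -> list:
    """Return Sids of Allow statements with a wildcard principal, the classic
    mistake when widening a policy for cross-account sharing."""
    return [s["Sid"] for s in policy["Statement"]
            if s["Effect"] == "Allow" and s.get("Principal") in ("*", {"AWS": "*"})]


if __name__ == "__main__":
    print(json.dumps(secret_resource_policy(EXTERNAL_ACCOUNT, SECRET_ARN), indent=2))
    print(json.dumps(kms_key_policy(OUR_ACCOUNT, EXTERNAL_ACCOUNT, REGION), indent=2))
```

Run `find_open_principals` over both documents before applying them; the external account's own IAM principal still needs an identity policy allowing the same secretsmanager and kms actions.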

4. Lambda function

To enhance security, the database credentials should be rotated on a regular schedule. A Lambda function handles the rotation by updating the credentials both in AWS Secrets Manager and the database.

Once the VPC Endpoint Service is established between the two accounts or VPCs, the external account can connect to our database through the interface endpoint it creates for the service.

CHALLENGES

  • Even though IAM authentication is enabled on the RDS cluster, the RDS Proxy (or any client connecting through it) still requires database credentials to establish a connection.

  • As a standard practice in my organization, we use SSM Parameter Store to manage and store secrets. In this case, using AWS Secrets Manager added an additional layer. To align with our standards, I tried to implement referencing AWS Secrets Manager secrets from Parameter Store parameters. However, the integration was unsuccessful due to a bug, and I have raised a ticket with AWS Support. Currently, there is no ETA for resolution.

If this approach had been successful, we could have created Advanced Tier Parameter Store entries that reference Secrets Manager, making it easy to share them with the external account. This would have reduced direct calls to Secrets Manager from the external application.

  • After a successful implementation in the development environment, the same setup encountered issues in production. A user was unable to execute queries when connecting to the RDS via RDS Proxy. The issue was resolved after recreating the RDS Proxy. I contacted AWS Support, but the root cause remains unclear.
