Your organization’s data is one of its key competitive advantages. Without data, there’s nothing to differentiate you from your competition. This makes your data, and the databases it lives in, some of the most important resources in your environment.
Common Fate’s on-demand secure database access for Amazon RDS is a secure way to dynamically grant time-limited access to your databases, without ever exposing them to the internet.
The AWS cloud has put the best technology and resources within reach of all companies, but the downside is that everyone can access a public cloud. This means you need to take responsibility (as part of the shared responsibility model) for securing access to your data.
Accessing databases in the cloud
AWS strongly recommends not making your RDS database instance publicly accessible, but it’s still technically possible to do it. This holdover from the pre-VPC era of AWS meant that it was unfortunately easy to configure your database to be accessible from anywhere on the internet, and many customers did so without fully realizing what they were doing.
Even today, with most security standards and software flagging RDS instances with public IP addresses as a critical issue, accessing databases commonly involves a jump or bastion host in EC2, that must be publicly accessible to be useful. This pattern is an improvement over the direct-access approach to database security, but now that bastion host becomes a cost in terms of compute, management, and maintenance, and becomes an attack target itself.
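The "critical issue" flagged by security standards above is worth being able to find yourself. The following is an added example, not Common Fate's or AWS's code: it audits the shape of a boto3 `rds.describe_db_instances()` response together with `ec2.describe_security_groups()`, reporting every instance with `PubliclyAccessible` set and escalating when an attached security group also admits the database port from 0.0.0.0/0 or ::/0. The two sample responses are constructed for this example; with live boto3 output the same function applies unchanged.

```python
"""Audit RDS instances for public exposure (added example, not Common Fate's code).

SAMPLE_DB_INSTANCES and SAMPLE_SECURITY_GROUPS are constructed to mirror the
key layout of boto3's describe_db_instances() / describe_security_groups()
responses, so the audit runs offline here and on real output in practice.
"""
from ipaddress import ip_network

# Constructed sample: three instances, two of them flagged PubliclyAccessible.
SAMPLE_DB_INSTANCES = {
    "DBInstances": [
        {"DBInstanceIdentifier": "demo-mysql", "Engine": "mysql",
         "PubliclyAccessible": True, "Endpoint": {"Port": 3306},
         "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0000demo0001", "Status": "active"}]},
        {"DBInstanceIdentifier": "private-postgres", "Engine": "postgres",
         "PubliclyAccessible": False, "Endpoint": {"Port": 5432},
         "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0000demo0002", "Status": "active"}]},
        {"DBInstanceIdentifier": "public-but-closed", "Engine": "mysql",
         "PubliclyAccessible": True, "Endpoint": {"Port": 3306},
         "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0000demo0002", "Status": "active"}]},
    ]
}

# Constructed sample: one group open to the world on 3306, one limited to RFC1918 space.
SAMPLE_SECURITY_GROUPS = {
    "SecurityGroups": [
        {"GroupId": "sg-0000demo0001",
         "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
                            "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
        {"GroupId": "sg-0000demo0002",
         "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
                            "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
    ]
}


def _rule_covers_port(rule, port):
    """True if an ingress rule applies to `port` ('-1' means all protocols/ports)."""
    if rule.get("IpProtocol") == "-1":
        return True
    if rule.get("IpProtocol") != "tcp":
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def _rule_open_to_world(rule):
    """True if any CIDR on the rule is a zero-length prefix (0.0.0.0/0 or ::/0)."""
    cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    return any(ip_network(c, strict=False).prefixlen == 0 for c in cidrs)


def audit_rds_exposure(db_response, sg_response):
    """Return findings for every PubliclyAccessible instance.

    Severity is 'critical' when an attached security group admits the DB port
    from anywhere, and 'high' when the instance has a public address but the
    security group still restricts the source.
    """
    groups = {g["GroupId"]: g for g in sg_response["SecurityGroups"]}
    findings = []
    for db in db_response["DBInstances"]:
        if not db.get("PubliclyAccessible"):
            continue
        port = db["Endpoint"]["Port"]
        world_open = any(
            _rule_covers_port(rule, port) and _rule_open_to_world(rule)
            for ref in db.get("VpcSecurityGroups", [])
            for rule in groups.get(ref["VpcSecurityGroupId"], {}).get("IpPermissions", [])
        )
        findings.append({
            "instance": db["DBInstanceIdentifier"],
            "port": port,
            "severity": "critical" if world_open else "high",
        })
    return findings


if __name__ == "__main__":
    for f in audit_rds_exposure(SAMPLE_DB_INSTANCES, SAMPLE_SECURITY_GROUPS):
        print(f"[{f['severity'].upper()}] {f['instance']}: PubliclyAccessible on port {f['port']}")
```

Against the constructed sample this reports demo-mysql as critical and public-but-closed as high; the private instance produces no finding. Note that `PubliclyAccessible` on its own is worth a finding even when the security group is tight, since the instance has a resolvable public address and one security-group edit away from direct exposure.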
Common Fate’s and Granted’s RDS integration makes this a solved problem, by allowing approval-based, time-limited access to databases without needing to make ANY resources publicly accessible.
Common Fate’s proxy service takes care of the heavy lifting required to securely access your RDS instances, and removes access after the grant expires, saving you compute charges and reducing the attack surface of your AWS environment, with no ongoing effort. In the background, it seamlessly provisions an Amazon ECS task that securely proxies a connection to your RDS instance, without requiring any of your AWS resources to be publicly accessible. Common Fate configures the required permissions in AWS IAM Identity Center, so that access is only available while the grant is approved, and removed when it expires. Locally on your machine, granted sets up a port forwarding connection via AWS Systems Manager Session Manager that allows you to connect with your database client of choice (such as a CLI or GUI tool) to your database.
Benefits
- Never any public access to the RDS instance
- Never any public access to the bastion host
- No shared or standing access
- Uses the database's native authentication methods
- Real-time visibility of SQL-level commands
- Ephemeral bastion means no ongoing management overhead, such as patching
- Reduced compute costs due to ephemeral bastion
Steps
Requirements
- Use the Common Fate access management platform
- Have Granted.dev installed and configured locally for access management
- Deploy the Common Fate Proxy on ECS module in the account with the database
- The proxy must have outbound internet access to be able to talk to AWS Systems Manager Session Manager
- Configure the RDS database you want to connect to
- Ensure the Common Fate Terraform provider is configured to allow it to provision permission sets on demand
Request access
Request access via CommonFate.io using granted. As part of this process, you will be prompted to select the database you wish to connect to, as configured in your Common Fate configuration:
$ granted rds proxy
[WILL ACTIVATE] Root access to Demo MySQL Database will be activated for 1h: https://mydemo.domain.io/access/requests/req_12345abcde
? Apply proposed access changes (y/N) Yes
[i] Attempting to grant access...
? Reason for access (Required) Demo time!
[ACTIVATED] Root access to Demo MySQL Database was activated for 1h: https://mydemo.domain.io/access/requests/req_12345abcde
In this case the access was approved automatically because it was a pre-approved entitlement.
Authenticate with Identity Center
Now that permission to access the database has been granted, you need to authenticate with AWS IAM Identity Center (IDC), just like you would normally:
[i] If the browser does not open automatically, please open this link: https://device.sso.us-west-2.amazonaws.com/?user_code=ABCD-1234
[i] Awaiting AWS authentication in the browser
[i] You will be prompted to authenticate with AWS in the browser, then you will be prompted to 'Allow'
[i] Code: ABCD-1234
If you’ve already got an active and authenticated session with IDC, then this step will be seamless. Once completed, you will have access to the permission set configured by Common Fate to access the database via the proxy. This permission set is specific to the user that requested it, so it cannot be shared with or reused by anyone else.
Automatically configured port forwarding
Now that your permission to use AWS Systems Manager Session Manager is active, granted will automatically start forwarding your local port to the database via Session Manager, which removes the need for internet-accessible ports to be configured:
[i] Database proxy ready for connections on 127.0.0.1:3306
[i] You can connect now using this connection string: test:password@tcp(127.0.0.1:3306)/test
[i] Or using the mysql cli: mysql -u test -p'password' -h 127.0.0.1 -P 3306 test
Connect to the database
At this stage, you can use your database client of choice to connect to your database, with the appropriate credentials. For this example, we’re using the mysql CLI client, but this could easily be a GUI client by using a connection string instead:
$ mysql -u test -p'password' -h 127.0.0.1 -P 3306 test
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 10002
Server version: 5.7.0 Source distribution
Copyright (c) 2000, 2024, Oracle and/or its affiliates.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql>
This example is only using demo credentials! Hopefully you have a much more robust password for your data.
Note: In this example, we used a password to connect to the database to keep things simple. Keep in mind that using passwords like this is disabled in MySQL 9.0 and later.
To see just how quick and easy this process is, here it is in all its animated glory!
In this example, I was already authenticated to AWS IDC from some earlier sessions in the day, so the process was even easier and faster.
Summary
Accessing databases is a common and business-critical activity for organizations running in the cloud. The sensitivity and value of your data means you should take appropriate precautions with it, and never allow it to be accessed over the public internet.
As cloud technology services evolve, previous “best practices” like bastion hosts are no longer appropriate. By using AWS services like AWS Systems Manager Session Manager with AWS IAM Identity Center and Common Fate, you can provision secure access, while keeping your public-facing attack surface at an absolute minimum. In a pay-as-you-go public cloud like AWS, this approach has the added benefit of reducing costs, as you’re not running a bastion host when you don’t need it.
For more detailed diagrams and configuration, check out the official documentation for the AWS RDS connection for Common Fate.