Fortify Amazon RDS security with automated segmentation

This blog is a continuation of the previous blog post Innovation to Better Protect Amazon RDS: Visualizing New Flows. In this post, I'll explain how to segment your Amazon RDS instances using native AWS controls and Illumio.

‍

Why do we need to secure Amazon RDS?

As we discussed in the previous blog, Amazon Relational Database Service (Amazon RDS) is a managed cloud database service that makes it easier to set up, operate, and scale a relational database in the cloud.  This has resulted in a surge in the number of customers running their production databases in Amazon RDS.

As shown in the previous post, we begin by visualizing the traffic flows in and out of the RDS instance—without agents.  In this post, we will show how we take the next step of enforcing label-based segmentation to control the workloads which can communicate with the RDS service.

Why?  Well, have you ever heard anyone say their production database instance running in Amazon RDS does not need security?

Neither have we.

Segmenting database workloads is vital to security given the sensitivity and importance of the data they hold.  There's a major challenge here since RDS is a managed service - which means the user does not have any control for RDS infrastructure. How can we enforce segmentation policies in such a scenario?

Let's segment

We used a lambda function in our previous post to achieve the visualization of the flows to and from the RDS instance. We will take a similar approach here utilizing Lambda function with VPC flow logs as a trigger. We will also utilize EC2 security groups along with access to RDS in association with Illumio ASP to fortify the security of the Amazon RDS instance.

After enabling the VPC flow log (Figure 1, step 1), the Lambda gets triggered (step 3) on new flow logs (step 2) written to S3. The lambda function pulls the security policy from Illumio PCE (step 4) and then calculates the traffic rules for the RDS instance and updates the security group rules for the Amazon RDS instance (step 5).

After looking at the high-level workflow, let's dive into the step by step approach to achieve this in your environment.

Configuration

AWS Cloud configuration

1. Create a new bucket on S3 console and copy the bucket ARN.
2. Create a Lambda function from the AWS Lambda console and Add trigger by configuring the trigger as S3 bucket created in 1A above. In the Event type select 'All object create events'. The code for the Lambda function and the configuration of the function can be found in the github repo link associated with this blog post.

3. Create a flow log subscription on EC2 Network Interfaces portal, for the RDSNetworkInterface of the RDS instance we want to visualize.
4. In the filter, select All. Select the destination as "Send to an S3 bucket" and enter the S3 Bucket ARN created in 1 above.
5. For the Format, select custom format and add the following attributes: srcaddr dstaddr dstport protocol tcp-flags pkt-srcaddr pkt-dstaddr srcport action type
6. Illumio configuration:
7. Create an Unmanaged workload for each RDS instance for which you'd like to visualize connectivity and security policy and add the necessary IP address information.
8. Create a Virtual service with the FQDN and port of the RDS service endpoint and pair the unmanaged workload with this Virtual service.
9. Create an unmanaged workload or pair a managed workload for each EC2 instance that will communicate with the RDS endpoint.
10. Write a security policy that applies to the RDS virtual service and the workloads as shown in the image below.

Data Plane

There is nothing additional we have to do for the data plane. When the Amazon RDS instances generate or receive the data, flow logs will be generated and logged in Amazon S3 which will trigger the Lambda function.

Control Plane

For the enforcement part, the lambda will fetch the preset ruleset from Illumio ASP for the given RDS instance. It will then parse the policy rules and decipher the workloads which need to communicate with the Amazon RDS. After this, any changes to Illumio segmentation policy will be dynamically updated by the AWS Lambda function in the EC2 security group rules. Subsequently, the AWS Lambda function will disassociate the Amazon RDS instance from its existing security group and associate it with the Illumio managed EC2 security group. After this, any changes to Illumio segmentation policy will be dynamically updated by the AWS Lambda function in the EC2 security group rules.

Demo

8:39

Benefits

We started the blog discussing the importance of visualizing the Amazon RDS traffic and the necessity to secure the traffic to Amazon RDS due to the sensitivity and the importance of the data it holds. Let's see the advantages of our approach:

• Being able to implement the segmentation policy based on the visualization map of the traffic flows to and from the Amazon RDS
• Using native Amazon EC2 security groups in combination with Illumio's Adaptive Segmentation platform
• Dynamically utilizing VPC flow logs using AWS Lambda to achieve tamper protection of the enforced segmentation rules
• Ability to scale the AWS Lambda function to span multiple Amazon RDS instances

In Conclusion

All in all, I hope we have achieved our common goal of illuminating Amazon RDS and getting a better view of the segmentation policy, needed to secure it in our previous post. In this post, we then went ahead and enforced the segmentation policy from Illumio ASP on Amazon RDS using AWS Lambda and Amazon EC2.

If you are looking to understand and explore more about Illumio, please feel free to get in touch with us by subscribing to our blog post or you can visit this link to learn more: https://www.illumio.com/what-we-do.