Innovation to Better Protect Amazon RDS: Visualizing New Flows

In this blog, we will explain how to better protect AWS RDS by visualizing new flows and see what must be secured with segmentation policy. This is an extension of earlier project: https://labs.illumio.com/aws-cloud-connectivity-visualization

Why do we need visualization for Amazon RDS?

Amazon Relational Database Service (Amazon RDS) is a managed cloud database service which has seen large adoption in recent years. Its ease of use and accessibility can lead serious concerns that the managed database service is only accessed by the necessary workloads and not exploited in any attacks or data breaches.

As the adage goes, you have to see it to protect it, so we must first visualize new flows to and from the Amazon RDS instance to protect it. To date, that has been a big challenge to solve considering Amazon RDS is a completely managed service. For this reason the Labs team has set out to alleviate this problem for the Amazon RDS community.

Let's get some illumination

In the times of serverless, we often rely on Lambda functions, which simplify building small, on-demand applications that are responsive to events. In our case, these functions let us visualize Amazon RDS traffic. We can quickly deploy the Lambda function which uses the VPC flow logs and Amazon Simple Storage Service (S3) in association with Illumio Adaptive Security Platform (ASP).

For visualization to work, we need the new traffic flow data originating to or from the Amazon RDS instance. To get that data, AWS provides VPC flow logs. After enabling the VPC flow log (Figure 1, step 1), the Lambda gets triggered (step 3) on new flow logs being written to S3 (step 2) and pushes the traffic flow event to Illumio ASP via a simple API call (step 4). Once the traffic logs are ingested by ASP we get the full traffic and security policy visualization (step 5).

Demo

Now that we have looked at the high level workflow, let's look at the integration in action with a short video. After the video, you'll find the step by step approach to deploy this in your environment.

6:36

Configuration

AWS Cloud configuration

1. Create a new bucket on S3 console and copy the bucket ARN.
2. Create a Lambda function from the AWS Lambda console and Add trigger by configuring the triggeras S3 bucket created in 1A above. In the Event type select 'All object create events'. The code for the Lambda function and the configuration of the function can be found at the GitHub link associated with this blog post. An example configuration is shown below.

3. Create a flow log subscription on EC2 Network Interfaces portal, for the RDSNetworkInterface of the RDS instance we want to visualize.
4. In the filter, select All. Select the destination as "Send to an S3 bucket" and enter the S3 Bucket ARN created in 1 above.
5. For the Format, select custom format and add the following attributes: srcaddr dstaddr dstport protocol tcp-flags pkt-srcaddr pkt-dstaddr srcport action type
6. Illumio configuration:
7. Create an Unmanaged workload for each RDS instance for which you'd like to visualize connectivity and security policy
8. Create a Virtual service with the FQDN and port of the RDS service endpoint and pair the unmanaged workload with this Virtual service
9. Create a unmanaged workload or pair a managed workload for each EC2 instance that will communicate with the RDS endpoint
10. Write a security policy that applies to the RDS virtual service and the workloads

DATA PLANE

There is nothing additional we have to do for the data plane. When the instances generate or receive the data, flow logs will be generated and logged at Amazon Simple Storage Service.

CONTROL PLANE

All the magic to visualize the traffic flow between the Amazon RDS instance and EC2 instances happens here. When a flow log is received by the VPC flow logs - it writes that to a file in Amazon S3 and the Lambda function associated with this trigger is executed. The lambda function parses the flow log and uses Illumio bulk_traffic_flows REST API to upload the flow logs to Illumio ASP. Since we had previously configured the Illumio Virtual service and Unmanaged workload for Amazon RDS instance and AWS EC2 instances, Illumio ASP will build and visualize the traffic flows. We should be able to view the Application dependency map for the environment from the GUI now.

Conclusion

We discussed the importance of visualizing traffic to Amazon RDS at the beginning of this blog and the lack of tools to do so. We explained how you could visualize all AWS traffic flows using Illumio's application dependency map to understand the security posture of the cloud environment for managed services like Amazon RDS and for AWS EC2. We could use a simple AWS Lambda function and powerful Illumio ASP programming capabilities to achieve our goals. Let's see if we have solutions to the challenges we started with:

Q: Can we get visualization for AWS managed services like Amazon RDS?
A: Yes, with the help of VPC flow logs and AWS Lambda, we can get visualization for AWS managed services like Amazon RDS.

Q: What is Amazon RDS communicating with?
A: The Illumination view provided us a collective picture called Application Dependency Map of all the flows between various labeled entities (including virtual services, managed and unmanaged workloads), giving additional context about the RDS virtual service and the flows.

Q: How to secure those communication paths?
A: Illumination also provides a powerful segmentation policy tool to verify and test policies for workloads and virtual services.

All in all, we have achieved our goal of illuminating Amazon RDS and getting a better view of the segmentation policy, needed to secure it. In the next project, we will see how can we dynamically secure Amazon RDS with Illumio ASP.

If you are looking to understand and explore more about Illumio, please feel free to get in touch with us by subscribing to our blog post on https://labs.illumio.com or you can visit this link to learn more: https://www.illumio.com/what-we-do.

‍