RDS vs DynamoDB - Compliance, security and other considerations.

0

I am building an application that involves handling PII and also saves tokens that connect to external services. I was told that I have to use RDS Postgres Aurora Serverless V2 for this cos it is more secure than DynamoDB. It's also what an auditor is expecting to see, as "structured data looks better than NoSQL".

However I have been pushing back as an RDS service is more cumbersome to build, unless you use the Data Api - which is not available at our region. Cumbersome cos you need to set VPC, subnet, security groups, put your lambdas in the same SG, etc.

Also the fact that in CDK RDS is not encrypted at rest by default, makes me think the DynamoDB is more security focused, which by default is encrypted at rest.

From what I've read DynamoDB can be as secure and easier to manage and the main difference is basically the access patterns of the application. So if the application is very write heavy it might be preferable to go the RDS route, however I'm pretty sure that with the right architecture and options even this wouldn't be a problem for DynamoDB.

Can anyone please advise?

Many thanks in advance, Angel

  • please accept the answer if it was useful

3 Answers
0

Hi,

These ones may help you in establishing a list of pros and cons:

The best choice is always really dependent on your use case. So, the best it to appreciate the pros and the cons that you read in the context of your project: you must weigh them in your specific context.

Best,

Didier

profile pictureAWS
EXPERT
answered 4 months ago
profile picture
EXPERT
reviewed 4 months ago
  • Thank you for taking the time to respond. However none of these articles even mention the word "security". From your experience is there a concrete reason to use RDS over DynamoDB, especially for security reasons?

  • Hi Angel, re. security, I will say that DDB is better than Aurora if you consider a global perspective. In Aurora, the security happens via GRANTs in the dbms. In DDB, it happens via IAM only. Security via GRANTs is disconnected from the rest of your AWS security. If you use IAM all over the place, then you have a consistent security mechanism across the board (db, Fargate, Lambdaa, EC2, etc.). That improves your security posture and simplify your compliance approvals: the entire security is made through a unified pane of glass. Additionally, you benefit from the IAM eco-system: CloudTrail, IAM Access Analyzer, GuardDirty, etc. You lose all this when you make security via GRANTs in the rdbms.

  • Hi Didier, this is an excellent point!

    It took me a while to "compute" this, as I have been using the "grantRead()" method on the secret for the RDS in CDK.

    However you are referring to the SQL "GRANT" command! This and the fact the you need to create credentials that then need to go on your lambdas in order to connect to the DB server, is definitely a step backwards for security.

0

DynamoDB is secure enough, and you can use it. You have encryption (at rest and in transit). You can also use VPC endpoint to send traffic to DynamoDB via the internal network

https://docs.aws.amazon.com/vpc/latest/privatelink/aws-services-privatelink-support.html

Authentication is managed by IAM.

Just keep in mind that this is vendor lock

profile picture
EXPERT
answered 4 months ago
profile pictureAWS
EXPERT
SriniV
reviewed 4 months ago
profile picture
EXPERT
reviewed 4 months ago
  • I like the sound of PrivateLink and it's compatible with both DynamoDB and Lambda! I'll look more into this, thanks!

0

I suggest you also consider the likely counterarguments from the proponents of using Aurora PostgreSQL over DynamoDB.

DynamoDB is a multi-tenant service with APIs open to the public internet. Even if your workloads access it securely within AWS and using a VPC gateway endpoint (a type of PrivateLink connection), your DynamoDB tables will still be fully accessible from anywhere on the public internet, with only authentication and potential authorisation rules (including indirectly by restricting access to the KMS keys with which your table's data keys are encrypted) that you set up to limit access.

By contrast, an RDS/Aurora database resides in the VPC where you created it. Unless you configure an internet-exposed interface for the RDS database (with the "publicly accessible" option), then in addition to the authentication and authorisation to the database and the tables it contains, any outsider would additionally need access to the VPC even to attempt to connect to the RDS/Aurora database. Inside the VPC, security groups and NACLs could be used to restrict access even further.

Generally speaking, it's entirely possible that an auditor would be concerned about the data being possible to access from any location on the public internet.

However, you can also configure network perimeter protections for a DynamoDB table. It just doesn't happen by itself the way it appears to do with an RDS/Aurora database placed inside a VPC. With DynamoDB, you can attach an identity-based IAM policy to the principals in your account, and/or a resource-based policy to your DynamoDB table to limit certain or all principals to accessing it only from authorised VPCs (when passing through a VPC endpoint/PrivateLink connection) or IP addresses (when accessing from the public internet, such as for human users to access it via the management console, unless the console is also accessed via a VPC endpoint).

You can restrict access to the DynamoDB table with policy statements that inspect request context condition keys indicating the network origin of the request, such as aws:SourceVpc (indicates the VPC ID that owns the endpoint/PrivateLink connection) and aws:SourceIp (the source IP when the request is received over the public internet). It's useful to set the rules carefully, because they can lock you out of your table just as effectively as they can outsider.

The condition keys for filtering by network origin are in this section of documentation for IAM: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourceip

There's also a blog post series about different ways of controlling access to AWS resources with policies. Of that series, this part discusses network-based restrictions, along with practical examples: https://aws.amazon.com/blogs/security/establishing-a-data-perimeter-on-aws-allow-access-to-company-data-only-from-expected-networks/

EXPERT
Leo K
answered 4 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions