Oracle on Amazon RDS
Amazon RDS supports DB instances running one of several editions of Oracle Database. You can create DB instances and DB snapshots, point-in-time restores and automated or manual backups. DB instances running Oracle can be used inside a VPC. You can also enable various options to add additional features to your Oracle DB instance. Amazon RDS currently supports Multi-AZ deployments for Oracle as a high-availability, failover solution.
Amazon RDS currently supports the following versions of Oracle:
In order to deliver a managed service experience, Amazon RDS does not provide shell access to DB instances, and it restricts access to certain system procedures and tables that require advanced privileges. Amazon RDS supports access to databases on a DB instance using any standard SQL client application such as Oracle SQL Plus. Amazon RDS does not allow direct host access to a DB instance via Telnet or Secure Shell (SSH).
When you create a DB instance, the master account that you use to create the instance gets DBA user privileges (with some limitations). Use this account for any administrative tasks such as creating additional user accounts in the database. The SYS user, SYSTEM user, and other administrative accounts are locked and cannot be used.
Before creating a DB instance, you should complete the steps in the Setting Up for Amazon RDS section of this guide.
Common Management Tasks for Oracle on Amazon RDS
The following are the common management tasks you perform with an Amazon RDS Oracle DB instance, with links to relevant documentation for each task.
|Task Area||Relevant Documentation|
Instance Classes, Storage, and PIOPS
If you are creating a DB instance for production purposes, you should understand how instance classes, storage types, and Provisioned IOPS work in Amazon RDS.
A production DB instance should use Multi-AZ deployments. Multi-AZ deployments provide increased availability, data durability, and fault tolerance for DB instances.
Virtual Private Cloud (VPC)
If your AWS account has a default VPC, then your DB instance is automatically created inside the default VPC. If your account does not have a default VPC, and you want the DB instance in a VPC, you must create the VPC and subnet groups before you create the DB instance.
By default, DB instances are created with a firewall that prevents access to them. You therefore must create a security group with the correct IP addresses and network configuration to access the DB instance. The security group you create depends on what EC2 platform your DB instance is on, and whether you will be accessing your DB instance from an EC2 instance.
In general, if your DB instance is on the EC2-Classic platform, you will need to create a DB security group; if your DB instance is on the EC2-VPC platform, you will need to create a VPC security group.
If your DB instance is going to require specific database parameters, you should create a parameter group before you create the DB instance.
If your DB instance is going to require specific database options, you should create an option group before you create the DB instance.
Connecting to Your DB Instance
After creating a security group and associating it to a DB instance, you can connect to the DB instance using any standard SQL client application such as Oracle SQL Plus.
Backup and Restore
You can configure your DB instance to take automated backups, or take manual snapshots, and then restore instances from the backups or snapshots.
You can monitor an Oracle DB instance by using CloudWatch Amazon RDS metrics, events, and enhanced monitoring.
You can access the log files for your Oracle DB instance.
There are also advanced tasks and optional features for working with Oracle DB instances. For more information, see the following documentation:
For information on common DBA tasks for Oracle on Amazon RDS, see Common DBA Tasks for Oracle DB Instances.
For information on Oracle GoldenGate support, see Using Oracle GoldenGate with Amazon RDS.
For information on Siebel Customer Relationship Management (CRM) support, see Installing a Siebel Database on Oracle on Amazon RDS.
Limits for Oracle DB Instances
DB Instances Class Restrictions for Oracle Databases
Some instance classes do not work well with Oracle databases because the system resources allocated to the DB instance do not meet the recommended configuration for an Oracle database. For example, the db.t1.micro DB instance class has limited resources and is recommended for testing only. If you choose to use a "micro" DB instance class with Oracle, you should use a db.t2.micro DB instance class. For more information about DB instance classes, see DB Instance Class.
The "micro" DB instance classes only support certain versions. The following versions are supported:
The db.t1.micro DB instance class only supports Oracle versions 126.96.36.199, 188.8.131.52, and 184.108.40.206.
The db.t2.micro DB instance class is recommended for use with Oracle versions 220.127.116.11 and 18.104.22.168.
Oracle 12c with Amazon RDS
Amazon RDS supports Oracle version 12c, such as Oracle version 22.214.171.124.v2. Oracle version 126.96.36.199.v2 is the latest supported version and includes Oracle Enterprise Edition and Oracle Standard Edition Two. Oracle version 12c brings over 500 new features and updates from the previous version. This section covers the features and changes important to using Oracle 12c on Amazon RDS. For a complete list of the changes, see the Oracle 12c documentation.
Oracle 12c includes sixteen new parameters that impact your Amazon RDS DB instance, as well as eighteen new system privileges, several no longer supported packages, and several new option group settings. The following sections provide more information on these changes.
Amazon RDS Parameter Changes for Oracle 12c
Oracle 12c includes sixteen new parameters in addition to several parameters with new ranges and new default values.
The following table shows the new Amazon RDS parameters for Oracle 12c:
CONNECTION_BROKERS = broker_description[,...]
Specifies connection broker types, the number of connection brokers of each type, and the maximum number of connections per broker.
TABLESPACE, TABL, ALL, NONE
Displays the options that are set for table or tablespace level compression inheritance.
Specifies the cache section target size for automatic big table caching, as a percentage of the buffer cache.
Enables the database to track read and write access of all segments, as well as modification of database blocks, due to data manipulation language (DML) and data definition language (DDL) statements.
INMEMORY_CLAUSE_DEFAULT enables you to specify a default In-Memory Column Store (IM column store) clause for new tables and materialized views.
NO MEMCOMPRESS,MEMCOMPRESS FOR DML,MEMCOMPRESS FOR QUERY, MEMCOMPRESS FOR QUERY LOW,MEMCOMPRESS FOR QUERY HIGH,MEMCOMPRESS FOR CAPACITY,MEMCOMPRESS FOR CAPACITY LOW,MEMCOMPRESS FOR CAPACITY HIGH
PRIORITY LOW,PRIORITY MEDIUM,PRIORITY HIGH,PRIORITY CRITICAL,PRIORITY NONE
INMEMORY_FORCE allows you to specify whether tables and materialized view that are specified as INMEMORY are populated into the In-Memory Column Store (IM column store) or not.
INMEMORY_MAX_POPULATE_SERVERS specifies the maximum number of background populate servers to use for In-Memory Column Store (IM column store) population, so that these servers do not overload the rest of the system.
ENABLE (default), DISABLE
INMEMORY_QUERY is used to enable or disable in-memory queries for the entire database at the session or system level.
INMEMORY_SIZE sets the size of the In-Memory Column Store (IM column store) on a database instance.
0 to 50
INMEMORY_TRICKLE_REPOPULATE_SERVERS_PERCENT limits the maximum number of background populate servers used for In-Memory Column Store (IM column store) repopulation, as trickle repopulation is designed to use only a small percentage of the populate servers.
STANDARD (default), EXTENDED
Controls the maximum size of VARCHAR2, NVARCHAR2, and RAW.
TRUE (default), FALSE
Enables or disables all of the adaptive optimizer features.
Controls reporting-only mode for adaptive optimizations.
Maps names of existing files to new file names.
1-max of memory
Specifies a limit on the aggregate PGA memory consumed by the instance.
Instructs the database instance to run itself within the specified operating system processor group.
Enables or disables the spatial vector acceleration, part of spacial option.
Determines whether transactions within a particular session can have a temporary undo log.
Enables the multithreaded Oracle model, but prevents OS authentication.
1 MB - 30 MB
Specifies the size of SGA queue for unified auditing.
Determines how dedicated servers are spawned.
Several parameter have new value ranges for Oracle 12c on Amazon RDS. The following table shows the old and new value ranges:
os | db [, extended] | xml [, extended]
os | db [, extended] | xml [, extended] | true | false
Starts with 11.0.0
Starts with 10.0.0
PERMITTED | PREFERRED | ALWAYS | IGNORE | FORCE
PERMITTED | ALWAYS | IGNORE | FORCE
8.0.0 to 188.8.131.52
8.0.0 to 184.108.40.206
0 to parallel_max_servers
CPU_COUNT * PARALLEL_THREADS_PER_CPU * 2 to parallel_max_servers
One parameters has a new default value for Oracle 12c on Amazon RDS. The following table shows the new default value:
Oracle 12c Default Value
Oracle 11g Default Value
Amazon RDS System Privileges for Oracle 12c
Several new system privileges have been granted to the system account for Oracle 12c. These new system privileges include:
ALTER ANY CUBE BUILD PROCESS
ALTER ANY MEASURE FOLDER
ALTER ANY SQL TRANSLATION PROFILE
CREATE ANY SQL TRANSLATION PROFILE
CREATE SQL TRANSLATION PROFILE
DROP ANY SQL TRANSLATION PROFILE
EM EXPRESS CONNECT
EXEMPT DDL REDACTION POLICY
EXEMPT DML REDACTION POLICY
EXEMPT REDACTION POLICY
REDEFINE ANY TABLE
SELECT ANY CUBE BUILD PROCESS
SELECT ANY MEASURE FOLDER
USE ANY SQL TRANSLATION PROFILE
Amazon RDS Options for Oracle 12c
Several Oracle option changed between Oracle 11g and Oracle 12c, though most of the options remain the same between the two versions. The Oracle 12c changes include:
Oracle Enterprise Manager Express (EM Express) replaced Oracle Enterprise Manager DB Control. For more information see Oracle Database 12c: EM Database Express.
The option XMLDB is installed by default in Oracle 12c. It is no longer an option that you need to install.
The Oracle APEX Listener has been renamed to Oracle Rest Data Service (ORDS). ORDS is installed on a separate EC2 instance just as the APEX Listener was in version 11g. The process for installing ORDS is not the same as when installing APEX Listener. For instructions on installing ORDS, see Oracle APEX on Amazon RDS Oracle 12c.
APEX and APEX Dev no longer have a dependency on XMLDB since XMLDB is installed by default.
Amazon RDS PL/SQL Packages for Oracle 12c
Oracle 12c includes a number of new built-in PL/SQL packages. The packages included with Amazon RDS Oracle 12c include the following:
The CTX_ANL package is used with AUTO_LEXER and provides procedures for adding and dropping a custom dictionary from the lexer.
The DBMS_APP_CONT package provides an interface to determine if the in-flight transaction on a now unavailable session committed or not, and if the last call on that session completed or not.
The DBMS_AUTO_REPORT package provides an interface to view SQL Monitoring and Real-time Automatic Database Diagnostic Monitor (ADDM) data that has been captured into Automatic Workload Repository (AWR).
The DBMS_GOLDENGATE_AUTH package provides subprograms for granting privileges to and revoking privileges from GoldenGate administrators.
The DBMS_HEAT_MAP package provides an interface to externalize heatmaps at various levels of storage including block, extent, segment, object and tablespace.
The DBMS_ILM package provides an interface for implementing Information Lifecycle Management (ILM) strategies using Automatic Data Optimization (ADO) policies.
The DBMS_ILM_ADMIN package provides an interface to customize Automatic Data Optimization (ADO) policy execution.
The DBMS_PART package provides an interface for maintenance and management operations on partitioned objects.
The DBMS_PRIVILEGE_CAPTURE package provides an interface to database privilege analysis.
The DBMS_QOPATCH package provides an interface to view the installed database patches.
The DBMS_REDACT package provides an interface to Oracle Data Redaction, which enables you to mask (redact) data that is returned from queries issued by low-privileged users or an application.
The DBMS_SPD package provides subprograms for managing SQL plan directives (SPD).
The DBMS_SQL_TRANSLATOR package provides an interface for creating, configuring, and using SQL translation profiles.
The DBMS_SQL_MONITOR package provides information about real-time SQL Monitoring and real-time Database Operation Monitoring.
The DBMS_SYNC_REFRESH package provides an interface to perform a synchronous refresh of materialized views.
The DBMS_TSDP_MANAGE package provides an interface to import and manage sensitive columns and sensitive column types in the database, and is used in conjunction with the DBMS_TSDP_PROTECT package with regard to transparent sensitive data protection (TSDP) policies. DBMS_TSDP_MANAGE is available with the Enterprise Edition only.
The DBMS_TSDP_PROTECT package provides an interface to configure transparent sensitive data protection (TSDP) policies in conjunction with the DBMS_TSDP_MANAGE package. DBMS_TSDP_PROTECT is available with the Enterprise Edition only.
The DBMS_XDB_CONFIG package provides an interface for configuring Oracle XML DB and its repository.
The DBMS_XDB_CONSTANTS package provides an interface to commonly used constants. Users should use constants instead of dynamic strings to avoid typographical errors.
The DBMS_XDB_REPOS package provides an interface to operate on the Oracle XML database Repository.
The DBMS_XMLSCHEMA_ANNOTATE package provides an interface to manage and configure the structured storage model, mainly through the use of pre-registration schema annotations.
The DBMS_XMLSTORAGE_MANAGE package provides an interface to manage and modify XML storage after schema registration has been completed.
The DBMS_XSTREAM_ADM package provides interfaces for streaming database changes between an Oracle database and other systems. XStream enables applications to stream out or stream in database changes.
The DBMS_XSTREAM_AUTH package provides subprograms for granting privileges to and revoking privileges from XStream administrators.
The UTL_CALL_STACK package provides an interface to provide information about currently executing subprograms.
Oracle 12c Features Not Supported
The following features are not supported for Oracle 12c on Amazon RDS:
Automated Storage Management
Data Guard / Active Data Guard
Real Application Clusters (RAC)
Several Oracle 11g PL/SQL packages are not supported in Oracle 12c. These packages include:
Oracle 11g with Amazon RDS
The following list shows the Oracle 11g features supported by Amazon RDS; for a complete list of features supported by each Oracle 11g edition, go to Oracle Database 11g Editions.
Flashback Table, Query and Transaction Query
Virtual Private Database
Comprehensive support for Microsoft .NET, OLE DB, and ODBC
Automatic Memory Management
Automatic Undo Management
Star Query Optimization
Summary Management - Materialized View Query Rewrite
Oracle Data Redaction (version 220.127.116.11 or later)
Import/Export and sqlldr Support
Oracle Enterprise Manager Database Control
Oracle XML DB (without the XML DB Protocol Server)
Oracle Application Express
Automatic Workload Repository for Enterprise Edition (AWR). For more information, see Working with Automatic Workload Repository (AWR)
Datapump (network only)
Native network encryption (part of the Oracle Advanced Security feature)
Transparent data encryption (Oracle TDE, part of the Oracle Advanced Security feature)
The following features are not supported for Oracle 11g on Amazon RDS:
Real Application Clusters (RAC)
Real Application Testing
Data Guard / Active Data Guard
Oracle Enterprise Manager Grid Control
Automated Storage Management
Oracle Label Security
Oracle XML DB Protocol Server
Network access utilities such as utl_http, utl_tcp, and utl_smtp are not supported at this time.
The Oracle database engine uses role-based security. A role is a collection of privileges that can be granted to or revoked from a user. A predefined role, named DBA, normally allows all administrative privileges on an Oracle database engine. The following privileges are not available for the DBA role on an Amazon RDS DB instance using the Oracle engine:
Create any directory
Drop any directory
Grant any privilege
Grant any role
When you create a DB instance, the master account that you use to create the instance gets DBA user privileges (with some limitations). Use this account for any administrative tasks such as creating IAM user accounts. The SYS user, SYSTEM user, and other administrative accounts are locked and cannot be used.
Amazon RDS Oracle supports SSL/TLS encrypted connections as well as the Oracle Native Network Encryption (NNE) option to encrypt connections between your application and your Oracle DB instance. For more information about using SSL with Oracle on Amazon RDS, see Using SSL with an Oracle DB Instance. For more information about the Oracle Native Network Encryption option, see Oracle Native Network Encryption.
Using SSL with an Oracle DB Instance
Secure Sockets Layer (SSL) is an industry standard protocol used for securing network connections between client and server. After SSL version 3.0, the name was changed to Transport Layer Security (TLS), but it is still often referred to as SSL and we refer to the protocol as SSL. Amazon RDS supports SSL encryption for Oracle DB instances. Using SSL, you can encrypt a connection between your application client and your Oracle DB instance. SSL support is available in all AWS regions for Oracle.
You enable SSL encryption for an Oracle DB instance by adding the Oracle SSL option to the option group associated with the DB instance. Amazon RDS uses a second port, as required by Oracle, for SSL connections which allows both clear text and SSL-encrypted communication to occur at the same time between a DB instance and an Oracle client. For example, you can use the port with clear text communication to communicate with other resources inside a VPC while using the port with SSL-encrypted communication to communicate with resources outside the VPC.
For information about enabling the Oracle SSL option and configuring an Oracle client to use SSL, see Oracle SSL.
You cannot use both SSL and Oracle native network encryption (NNE) on the same instance. If you use SSL encryption, you must disable any other connection encryption.
Oracle Version Management
DB Engine Version Management is a feature of Amazon RDS that enables you to control when and how the database engine software running your DB instances is patched and upgraded. This feature gives you the flexibility to maintain compatibility with database engine patch versions, test new patch versions to ensure they work effectively with your application before deploying in production, and perform version upgrades on your own terms and timelines.
Amazon RDS periodically aggregates official Oracle database patches using an Amazon RDS-specific DB Engine version. To see a list of which Oracle patches are contained in an Amazon RDS Oracle-specific engine version, go to Appendix: Oracle Database Engine Release Notes.
Taking advantage of the DB Engine Version Management feature of Amazon RDS is easily accomplished by using the AWS Management Console, the Amazon RDS API ModifyDBInstance action, or the AWS CLI modify-db-instance command.
Deprecation of Oracle 18.104.22.168 and 22.214.171.124
In 2017, Amazon RDS is retiring support for Oracle versions 126.96.36.199 and 188.8.131.52. Oracle is no longer providing patches for these versions. Therefore, to provide the best experience for AWS customers, we are retiring these versions.
We recommend that as soon as possible, you upgrade any DB instances that use Oracle version 184.108.40.206 or 220.127.116.11 to Oracle version 18.104.22.168. For instructions on how to upgrade an Oracle DB instance, see Upgrading the Oracle DB Engine.
Amazon RDS also supports Oracle version 12c. For more information, see Oracle 12c with Amazon RDS.
Amazon RDS will retire support for Oracle versions 22.214.171.124 and 126.96.36.199 according to the following schedule.
August 1, 2016
You can no longer create DB instances that use Oracle version 188.8.131.52 or 184.108.40.206.
February 1 - February 22, 2017
DB instances that use Oracle version 220.127.116.11 will be automatically scheduled for an upgrade to version 18.104.22.168 during the next maintenance window.
March 1 - March 15, 2017
DB instances that use Oracle version 22.214.171.124 will be automatically scheduled for an upgrade to version 126.96.36.199 during the next maintenance window.
March 7 - March 14, 2017
Any remaining DB instances that use Oracle version 188.8.131.52 will be immediately upgraded to version 184.108.40.206.
April 12 - April 19, 2017
Any remaining DB instances that use Oracle version 220.127.116.11 will be immediately upgraded to version 18.104.22.168.
Deprecation of Oracle 22.214.171.124
In 2017, Amazon RDS is retiring support for Oracle version 126.96.36.199. Oracle is no longer providing patches for this version. Therefore, to provide the best experience for AWS customers, we are retiring this version.
We recommend that as soon as possible, you upgrade any DB instances that use Oracle version 188.8.131.52 to Oracle version 184.108.40.206. For instructions on how to upgrade an Oracle DB instance, see Upgrading the Oracle DB Engine.
Amazon RDS will retire support for Oracle version 220.127.116.11 according to the following schedule.
DB instances that use Oracle version 18.104.22.168 will be automatically scheduled for an upgrade to version 22.214.171.124 during the next maintenance window.
Any remaining DB instances that use Oracle version 126.96.36.199 will be immediately upgraded to version 188.8.131.52.
There are two licensing options available for Amazon RDS for Oracle; License Included and Bring Your Own License (BYOL). After you create an Oracle DB instance on Amazon RDS, you can change the licensing model by using the AWS Management Console, the Amazon RDS API ModifyDBInstance action, or the AWS CLI modify-db-instance command.
In the License Included model, you don't need to purchase Oracle licenses separately; AWS holds the license for the Oracle database software.
In this model, if you have an active AWS Premium Support account, you contact AWS Premium Support for both Amazon RDS and Oracle Database service requests.
The License Included model is supported on Amazon RDS for the following Oracle database editions:
Oracle Database Standard Edition One (SE1)
Oracle Database Standard Edition Two (SE2)
Bring Your Own License (BYOL)
In the Bring Your Own License model, you can use your existing Oracle Database licenses to run Oracle deployments on Amazon RDS. You must have the appropriate Oracle Database license (with Software Update License and Support) for the DB instance class and Oracle Database edition you wish to run. You must also follow Oracle's policies for licensing Oracle Database software in the cloud computing environment. For more information on Oracle's licensing policy for Amazon EC2, see Licensing Oracle Software in the Cloud Computing Environment.
In this model, you continue to use your active Oracle support account, and you contact Oracle directly for Oracle Database service requests. If you have an active AWS Premium Support account, you can contact AWS Premium Support for Amazon RDS issues. Amazon Web Services and Oracle have a multi-vendor support process for cases which require assistance from both organizations.
The Bring Your Own License model is supported on Amazon RDS for the following Oracle database editions:
Oracle Database Enterprise Edition (EE)
Oracle Database Standard Edition (SE)
Oracle Database Standard Edition One (SE1)
Oracle Database Standard Edition Two (SE2)
Using OEM, APEX, TDE, and other options
Most Amazon RDS DB engines support option groups that allow you to select additional features for your DB instance. Oracle DB instances support several options, including OEM, TDE, APEX, and Native Network Encryption. For a complete list of supported Oracle options, see Options for Oracle DB Instances. For more information about working with option groups, see Working with Option Groups.