Amazon Relational Database Service (Amazon RDS)
The following list details the differences for using this service in the AWS GovCloud (US) Region compared to other AWS regions:
In the AWS GovCloud (US) Region, all Amazon RDS instances must be launched in an Amazon VPC.
DB event notifications via SMS are not supported in the AWS GovCloud (US) Region.
For more information about Amazon RDS, see the Amazon Relational Database Service documentation.
The ITAR boundary defines where customers are allowed to store ITAR-regulated data for this service in the AWS GovCloud (US) Region. You must comply with the boundaries in order to maintain ITAR compliance. If you do not have any ITAR-regulated data in the AWS GovCloud (US) Region, this section does not apply to you. The following information identifies the ITAR boundary for this service:
ITAR-Regulated Data Permitted
ITAR-Regulated Data Not Permitted
If you are processing ITAR-regulated data with Amazon RDS, follow these guidelines in order to maintain ITAR compliance:
When you use the console or the AWS APIs, the only data field that is protected as ITAR-regulated data is the Amazon RDS Master Password.
After you create your database, change the master password of your Amazon RDS instance by directly using the database client.
You can enter ITAR-regulated data into any data fields by using your database client-side tools. Do not pass ITAR-regulated data by using the web service APIs that are provided by Amazon RDS.
To secure ITAR-regulated data in your VPC, set up network access control lists (network ACLs) to control traffic entering and exiting your VPC. If you have multiple databases configured to listen on different ports, set up network ACL rules for every one of those ports.
For example, if you're running an application server on an Amazon EC2 instance that connects to an Amazon RDS database instance, a non-U.S. person could reconfigure the DNS to redirect ITAR-regulated data out of the VPC and into any server that might be outside of the AWS GovCloud (US) Region.
To prevent this type of attack and to maintain ITAR compliance, use network ACLs to prevent network traffic from exiting the VPC on the database port. For more information, see Network ACLs in the Amazon VPC User Guide.
For each database instance that contains ITAR-regulated data, ensure that only specific CIDR ranges and Amazon EC2 security groups can access the database instance, especially when an Internet gateway is attached to the VPC. Only allow connections that are from the AWS GovCloud (US) Region or other ITAR-controlled environments to ITAR-controlled database instances.
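The following is an added example, not code from this guide or from AWS, that checks the two controls above offline: it evaluates a subnet's network ACL egress entries the way the VPC does (ascending rule number, first match wins, with the 32767 catch-all deny) to confirm that the database port cannot leave the VPC, and it flags security-group ingress sources on that port that fall outside an allowed CIDR list. The rule entries are constructed sample data shaped like the EC2 DescribeNetworkAcls and DescribeSecurityGroups responses; the database port (5432), the VPC CIDR (10.0.0.0/16) and the security group ID are assumptions for the example and should be replaced with your own values.

```python
"""Offline audit of network ACL egress and security-group ingress for an RDS port.

Added example. The rule lists below are constructed sample data in the shape of
EC2 DescribeNetworkAcls / DescribeSecurityGroups entries, not output from a real
account. DB_PORT, ALLOWED_SOURCES and the group ID are assumptions.
"""
import ipaddress

DB_PORT = 5432  # assumed PostgreSQL listener port; use your engine's port
ALLOWED_SOURCES = [ipaddress.ip_network("10.0.0.0/16")]  # assumed VPC CIDR

# Constructed network ACL egress entries. The VPC evaluates these in ascending
# RuleNumber order and applies the first match; 32767 is the implicit final deny.
NACL_EGRESS = [
    {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow",
     "CidrBlock": "10.0.0.0/16", "PortRange": {"From": 5432, "To": 5432}},
    {"RuleNumber": 110, "Protocol": "6", "RuleAction": "deny",
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 5432, "To": 5432}},
    {"RuleNumber": 200, "Protocol": "-1", "RuleAction": "allow",
     "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny",
     "CidrBlock": "0.0.0.0/0"},
]

# Constructed security-group ingress permissions for the DB instance.
SG_INGRESS = [
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
     "IpRanges": [{"CidrIp": "10.0.1.0/24"}],
     "UserIdGroupPairs": [{"GroupId": "sg-app-example"}]},  # assumed group ID
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
]


def _nacl_rule_matches(rule, proto, port, dst):
    """True when a single NACL entry applies to proto traffic to dst:port."""
    if rule["Protocol"] not in ("-1", proto):      # "-1" means all protocols
        return False
    pr = rule.get("PortRange")                     # absent on all-protocol rules
    if pr and not (pr["From"] <= port <= pr["To"]):
        return False
    return ipaddress.ip_address(dst) in ipaddress.ip_network(rule["CidrBlock"])


def nacl_egress_verdict(entries, dst, port, proto="6"):
    """Return 'allow' or 'deny' as the NACL would for TCP egress to dst:port."""
    for rule in sorted(entries, key=lambda r: r["RuleNumber"]):
        if _nacl_rule_matches(rule, proto, port, dst):
            return rule["RuleAction"]
    return "deny"  # only reached if the 32767 catch-all were missing


def sg_ingress_findings(permissions, port, allowed):
    """List IPv4 CIDR sources that can reach `port` but are outside every
    allowed range. Security-group references (UserIdGroupPairs) are not
    flagged because their membership is controlled inside the VPC."""
    findings = []
    for perm in permissions:
        if perm["IpProtocol"] not in ("-1", "tcp"):
            continue
        if perm["IpProtocol"] != "-1" and not (
                perm["FromPort"] <= port <= perm["ToPort"]):
            continue
        for r in perm.get("IpRanges", []):
            net = ipaddress.ip_network(r["CidrIp"])
            if not any(net.subnet_of(a) for a in allowed):
                findings.append(r["CidrIp"])
    return findings


def db_port_can_leave_vpc(entries, port, probe="203.0.113.5"):
    """True if egress on `port` to a non-VPC address (a documentation-range
    probe address) would be allowed, i.e. the guidance above is not met."""
    return nacl_egress_verdict(entries, probe, port) == "allow"


if __name__ == "__main__":
    print("DB port can leave VPC:", db_port_can_leave_vpc(NACL_EGRESS, DB_PORT))
    print("Intra-VPC DB egress:", nacl_egress_verdict(NACL_EGRESS, "10.0.2.10", DB_PORT))
    print("Over-broad SG sources:", sg_ingress_findings(SG_INGRESS, DB_PORT, ALLOWED_SOURCES))
```

Because network ACL rules are ordered, the relative numbering matters: the deny on rule 110 only protects the port because the VPC-internal allow sits ahead of it and the broad allow on rule 200 sits behind it; renumbering the deny above 200 would silently reopen the port. Running the audit against the real account means swapping the constructed lists for the `Entries` (with `Egress` true) and `IpPermissions` fields returned by the EC2 API.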
If you are processing ITAR-regulated data with this service, use the SSL (HTTPS) endpoint to maintain ITAR compliance. For a list of endpoints, see AWS GovCloud (US) Endpoints.