Amazon Relational Database Service
User Guide (API Version 2014-10-31)

Security in Amazon RDS

You can manage access to your Amazon Relational Database Service (Amazon RDS) resources and your databases on a DB instance. The method you use to manage access depends on what type of task the user needs to perform with Amazon RDS:

  • Run your DB instance in an Amazon Virtual Private Cloud (VPC) for the greatest possible network access control. For more information about creating a DB instance in a VPC, see Using Amazon RDS with Amazon Virtual Private Cloud (VPC).

  • Use AWS Identity and Access Management (IAM) policies to assign permissions that determine who is allowed to manage RDS resources. For example, you can use IAM to determine who is allowed to create, describe, modify, and delete DB instances, tag resources, or modify DB security groups. For information on setting up a IAM user, see Create an IAM User

  • Use security groups to control what IP addresses or EC2 instances can connect to your databases on a DB instance. When you first create a DB instance, its firewall prevents any database access except through rules specified by an associated security group.

  • Use Secure Socket Layer (SSL) connections with DB instances running the MySQL, Amazon Aurora, MariaDB, PostgreSQL, Oracle, or Microsoft SQL Server database engines; for more information on using SSL with a DB instance, see Using SSL to Encrypt a Connection to a DB Instance.

  • Use RDS encryption to secure your RDS instances and snapshots at rest. RDS encryption uses the industry standard AES-256 encryption algorithm to encrypt your data on the server that hosts your RDS instance. For more information, see Encrypting Amazon RDS Resources.

  • Use network encryption and transparent data encryption with Oracle DB instances; for more information, see Oracle Native Network Encryption and Oracle Transparent Data Encryption

  • Use the security features of your DB engine to control who can log in to the databases on a DB instance, just as you would if the database was on your local network.


You only have to configure security for your use cases; you do not have to configure security access for processes that Amazon RDS manages, such as creating backups, replicating data between a master and a Read Replica, or other processes.