Security optimization - Best Practices for Deploying Microsoft SQL Server on Amazon EC2

Security optimization

Cloud security at AWS is the highest priority, and there are many AWS security features available to you. These features can be combined with the built-in security features of Microsoft SQL Server to satisfy even the most stringent requirements and expectations.

Amazon VPC

There are many features in Amazon VPC that can help you secure your data in transit. You can use security groups to restrict access to your EC2 instances and allow only certain endpoints and protocols. You can also use network access control lists to deny known sources of threats.

A best practice is to deploy your SQL Server instances in private subnets inside a VPC, and only allow access to the internet through a VPC network address translation (NAT) gateway, or a custom NAT instance.

Encryption at rest

If you are using EBS volumes to store your SQL Server database files, you have the option to enable block-level encryption. Amazon EBS transparently handles encryption and decryption for you. This is available through a simple check box, with no further action necessary. Amazon FSx for Windows File Server also includes built-in encryption at rest. Both EBS and Amazon FSx are integrated with AWS Key Management Service (AWS KMS) for managing encryption keys. This means, through AWS KMS, you can either use keys provided by AWS, or bring your own keys. For more information, see the AWS KMS documentation.

At the database level, you can use SQL Server Transparent Data Encryption (TDE), a feature available in Microsoft SQL Server that provides transparent encryption of your data at rest. TDE is available on Amazon RDS for SQL Server, and you can also enable it on your SQL Server workloads on EC2 instances.

Previously, TDE was only available on SQL Server Enterprise Edition. However, SQL Server 2019 has also made it available on Standard Edition. If you want encryption at rest for your database files on Standard Edition of an earlier version of SQL Server, you can use EBS encryption instead.

It’s important to understand the tradeoffs and differences between EBS encryption and TDE. EBS encryption is done at the block level, that is, data is encrypted when it is stored and decrypted when it is retrieved. However, with TDE, the encryption is done at the file level. Database files are encrypted, and can only be decrypted using the corresponding certificate.

For example, this means if you use EBS encryption without TDE and copy your database data or log files from your EC2 instance to an S3 bucket that does not have encryption enabled, the files will not be encrypted. Furthermore, if someone gains access to your EC2 instance, database files will be exposed instantly.

However, there is no performance penalty when using EBS encryption, whereas enabling TDE adds drag on your server resources.
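The TDE setup described above, as an added T-SQL example that is not part of the whitepaper: the database name SalesDB, the certificate name, the passwords and the backup paths are placeholders, and the certificate backup in step 3 is the step that makes the encrypted files restorable elsewhere.

```sql
-- Added example: enabling TDE on a hypothetical database named SalesDB.
-- Run as sysadmin. Names, passwords and paths are placeholders.
USE master;
GO
-- 1. Database master key in master, protected by a password
--    (keep the password in a secrets store, not in a script).
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong-placeholder-password>';
GO
-- 2. Server certificate that will protect the database encryption key.
CREATE CERTIFICATE TDE_SalesDB_Cert WITH SUBJECT = 'TDE certificate for SalesDB';
GO
-- 3. Back up the certificate and private key right away. Encrypted
--    data/log files and backups can only be restored where this
--    certificate exists, so store the backup outside the instance.
BACKUP CERTIFICATE TDE_SalesDB_Cert
    TO FILE = 'D:\keys\TDE_SalesDB_Cert.cer'
    WITH PRIVATE KEY (
        FILE = 'D:\keys\TDE_SalesDB_Cert.pvk',
        ENCRYPTION BY PASSWORD = '<strong-placeholder-key-password>');
GO
-- 4. Database encryption key (DEK) inside the target database,
--    protected by the server certificate.
USE SalesDB;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TDE_SalesDB_Cert;
GO
-- 5. Turn encryption on; a background scan encrypts existing pages
--    (this is the extra load the text refers to; tempdb is encrypted too).
ALTER DATABASE SalesDB SET ENCRYPTION ON;
GO
-- 6. Verify: encryption_state 3 = encrypted, 2 = encryption in progress
--    (percent_complete tracks the scan).
SELECT DB_NAME(k.database_id) AS database_name,
       k.encryption_state,
       k.percent_complete,
       k.key_algorithm,
       k.key_length,
       c.name AS certificate_name
FROM sys.dm_database_encryption_keys AS k
LEFT JOIN master.sys.certificates AS c
       ON c.thumbprint = k.encryptor_thumbprint
WHERE k.database_id = DB_ID('SalesDB');
GO
```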

Encryption in transit

As a best practice, you can enable encryption in transit for your SQL Server workloads using the SSL/TLS protocol. Microsoft SQL Server supports encrypted connections, and SQL Server workloads in AWS are no exception. When using the SMB protocol for the SQL Server storage layer, Amazon FSx automatically encrypts all data in transit using SMB encryption as you access your file system, without the need for you to modify SQL Server or other applications’ configurations.

Encryption in use

Microsoft SQL Server offers Always Encrypted to protect sensitive data using client certificates. This provides a separation between those who own the data and can view it, and those who manage the data but should have no access to it. This feature is available on both Amazon RDS for SQL Server and SQL Server workloads on Amazon EC2.

AWS Key Management Service (AWS KMS)

AWS KMS is a fully managed service to create and store encryption keys. You can use KMS-generated keys or bring your own keys. In either case, keys never leave AWS KMS and are protected from any unauthorized access. You can use KMS keys to encrypt your SQL Server backup files when you store them on Amazon S3, Amazon S3 Glacier, or any other storage service. Amazon EBS encryption also integrates with AWS KMS.

Security patches

One of the common security requirements is the regular deployment of security patches and updates. In AWS, you can use AWS Systems Manager Patch Manager to automate this process. Note that use cases for Patch Manager are not restricted to security patches. For more details, refer to the Patch management section of this whitepaper.