Amazon RDS - AWS GovCloud (US)

Amazon RDS

Amazon Relational Database Service (Amazon RDS) is a web service that makes it easier to set up, operate, and scale a relational database in the cloud. It provides cost-efficient, resizable capacity for an industry-standard relational database and manages common database administration tasks.

How Amazon Relational Database Service Differs for AWS GovCloud (US)

  • RDS Proxy is not available.

  • Amazon RDS Performance Insights isn't available in the AWS GovCloud (US) Regions.

  • Creation of cross-Region read replicas from other AWS Regions to the AWS GovCloud (US) Regions or from AWS GovCloud (US) Regions to other AWS Regions isn't supported.

  • You can enable the replication of automated backups only on existing DB instances. You can't enable backup replication while creating a new DB instance.

  • Copying of DB snapshots from other AWS Regions to the AWS GovCloud (US) Regions or from AWS GovCloud (US) Regions to other AWS Regions isn't supported.

  • Oracle Management Agent versions 12.1 and 13.1 aren't available in the AWS GovCloud (US) Regions.

  • Intermediate SSL certificates must be used to connect to the AWS GovCloud (US) Regions using SSL. For more information about intermediate certificates, see Using SSL/TLS to Encrypt a Connection.

  • Instance types and engine versions might vary in the AWS GovCloud (US) Regions. To determine instance and engine availability, see the RDS Management Console or CLI tools.

Documentation for Amazon Relational Database Service

Amazon RDS documentation.

Export-Controlled Content

For AWS Services architected within the AWS GovCloud (US) Regions, the table below explains how certain components of data may leave the Regions in the normal course of the Service Offerings. The table can be used as a guide to help meet applicable customer compliance obligations.

Data in the following service attributes will not leave the AWS GovCloud (US) Regions in the normal course of the Service Offerings:

  • Amazon RDS master passwords are protected as export-controlled data.

  • All data stored and processed in Amazon RDS database tables can contain export-controlled data. You cannot transfer export-controlled data in and out of your Amazon RDS instance using the API or CLI. You must use database tools for data transfer of export-controlled data.

Data in the following service attributes may leave the AWS GovCloud (US) Regions in the normal course of the Service Offerings:

  • Amazon RDS metadata is not permitted to contain export-controlled data. This metadata includes all configuration data that you enter when creating and maintaining your Amazon RDS instances except the master password.

  • Do not enter export-controlled data in the following fields:

    • Database instance identifier

    • Master user name

    • Database name

    • Database snapshot name

    • Database security group name

    • Database security group description

    • Database parameter group name

    • Database parameter group description

    • Option group name

    • Option group description

    • Database subnet group name

    • Database subnet group description

    • Event subscription name

    • Resource tags

If you are processing export-controlled data with Amazon RDS, follow these guidelines in order to maintain export compliance:

  • When you use the console or the AWS APIs, the only data field that is protected as export-controlled data is the Amazon RDS master password.

  • After you create your database, change the master password of your Amazon RDS instance by directly using the database client.

  • You can enter export-controlled data into any data fields by using your database client-side tools. Do not pass export-controlled data by using the web service APIs that are provided by Amazon RDS.

  • To secure export-controlled data in your VPC, set up access control lists (ACLs) to control traffic entering and exiting your VPC. If you have multiple databases configured with different ports, set up ACLs on all the ports.

    • To prevent this type of attack and to maintain export compliance, use network ACLs to prevent network traffic from exiting the VPC on the database port. For more information, see Network ACLs in the Amazon VPC User Guide.

  • For each database instance that contains export-controlled data, ensure that only specific CIDR ranges and Amazon EC2 security groups can access the database instance, especially when an Internet gateway is attached to the VPC. Only allow connections that are from the AWS GovCloud (US) Regions or other export-controlled environments to export-controlled database instances.
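As an added example (not part of the AWS documentation), the following Python audits the two network controls above: it flags security-group ingress on the database port from CIDRs outside an approved list, and evaluates a network ACL's egress entries in rule order to confirm the database port cannot leave the VPC. The resource IDs, the approved CIDR list and the sample rules are constructed, shaped like EC2 DescribeSecurityGroups / DescribeNetworkAcls output.

```python
import ipaddress

DB_PORT = 5432
ALLOWED_CIDRS = ["10.0.0.0/16", "192.168.10.0/24"]  # assumed approved source ranges (constructed)
# Constructed samples shaped like EC2 DescribeSecurityGroups / DescribeNetworkAcls output.
SECURITY_GROUP = {
    "GroupId": "sg-0123example",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.1.0/24"}, {"CidrIp": "0.0.0.0/0"}],
         "UserIdGroupPairs": [{"GroupId": "sg-0456app"}]},
    ],
}
NETWORK_ACL = {
    "NetworkAclId": "acl-0789example",
    "Entries": [
        {"RuleNumber": 100, "Egress": True, "RuleAction": "deny", "Protocol": "6",
         "PortRange": {"From": 5432, "To": 5432}, "CidrBlock": "0.0.0.0/0"},
        {"RuleNumber": 200, "Egress": True, "RuleAction": "allow", "Protocol": "-1",
         "CidrBlock": "0.0.0.0/0"},
    ],
}

def _covers_port(proto, from_port, to_port, port):
    # "-1" means all protocols; "6" (NACL) / "tcp" (security group) is TCP
    return proto == "-1" or (proto in ("6", "tcp") and from_port <= port <= to_port)

def unapproved_ingress(sg, port, allowed_cidrs):
    """CIDRs allowed to reach `port` that fall outside every approved range.
    Security-group references (UserIdGroupPairs) are accepted, as the guidance permits."""
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
    flagged = []
    for perm in sg["IpPermissions"]:
        if _covers_port(perm["IpProtocol"], perm.get("FromPort", 0),
                        perm.get("ToPort", 65535), port):
            for rng in perm.get("IpRanges", []):
                net = ipaddress.ip_network(rng["CidrIp"])
                if not any(net.subnet_of(a) for a in allowed):
                    flagged.append(rng["CidrIp"])
    return flagged

def egress_allowed_to(acl, port, dest_ip):
    """NACL egress entries are evaluated in RuleNumber order; first match wins, else implicit deny."""
    dest = ipaddress.ip_address(dest_ip)
    for e in sorted((x for x in acl["Entries"] if x["Egress"]), key=lambda x: x["RuleNumber"]):
        pr = e.get("PortRange", {"From": 0, "To": 65535})
        if dest in ipaddress.ip_network(e["CidrBlock"]) and \
           _covers_port(e["Protocol"], pr["From"], pr["To"], port):
            return e["RuleAction"] == "allow"
    return False
```

Run against live data by feeding it the dictionaries returned by `describe_security_groups` and `describe_network_acls`; a non-empty result from `unapproved_ingress` or `True` from `egress_allowed_to` on the database port is a finding.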

If you are processing export-controlled data with this service, use the SSL (HTTPS) endpoint to maintain export compliance. For a list of endpoints, see Service Endpoints.