Security - Oracle Database on AWS


When you deploy systems on the AWS Cloud, security responsibilities are shared between you and AWS. AWS operates, manages, and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the services run. You, in turn, are responsible for the guest operating system (including updates and security patches), the application software installed on it, such as Oracle Database and Oracle Grid Infrastructure, and the configuration of the AWS-provided security group firewall. For more information about security on AWS, visit the AWS Security Center.

Network Security

The default network security setup of this solution follows AWS security best practices. The provisioned Oracle Database instances are deployed in private subnets and can be reached in only three ways:

  • Over SSH through the bastion host: connect to the bastion host with an SSH client, and from there open an SSH session to the database instance.

  • From AWS resources (EC2 instances, RDS instances, and so on) that are members of the OracleServerAccessSecurityGroup security group, including any you launch with that group. Put your application instances in this security group.

  • By adding inbound rules to OracleServerSecurityGroup that allow access to your database from a known CIDR block; for example, an inbound rule for the VLAN in your data center that connects through a VPN or AWS Direct Connect. Keep such rules to the specific address ranges you own rather than opening the listener port to 0.0.0.0/0.


Figure 12: Adding inbound rules to your security group

OS Security

To gain root access to an instance, log in over SSH as ec2-user or oracle with the Amazon EC2 key pair you chose at deployment, and then use sudo to become root.

Keep the private key (the .pem file) of that key pair secure in your environment. AWS stores only the public half of the key pair, so if you lose the private key you will no longer be able to log in to your instances with it.

Security Groups

A security group acts as a firewall that controls the traffic for one or more instances. When you launch an instance, you associate one or more security groups with the instance. You add rules to each security group that allow traffic to or from its associated instances. You can modify the rules for a security group at any time. The new rules are automatically applied to all instances that are associated with the security group.

This Quick Start creates three security groups: OracleServerAccessSecurityGroup, OracleServerSecurityGroup, and OracleServersSecurityGroup. After the Quick Start deployment, you are responsible for maintaining these security groups and for adding or removing rules.

  • OracleServerSecurityGroup grants the bastion hosts access to port 22 (SSH) on the Oracle instances. It is also the group to which you add inbound rules for access from your own CIDR blocks.

  • OracleServersSecurityGroup is used only for traffic between the database instances themselves: the primary and standby instances communicate over the database ports, SSH, and the NFS ports.

  • OracleServerAccessSecurityGroup gives the EC2 instances that you place in it access to your database on the port you configured for the database listener and on port 5500 for Oracle Enterprise Manager.
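The following script is an added example, not part of the Quick Start or of AWS tooling. It serves two passages above: the third access path under Network Security (adding an inbound rule for a known data center CIDR to OracleServerSecurityGroup) and the statement that you own the three security groups after deployment. It consumes the JSON shape that `aws ec2 describe-security-groups` returns, so it can be pointed at real output, but the SAMPLE_GROUPS below are constructed by hand so the script runs offline. The group IDs, the 1521 listener port, the /16 width limit and the function names are assumptions of this example, not values from the Quick Start.

```python
"""Audit the Quick Start security groups and build a data center ingress rule.

Added example; not part of the Quick Start. SAMPLE_GROUPS is a constructed
sample in the shape of describe-security-groups output. Group IDs, the 1521
listener port and the /16 width limit are assumptions.
"""
import ipaddress
import json

QUICK_START_GROUPS = (
    "OracleServerSecurityGroup",
    "OracleServersSecurityGroup",
    "OracleServerAccessSecurityGroup",
)

# Constructed sample. sg-bastion is the bastion host group; sg-0c is the
# access group that application instances join. Two rules are deliberately
# wrong so that the audit has something to report.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0a", "GroupName": "OracleServerSecurityGroup",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-bastion"}]},
         {"IpProtocol": "tcp", "FromPort": 1521, "ToPort": 1521,
          "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-0c"}]},
         # Drift: Enterprise Manager port exposed to the whole internet.
         {"IpProtocol": "tcp", "FromPort": 5500, "ToPort": 5500,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
     ]},
    {"GroupId": "sg-0b", "GroupName": "OracleServersSecurityGroup",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 1521, "ToPort": 1521,
          "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-0b"}]},
         # Drift: the primary/standby group must only reference itself.
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "UserIdGroupPairs": []},
     ]},
    {"GroupId": "sg-0c", "GroupName": "OracleServerAccessSecurityGroup",
     "IpPermissions": []},
]


def rule_sources(perm):
    """Yield every source (CIDR or security group ID) of one IpPermissions entry."""
    for r in perm.get("IpRanges", []):
        yield r["CidrIp"]
    for r in perm.get("Ipv6Ranges", []):
        yield r["CidrIpv6"]
    for p in perm.get("UserIdGroupPairs", []):
        yield p["GroupId"]


def is_anywhere(source):
    """True for 0.0.0.0/0 and ::/0; False for narrower CIDRs and for group IDs."""
    try:
        return ipaddress.ip_network(source, strict=False).prefixlen == 0
    except ValueError:  # a security group ID, not a CIDR
        return False


def describe(perm):
    """Short label for a rule, e.g. 'tcp 1521-1521' or 'all traffic'."""
    if perm["IpProtocol"] == "-1":
        return "all traffic"
    return f"{perm['IpProtocol']} {perm['FromPort']}-{perm['ToPort']}"


def audit(groups):
    """Return a list of findings; an empty list means the groups match their intent."""
    findings = []
    by_name = {g["GroupName"]: g for g in groups}
    for name in QUICK_START_GROUPS:
        if name not in by_name:
            findings.append(f"{name}: missing")
    for g in groups:  # nothing on the database tier may be open to anywhere
        for perm in g["IpPermissions"]:
            for src in rule_sources(perm):
                if is_anywhere(src):
                    findings.append(f"{g['GroupName']}: {describe(perm)} open to {src}")
    servers = by_name.get("OracleServersSecurityGroup")
    if servers:  # inter-node traffic only: every source must be the group itself
        for perm in servers["IpPermissions"]:
            for src in rule_sources(perm):
                if src != servers["GroupId"]:
                    findings.append(
                        f"OracleServersSecurityGroup: {describe(perm)} allows {src}, "
                        "should only reference itself")
    return findings


def datacenter_rule(cidr, port, max_width=16):
    """Build the IpPermissions entry for a known on-premises CIDR block.

    Rejects an address with host bits set under its mask and any block wider
    than /max_width, which also rules out 0.0.0.0/0. Pass the result to boto3 as
    ec2.authorize_security_group_ingress(GroupId=..., IpPermissions=[rule]).
    """
    net = ipaddress.ip_network(cidr, strict=True)  # raises on e.g. 10.20.0.1/16
    if net.prefixlen < max_width:
        raise ValueError(f"{cidr} is wider than /{max_width}; name the exact block")
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": str(net),
                          "Description": "data center via VPN/Direct Connect"}]}


if __name__ == "__main__":
    for finding in audit(SAMPLE_GROUPS):
        print("FINDING:", finding)
    print(json.dumps(datacenter_rule("10.20.0.0/16", 1521), indent=2))
```

Run it on real output by loading `aws ec2 describe-security-groups --output json` and passing the `SecurityGroups` list to `audit()`; the two checks it performs (no source of 0.0.0.0/0 or ::/0 on any of the three groups, and OracleServersSecurityGroup referencing only itself) are exactly the properties the deployment starts with, so any finding is drift you introduced. `datacenter_rule()` refuses a CIDR wider than /16 so that a typo such as 10.0.0.0/0 cannot silently open the listener to the internet; loosen `max_width` only if your on-premises block really is that large.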