Lets GO And Encrypt: An AWS RDS Compliance Odyssey

TLDR

I developed a GO script to audit AWS RDS instances and clusters, analyzing their encryption status to ensure compliance with data encryption controls. This article goes over the code, tools used, how others can contribute, and challenges I faced. Github can be found here.

Intro

The goal of the project

My goal for this project was to engineer a solution to audit the encryption status of AWS RDS Database Instances and Clusters for both encryption-at-rest and encryption-in-transit. This would assist with determining whether or not data encryption controls are working as intended.

Why?

Encryption plays a pivotal role in safeguarding sensitive information by making it challenging for unauthorized entities to access or misuse data. This practice aligns with requirements that mandate the use of encryption to protect specific types of crucial data.

Auditing encryption controls involves stress-testing the effectiveness of implemented measures, assessing risks, and understanding the potential impact on the business. Regular audits serve as proactive measures, identifying and rectifying issues before they escalate. They contribute to the continuous improvement of data protection strategies over time. By demonstrating a commitment to robust encryption practices, organizations not only adhere to data encryption standards but also instill trust among customers and partners, showcasing a dedication to keeping their information secure.

What you'll learn from this!

You'll learn more than just automating the audit of AWS RDS Database encryption statuses. Here's what's in store for you:

1. AWS SDK in Go: We'll go into the intricacies of the AWS SDK and learn how to leverage it effectively in GoLang. This knowledge is crucial not just for this project but for any future work involving AWS services.

2. Understanding the Nuances of AWS RDS: Discover the critical differences between AWS RDS instances and clusters. This insight is vital for anyone looking to manage AWS RDS resources efficiently.

3. Engine Types and Their Unique Parameters: Each RDS engine type has its peculiarities. We'll explore these variations and understand how they influence your approach to encryption analysis.

4. Practical Application of GRC Principles: Gain insights into the practical application of Governance, Risk Management, and Compliance (GRC) principles in a technical setting, an essential skill set for any security compliance engineer.

Code Overview

Before diving into the code overview, you can reference and use the full code available on GitHub!

The GitHub has an-depth README.md file for the code, this is meant to assist users with the setup and usage of the tool. I've also added extensive comments throughout the code itself to assist users with understanding the logic used.

Foundation for Understanding

To fully grasp the solution and methodology I've developed, it's important to have a solid understanding of certain AWS RDS concepts. This knowledge will help explain how I approached the solution, making the technical details more accessible and meaningful.

Engine Types

AWS RDS supports various database engines like MySQL, PostgreSQL, Aurora, and others. Each engine type has its unique characteristics, operational features, and parameters. Knowing these engine types helps in understanding how they handle encryption and security settings differently.

Understanding AWS RDS Instances vs. Clusters

• Instances: An instance in AWS RDS is a single database server, similar to an independent server in a traditional database setup. For example, you might have an RDS instance running with an engine type such as MySQL or PostgreSQL, handling all the database tasks like storing data and executing queries for a specific application.

• Clusters: Clusters in AWS RDS involve a group of instances working together, often used for more complex configurations. This is particularly common with databases like Amazon Aurora, where you might have a primary instance handling all the write operations, and several secondary instances (read replicas) to distribute read queries. Clusters are key for scenarios requiring enhanced availability, scalability, and performance.

Understanding this distinction is crucial because the way you audit encryption varies significantly between standalone instances and clustered configurations.

Exploring Parameters and Parameter Groups

Parameters in AWS RDS are settings that dictate the behavior of database engines. They cover aspects like performance, resource allocation, and security. Each engine type has its own set of parameters, which can be managed through parameter groups. Understanding these can be key in knowing how to audit settings for optimal encryption and security compliance.

Putting it together

Encryption-At-Storage:

To identify the parameter that dictates encryption-at-storage, involves checking whether the StorageEncrypted attribute is set to true. This attribute is available in the RDS instance and cluster descriptions of all engine types and is crucial for ensuring that data at rest is adequately encrypted.

Encryption-In-Transit:

The auditing of encryption-in-transit within AWS RDS presents a more nuanced challenge, primarily due to the varying parameters based on the database configuration - whether you're dealing with instances or clusters. The parameter that indicates the status of encryption-in-transit changes, which requires a tailored approach depending on the specific setup.

• In the Case of Instances: For standalone database instances, such as those running the engine type MySQL or PostgreSQL, the parameter for Encryption-In-Transit is typically found within the database's specific parameter group. These parameters are different for each engine type. For instance (no pun intended), in MySQL, you might look for the require_secure_transport parameter, while in PostgreSQL, the relevant parameter would be rds.force_ssl.

• For Clusters: When dealing with clusters with the engine type Aurora MySQL, Aurora PostgresSQL, or Neptune, the approach differs. In these setups, Encryption-In-Transit is often managed at the cluster level rather than individually for each instance. Therefore, you need to inspect the cluster's parameter group. In the case of Aurora MySQL, the parameter would be require_secure_transport at the cluster parameter group level, which dictates the encryption for all instances within that cluster. You would not find this in the instance's parameter group since encryption-in-transit is handled at the cluster level in this case. Similarly, Aurora PostgresSQL's relevant parameter would be rds.force_ssl. However, clusters with the engine type Neptune would not have a parameter associated with encryption in transit since it is automatically enabled for all connections to an Amazon Neptune database.

The complexity lies in identifying and correctly interpreting these parameters across different engine types and configurations. This requires not only a thorough understanding of the AWS RDS architecture, but also a keen eye for the nuances of each engine's parameter setup. By carefully examining these parameters through the AWS SDK, you can determine the encryption status and ensure compliance with your security requirements.

What tools did I use to accomplish this and why?

In my journey to automate the audit of AWS RDS Encryption statuses, I relied on a specific set of tools, each chosen for their unique strengths and compatibility with the task at hand. Here's a breakdown of the tools I used and the rationale behind each choice:

GO (Golang):

• GO is known for its efficiency and simplicity in handling concurrent tasks, which is crucial for processing multiple AWS RDS instances and clusters simultaneously. Its robust standard library and powerful features for network programming and HTTP requests made it an ideal choice for interacting with the AWS SDK. Also, I just wanted to practice some GO....

AWS SDK:

• This SDK provides a seamless way to integrate GO applications with AWS services. It allowed me to programmatically access AWS RDS, making it easier to retrieve information about database instances and clusters, and to interact with other AWS services if needed.

CSV Package:

• To efficiently handle the output of the audit, I used GO's CSV package. It enabled me to organize the extracted data into a structured format, making it easier to analyze and share the findings.

Amazon RDS Service:

• The focus of this project was to audit RDS instances and clusters. Amazon RDS is a managed relational database service that simplifies database setup, operation, and scaling, making it a key component in this audit tool.

ChatGPT:

• AI language model developed by OpenAI. Used for debugging purposes in this case and understanding AWS RDS architecture.

Key Functions

The code for auditing AWS RDS instances and clusters incorporates several key functions, each designed to perform specific tasks crucial to the auditing process. Here's an overview of these functions and their roles:

main:

• Serves as the entry point of the program. It handles user inputs for AWS credentials and preferences, initializes the AWS session, and orchestrates the overall auditing process based on the selected scan type (DB Instances, DB Clusters, or Both).

promptUser:

• This utility function prompts the user for input and returns the entered string. It's used for gathering necessary information like AWS Access Key, Secret Access Key, Session Token, AWS Region, and the type of scan the user wishes to perform.

scanDBInstances and scanDBClusters:

• Scans and retrieves a list of all DB Instances/clusters in the specified AWS region. These functions are integral for auditing the encryption status of individual RDS instances/clusters.

writeToCSV:

• This function takes the scanned data (either instances or clusters) and writes it into a CSV file. It's a crucial component for organizing the audit findings in a structured, readable format, enabling easier analysis and reporting. This function also checks the encryption-at-storage settings regardless of a cluster's/instance's engine type.

checkClusterEncryptionInTransit and checkInstanceEncryptionInTransit:

• Specifically designed for clusters and instances respectively, these functions check the encryption in transit settings based on the cluster's/instance's parameter group and engine type.

joinStrings:

• Provides additional utility support, such as concatenating string pointers into a single string, which is useful in various parts of the code, particularly when dealing with AWS SDK responses.

By developing a Go script to audit AWS RDS instances and clusters, I've learned the nuances of encryption-at-rest and encryption-in-transit and how to ensure data security in a cloud environment. This journey is more than just a personal project, but about improving our collective understanding of AWS services and contributing to the robustness of GRC practices through technical means.

Current Issues And How You Can Contribute

While the AWS RDS encryption audit tool I've developed is effective in its current scope, there are few limitations. Here's a closer look at these limitations and how you can contribute to enhancing the tool:

Limitations of the Current Tool

Specific Engine and Configuration Focus:

The tool is currently optimized for the following RDS engines when scanning encryption-in-transit:

• MySQL

• PostgresSQL

• Aurora MySQL

• Aurora PostgresSQL

• Neptune

Each engine has its unique parameters for encryption-in-transit. This means the current set up may not fully support or accurately interpret configurations from other engines such as Oracle or Microsoft SQL Server. However, I have set it up accordingly to leave room for scalability!

Throttling Issues:

When the tool executes the function checkClusterEncryptionInTransit or checkInstanceEncryptionInTransit, it makes multiple calls to parameter groups (which may contain multiple pages of information for just one instance or cluster). AWS imposes rate limits on these calls to manage load on their systems. If the tool exceeds these rate limits, AWS throttles the requests, leading to delays or failures in retrieving data.

To prevent this I added a line of code to the aforementioned functions to wait 50 milliseconds before executing. Unfortunately, at the cost of preventing errors, I sacrifice speed.

How You Can Contribute

Given these limitations, contributions that expand the tool's scope and adaptability would be highly beneficial:

1. Dynamic Parameter Handling: Improving the tool to dynamically identify and interpret a wider range of encryption-in-transit-related parameters across different engines would make the auditing process more robust.

2. Throttling Error Handling: Enhancements in the logic for exponential backoff can significantly improve how the tool handles retries, making it more resilient to AWS throttling without sacrificing the performance of the code.

3. Feedback and Code Contributions: Contributions in the form of code enhancements, testing in diverse AWS environments, bug reports, and suggestions for functionality improvements are invaluable. This includes adding or refining logic in the key functions to address uncovered scenarios.

Your contributions are crucial in evolving this tool to cover a broader range of AWS RDS scenarios. Whether through code contributions, testing, or feedback, your input can help in creating a more versatile and effective auditing tool for AWS RDS encryption status analysis.

Want More Like This?

Check out my other article on Github Change Management Control compliance!