As part of the ongoing enhancements to Amazon Relational Database Service (RDS) for Oracle, we’re excited to share that it now integrates seamlessly with Amazon Elastic File System (EFS). This integration allows you to store temporary files such as Oracle Data Pump export and import files directly on the Amazon EFS file system, enabling efficient access. Moreover, you can utilize this integration to share a file system between your Amazon RDS for Oracle DB instances and application instances, aligning with your architectural requirements.
In the earlier post of this two-part series, we highlighted the advantages of utilizing Amazon RDS for Oracle in conjunction with Amazon EFS, provided comprehensive setup guidelines, and discussed various use cases. In this segment, we will delve into the critical aspects of reinforcing Amazon EFS access through file system policies and enforcing encryption for data in transit, along with step-by-step implementation procedures.
Securing File System Access and Network Traffic
The integration of Amazon EFS with Amazon RDS for Oracle initially operates under the default (empty) Amazon EFS file system policy. This default policy does not utilize AWS Identity and Access Management (IAM) for authentication, instead permitting unrestricted access to any anonymous client capable of connecting to the file system via a mount target. This default setting is applied whenever a user-defined file system policy is absent, including during the creation of the file system.
To bolster access to your Amazon EFS file system for all clients, including Amazon RDS for Oracle, you can configure IAM permissions using a resource policy. When a client attempts to connect to the file system, Amazon EFS assesses the IAM resource policy—referred to as a file system policy—together with any identity-based IAM policies to determine the suitable access permissions.
Additionally, by incorporating predefined condition keys within the policy, you can mandate encryption in transit using Transport Layer Security (TLS) 1.2, which employs an industry-standard AES-256 cipher to safeguard data traffic between the file system and its clients.
In the subsequent sections, we will guide you through the process of integrating the Amazon EFS file system with Amazon RDS for Oracle using a file system policy that regulates access for specific clients while enforcing TLS encryption.
Prerequisites
Before we proceed, please ensure you have the following prerequisites in place:
- An Amazon RDS for Oracle database version 19c July 2022 Release Update or later, utilizing either the Enterprise or Standard Edition 2 (SE2). See the guide on Creating an Amazon RDS DB instance for details.
- An Amazon Elastic Compute Cloud (Amazon EC2) instance running Amazon Linux 2 AMI or any other Linux distribution that supports the Amazon EFS mount helper, as outlined in AWS Documentation.
- An AWS Key Management Service (AWS KMS) key for encrypting Amazon EFS data at rest. You may reuse an existing key used for RDS encryption if available.
Please be aware that this solution involves the setup and utilization of AWS resources, which may incur charges on your account. Refer to AWS Pricing for additional information.
Creating IAM Roles for Amazon RDS and Amazon EC2
Begin by creating IAM roles for Amazon RDS and Amazon EC2:
- Navigate to the IAM console, select “Roles” in the left panel, and click “Create role.”
- Choose “AWS service” as the trusted entity type.
- Select “EC2” under use case and proceed to the next step.
- Leave permissions and policies unassigned and continue.
- Enter a suitable role name and description, then click “Create role.”
Repeat these steps to create a role for Amazon RDS, selecting “RDS – Add Role to Database” in the use case section.
Creating an Amazon EFS File System
Next, create your Amazon EFS file system and its associated mount targets:
- On the Amazon EFS console, click “Create file system.”
- Input a name for the EFS.
- Choose the appropriate Virtual Private Cloud (VPC).
- Set Storage class to Standard and select “Customize.”
- Enable encryption for data at rest and select the KMS key from the dropdown, then click “Next.”
- Choose the subnet for the file system and select the security groups linked to your EC2 instance and RDS database. Click “Next.”
- Skip adding a file system policy at this stage, then click “Next” and “Create file system.”
Preparing and Adding the File System Policy
In this section, you will prepare a file system policy that limits client access and enforces encryption in transit. Below is an example policy; ensure you replace the placeholders with your actual Region, account ID, and file system ID:
{
  "Version": "2012-10-17",
  "Id": "ExamplePolicy01",
  "Statement": [
    {
      "Sid": "ExampleStatement01",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::<account-id>:role/efs-integ-role-for-ec2",
          "arn:aws:iam::<account-id>:role/efs-integ-role-for-rds"
        ]
      },
      "Action": [
        "elasticfilesystem:ClientMount",
        "elasticfilesystem:ClientWrite",
        "elasticfilesystem:ClientRootAccess"
      ],
      "Resource": "arn:aws:elasticfilesystem:<region>:<account-id>:file-system/<file-system-id>"
    },
    {
      "Sid": "ExampleStatement02",
      "Effect": "Deny",
      "Principal": {
        "AWS": "*"
      },
      "Action": "*",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}
In the Amazon EFS console, select the previously created file system, go to the File system policy tab, click “Edit,” and paste the prepared policy in the JSON panel before saving it.
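The following Python script is an added example, not code from the original post or from AWS. It builds the file system policy described above from a Region, account ID, file system ID and role names (all values below are constructed placeholders), and then audits a policy for the two properties this section is about: that every non-TLS request is denied, and that mount and write access is limited to named IAM roles rather than granted to any anonymous client. The audit can be run against a policy exported from an existing file system before it is applied, and it flags the weak "allow anyone" pattern that the default (empty) policy amounts to.

```python
import json

# Constructed placeholder values for this example; substitute your own
# Region, account ID, file system ID and role names before use.
REGION = "us-east-1"
ACCOUNT_ID = "111122223333"
FILE_SYSTEM_ID = "fs-0123456789abcdef0"
ROLE_NAMES = ["efs-integ-role-for-ec2", "efs-integ-role-for-rds"]

CLIENT_ACTIONS = [
    "elasticfilesystem:ClientMount",
    "elasticfilesystem:ClientWrite",
    "elasticfilesystem:ClientRootAccess",
]

# Constructed example of a weak policy: any principal may mount, and
# nothing forces TLS. This is the pattern the audit should reject.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": "elasticfilesystem:ClientMount",
            "Resource": "*",
        }
    ],
}


def build_policy(region, account_id, fs_id, role_names):
    """Return the policy from this post: an Allow restricted to the named
    IAM roles, plus a Deny of every action when TLS is not in use."""
    fs_arn = f"arn:aws:elasticfilesystem:{region}:{account_id}:file-system/{fs_id}"
    role_arns = [f"arn:aws:iam::{account_id}:role/{name}" for name in role_names]
    return {
        "Version": "2012-10-17",
        "Id": "ExamplePolicy01",
        "Statement": [
            {
                "Sid": "ExampleStatement01",
                "Effect": "Allow",
                "Principal": {"AWS": role_arns},
                "Action": CLIENT_ACTIONS,
                "Resource": fs_arn,
            },
            {
                "Sid": "ExampleStatement02",
                "Effect": "Deny",
                "Principal": {"AWS": "*"},
                "Action": "*",
                "Resource": fs_arn,
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
        ],
    }


def _as_list(value):
    """IAM allows a string or a list in Principal/Action; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_is_anyone(principal):
    """True for Principal "*" or {"AWS": "*"} (anonymous / any principal)."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def audit_policy(policy):
    """Report whether the policy enforces TLS and whether it grants access to
    a wildcard principal; also list the principals that are explicitly allowed."""
    findings = {"enforces_tls": False, "wildcard_allow": False, "allowed_principals": []}
    for stmt in policy.get("Statement", []):
        effect = stmt.get("Effect")
        principal = stmt.get("Principal", {})
        actions = _as_list(stmt.get("Action", []))
        secure = stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
        # A Deny on all actions for any principal when SecureTransport is false
        # is the condition-key pattern that forces TLS on every client.
        if effect == "Deny" and _principal_is_anyone(principal) and "*" in actions \
                and str(secure).lower() == "false":
            findings["enforces_tls"] = True
        if effect == "Allow":
            if _principal_is_anyone(principal):
                findings["wildcard_allow"] = True
            elif isinstance(principal, dict):
                findings["allowed_principals"].extend(_as_list(principal.get("AWS", [])))
    return findings


if __name__ == "__main__":
    policy = build_policy(REGION, ACCOUNT_ID, FILE_SYSTEM_ID, ROLE_NAMES)
    print(json.dumps(policy, indent=2))
    print("hardened:", audit_policy(policy))
    print("weak:    ", audit_policy(WEAK_POLICY))
```

The audit is deliberately conservative: it only credits TLS enforcement to the exact Deny-on-insecure-transport pattern, and it treats any Allow for a wildcard principal as a finding, so a policy that the default empty policy would effectively reduce to is never reported as restricting client access.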
Updating Security Group Rules
This section involves updating security group rules to facilitate access between Amazon EFS, the Amazon EC2 instance, and the Amazon RDS for Oracle instance.
- From the Amazon EC2 console, open “Security Groups” in the left panel, select the security group linked to your EC2 instance, and edit the inbound rules to add an NFS rule (TCP port 2049) whose source is that same security group.
- Similarly, select the security group for the Amazon RDS instance and edit the inbound rules to add the NFS rule.
Both the Amazon EC2 and Amazon RDS security groups should retain the default outbound rule.
Adding IAM Role to Amazon EC2 Instance
Lastly, you will assign the IAM role created earlier for EC2 to your Amazon EC2 instance:
- In the Amazon EC2 console, select your EC2 instance.
- From the Actions menu, navigate to “Security,” then “Modify IAM Role.”