
Daniel Westermann

PostgreSQL on Amazon RDS – Securing the beast

In the last post I looked at how to bring up a PostgreSQL instance in the Amazon cloud. In this post I’ll look into how to restrict access to this instance to specific IP addresses to strengthen security. If you think about moving things to the cloud, you will certainly want to make them accessible only to a restricted set of people or systems.

On the left side there is a “Security Groups” menu which sounds like what we want:


Seems I have to go to the EC2 console, so let’s do that:

When a PostgreSQL instance is created, a default security group is created which allows the machine with my local IP address to access the instance. No other clients are accepted by default:

If I adjust this to something else I am no longer able to connect:

The connection attempt just hangs…

… and times out after a while:

In fact these are firewall rules and you can choose among various protocols and types:

For the “source” there is the choice between a custom IP address, my own IP address and “hey, I don’t care”, which is “Anyone”:

The same can be done for outbound connections:

Quite easy and powerful and of course you can create new security groups:
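
The “source” choices described above can also be checked from a script. The following is an added example, not part of the original post: it audits a security group's inbound rules, in the JSON shape returned by `aws ec2 describe-security-groups`, for PostgreSQL's default port 5432 being reachable from “Anyone” or from a source outside an allow list. The sample group, its ID and all addresses are constructed, and `audit_ingress` is a hypothetical helper name.

```python
import ipaddress

PG_PORT = 5432  # PostgreSQL default port (assumed; adjust if the instance uses another)

# Constructed sample in the shape of one entry of "SecurityGroups"
SAMPLE_GROUP = {
    "GroupId": "sg-EXAMPLE",  # placeholder ID
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "-1",  # all protocols, all ports
         "IpRanges": [{"CidrIp": "198.51.100.0/24"}], "Ipv6Ranges": []},
    ],
}

def audit_ingress(group, allowed_cidrs, port=PG_PORT):
    """Return (cidr, reason) for inbound CIDR sources that reach `port`
    but are not covered by `allowed_cidrs`. Only CIDR sources are checked,
    not rules that reference other security groups."""
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
    findings = []
    for rule in group.get("IpPermissions", []):
        proto = rule.get("IpProtocol")
        if proto == "-1":
            covers = True
        elif proto == "tcp":
            covers = rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)
        else:
            covers = False
        if not covers:
            continue
        sources = [r["CidrIp"] for r in rule.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
        for cidr in sources:
            net = ipaddress.ip_network(cidr, strict=False)
            if net.prefixlen == 0:  # 0.0.0.0/0 or ::/0, the "Anyone" source
                findings.append((cidr, "open to anyone"))
            elif not any(net.version == a.version and net.subnet_of(a)
                         for a in allowed):
                findings.append((cidr, "source not on allow list"))
    return findings

if __name__ == "__main__":
    for cidr, reason in audit_ingress(SAMPLE_GROUP, ["203.0.113.10/32"]):
        print(f"{SAMPLE_GROUP['GroupId']}: {cidr} -> {reason}")
```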

When there are discussions about putting things into the cloud, security is always a topic, and it seems that Amazon did a good job here. At least for these simple tests I could prevent access to my instance very easily and quickly, and I am able to adjust the security settings to my needs.

In the next post I’ll look at how I can configure my PostgreSQL instance. The offering is only really usable if I am able to adjust the configuration for the workloads I expect. Stay tuned …
