Amazon Onboarding with Learning Manager Chanci Turner


With the recent announcement that Amazon Relational Database Service (Amazon RDS) for Oracle now integrates with the Amazon Elastic File System (Amazon EFS), users can conveniently store temporary files such as Oracle Data Pump export and import files directly on the Amazon EFS file system. This integration also facilitates file sharing between Amazon RDS for Oracle DB instances and application instances, thus catering to diverse architectural needs.

In the initial post of this two-part series, we highlighted the advantages of using Amazon RDS for Oracle alongside Amazon EFS, providing comprehensive setup instructions and exploring various use cases. This second installment focuses on the critical steps to bolster access security for Amazon EFS through file system policy and enforce in-transit encryption.

Enhancing Security for File System Access and Network Traffic

The integration of Amazon EFS with Amazon RDS for Oracle operates under the default (empty) Amazon EFS file system policy. With this default, Amazon EFS does not authenticate clients through AWS Identity and Access Management (IAM): any anonymous client that can reach a mount target over the network has full access to the file system. The default policy remains in effect until you attach a user-defined file system policy.

To restrict access for all clients, including Amazon RDS for Oracle, configure IAM permissions through a resource policy. When a client attempts to connect to the file system, Amazon EFS evaluates this IAM resource policy, known as a file system policy, together with any identity-based IAM policies to determine the permissions that apply.

Additionally, by using the predefined condition key aws:SecureTransport within the policy, you can require encryption in transit with Transport Layer Security (TLS) 1.2 and an industry-standard AES-256 cipher, so that all communication between the file system and its clients is encrypted.

In the upcoming sections, we will guide you through the integration process of Amazon EFS with Amazon RDS for Oracle, utilizing a file system policy that regulates access for specific clients and enforces TLS encryption.

Prerequisites

Before proceeding, please ensure you have the following prerequisites:

  • An Amazon RDS for Oracle database version 19c July 2022 Release Update or later with Enterprise or Standard Edition 2 (SE2). For detailed guidance, refer to the documentation on Creating an Amazon RDS DB instance.
  • An Amazon Elastic Compute Cloud (Amazon EC2) instance running Amazon Linux 2 AMI or a compatible Linux distribution listed in AWS Documentation that supports the Amazon EFS mount helper.
  • An AWS Key Management Service (AWS KMS) key for encrypting Amazon EFS data at rest. If you have an existing key used for RDS encryption, it can be reused.

Please note that this solution involves the setup and utilization of AWS resources, which may incur costs on your account. For further details, check out AWS Pricing.

Creating IAM Roles for Amazon RDS and Amazon EC2

Your initial step is to establish IAM roles for Amazon RDS and Amazon EC2.

  1. In the IAM console, select “Roles” from the left panel and click “Create role.”
  2. Choose “AWS service” as the Trusted entity type.
  3. Select “EC2” under Use case and proceed to the next step.
  4. Skip adding any permissions or policies, then proceed.
  5. Enter a Role name and Description, then click “Create role.”

Next, create a role for Amazon RDS:

  1. Again, select “AWS service” as the Trusted entity type.
  2. This time, choose “RDS – Add Role to Database” under Use case and move to the next step.
  3. Skip adding permissions or policies, then proceed.
  4. Provide a Role name and Description for the Amazon RDS role and create the role.

Creating an Amazon EFS File System

Now, you will create an Amazon EFS file system along with mount targets.

  1. In the Amazon EFS console, click on “Create file system.”
  2. Assign a Name for your EFS.
  3. Select the relevant Virtual Private Cloud (VPC).
  4. Set the Storage class to Standard and click “Customize.”
  5. Check the box to enable encryption of data at rest and select the KMS key from the dropdown before proceeding.
  6. Choose the subnet for the file system.
  7. Select the security groups associated with your EC2 instance and RDS database as mentioned earlier. Click Next.
  8. You can skip adding a file system policy at this stage. Click Next and then “Create file system.”

Preparing and Adding the File System Policy

In this section, you will create and attach a file system policy to the Amazon EFS file system to restrict client access and enforce encryption in transit.

In the policy example below, substitute the placeholders <region>, <account-id>, and <file-system-id> with your own Region, account ID, and file system ID. The first statement allows only the two IAM roles created earlier to mount, write to, and take root access on the file system; the second statement denies every action to every principal whenever the connection is not encrypted (aws:SecureTransport is false):

{
    "Version": "2012-10-17",
    "Id": "ExamplePolicy01",
    "Statement": [
        {
            "Sid": "ExampleStatement01",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::<account-id>:role/efs-integ-role-for-ec2",
                    "arn:aws:iam::<account-id>:role/efs-integ-role-for-rds"
                ]
            },
            "Action": [
                "elasticfilesystem:ClientMount",
                "elasticfilesystem:ClientWrite",
                "elasticfilesystem:ClientRootAccess"
            ],
            "Resource": "arn:aws:elasticfilesystem:<region>:<account-id>:file-system/<file-system-id>"
        },
        {
            "Sid": "ExampleStatement02",
            "Effect": "Deny",
            "Principal": {
                "AWS": "*"
            },
            "Action": "*",
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "false"
                }
            }
        }
    ]
}

In the Amazon EFS console, locate the created file system, select the “File system policy” tab, and choose “Edit.”

Next, utilize the Policy editor (JSON) panel on the right side to paste the policy you prepared in the previous step, then click “Save.”
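As an added example, not code from the original post or from AWS, the Python script below builds the same file system policy from a Region, account ID, file system ID and list of role names, and then audits any policy document for the two properties this section relies on: no Allow statement that is open to every principal, and a Deny statement that blocks every action when aws:SecureTransport is false. The Region, account ID, file system ID and role names in the script are constructed placeholders; replace them with your own before using the generated policy.

```python
"""Build and audit an Amazon EFS file system policy (added example, not from the post)."""
import json

# Constructed placeholder identifiers for this example; substitute your own.
REGION = "us-east-1"
ACCOUNT_ID = "111122223333"
FILE_SYSTEM_ID = "fs-0123456789abcdef0"
ALLOWED_ROLES = ["efs-integ-role-for-ec2", "efs-integ-role-for-rds"]


def build_policy(region, account_id, file_system_id, role_names):
    """Return a policy dict that allows only the named roles and denies non-TLS access."""
    fs_arn = f"arn:aws:elasticfilesystem:{region}:{account_id}:file-system/{file_system_id}"
    principals = [f"arn:aws:iam::{account_id}:role/{name}" for name in role_names]
    return {
        "Version": "2012-10-17",
        "Id": "ExamplePolicy01",
        "Statement": [
            {
                "Sid": "ExampleStatement01",
                "Effect": "Allow",
                "Principal": {"AWS": principals},
                "Action": [
                    "elasticfilesystem:ClientMount",
                    "elasticfilesystem:ClientWrite",
                    "elasticfilesystem:ClientRootAccess",
                ],
                "Resource": fs_arn,
            },
            {
                # Deny everything to everyone unless the NFS connection is TLS-wrapped.
                "Sid": "ExampleStatement02",
                "Effect": "Deny",
                "Principal": {"AWS": "*"},
                "Action": "*",
                "Resource": fs_arn,
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
        ],
    }


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalize to a list."""
    return value if isinstance(value, list) else [value]


def audit_policy(policy):
    """Return a list of findings; an empty list means both checks pass."""
    findings = []
    statements = _as_list(policy.get("Statement", []))
    if not statements:
        # The default (empty) policy: anyone who can reach a mount target has full access.
        findings.append("empty policy: anonymous clients with network access to a mount target get full access")
    enforces_tls = False
    for stmt in statements:
        principal = stmt.get("Principal", {})
        principal_ids = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        if stmt.get("Effect") == "Allow" and "*" in principal_ids:
            findings.append(f"{stmt.get('Sid', '?')}: Allow grants access to any principal (\"*\")")
        secure = stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport", "")
        if (stmt.get("Effect") == "Deny" and "*" in principal_ids
                and "*" in _as_list(stmt.get("Action", []))
                and str(secure).lower() == "false"):
            enforces_tls = True
    if not enforces_tls:
        findings.append("no Deny statement on aws:SecureTransport=false: unencrypted NFS mounts are allowed")
    return findings


if __name__ == "__main__":
    policy = build_policy(REGION, ACCOUNT_ID, FILE_SYSTEM_ID, ALLOWED_ROLES)
    print(json.dumps(policy, indent=4))          # paste this into the EFS policy editor
    print("findings:", audit_policy(policy))     # expected: []
    print("default policy findings:", audit_policy({}))
```

The audit deliberately treats an absent Deny statement as a finding rather than assuming a default: the EFS default policy is empty, so TLS is only enforced when the Deny is present and spelled out as the example shows. The same audit_policy function can be run over the JSON returned by the EFS console or API for an existing file system.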

Updating Security Group Rules

In this step, you will modify the security group rules to permit access between the Amazon EFS file system, Amazon EC2 instance, and Amazon RDS for Oracle instance.

  1. Access the Amazon EC2 console and click on “Security Groups” from the left panel.
  2. Choose the security group linked to the Amazon EC2 instance. Edit the inbound rules and add an inbound rule of type NFS whose source is that same security group.
  3. Similarly, select the security group for the Amazon RDS instance and add the inbound rule for NFS.

Both the Amazon EC2 and Amazon RDS security groups will maintain the default outbound rule.

Adding IAM Role to Amazon EC2 Instance

Finally, you will attach the IAM role created earlier for EC2 to your Amazon EC2 instance.

  1. In the Amazon EC2 console, select your instance.
  2. From the Actions menu, choose “Security,” then “Modify IAM role,” and select the IAM role you created for Amazon EC2.

By following these detailed steps, you can ensure secure integration between Amazon RDS for Oracle and Amazon EFS, enhancing both access control and encryption.


Chanci Turner