AWS RDS encryption
In the article Recover Data in AWS RDS SQL Server, we explored the native backup and restore process for an AWS RDS SQL Server database. It involves the following steps:
- Take a full database backup into an S3 bucket
- Restore the backup from the S3 bucket into the RDS instance
Consider a scenario in which your database contains customer personal data such as account numbers, credit card details and social security numbers. You do not want to expose personally identifiable data to everyone.
You have given users in the organization access to an S3 bucket to upload and download data, and we took the database backup into that same S3 bucket. Any user with access to the S3 bucket can download the database backup file and restore it to retrieve the data. We cannot change the S3 bucket, and we want to secure the backup file. Do you know how to do it?
In this article, let's explore the process of securing the database backup file.
Prerequisites
You should have the following set up before proceeding with this article:
Amazon RDS SQL Server instance
I have an RDS SQL Server instance named myrdsinstance for this article in the us-east-1f availability zone. It is running the SQL Server Express edition.
S3 bucket
You should have an S3 bucket to store the backup file. In this article, we use the [rdstestsql] S3 bucket. Currently, it does not contain any files.
Copy the bucket ARN and store it in a notepad file.
We will use the AWS Key Management Service (AWS KMS) in this article. Let's take an overview of it first.
AWS Key Management Service (AWS KMS)
KMS is an AWS service for creating, deleting and controlling the keys used to encrypt data stored in the S3 bucket. It provides the following benefits in AWS:
- It is a fully managed service from AWS. We can generate the keys and define user permissions, and AWS handles the durability and security of the keys
- AWS provides centralized management for KMS. We can import, delete, rotate and manage the keys using both the AWS console and the CLI
- KMS integrates with CloudTrail and records all API requests, which helps meet compliance and auditing requirements
- We can use it to encrypt or decrypt data using AWS KMS keys
- It is a low-cost service, and you do not need to commit to a specific duration. You can start using it and pay only $1/month to store a key in AWS KMS
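To show where KMS fits into the backup and restore steps listed at the start of the article, here is an added T-SQL example (not the article's own code) using the RDS SQL Server stored procedures, which accept a KMS key ARN; the database name and the key ARN are assumed placeholders, and the bucket is the [rdstestsql] bucket named above.

```sql
-- Added example: back up a database to S3 with the backup file encrypted
-- under a KMS key. Anyone who can only read the S3 bucket gets ciphertext;
-- restoring it requires permission to use the key (kms:Decrypt), which is
-- what separates "can download the file" from "can read the data".
-- Placeholders (assumed, not from the article): SalesDB and the key ARN.

EXEC msdb.dbo.rds_backup_database
    @source_db_name        = 'SalesDB',
    @s3_arn_to_backup_to   = 'arn:aws:s3:::rdstestsql/SalesDB_encrypted.bak',
    @kms_master_key_arn    = 'arn:aws:kms:us-east-1:111122223333:key/REPLACE-WITH-KEY-ID',
    @overwrite_s3_backup_file = 1,
    @type                  = 'FULL';

-- The backup runs as an asynchronous task; poll its status until
-- the lifecycle column reports SUCCESS (or ERROR, with the reason).
EXEC msdb.dbo.rds_task_status @db_name = 'SalesDB';

-- Restore the same file: the same key ARN must be supplied, and the IAM role
-- attached to the RDS option group must be allowed to decrypt with that key.
-- Without either, the restore task fails even though the .bak is readable in S3.
EXEC msdb.dbo.rds_restore_database
    @restore_db_name        = 'SalesDB_restored',
    @s3_arn_to_restore_from = 'arn:aws:s3:::rdstestsql/SalesDB_encrypted.bak',
    @kms_master_key_arn     = 'arn:aws:kms:us-east-1:111122223333:key/REPLACE-WITH-KEY-ID',
    @with_norecovery        = 0,
    @type                   = 'FULL';
```

Scoping the key policy so that only the RDS role (and administrators) may use the key is what keeps bucket-wide S3 read access from turning into database access.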
You can find the Key Management Service in the Security, Identity and Compliance section of the AWS services list.