Gain in-depth knowledge for passing your exam with Exam-Labs AWS Certified Database - Specialty certification video training course. The most trusted and reliable name for studying and passing with VCE files which include Amazon AWS Certified Database - Specialty practice test questions and answers, study guide and exam practice test questions. Unlike any other AWS Certified Database - Specialty video training course for your certification exam.

Amazon RDS and Aurora

6. RDS - Hands on

In this hands-on, Let's create our first database in RDS. So here I am in the RDS console in AWS, and you can use this CreateDatabase button here to create your database. Alright, so you have different options here. You can use the Easy Create option or the Standard Create. We're going to go with the standard Create. So you will see most of the options. Then you choose the engine type. Here, we're going to talk about Aurora a little later. So you can choose any of the engines available here. I'm going to choose my sequel. And then you can select the version; you can select any version you want. I'll leave it at the default value. Then here you can choose one of the templates, whether you want to create this database for production use, development testing, or the free tier. Okay, so what I'm going to do is just create a free tier database. So some of the options are not available on the free tier. For example, you cannot create a multi-AZinstance, but that is fine for this demonstration. All right, so here, then, you can provide a database name. So I'll leave it at that. You provide a master username and password. Just type in some passwords and repeat typing. And then you choose the instance type. So with the free tier, you can only choose the possible instances. So you can choose any of them. I'm just going to leave it at whatever the default is. And then you can choose the storage type. You can choose general-purpose SSD. Or you can choose Provision I, so I'll leave it at General Purpose SSD. This is just a demo, and you can choose the allocated storage. And here is where you can enable storage auto-scaling and set the maximum storage threshold for your auto scaling.So this will set the maximum limit for your auto scaling.All right, then under availability and durability, you can choose multi-AC deployment. So if you choose to create a standby instance, then what the audience will do is it will create a standby instance in another availability zone, and we're going to talk about this later in the course. So if you choose a multi-AC deployment, whenever there is an outage or if your primary instance goes down, the standby instance can take over. Right? Then here under the connectivity options, you choose the VPC where you want to place your instance, and you can add additional connectivity information. Just like you can make your instance publicly available if you want to, if you want to connect it from your computer, you can choose the option to make it publicly available. Ideally, we may not want to make it publicly accessible, but since this is just a demo and we want to make sure that we are able to connect to this instance from our computer, we're going to set this option to be publicly accessible. In a real scenario, you would set this option to "private" and place your instance into a private subnet, all right? And under the VPC security group, you can either choose an existing security group or create a new one. In either case, make sure that your security group allows inbound connections on port 3306, which is the port on which the MySQL database runs. Okay? So I'm going to leave it to the default security group, and in my case, the default security group does provide inbound connections on the 3364. and you can check this in your AWS account using the VPC console. Or if you're not sure, you can simply create a new security group and give it a name, and it will automatically create an appropriate security group for you. All right, I'm going to leave it to default as my default security group here allows inbound connections on the port. All right, you can choose the availability zone preference, and the database port generally is 3306 for my sequel instances. Then under database authentication, you can choose different options here like password authentication or IMDb authentication, and so on. We're going to talk about these options later in the course, and then we have some additional configuration that you can do, like place an initial database name. For example, if I say "My database," then Audius is going to create an initial database for our use. And this is not mandatory. You can create any number of databases later by connecting to your database. All right, then you can enable automatic backups here, and by default the backup retention period is seven days. You have a range of options ranging from zero to approximately 35 days. And if you choose "zero," that means you are in effect disabling the backup service. All right, so I'm going to leave it at the default, then under monitoring, you can enable enhanced monitoring here. Later in the course, we're going to talk about enhanced later in the course.Then in the log export section, here are different logs that are available with my SQL engine. Because we are creating a MySQL database, these are the logs that are available. If you select the options here, then these logs will be exported to Cloud Watch locks, right? And this is an optional feature. If you want the logs to be accessible from Cloud Watch locks, then you should select these options. All right, and these lock types will be different for each database engine. And then, right here, an im role will be created for you to publish logs to Cloud Watch locks, all right? And under maintenance, you can enable auto-minor version upgrades. If there are any minor versions, your database will be automatically upgraded during the maintenance window. And you can choose a specific maintenance window here, or you can let AWS decide when to do the upgrade. If you select a window, you can specify a 30 minute window here, or you can specify a larger window if you like. Generally, you do specify at least a 30-minute window; otherwise, you can just select "no preference" and then you have the option for deletion protection. If you enable the deletion protection, then you will not be able to delete your database. So you have to first modify the database and remove the deletion protection, and only then will you be able to delete the database. I'm going to leave it at the default value, and that's about it. You can go ahead and create your instance, and since this is in the free tier, there won't be any charges associated with this, but if you choose a non-free tier option, then you will see an estimated price here. So that's all about how you configure the database and how we create the database. And these options for creating the database in RDS are more or less similar. Irrespective of the database engine, there are slight variations, but more or less, the process is similar. So simply hit the Create Database button to create a database. This is going to take a while, so I'm going to pause the video here, and I'll come back once the database is ready. Alright, so our instance is available now, so we can go and review the configuration. So you can see that the end point is displayed here and the port is displayed here. So you can use this information to connect to your database instance. All right? And if you go down, you can see all the different options available. And if you go on the configuration screen or the configuration tab, you can see different configurations. So here you can see that the default option group has been applied to the instance and that the default parameter group has been applied to the instance. So let's go into the parameter group, and here you can see the configuration. Now if you want to change this configuration, what you have to do is go into the parameter groups and create a new parameter group. All right? So choose the engine type that is selected for us. Okay, now my parameter group is available here, and you can change any of the options here, wherever you want, by saying my parameter group and giving it a description, my.PG for example. And what you have to do to add it to your database is to go into your database. Click on Modify, and then you can change the parameter group from MySQL default to the parameter group that you've read, and then you modify the instance. Right. You continue, and here you can choose whether you want to apply it immediately or apply it during the next scheduled maintenance window. All right, so I'm not going to do this. I'm just going to cancel and back out. And now let's look at the option groups. Okay, so you go into option groups, and you can see that this default option group is created for us. You can also navigate it from here. So if you go on to the configuration tab, you can click through to the option group, and currently the option group is the default option group. So you can see that it is empty, there are no options, and you cannot add any options to the default group. If you want to add options, what you do is go to the option groups and create an option group. Okay? So you can say "my SQL option group"—okay, "MySQL OG"—and it will choose your engine. So it's going to be my sequel, and you can choose the engine—a 5.7 in our case. So simply hit "Create." So here we have the default option group. All right, here you can actually go ahead and modify. The way you do it is you select your option group, and you can choose the option to add options, right? So here, you can add different options. There are two options available with the MySQLoptions group: MCAST for caching and the Maradb audit plugin for auditing your database activity. You can just choose one of the options, configure your settings as you need, and simply add the option to your option group. So now if you navigate to your option group, you can see different parameters and modify them using the same process that we saw. So you simply select and choose the "modify" option. And now you can go ahead and modify the different parameters that are required for the audit plugin to work. Okay, so once you've created your option group, then you can go into your database and follow the same process. So you could click on the modified instance option, and then under the option group settings, you can simply choose the option group that you created, and then you can continue. And then you can choose whether to apply it immediately or to apply it during the next maintenance window. Because I'm not going to do that now, I'm going to cancel and back out. So that's how you create your database instances, and that's how you configure the parameter groups and option groups. So before we close, let's quickly see how you connect to your instance. You can use any of the SQL clients to connect. For example, you could use SQL Electron. All right, this is one of the clients that I use. So you can simply download this one, and you can choose the executable based on your operating system. So, if you're using Windows, use this one, and if you're using a Mac, use this one. or you can choose as per your requirements. And once you install it in the connection information by using this add button here, just name your server, let's say My SQL on RDS, and choose the database type. It would be MySQL in our case. Then you can find the host address on the RDS console. So copy this, endpoint the port is 3306. I'm going to copy it here. And port is 3306. And then the master password—the master username and password that you created when you created the instance. If you want to connect over SSL, you can enable it. For now, we are good. And simply click on "Test" to check the connection. The connection test is successful. so we can save. And now we can use this connect option to connect to our instance. And here we are connected to our MySQL instance. And here is the database that we created. Right? So this was the database name that we provided when we created our instance. You can use different SQL queries here to talk to your instance. I'm not going to do that. It's not a SQL course, and it's not important from the examination perspective. I just wanted to show you how to connect to your instance from your computer. So that's about it. Thank you so much, and let's continue to the next lecture.

7. RDS security – Network

Now let's talk about RDS security. Now, security consists of three parts: network security, I, and encryption. Okay? So first we're going to talk about network security. You should always launch your RDS instances within a VPC, so that restricts access to your RDS instance from the Internet. All right? Generally, your RDS instance will sit in a private subnet, and you can have your ECTwo clients sitting in a public subnet from where you can access your audience instance. So basically, your application can be in a public subnet, and the database instance should remain in a private subnet within a VPC. Remember that you can't change the VPC after creating the database. And, as previously stated, you should always deploy your audience database on a private subnet rather than a public one. And RDS security works by using security groups. If you use security groups in EC Two, it's the same concept. It controls which IP addresses or which security groups can access your audience instance. And you can use security groups to control access at the database level, at the EC level, at the application level, and at the VPC level. And network security is a shared responsibility between AWS and you as a customer. So you should be familiar with the shared responsibility model. If not, you can learn more about it at this URL presented on the screen. Basically, what it means is that there are certain aspects of security that you are responsible for, and there are certain aspects that AWS takes on itself. So, in simple words, your responsibility includes checking the ports, IP addresses, security group in bond rules in your databases, and security group. Then you're responsible for the database users and their permissions. Or you can also manage that using IAM. Then you are the one who creates the database with or without public access for production use. You will never create a database with public access, all right? So it should always sit on a private subnet. And it's your responsibility to ensure that the parameter group or database is configured to allow only SSL connections. Okay? So this will ensure that your data is encrypted in transit. And what is AWS' responsibility? AWS ensures that your databases have no SSH access. There is no manual database patching, no manual OS patching, and there is no way for AWS to audit your underlying instance. So they don't have access to audit your instance. All right?

8. RDS security – IAM

Now let's look at RDS security from the IAM perspective. IAM is the Identity and Access Management Service of AWS, and you use IAM to secure access to your RDS database resources. You can use IAM policies to control who can manage AWS RDS through the RDS API. You can also use the traditional database username and password to log into the database. And in addition, you can also use IAM-based authentication to log into your RDS MySQL and RDS Postgres SQL databases. All right, and we're going to look at the Im-based authentication in a bit. Here are some of the best practises when using IIM with RDS. Im policies, as I said, are used to control who can create, access, or delete RDS resources in your account. You should always grant least-privileged access to groups, users, and roles, which grants only the permissions that are required for the particular task and not anything more. If there are any sensitive operations, you can use multifactor authentication, or MFA, and you can also use policy conditions to restrict access to selected IPS or within a specified date. Or you can use the policy conditions to require the use of SSL or MFA. Let's take a look at the IMDb authentication now. So, IMDb authentication works with MySQL and PostgreSQL database engines. And when you enable IT authentication, you don't need the database password. You can just use the authentication token that was obtained through Im to connect to your database. So how it works is that you have your database sitting in your VPC, and then you have the EC2 instance, and you attach an Im role to the instance, or it is easy to instance an Im role, and it gets an authentication token from the RDS service, and you pass that authentication token to your database and get authenticated. All right, so the authentication token is a temporary token with a lifetime of about 15 minutes. and the benefits are that the connection is always encrypted using SSL. and Im is used to centrally manage your users instead of a database. So all your users can be managed centrally in IAM centrally.And you don't have to manage users on each database individually. And using it allows you to make use of IAM roles and easy-to-create instant profiles for easy integration. So let's see how to use IMDb authentication. So, to use IMDb authentication, you use a policy that allows the action RDSDB Colon Connect, as you can see in this screenshot. First thing you do is enable IMDb authentication on your database cluster, and then you create a DBuser, the database user with a password. Then you attach the Im policy to map the database user to the Im role, and then you attach that Im role to an Im user. Or you can also attach it to an EC2 instance. And now you can connect to your database using the IM token that you receive from the audio service. And you simply connect over SSL, all right? Now let's look at the same process in detail. when you use MySQL as your database engine. So what you do is create your database user using the create user SQL command, something like this. And then you set that user to require SSL. Then you download the SSL certificate file from RDS, and then you can call the RDS service using the CLI to generate your authentication token. And then you can connect to your MySQL host or My SQL database by passing the certificate file along with the user and password. In the password, you simply pass the token that you received from the RDS service. All right? Also, keep in mind that you use native grant/revoke statements or database-specific privileges. You don't use IAM there, you use grant and revoke statements to provide access to database-specific permissions. All right, now let's quickly look at the process for Postgres SQL. The process is similar, just the commands are different. All right, so you create the user on the database. You grant RDSIM permissions to the user. Remember, when you use RDS, you don't have to modify any configuration files like pghp.com for database access, you simply use the DB grants or the grand statement. As you can see, we simply grant RDS underscore Im access to the username. And then you download the SSL certificate file from RDS. Then you can export the password onto your shell password, which will be the token that you receive back from RDS, and then you can connect your database host by passing the path to the certificate file and enabling the SSL mode equal to verifying the CA. Right? So this is the process you use with Postgres SQL, and again, you use native grant-and-revoke statements for DB-specific privileges. All right?

9. Rotating RDS DB credentials

Now, let's look at how you can rotate your database credentials. Now, the database credentials are sensitive and must be kept secure at all times. And that's why rotating your database credentials is a best practice. And you accomplish this by utilising AWS Secrets Manager. So AWS Secrets Manager is an AWS service that stores credentials centrally and securely and also supports auditing. And it allows you to automatically rotate your database credentials. So it provides you with a ready-to-use lambda function. And that function is already populated with the iron of the secret. And the function will help in rotating the password based on the rotation policies that you specify. Now, the Secrets Manager integrates with RDS for my sequel PostgreSQL, as well as with Aurora. All right, so it's simple. It's built into the service. You simply open the AWS Secrets Manager, and you can store your database credentials there. You can set up your rotation policies as per your requirements.

10. Windows authentication in RDS for SQL Server

Now let's look at the Windows authentication in RDS for SQL Server. So when you use SQL Server on RDS, you can log into your SQL Server database using your Windows credentials or your Microsoft Active Directory credentials. All right? So you can use your corporate directory credentials to log into your SQL Server on RDS. The process to set up Windows authentication in RDS is a little elaborate, so I'm going to explain that to you. So first thing you do is youcreate an AWS managed Microsoft Active Directory. So this is different from the Microsoft Active Directory. This is AWS. Managed Microsoft Active Directory. Directory. AWS managed Microsoft Active Directory is a service within AWS, and you create a directory within the AWS managed Microsoft Active Directory. And you set up a trust relationship between your corporate ad and this AWS-managed ad. And this trust relationship is called a forest trust. All right? And using the AWS managed Active Directory is agood choice if you have more than 5000 users. And if you need a trust relationshipbetween your on premise Active Directory. There are other mechanisms or options that you can use for Windows authentication. For example, you can use an Active Directory connector for an existing on-premise directory, or you can also use simple AD if you have fewer than 5000 users. So these are the alternatives to using AWS-managed Active Directory. So the way you use the AWS managed Active Directory is that you first create the AWS managed Active Directory, setup the Forest trust relationship, and then you set up your users and groups in the Active Directory. Then you modify your SQL Server instance, enable Windows authentication in the RDS instance, and map the Directory to the database instance. So, as you can see in this screenshot, when you enable SQL Server Windows authentication, you get an option to provide your Active Directory. So if you have created an Active Directory in your AWS account, it will show up in the drop-down list, and RDS will automatically create the necessary IAM roles. And now, once this is done, you can log into your SQL Server database using the Master user credentials and create SQL Server Windows logins for these Active Directory users. So this is an important step to know: you have to create SQL Server Windows logins for the Active Directory users to whom you want to give access to the SQL Server. They are not going to get access unless you create the credentials within your SQL Server database. So you have to create the SQL Server Windows logins for the users you want to allow access to your SQL Server. All right? So that's the process you use. The corporate users simply login with their corporate credentials, and they get access to your SQL Server on RDS. Alright, let's continue.

Pay a fraction of the cost to study with Exam-Labs AWS Certified Database - Specialty certification video training course. Passing the certification exams have never been easier. With the complete self-paced exam prep solution including AWS Certified Database - Specialty certification video training course, practice test questions and answers, exam practice test questions and study guide, you have nothing to worry about for your next certification exam.

Hide