AWS Data Store Security: Managing Access, Locks, and Permissions
Manage locks to prevent access to data (for example, Amazon Redshift, Amazon RDS)
This guide covers the critical mechanisms used to secure and "lock down" data within the AWS ecosystem, specifically focusing on Amazon Redshift, Amazon RDS, and Amazon S3. In the context of the Data Engineer Associate exam, "locks" refer to both transaction-level concurrency controls and administrative data protection mechanisms like S3 Object Lock.
Learning Objectives
- Configure Role-Based Access Control (RBAC) and permissions in Amazon Redshift.
- Implement Row-Level Security (RLS) and Dynamic Data Masking (DDM) to protect sensitive data.
- Differentiate between Governance and Compliance modes in S3 Object Lock.
- Utilize AWS Secrets Manager for secure credential rotation and access prevention.
- Apply the principle of least privilege using IAM and Lake Formation.
Key Terms & Glossary
- RBAC (Role-Based Access Control): A method of regulating access to computer or network resources based on the roles of individual users within an enterprise.
- RLS (Row-Level Security): A security feature that allows you to control access to rows in a database table based on the user executing a query.
- DDM (Dynamic Data Masking): A security feature that masks sensitive data in the result set of a query without changing the actual data on disk.
- S3 Object Lock: A feature that allows you to store objects using a "Write Once, Read Many" (WORM) model to prevent deletion or overwriting.
- KMS (Key Management Service): A managed service that makes it easy to create and control the cryptographic keys used to encrypt your data.
The "Big Idea"
Securing data in AWS is not a single-step process but a layered defense-in-depth strategy. While IAM controls who can reach the database (Authentication), database-level permissions and features like RLS and DDM control what they see once they are inside (Authorization). For high-compliance environments, "locking" data through S3 Object Lock provides a guarantee enforced by the service itself that even administrators cannot delete records before the retention period expires, ensuring data integrity and sovereignty.
Formula / Concept Box
| Mechanism | Primary Goal | AWS Service |
|---|---|---|
| GRANT / REVOKE | Object-level permissions (Tables, Views) | Redshift, RDS |
| Object Lock | Prevent data deletion/modification (WORM) | Amazon S3 |
| Secrets Manager | Prevent hardcoded credentials in code | RDS, Redshift |
| Lake Formation | Centralized fine-grained access (Table/Column) | S3, Athena, Redshift |
Hierarchical Outline
- I. Amazon Redshift Security Layers
- A. Authentication: IAM-based or database-native users.
- B. Authorization (RBAC): Creating roles and nesting them for granular control.
- C. Data Privacy:
- 1. Row-Level Security (RLS): Filtering based on user attributes.
- 2. Dynamic Data Masking (DDM): Obfuscating PII (Personally Identifiable Information) at query time.
- II. Amazon S3 Data Protection (Locks)
- A. Object Lock Modes: Governance vs. Compliance.
- B. Versioning: Prerequisite for Object Lock.
- C. Access Points: Fine-grained entry paths for specific datasets.
- III. Credential Management
- A. AWS Secrets Manager: Auto-rotation of passwords for RDS and Redshift.
- B. IAM Roles: Eliminating the need for long-term access keys.
Visual Anchors
Credential Access Workflow
Redshift Security Architecture
\begin{tikzpicture}[node distance=1.5cm, every node/.style={fill=white, font=\small}]
  \draw[fill=blue!10] (0,0) circle (3cm);
  \draw[fill=blue!20] (0,0) circle (2.2cm);
  \draw[fill=blue!30] (0,0) circle (1.4cm);
  \draw[fill=blue!40] (0,0) circle (0.6cm);
  \node at (0,2.6) {Network (VPC/SG)};
  \node at (0,1.8) {Identity (IAM/RBAC)};
  \node at (0,1.0) {Privacy (RLS/DDM)};
  \node at (0,0) {Encryption};
\end{tikzpicture}
Definition-Example Pairs
- Governance Mode (S3): A lock mode where users with special permissions (e.g., s3:BypassGovernanceRetention) can still delete objects.
- Example: A development bucket where logs are protected from accidental deletion by interns, but can be cleared by senior DevOps engineers.
- Compliance Mode (S3): A strict lock mode where no user, including the root user, can delete the object until the retention period expires.
- Example: Storing financial audit records that must legally exist for 7 years without any possibility of alteration.
Worked Examples
1. Creating a Read-Only Role in Redshift
To implement RBAC and prevent unauthorized write access, follow these steps:
- Create the role:
  CREATE ROLE analyst_role;
- Grant permissions:
  GRANT SELECT ON ALL TABLES IN SCHEMA public TO ROLE analyst_role;
- Assign the role to a user (Redshift's GRANT ROLE takes the user name directly, without a USER keyword):
  GRANT ROLE analyst_role TO jdoe;
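The RLS and DDM features defined in the glossary and outline above, applied to the analyst_role from this worked example. This is an added example, not code from the original guide; the schemas, tables, columns and the lookup table are assumed names for illustration.

```sql
-- Added example (not from the original guide). Schema, table, column and
-- lookup-table names are assumptions; analyst_role and jdoe come from the
-- worked example above.
CREATE SCHEMA sales;
CREATE SCHEMA sec;

-- Customer table holding PII that analysts may see only partially.
CREATE TABLE sales.customers (
    customer_id INT,
    region      VARCHAR(20),
    email       VARCHAR(255),
    credit_card VARCHAR(19)
);
GRANT SELECT ON sales.customers TO ROLE analyst_role;

-- Lookup table: which region each database user is allowed to see.
CREATE TABLE sec.analyst_region (
    user_name VARCHAR(128),
    region    VARCHAR(20)
);
INSERT INTO sec.analyst_region VALUES ('jdoe', 'EMEA');

-- RLS: the predicate is evaluated on every query; current_user is the
-- querying database user, so one policy covers every analyst.
CREATE RLS POLICY region_policy
WITH (region VARCHAR(20))
USING (region IN (SELECT region FROM sec.analyst_region
                  WHERE user_name = current_user));
ATTACH RLS POLICY region_policy ON sales.customers TO ROLE analyst_role;
ALTER TABLE sales.customers ROW LEVEL SECURITY ON;

-- DDM: the role sees only the last four digits of the card number; the
-- value stored on disk is unchanged. PRIORITY decides which policy wins
-- when several are attached to the same column.
CREATE MASKING POLICY mask_card
WITH (credit_card VARCHAR(19))
USING ('****-****-****-' || RIGHT(credit_card, 4));
ATTACH MASKING POLICY mask_card
ON sales.customers (credit_card) USING (credit_card)
TO ROLE analyst_role PRIORITY 10;

-- Check when run as jdoe: only EMEA rows are returned and credit_card
-- shows as ****-****-****-NNNN.
SELECT customer_id, region, credit_card FROM sales.customers;
```

Attach policies before switching ROW LEVEL SECURITY ON: once it is on, a non-superuser with no attached policy gets no rows back from the table by default.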
2. Configuring S3 Object Lock via CLI
To ensure data sovereignty and prevent deletion of a specific object:
# Put an object with a 30-day compliance lock
# (the bucket must have been created with Object Lock enabled, which also turns on Versioning)
aws s3api put-object --bucket my-compliance-bucket --key record.pdf --body record.pdf \
  --object-lock-mode COMPLIANCE --object-lock-retain-until-date "2023-12-31T00:00:00Z"
Checkpoint Questions
- What is the difference between S3 Governance mode and Compliance mode?
- Which service should be used to automatically change a database password every 30 days without manual intervention?
- How does Redshift Dynamic Data Masking (DDM) differ from Row-Level Security (RLS)?
- True or False: Object Lock can be enabled on an existing S3 bucket that does not have Versioning enabled.
Comparison Tables
RDS vs. Redshift Security Features
| Feature | Amazon RDS | Amazon Redshift |
|---|---|---|
| Access Control | IAM & Database Native | IAM & RBAC (Roles) |
| Encryption at Rest | KMS (AES-256) | KMS or HSM (Hardware Security) |
| Fine-Grained Security | Plugin-dependent | Native RLS & DDM |
| Credential Storage | Secrets Manager Integration | Secrets Manager & IAM Credentials |
Muddy Points & Cross-Refs
[!IMPORTANT] Common Confusion: IAM vs. Database Roles
IAM controls access to the cluster management (e.g., rebooting, resizing). Database roles (RBAC) control access to the data inside (e.g., tables, rows). Just because an IAM user has AdministratorAccess doesn't mean they can see data inside a Redshift table if RLS is enabled and they aren't authorized.
Deeper Study Pointers:
- Check AWS Lake Formation for cross-account data sharing (Redshift Data Sharing).
- Review AWS Config for monitoring changes to security group rules or bucket policies in real-time.