RDS Security Setup

Overview

This document outlines the security architecture and configuration for the production PostgreSQL RDS instance, implementing a multi-layered security approach that restricts direct database access and enforces controlled connectivity through designated components.

[Figure: RDS security architecture diagram]

Architecture Summary

The RDS security setup follows a defense-in-depth approach with the following key components:

  • Direct Access Restriction: Production database access is completely blocked from external sources
  • Bastion Host Access: Administrative database access is routed through a dedicated bastion host
  • Application Access: ECS applications connect to RDS via pgBouncer connection pooling
  • Monitoring Integration: Dedicated monitoring server access for database health tracking

Network Architecture

Core Components

| Component | Type | Purpose | IP Address |
|---|---|---|---|
| RDS Instance | AWS RDS PostgreSQL | Production Database | Private (VPC Internal) |
| Bastion Host | EC2 Instance | Dev Access | bastion.bynry.com |
| pgBouncer | EC2 Instance | Connection Pooling | 172.31.71.204 (Private), 44.192.49.230/32 (Public) |
| ECS Services | AWS ECS | Application Layer | VPC Internal |
| Signoz Server | Monitoring | Database Monitoring | 34.45.94.131/32 |

Network Segmentation

  • VPC: Default VPC configuration
  • Subnets: All components deployed in the same default VPC
  • CIDR Block: 172.31.0.0/16 (Default VPC range)
  • Database Port: PostgreSQL standard port 5432

Security Group Configuration

RDS Security Group (prod-RDS-sg)

Security Group ID: sg-0d9700c4c35b54663
Description: Security group for Prod RDS instance
VPC ID: vpc-01316b55757ad35c6

Inbound Rules (6 Permission Entries)

| Rule ID | Type | Protocol | Port | Source | Purpose |
|---|---|---|---|---|---|
| sg-0f5b3a225c82e38d8 | PostgreSQL | TCP | 5432 | 172.31.0.0/16 | VPC-wide access |
| sg-0728124eeaa2f6b4f | PostgreSQL | TCP | 5432 | sg-00bdfaf2f1ef8bb7d | pgBouncer sg |
| sg-00a67366051a46dc7 | All traffic | All | All | 34.45.94.131/32 | Signoz Monitoring Server |
| sg-077a50b439ff9f8db | PostgreSQL | TCP | 5432 | sg-0abdaeaa89f3fd075 | Bastion-access |
| sg-06d533d2a93025d31 | All TCP | TCP | 0-65535 | 44.192.49.230/32 | pgBouncer -ip (aws) |
| sg-0854f3b1afd7a5a3c | PostgreSQL | TCP | 5432 | sg-03da5a052502e134 | ALB-sg |

Outbound Rules (1 Permission Entry)

  • Default: All outbound traffic allowed (standard AWS default)

Access Patterns

1. Administrative Access (DBA/DevOps)

Connection Flow: External User → Bastion Host → RDS

  • Access Method: SSH connection to bastion host, then database tools (DBeaver)
  • Bastion Host: bastion.bynry.com
  • Credentials:
    • Username: bastion-ssh-user
    • Password: bastion-user
  • Database User: authuser
  • Security Control: All administrative access must go through the bastion host

2. Application Access (ECS Services)

Connection Flow: ECS Services → pgBouncer → RDS

  • Connection Method: ECS applications connect to pgBouncer at private IP 172.31.71.204
  • pgBouncer Role: Connection pooling and management
  • Database User: authuser (shared application user)
  • Security Control: pgBouncer security group (sg-00bdfaf2f1ef8bb7d) allows access to RDS

3. Monitoring Access

Connection Flow: Signoz Server → RDS

  • Purpose: Database performance and health monitoring
  • Source IP: 34.45.94.131/32
  • Access Type: Direct monitoring queries
  • Protocol: All traffic allowed for comprehensive monitoring


Security Controls

Access Restrictions

  1. No Direct External Access: RDS instance cannot be accessed directly from the internet
  2. Bastion Host Requirement: All human administrative access must use the bastion host
  3. Application Isolation: ECS services can only access RDS through pgBouncer
  4. Source IP Restrictions: Specific IP addresses are whitelisted for monitoring and access

Authentication

  • Method: Traditional PostgreSQL username/password authentication
  • Primary Database User: authuser
  • No IAM Database Authentication: Using standard PostgreSQL authentication

Network Security

  • VPC Isolation: All components operate within the same VPC
  • Security Group Enforcement: All access controlled through AWS security groups
  • Port Restrictions: Only PostgreSQL port 5432 exposed (except for monitoring)
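
One way to check the inbound rules of prod-RDS-sg against the controls stated in this section, as an added example that is not part of the original document or the team's tooling. The rule tuples are transcribed from the inbound rules table on this page; the audit function and its control labels are assumptions made for the illustration.

```python
import ipaddress

DB_PORT = 5432
VPC_CIDR = ipaddress.ip_network("172.31.0.0/16")   # default VPC range from this page
MONITORING_SRC = "34.45.94.131/32"                 # the page exempts monitoring from the port rule

# Inbound rules of prod-RDS-sg, transcribed from the table on this page:
# (rule id, protocol, from_port, to_port, source). "-1" means all protocols.
RULES = [
    ("sg-0f5b3a225c82e38d8", "tcp", 5432, 5432, "172.31.0.0/16"),
    ("sg-0728124eeaa2f6b4f", "tcp", 5432, 5432, "sg-00bdfaf2f1ef8bb7d"),
    ("sg-00a67366051a46dc7", "-1", 0, 65535, "34.45.94.131/32"),
    ("sg-077a50b439ff9f8db", "tcp", 5432, 5432, "sg-0abdaeaa89f3fd075"),
    ("sg-06d533d2a93025d31", "tcp", 0, 65535, "44.192.49.230/32"),
    ("sg-0854f3b1afd7a5a3c", "tcp", 5432, 5432, "sg-03da5a052502e134"),
]

def audit(rules):
    """Return (rule_id, control, detail) for every rule wider than a stated control."""
    findings = []
    for rule_id, proto, lo, hi, src in rules:
        wide_ports = proto == "-1" or (lo, hi) != (DB_PORT, DB_PORT)
        if wide_ports and src != MONITORING_SRC:
            findings.append((rule_id, "Port Restrictions",
                             f"{proto} {lo}-{hi} allowed, not tcp {DB_PORT} only"))
        if src.startswith("sg-"):
            continue                               # group reference: limited to its members
        net = ipaddress.ip_network(src)
        if net.overlaps(VPC_CIDR) and net.num_addresses > 1:
            findings.append((rule_id, "Application Isolation",
                             f"any host in {net} may connect without pgBouncer or the bastion"))
        if not net.is_private:
            findings.append((rule_id, "No Direct External Access",
                             f"public source {net} on an instance documented as VPC-internal"))
    return findings

if __name__ == "__main__":
    for rule_id, control, detail in audit(RULES):
        print(f"{rule_id}  [{control}]  {detail}")
```

Run against the rules as listed, the check reports the VPC-wide CIDR rule, the all-TCP rule for the pgBouncer public IP, and both public-address sources; the three rules that reference security groups on port 5432 pass.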

Security Group Dependencies

Key Security Group References

  • pgBouncer Security Group: sg-00bdfaf2f1ef8bb7d - Allows pgBouncer to RDS communication
  • Additional Application Groups:
    • sg-0abdaeaa89f3fd075
    • sg-03da5a052502e134

Bastion Host Security Group

  • Inbound: All traffic, all ports (for administrative flexibility)
  • Outbound: All traffic, all ports (for database tool connectivity)


Connection Procedures

For Developers/DevOps (via Bastion)

  1. Connect over SSH to bastion.bynry.com using the provided credentials
  2. Use DBeaver or your preferred database client from the bastion host
  3. Connect to RDS using the internal RDS endpoint
  4. Authenticate with the authuser credentials

For Applications (via pgBouncer)

  1. ECS services connect to pgBouncer at 172.31.71.204:5432
  2. pgBouncer manages connection pooling to RDS
  3. Authentication handled by pgBouncer configuration
  4. pgBouncer forwards connections to RDS using authuser


Security Compliance

Current Security Posture

  • Direct Access Blocked: No direct internet access to RDS
  • Bastion Host Control: Administrative access controlled through bastion
  • Application Isolation: ECS services isolated through pgBouncer
  • Source IP Restrictions: Monitoring access limited to specific IPs
  • Port Restrictions: Only necessary ports exposed
  • VPC Isolation: All components within controlled VPC environment



Document Version: 1.0
Last Updated: 26 June 2025
Maintained by: DevOps