14 July,2022 by Rambler
A question that comes up often when planning moving from an on-premises DBMS utilising Active Directory as an identity access management system to a Cloud Native setup - is what are the alternative methods available when applying to AWS? One method available is AWS IAM
Changing the identity management systems governing access controls to a DBMS is critical . Business processes , logic , membership management are all tied into to accessing data. There are many organizations who don't want to extend AD into the Cloud, and there are other considerations such as standardizing access , and the list goes on ....
This a summary of AWS IAM considerations. Some of it is based on AWS consultants and I've placed links to more in-depth articles , and other information is my own observations\questions
Pattern
--The general advice from AWS is that IAM should generally used for applications creating fewer than 200 connections per second and you don't want to manage usernames\passwords
Benefits
-- Don't need to maintain passwords
Review AWS documentation for a more robust list of benefits
Limitation
--Application must generate an authentication token . How does an application go about generating an authentication token? Transitioning to a token generating system will require application refactoring. In comparison to a Kerberos based system where there is a more built-in & established token management system.
-- Works with MariaDB,MySQL ,PostgreSQL - does it work with other DBMS ? How agnostic is IAM - one of the major disadvantages is you're coupling access to DBMS resources with the authentication methodology , rather than integrating at the DBMS level.
--There is a potential added complexity with utilising IAM based authentication around cross-account access in comparison to authentication at the DBMS level.
If Batch or ETL type workloads are attempting to access DBMS Resources across multiple accounts , then extra provision is required on the IAM user setup . Typically an ETL or batch job may touch multiple DBMS system and other resources such as S3 . These multiple resources may span across multiple accounts. I see this happening either through an EC2 or even an EKS resource , for example accessing multiple RDS resources across multiple accounts.
This situation is achievable through IAM - but there is an added level of role management and associating with the IAM user.
Summarised Steps
=> Enable Password and IAM database authentication
=> Create an IAM user\role , create policy and associate the user with the policy.
=>Create a db user
=>Generate token and use to connect to PostgreSQL with IAM role
For a more detailed description of these steps check Using IAM authentication to connect with pgAdmin Amazon Aurora PostgreSQL or Amazon RDS for PostgreSQL
This is only a preview. Your comment has not yet been posted.
As a final step before posting your comment, enter the letters and numbers you see in the image below. This prevents automated programs from posting comments.
Having trouble reading this image? View an alternate.
Posted by: |