
Amazon RDS Security import

So today I’m going to import my databases into Amazon RDS. RDS is Amazon’s implementation of redundant MySQL database servers. The Amazon documents simply tell you to do a mysqldump into the new RDS instance. If you know anything about security you should not be doing this across geographic locations. For example, many times you will be doing this from your existing data center into the Amazon cloud. You had better trust every hop from your data center to the RDS instance if you are doing this. Don’t believe me? Run this command during the export/import:
tcpdump -l -i eth0 -w - src or dst port 3306 | strings

and you will see your MySQL INSERT statements flying by in plain text into the Amazon cloud. Now, how to fix this, though only to be 99% secure. The first thing I do is spin up an EC2 instance in the zone my RDS instance is in. Once that is up I take an export of my database using mysqldump to my local disk. Then I gzip the file and securely scp the database from my local machine to the Amazon EC2 instance. Now you have your database located on the Amazon network and it is ready to be imported into the RDS instance, and when you import the database it won’t be going outside the Amazon network. You can confirm this with a quick ping of your RDS instance hostname from inside your EC2 instance; it will resolve to a 10.xx.xx.x IP. Chances are your ping won’t succeed though. This just means ICMP is disabled on Amazon’s networking devices. The important part is that the IP starts with 10.x, which means it is a local IP within Amazon’s local network. The reason I say 99% secure is that your data is still traveling through Amazon’s networking devices. I’m already trusting Amazon with my data, so I’m hoping everything is up to par with the networking equipment as well.

Now this adds a level of complexity when anyone goes to use local tools like MySQL Query Browser, MySQL Administrator and other tools that communicate over port 3306. Since you don’t want to be sending anything over port 3306 across the internet again, you have to figure out a way around this. The command below will make an SSH tunnel from your local machine to the Amazon EC2 instance and then on to the Amazon RDS instance:

ssh -L 3307:amazonRDS_host_name:3306 root@amazonEC2_host_name

I will explain this command briefly. The first thing you notice is 3307. This is the port you will be connecting to on your local machine, so when you load MySQL Query Browser you will put port 3307 in the port field. The reason I pick 3307 is that many times I’m also running a local copy of MySQL server that is already listening on port 3306 and I don’t want the two to conflict. The second entry, amazonRDS_host_name:3306, is the host name and port of your Amazon RDS instance. The last entry is the EC2 instance you are connecting to. I have SSH keys set up here so I can log in automatically. Usually you will also have to specify your pem file with -i *.pem for authentication, or set up SSH keys as I did. Now fire up your favorite database query program and when you connect use:

hostname: 127.0.0.1
port:     3307

and you will be connected to your RDS instance through your SSH tunnel. I could even have done a mysqldump and piped it through the SSH tunnel for the import into the RDS instance. I don’t do this because many times the databases are very big, and gzip, scp, and the network speed between the EC2 instance and the RDS instance make for a much better solution.
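As an added example (my own helpers, not code from the original post), here is the small shell toolkit I would script around this workflow: a check that the RDS endpoint resolves only to private RFC 1918 addresses before any import runs through it, and a builder for the ssh -L command that pins the listener to 127.0.0.1 and skips the remote shell with -N. The host names, user and key file are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Helpers around the tunnel
# described above: check that the RDS endpoint resolves only to private
# (RFC 1918) addresses, and build the "ssh -L" command. All host names,
# users and key files are placeholders.

# 0 if the IPv4 address is in 10/8, 172.16/12 or 192.168/16, else 1.
is_private_ipv4() {
  case "$1" in
    10.*|192.168.*) return 0 ;;
    172.*)
      o2=$(printf '%s' "$1" | cut -d. -f2)
      [ "$o2" -ge 16 ] 2>/dev/null && [ "$o2" -le 31 ] && return 0
      ;;
  esac
  return 1
}

# 0 only if every whitespace-separated address in $1 is private.
all_private_ipv4() {
  for a in $1; do
    is_private_ipv4 "$a" || { echo "$a is not a private address" >&2; return 1; }
  done
  return 0
}

# Resolve a host and apply all_private_ipv4 to the result (needs a resolver).
rds_is_internal() {
  addrs=$(getent ahostsv4 "$1" 2>/dev/null | awk '{print $1}' | sort -u)
  [ -n "$addrs" ] || { echo "cannot resolve $1" >&2; return 2; }
  all_private_ipv4 "$addrs"
}

# Print the tunnel command: 127.0.0.1:LOCAL_PORT -> RDS_HOST:3306 via the EC2 host.
# -N keeps ssh from opening a remote shell; the optional 4th argument is a key file.
build_tunnel_cmd() {
  if [ -n "${4:-}" ]; then
    printf 'ssh -N -i %s -L 127.0.0.1:%s:%s:3306 %s\n' "$4" "$1" "$2" "$3"
  else
    printf 'ssh -N -L 127.0.0.1:%s:%s:3306 %s\n' "$1" "$2" "$3"
  fi
}
```

Run `rds_is_internal amazonRDS_host_name` from inside the EC2 instance before importing; it replaces the ping check, which fails when ICMP is blocked.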