
If we have a MySQL RDS in AWS which can only be accessed from the EC2s in the private subnet, then is there any benefit in encrypting it from a security point of view (using default RDS encryption)? Because the only way somebody can access the DB is when he gets inside the private subnet of AWS, and in that case encrypting and not encrypting does not help, as anyway the hacker can access the data from the EC2. The only difference it would make is that with an encrypted RDS it will take him more time to dump the data and copy it somewhere else for his use. Otherwise, what are the other benefits of having a private RDS instance encrypted? Assuming the only backups of the DB are in AWS itself using its default DB instance backup, so nobody can access the data directly from DB backups either.

Rahul
    Compliance comes to mind. Also, if you want to ship that database somewhere for backups, or whatever. – Jordan Jun 29 '15 at 12:55
  • Agree, compliance was the only reason that is forcing us to do it, but I am arguing from a developer point of view as to why I should do it for no other benefit. – Rahul Jun 29 '15 at 12:57
  • There's no "developer point of view" benefit to it, just like there's not really a developer POV benefit to having backups. The developer POV is not what encryption is there for. – ceejayoz Jun 29 '15 at 13:07
  • The developer POV was that encryption will degrade performance (not much though). But I do not believe that your analogy fits here: having backups is unavoidable, we can't do anything if the DB server crashes without a backup. But if we are sticking to the rule that nobody is taking the DB backup out of the AWS network (which I had mentioned in the question), then we might do away with encryption. – Rahul Jun 29 '15 at 13:17

1 Answer


Defense in depth is one great reason to do this. Are you 100% certain that accessing the database from EC2 is the only way a person can get this database in their possession? (The answer should be no.)

Full database encryption causes minimal performance degradation; it's not nearly as bad as encrypting individual fields, which can cause 5-6% slower read/write times on an encrypted column.
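As an added example (not code from the answer or the poster), a small Python audit of the "are you sure EC2 is the only path" question: it flags RDS instances without encryption at rest and snapshots that are unencrypted or shared outside the account. Field names follow what boto3 returns from describe_db_instances, describe_db_snapshots and describe_db_snapshot_attributes; the data below is constructed, and the account id in it is a placeholder.

```python
# Added example: audit RDS instances and snapshots for encryption at rest and
# for snapshots shared outside the account. Field names match boto3's
# describe_db_instances / describe_db_snapshots / describe_db_snapshot_attributes
# responses; the data below is constructed, not pulled from a live account.

def audit_rds(instances, snapshots, snapshot_attrs):
    """Return (resource id, finding) tuples for everything worth a second look."""
    findings = []
    for inst in instances:
        iid = inst["DBInstanceIdentifier"]
        if not inst.get("StorageEncrypted", False):
            findings.append((iid, "instance storage not encrypted"))
        if inst.get("PubliclyAccessible", False):
            findings.append((iid, "instance is publicly accessible"))
    for snap in snapshots:
        sid = snap["DBSnapshotIdentifier"]
        if not snap.get("Encrypted", False):
            findings.append((sid, "snapshot not encrypted"))
        # 'restore' lists the accounts allowed to restore this snapshot; the
        # value 'all' makes it public. Either way a copy of the data leaves the
        # private subnet, which is where encryption at rest starts to matter.
        for attr in snapshot_attrs.get(sid, []):
            if attr["AttributeName"] != "restore" or not attr["AttributeValues"]:
                continue
            if "all" in attr["AttributeValues"]:
                findings.append((sid, "snapshot shared publicly"))
            else:
                shared = ",".join(attr["AttributeValues"])
                findings.append((sid, "snapshot shared with accounts " + shared))
    return findings

# Constructed sample data in the shape boto3 returns (placeholder account id).
SAMPLE_INSTANCES = [
    {"DBInstanceIdentifier": "prod-mysql", "StorageEncrypted": True, "PubliclyAccessible": False},
    {"DBInstanceIdentifier": "dev-mysql", "StorageEncrypted": False, "PubliclyAccessible": False},
]
SAMPLE_SNAPSHOTS = [
    {"DBSnapshotIdentifier": "prod-mysql-2015-06-29", "Encrypted": True, "SnapshotType": "automated"},
    {"DBSnapshotIdentifier": "dev-mysql-manual", "Encrypted": False, "SnapshotType": "manual"},
    {"DBSnapshotIdentifier": "prod-mysql-shared", "Encrypted": True, "SnapshotType": "manual"},
]
SAMPLE_ATTRS = {
    "prod-mysql-2015-06-29": [{"AttributeName": "restore", "AttributeValues": []}],
    "dev-mysql-manual": [{"AttributeName": "restore", "AttributeValues": ["all"]}],
    "prod-mysql-shared": [{"AttributeName": "restore", "AttributeValues": ["123456789012"]}],
}

def run_sample():
    return audit_rds(SAMPLE_INSTANCES, SAMPLE_SNAPSHOTS, SAMPLE_ATTRS)
```

Against a live account, feed `audit_rds` the `DBInstances`, `DBSnapshots` and per-snapshot `DBSnapshotAttributes` lists from the boto3 RDS client instead of the sample data.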