Heroku with amazon RDS security - mysql

I've setup our heroku app with an amazon RDS instance.
I followed the guide here:
https://devcenter.heroku.com/articles/amazon_rds
This guide basically says to require SSL with the connection and then to input your RDS credentials.
This doesn't seem very secure to me. If someone has my db url, user and password then they can login from anywhere, correct? The SSL is nice to prevent sniffing of this info, but I'd like to lock it down further, to a machine, IP address or SSH.
I previously setup RDS DB instances where access was locked down to only specific IPs, but heroku no longer recommends this for whatever reason.
So the questions are:
Are my assumptions correct here?
How can I lock this down further?
Why doesn't heroku recommend locking it down to IP (or at least IP range)
I'll run this by heroku support as well and post an update, but wanted to get thoughts from the community.

Previously, Heroku recommended locking down access by referencing the Heroku AWS account ID. That approach is no longer recommended. The Heroku changelog entry lists the reasons, reproducing here for completeness:
Cross-security grants don't work with AWS VPC (which is now the default on AWS)
It's not safe because it grants access to all apps running on Heroku, not just yours
Doesn't work across AWS regions
Heroku may in the future run apps in a VPC or in a different region or use a different AWS account
We know that not all customers are happy with this level of access granularity, and we're continuously evaluating whether this is the optimal setup.

Related

What is the best way to setup an AWS RDS Dev Team Environment (using MySQL)?

I am using a LAMP Stack hosting everything in AWS.
For my production servers, I have the DB Server sitting behind the webserver, and not accessible to the internet.
For my development instance, I have it setup similarly, in the same VPC, with a public/private subnet, and a route enabled via IP addresses to access it from outside AWS. This way, I can connect SQL Developer on my local computer and code/develop on my local computer while having access to my dev database.
However, I am now in the process of hiring several interns, and I don't think adding their individual IP addresses to allow them connectivity is the best approach. Especially since some of them may be coming from college campuses and IP addresses are not static.
After some searching around, I can't seem to find the best approach to setup AWS to enable a dev environment and a group of folks access to the DB from their local machines.
Should I setup a VPN?
Should I continue to use the IP address method?
Am I missing something?
I can't imagine I'm the only one in this boat.
Thanks in advance.

Cannot connect to instance after reboot

its second time when after reboot instance cannot connect to them via SSH. Before reboot all is working well. Can I use serial console, but not know the user and password.
In addition to the guide provided by #Kolban. When using serial console keep in mind that:
The interactive serial console does not support IP-based access
restrictions such as IP whitelists. If you enable the interactive
serial console on an instance, clients can attempt to connect to that
instance from any IP address. Anybody can connect to that instance if
they know the correct SSH key, username, project ID, zone, and
instance name.
More information you can find in the documentation Interacting with the Serial Console.
There're more ways to troubleshoot SSH connectivity then serial console. Have a look at the Troubleshooting SSH guide and Known issues for SSH in browser. In addition, Google provides a troubleshooting script for Compute Engine to identify issues with SSH login/accessibility of your Linux based instance.
In some cases, the cause of the connectivity problem could be running out of free space of you disk system. In this case update your question and I'll provide you extra instructions.

Connect to AWS RDS instance in VPC using local client

I have an application running on EC2 instances that store data in an RDS instance. All of these instances are in an AWS VPC with security groups configured to allow them to connect to each other.
For reporting purposes, I would like to connect to the RDS instance from my laptop (e.g. using SQLAlchemy) to run simple queries. Every time I try to connect using the connection string that the EC2 apps use, the connection times out.
For Google, one can use the Cloud SQL proxy for this, but I can't find an analogous product for AWS. Instead, it seems like what I am supposed to do is attach an internet gateway to the VPC and configure the security groups to allow connection from my machine. However, the documents are unclear on how to do this other than allowing all inbound connections or allowing a static IP. Unfortunately my laptop doesn't have a static IP, and I'm uncomfortable allowing all inbound connections as it seems insecure and an invitation to attacks. I also have not been able to find a way to configure a security group to allow connections based on IAM credentials for example using the AWS CLI. Since I will be routinely generating reports, a solution that involves updating a security group (i.e. allowing my current IP) every time I want to connect seems suboptimal.
I have tried following the following documents, but so far have had no success in finding a solution that does not allow all connections:
Allow users to connect to RDS using IAM*
Connecting to RDS instance from command line
Connecting to RDS on VPC from internet
*My RDS instance configuration does not allow me to enable IAM authentication, I'm not sure why
IAM Database Authentication is not supported for the configuration in the DB Instance db.
Modify your Db Instance to another instance class and try again.
(Service: AmazonRDS; Status Code: 400; Error Code: InvalidParameterCombination;
Request ID: a6194fb8-2ab9-4a6a-a2be-63835e6e0184)
Is there something I'm not understanding or overlooking? Is allowing connections from all IPs not a big deal since the DB instance is still secured by DB user credentials?
Select this connection as per screenshot. Then fill up all details use your nat instance .pem file to connect. Its like you are connecting to VPC through Nat gateway or Internet gateway bypassing this.
Another option to install VPN on VPC and connect.

Amazon Web Service RDS Connection Failure

I am trying to locally run a PHP based project, connecting to an Amazon RDS instance. I am receiving the following error in the browser:
![SQLSTATE[HY000] [2002]]1
I have run a series of networking tests where I pinged the following and received successful test results. I pinged:
iiNet's web address
One of iiNet's DNS servers
The loopback address of my computer
I pinged Google
I then tried the mysql utility to remotely connect and received the
ERROR 2003 (HY000): Can't connect to MySQL server
Last factor I think you should know regarding my own networking situation, I am connecting to the internet via:
modem->Zyxel VPN->Wireless Router->My laptop
What in the Sam Hill is going on?
Thanks,
CM
For this to work, the following must be true:
the RDS instance must resolve to a public IP address (I'd check this for you but since you chose to use a screenshot instead of text, I can't copy paste it, so I'll leave it to you)
the Security Group(s) associated with the RDS instance must allow traffic from your public IP ( the one you'll get from http://wtfismyip.com/text ). This won't bet true by default. I highly recommend you open to your IP, not just everyone, as Mysql is trivial to DOS attack if its port is public.
The network ACL of the VPC hosting the RDS instance must allow the traffic also. This will be allowed by default, so unless you changed the ACLs in your VPC, you can ignore this.
If all those are true, you should be able to connect!

Connect to ONLINE MySQL database using DSN ODBC 2

I am facing this problem:
stackoverflow question
except my host doesn't seem to have cpanel. Since the answer given in the linked question is cpanel related it has not helped me. Is there anything I can do?
It seems you are trying to connect from a client machine located on your desk to a mySQL server instance located in a service provider's server farm. You're trying to use the ODBC "driver" for mySQL to do this, so you can look at your mySQL data with MS Access. (Right?)
You need to make sure this particular hosting service provider allows remote connections to their mySQL server instances. Some service providers, especially the lowest-cost ones, prevent these remote connections using firewalls or other network isolation techniques. (They do that because it's easier to control both security and performance when only their own web servers can connect to their mySQL servers. ) If your service provider prevents all these connections as a matter of policy, you're going to need another service provider.
If they DO allow remote connections, you may need to enable those connections for your mySQL database. That's what the "cpanel" function mentioned in the other question is about. cpanel is a popular control panel web application offered by many commercial hosting service providers to allow self-service control by their customers. If your service provider doesn't use cpanel, you'll have to find out what they do use. Even if they do use cpanel, they may still not allow remote mySQL connections.
You will also have to make sure your client machine (the one running ODBC) and user have authorization in the mySQL user database.
You would do well to put in a service ticket to your service provider asking if they do offer remote mySQL access. If they say "yes," then you can ask them for advice and help on setting it up.
Keep in mind that opening mySQL server instances for direct connection over the publicly accessible internet is not ordinarily considered a good security practice. If the data in your database is in any way private (peoples' identity information, for example) you need to be very careful indeed.