Are IAM Database credentials enough for public RDS?
I understand that it is a long upheld tradition to put your database servers in a private subnet and use a bastion host to access them as needed. But thinking specifically about cloud architecture, does that setup really make sense anymore?
What I am struggling to understand is why a publicly-accessible EC2 instance that connects to my RDS servers is more secure than a publicly accessible RDS instance that implements IAM Database Authentication? In both cases, I would use Security Groups to limit incoming connections.
I am using PostgreSQL, and according to AWS documentation, enabling IAM authentication will enforce IAM credentials (whereas for MySQL, I think password authentication will still work).
So is a bastion host really more secure than IAM Authentication and why?
Solution 1:[1]
The best security has multiple layers of security. For example, if an ex-staff member has credentials to the database, can they access it from outside of your corporate network? Or if somebody gains access to your bastion, can they also obtain access to the database?
So, yes, it could be considered safe enough to use authentication and to limit access to a specific IP address. It all depends upon your Risk Appetite. If the database contains confidential information that would be highly embarrassing for your company if exposed, then the additional layers of security can be worthwhile.
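As an added example (not part of the answer above, and not AWS code), the check below scores the layers the answer talks about for a single RDS instance: whether the endpoint is public, whether IAM database authentication is switched on, and how wide the Security Group ingress to the database port is. The two instance records and the Security Groups are constructed samples that mirror the shape of boto3's `describe_db_instances` and `describe_security_groups` output; the identifiers and hostnames are placeholders, and the finding codes are my own naming.

```python
from ipaddress import ip_network

# Constructed sample in the shape of boto3's
# rds.describe_db_instances()["DBInstances"][0]; identifiers are placeholders.
# This is the setup the question describes: public endpoint, IAM auth on,
# but one of the Security Group rules is open to the world.
PUBLIC_INSTANCE = {
    "DBInstanceIdentifier": "example-postgres",
    "Engine": "postgres",
    "PubliclyAccessible": True,
    "IAMDatabaseAuthenticationEnabled": True,
    "Endpoint": {"Address": "example-postgres.placeholder.rds.amazonaws.com", "Port": 5432},
    "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0public", "Status": "active"}],
}

# The layered setup from the answer: private endpoint, ingress only from
# another Security Group (for example the bastion's), IAM auth on.
PRIVATE_INSTANCE = {
    "DBInstanceIdentifier": "example-postgres-private",
    "Engine": "postgres",
    "PubliclyAccessible": False,
    "IAMDatabaseAuthenticationEnabled": True,
    "Endpoint": {"Address": "example-postgres-private.placeholder.rds.amazonaws.com", "Port": 5432},
    "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0private", "Status": "active"}],
}

# Constructed samples keyed by GroupId, each in the shape of one element of
# ec2.describe_security_groups()["SecurityGroups"].
SECURITY_GROUPS = {
    "sg-0public": {
        "GroupId": "sg-0public",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
             "IpRanges": [{"CidrIp": "203.0.113.10/32"}, {"CidrIp": "0.0.0.0/0"}],
             "Ipv6Ranges": [], "UserIdGroupPairs": []},
        ],
    },
    "sg-0private": {
        "GroupId": "sg-0private",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
             "IpRanges": [], "Ipv6Ranges": [],
             "UserIdGroupPairs": [{"GroupId": "sg-0bastion"}]},
        ],
    },
}


def _rule_covers_port(rule, port):
    """True if a Security Group ingress rule applies to the database port."""
    if rule.get("IpProtocol") == "-1":          # "all traffic" rules have no port range
        return True
    return rule.get("FromPort", -1) <= port <= rule.get("ToPort", -1)


def assess(db, security_groups):
    """Return sorted finding codes describing which layers are missing or weak.

    Caveat on the IAM flag: it only enables token authentication. On RDS
    PostgreSQL a user also has to be granted the rds_iam role; users without
    it keep password authentication, so the flag alone is not a full layer.
    """
    findings = set()
    port = db["Endpoint"]["Port"]

    if db.get("PubliclyAccessible"):
        findings.add("public-endpoint")
    if not db.get("IAMDatabaseAuthenticationEnabled"):
        findings.add("iam-auth-disabled")

    for ref in db.get("VpcSecurityGroups", []):
        sg = security_groups.get(ref["VpcSecurityGroupId"])
        if sg is None:
            findings.add("unknown-security-group")
            continue
        for rule in sg.get("IpPermissions", []):
            if not _rule_covers_port(rule, port):
                continue
            # Security-Group-to-Security-Group references (UserIdGroupPairs)
            # are the bastion/app-tier pattern and are not flagged; only CIDR
            # sources widen the network perimeter.
            cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                net = ip_network(cidr, strict=False)
                if net.prefixlen == 0:                      # 0.0.0.0/0 or ::/0
                    findings.add("world-open-ingress")
                elif net.prefixlen < net.max_prefixlen:     # wider than one host
                    findings.add("broad-cidr-ingress")
    return sorted(findings)


def relies_on_auth_alone(db, security_groups):
    """True when a public endpoint is reachable from anywhere, i.e. the only
    remaining layer is the database's own authentication."""
    f = assess(db, security_groups)
    return "public-endpoint" in f and "world-open-ingress" in f


if __name__ == "__main__":
    for inst in (PUBLIC_INSTANCE, PRIVATE_INSTANCE):
        print(inst["DBInstanceIdentifier"], assess(inst, SECURITY_GROUPS))
```

Run against real accounts by replacing the constructed dictionaries with the boto3 responses; a public instance whose only CIDR sources are single-host `/32` entries produces just `public-endpoint`, which is the posture the question proposes, while the `/0` rule is what turns IAM authentication into the sole remaining layer.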
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | John Rotenstein |
