2

When using a Cloud DB Provider like the Amazon RDS service, the service is responsible for various things like patching / updates / backup etc, does that mean that Amazon employees have access to the data within the DB itself?

If so, is there any way of ensuring that the provider's employees do not have access - to potentially misuse the data?

One way that I am aware of is by using Encryption at rest i.e. have my application encrypt sensitive data before saving to the DB and decrypt it on retrieval. However, this is not only an overhead in terms of performance but also requires changes to my application itself.

I am guessing that most customers who contemplate using a cloud DB service would probably have this as their first concern but I am somehow unable to get any specific answer around this either from the Amazon help / RDS security notes.

Note : While I understand that this is not really a programming question but i do feel that its not generic enough for programmers so I am posting it here.

Jagmag
  • 10,283
  • 1
  • 34
  • 58
  • [Oracle RDS](https://forums.aws.amazon.com/thread.jspa?messageID=430199) and [MySQL RDS](https://forums.aws.amazon.com/thread.jspa?messageID=430198) does not seem to support encryption at rest yet. Transit is [SSL encrypted](http://aws.amazon.com/about-aws/whats-new/2012/10/10/amazon-rds-sqlserver-announces-SSL-support/). – CC. Mar 05 '13 at 01:02

1 Answers1

1

No, they don't. There is a ton of security around how data is managed and who has access to it. http://aws.amazon.com/security/

Ryan Parman
  • 6,855
  • 1
  • 29
  • 43
  • I had checked out this link but I dont see anything in particular here besides the 3rd party certifications like SOC1 , FISMA etc that seem to validate employee access and controls Is that what you are referring to here as well? – Jagmag Nov 03 '12 at 03:18
  • There are very, very few people who have this kind of access to anything, and for security reasons, it's very highly regulated and only occurs under circumstances where the customer is fully-aware and/or has explicitly requested it. Even then, AWS might not have anybody look at the data if it can be avoided. – Ryan Parman Nov 08 '12 at 00:39