
I created 3 DB instances in RDS (one Postgres, one MySQL, one SQL Server). I was able to attach to and work with all 3 from my Mac at home, so all the pieces seem to be in place and working.

I created 3 security groups (VPC), one for each DB...

  PG_DB_SECGRP
  MS_DB_SECGRP
  SS_DB_SECGRP

... and want to assign each security group to its associated DB (PG_DB_SECGRP => Postgres, etc...). I see all security groups, including default groups, assigned to all of the DBs when I view the list using the Instance Modify screen (RDS -> Instances -> [pick a DB instance] -> Instance Actions -> Modify). It appears that when a new security group is created, it automatically gets associated with all the DBs.

First, is my plan to secure each DB with one security group I created for it (list above) reasonable? Again, I'm new to AWS and unsure of my footing. If this is a reasonable thing to do, how can I disassociate all the unwanted groups from the DB? IOW, how can I remove them from the list? There appears to be no way to do this through the GUI.

I believe the access I am getting is through default security groups that were created when the DB instance was launched. If I am successful at disassociating the default security groups from the DB, and then deleting the default security groups, will access to the DB instance be picked up through the remaining security group that I created for the DB (the one remaining in the list)?

John Rotenstein
daveg

1 Answer


> It appears that when a new security group is created, it automatically gets associated with all the DBs.

No, definitely not. You did that yourself.

> First, is my plan to secure each DB with one security group I created for it (list above) reasonable?

Yes

It sounds like you didn't pay attention when you were stepping through the RDS creation GUI and selected all security groups, or allowed RDS to create and assign a default security group or something.

To modify the security groups you need to go into the RDS console, select a single RDS instance, and select "Modify". In the modification screen the security groups will be in a multi-select list. Make sure to deselect all unwanted security groups and only select the security group you want assigned to this RDS instance.

Mark B
  • Hi: Thanks for the reply. I beg to differ with regard to new security groups automatically being assigned to existing RDS DB instances. I just created one called TEST. It automatically appeared in all 3 of my DB instances. No kidding! With regard to dropping security groups from the "modify instance" list, mechanically, how is that done? – daveg Feb 21 '17 at 15:11
  • I just created a security group. It did not get automatically assigned to any of my RDS instances. That would be a huge security issue if that was happening. Perhaps you are looking at your list of all available security groups instead of the list of groups that are actually assigned to the instance. – Mark B Feb 21 '17 at 15:20
  • Regarding the mechanics of selecting, deselecting security groups, I don't know how to go into any more detail than I did in my answer. It's a simple HTML multi-select list. – Mark B Feb 21 '17 at 15:21
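
The same check and change as in the answer and comments above, done with the AWS CLI instead of the console; this is an added example, not part of the original posts. It lists the groups actually attached to an instance, confirms the intended group admits the DB port, then attaches only that group. The function names are hypothetical, and the instance identifier, group ID and port are placeholders supplied by the caller.

```shell
#!/bin/sh
# Added example, not from the original posts. Function names are hypothetical;
# the instance identifier, sg- ID and port are placeholders supplied by the caller.

# Groups actually attached to one instance (not the list of all available groups).
attached_sgs() {
    aws rds describe-db-instances \
        --db-instance-identifier "$1" \
        --query 'DBInstances[0].VpcSecurityGroups[].VpcSecurityGroupId' \
        --output text | tr -s '[:space:]' '\n' | sed '/^$/d' | sort
}

# Attached groups other than the single intended group ($2).
unwanted_sgs() {
    attached_sgs "$1" | grep -vxF -- "$2" || true
}

# Succeeds if group $1 has an inbound TCP (or all-protocol) rule covering port $2.
allows_port() {
    aws ec2 describe-security-groups --group-ids "$1" \
        --query 'SecurityGroups[0].IpPermissions[].[IpProtocol,FromPort,ToPort]' \
        --output text |
    awk -v p="$2" '$1 == "-1" || ($1 == "tcp" && $2 <= p && $3 >= p) { ok = 1 }
                   END { exit !ok }'
}

# Attach only group $2 to instance $1. --vpc-security-group-ids replaces the
# whole list, so every group not named is detached. Refuses when the intended
# group would not admit traffic on DB port $3.
pin_sg() {
    if ! allows_port "$2" "$3"; then
        echo "$1: $2 has no inbound rule for port $3; nothing changed" >&2
        return 1
    fi
    aws rds modify-db-instance \
        --db-instance-identifier "$1" \
        --vpc-security-group-ids "$2" \
        --apply-immediately >/dev/null
    echo "$1: requested $2 as the only attached group"
}

# Usage: script.sh <db-instance-identifier> <sg-id> <db-port>
if [ "$#" -eq 3 ]; then
    echo "currently attached besides $2:"; unwanted_sgs "$1" "$2"
    pin_sg "$1" "$2" "$3"
fi
```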