I'm migrating a small ASP.NET MVC website from GoDaddy shared hosting to AWS. I already have an EC2 instance configured, and a duplicate website is already running on an IP. I will next migrate the domain to Route53. The problem is that the database is still on GoDaddy, so I'm pointing to that database on GoDaddy from EC2. So far it's working totally fine in responsiveness, etc., but is there any security concern I need to worry about? I have a pretty standard connection string in web.config with IP, username and password. What are the things I should care about when passing those details, such as the database user and password, from the AWS network to the GoDaddy network over the Internet? How would the data travel between GoDaddy and AWS? Plain text or encrypted?
Data travels from AWS to GoDaddy through the internet, so it's not good practice to make your DB open to the internet. – Ashan Jul 02 '17 at 16:34
1 Answer
Exposing your DB directly to the internet is generally not a good idea and gets DBAs really nervous (or worse) for good reason. If you can move the DB to AWS (or the app back to GD), do that. If you can't, still try to make the move. That said, if you can't, it's happening a lot more and the trend will likely continue increasing.
If you employ a strong security lockdown of your DB and have alerts in place for attacks, your concerns shift significantly to DoS and zero-day attacks. I don't know how well GoDaddy handles DoS/DDoS attacks; AWS does a pretty good job. Zero days are tougher. Apart from making sure you're up to date with patches, you're left setting up alerts for security bulletins relevant to your stack.
How you lock down your DB will vary by maker, but a few (non-exhaustive) basic principles you shouldn't neglect:
- always use a secure channel, no plain text ever, and always verify the server certificate
- whitelist, not blacklist: only allow/listen to what is known, everything else is considered bad
- least privilege for accounts, always
- get rid of defaults as permitted/recommended by the DB maker
- set up alerts for unusual/unexpected activity by valid users/logins
- have a well-tested, up-to-date plan for what you will do that Saturday morning at 1:15am when you receive that "You've been pwned, send bitcoins here" email

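The first bullet in the answer (secure channel, verify the server certificate) maps directly onto keywords in the web.config connection string the question mentions. The following script is an added example, not code from the question or the answer: it parses the `connectionStrings` section of a web.config and flags strings that would send the DB login and query data across the Internet unencrypted or without certificate verification. The question never says which database engine is involved, so the script covers the two .NET providers most likely in this situation, SqlClient (`Encrypt` / `TrustServerCertificate`) and MySQL Connector/NET (`SslMode`); the web.config content, hostnames, and credentials embedded below are constructed sample data, not the asker's real configuration.

```python
"""Static audit of ASP.NET web.config connection strings for transport security.

Flags connection strings that (a) do not request TLS at all or (b) request TLS
but disable server-certificate verification, which leaves the connection open
to an active man-in-the-middle between AWS and the hosting provider.
"""
import xml.etree.ElementTree as ET

# Constructed sample web.config: one unencrypted string, one that trusts any
# certificate, one hardened string, and one MySQL string that may fall back
# to clear text. Hosts and passwords are placeholders.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <connectionStrings>
    <add name="GoDaddyDb"
         connectionString="Data Source=203.0.113.10;Initial Catalog=site;User ID=siteuser;Password=example"
         providerName="System.Data.SqlClient" />
    <add name="GoDaddyDbTrustAny"
         connectionString="Data Source=203.0.113.10;Initial Catalog=site;User ID=siteuser;Password=example;Encrypt=True;TrustServerCertificate=True"
         providerName="System.Data.SqlClient" />
    <add name="GoDaddyDbHardened"
         connectionString="Data Source=db.example.com;Initial Catalog=site;User ID=siteuser;Password=example;Encrypt=True;TrustServerCertificate=False"
         providerName="System.Data.SqlClient" />
    <add name="MySqlDb"
         connectionString="Server=db.example.com;Database=site;Uid=siteuser;Pwd=example;SslMode=Preferred"
         providerName="MySql.Data.MySqlClient" />
  </connectionStrings>
</configuration>
"""

# Values SqlClient treats as "encryption on" (Microsoft.Data.SqlClient also
# accepts Mandatory/Strict in newer versions).
SQLCLIENT_ENCRYPT_ON = {"true", "yes", "mandatory", "strict"}


def parse_connection_string(cs):
    """Split 'Key=Value;Key=Value' into a dict keyed by lower-cased keyword.

    Simplification: quoted values containing ';' are not handled.
    """
    pairs = {}
    for part in cs.split(";"):
        if "=" not in part:
            continue
        key, _, value = part.partition("=")
        pairs[key.strip().lower()] = value.strip()
    return pairs


def audit_sqlclient(p):
    """Findings for System.Data.SqlClient / Microsoft.Data.SqlClient strings."""
    findings = []
    if p.get("encrypt", "false").lower() not in SQLCLIENT_ENCRYPT_ON:
        findings.append("Encrypt is not enabled: login and query data cross the Internet in clear text")
    if p.get("trustservercertificate", "false").lower() in {"true", "yes"}:
        findings.append("TrustServerCertificate=True: any certificate is accepted, so TLS does not stop a man-in-the-middle")
    return findings


def audit_mysql(p):
    """Findings for MySQL Connector/NET strings (SslMode keyword)."""
    mode = p.get("sslmode", p.get("ssl mode", "preferred")).lower()
    if mode in {"none", "disabled"}:
        return ["SslMode=%s: TLS disabled, traffic is clear text" % mode]
    if mode == "preferred":
        return ["SslMode=Preferred: silently falls back to clear text and never verifies the server certificate"]
    if mode not in {"verifyca", "verifyfull"}:
        return ["SslMode=%s: encrypted but the server certificate is not verified" % mode]
    return []


PROVIDER_AUDITS = {
    "system.data.sqlclient": audit_sqlclient,
    "microsoft.data.sqlclient": audit_sqlclient,
    "mysql.data.mysqlclient": audit_mysql,
}


def audit_web_config(xml_text):
    """Return {connection-string name: [findings]}; an empty list means it passed."""
    root = ET.fromstring(xml_text)
    report = {}
    for add in root.findall("connectionStrings/add"):
        name = add.get("name", "<unnamed>")
        provider = add.get("providerName", "").lower()
        pairs = parse_connection_string(add.get("connectionString", ""))
        audit = PROVIDER_AUDITS.get(provider)
        if audit is None:
            report[name] = ["provider %r not covered by this audit, check its TLS keywords manually" % provider]
        else:
            report[name] = audit(pairs)
    return report


if __name__ == "__main__":
    for name, findings in audit_web_config(SAMPLE_WEB_CONFIG).items():
        status = "OK" if not findings else "FAIL"
        print("%-20s %s" % (name, status))
        for f in findings:
            print("    - " + f)
```

Only `GoDaddyDbHardened` passes: it asks for encryption and leaves certificate verification on. Two caveats a practitioner should keep in mind: this is a static check of the configuration, so it proves nothing about what the server actually negotiates (verify that from the server side too, e.g. by inspecting the active connection's encryption state in your engine's session views), and with verification enabled the certificate the hosting provider presents must be issued for the exact value you put in `Data Source`/`Server`, so a bare IP in the connection string will often fail validation unless the certificate carries that IP. Set the encryption keywords explicitly rather than relying on driver defaults, which differ between `System.Data.SqlClient` and newer `Microsoft.Data.SqlClient` releases.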