I’ve had this list on a post-it note on my monitor for all of 2022. I figured it was time to write it down, and reuse the space.
In summary, AWS suffers from the same problem that almost every other product does: it sacrifices improved security for backward compatibility of functionality. IMO this is not best practice for a data ecosystem that is under constant attack.
- Storage should be encrypted by default. When you launch an RDS cluster, its storage is not encrypted by default. This goes against their own AWS Well-Architected Framework Section 2 – Security.
- Plain text passwords. To launch a cluster you must specify a password in plain text on the command line, which again is not security best practice. At the very least, change this to use a known secret from AWS Secrets Manager.
- TLS for administrative accounts should be the only option. The root user should only ever be defined with REQUIRE SSL (MySQL syntax).
- Expanding on …
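
A check for the first three items above, as an added example rather than code from the original post or from AWS: it audits constructed data shaped like the `DBClusters` list from `aws rds describe-db-clusters` and rows from `mysql.user`. It assumes `MasterUserSecret` is present only when RDS keeps the master password in Secrets Manager, and that an empty `ssl_type` means the account has no REQUIRE clause; all sample identifiers are made up.

```python
# Added example; every identifier and value below is constructed.
# SAMPLE_CLUSTERS mimics "DBClusters" from `aws rds describe-db-clusters`;
# SAMPLE_USERS mimics rows of `SELECT User, Host, ssl_type FROM mysql.user`.
SAMPLE_CLUSTERS = [
    {"DBClusterIdentifier": "example-legacy", "StorageEncrypted": False,
     "MasterUsername": "admin"},
    {"DBClusterIdentifier": "example-hardened", "StorageEncrypted": True,
     "MasterUsername": "admin",
     "MasterUserSecret": {"SecretArn": "arn:aws:secretsmanager:EXAMPLE"}},
]
SAMPLE_USERS = {
    "example-legacy": [("admin", "%", ""), ("app", "10.0.%", "ANY")],
    "example-hardened": [("admin", "%", "ANY")],
}

def audit_cluster(cluster, user_rows):
    """Return the list of checklist findings for one cluster description."""
    findings = []
    # Item 1: storage encryption must be switched on.
    if not cluster.get("StorageEncrypted", False):
        findings.append("storage-not-encrypted")
    # Item 2: the master password should be held in Secrets Manager.
    secret = cluster.get("MasterUserSecret") or {}
    if not secret.get("SecretArn"):
        findings.append("master-password-not-in-secrets-manager")
    # Item 3: the administrative account must carry a REQUIRE clause.
    master = cluster.get("MasterUsername")
    for user, host, ssl_type in user_rows:
        if user == master and ssl_type not in ("ANY", "X509", "SPECIFIED"):
            findings.append(f"no-tls-required:{user}@{host}")
    return findings

def audit_all(clusters, users_by_cluster):
    """Map cluster identifier to findings; a missing user listing is a finding."""
    report = {}
    for cluster in clusters:
        cid = cluster["DBClusterIdentifier"]
        rows = users_by_cluster.get(cid)
        findings = audit_cluster(cluster, rows or [])
        if rows is None:
            findings.append("user-grants-not-collected")
        report[cid] = findings
    return report

if __name__ == "__main__":
    for cid, findings in audit_all(SAMPLE_CLUSTERS, SAMPLE_USERS).items():
        print(cid, "OK" if not findings else ", ".join(findings))
```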