
Is Amazon Aurora's security strong enough for enterprises?

Without encryption for data at rest, is encrypting data in transit with Amazon Aurora enough, or is it worth waiting for AWS Key Management System integration?

The new Amazon Aurora database is now available, but I read it does not offer all of the features that regular MySQL databases do, and it doesn't have AWS Key Management System integration yet. How will this affect enterprise security, and should enterprises wait to adopt the technology?

Amazon Aurora is a highly scalable MySQL-compatible relational database. Aurora is designed to be compatible with MySQL 5.6, at least at lower levels, so drivers and applications that work with MySQL 5.6 should work with Aurora. Not all MySQL features are available in Aurora. For example, Aurora uses the InnoDB storage engine, but the MyISAM storage engine is not available.

From a security perspective, the lack of encryption at rest is perhaps the most salient. According to the AWS Aurora FAQ:

"Q: Does Amazon Aurora encrypt my data in transit and at rest?
Amazon Aurora uses SSL (AES-256) to secure data in transit. Encryption for data at rest will be available in a future release."

This is certainly going to limit Amazon Aurora's adoption. Any organization subject to regulations that require data encryption at rest will not be able to use Aurora unless they implement an application-based encryption process that ensures any data written to Aurora is encrypted prior to writing to the database. This requires customers to manage keys as well as the encryption and decryption process.
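To make the application-side option concrete, here is an added example (not code from the article, from AWS, or from Aurora) of field-level encryption done before a value reaches the database. It uses AES-256-GCM from Go's standard library; the table, column and row names (`customers`, `ssn`, row IDs) are assumptions, and the `Table` type is an in-memory stand-in for an Aurora table, so the values it holds are exactly what would sit on the storage volume. The key is passed in by the caller: with no managed encryption at rest, obtaining, rotating and protecting that key is the customer's job, and it must never be stored alongside the data it protects.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// FieldEncryptor wraps an application-managed AES-256 data key.
// Assumption: the key is supplied from outside the database (config
// store, HSM, or a future KMS integration), never read from Aurora itself.
type FieldEncryptor struct {
	aead cipher.AEAD
}

func NewFieldEncryptor(key []byte) (*FieldEncryptor, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &FieldEncryptor{aead: aead}, nil
}

// aad binds a ciphertext to its table, column and row so that a value copied
// into another row or column fails authentication instead of decrypting.
func aad(table, column, rowID string) []byte {
	return []byte(table + "/" + column + "/" + rowID)
}

// Seal encrypts one field value and returns nonce||ciphertext||tag as hex,
// which fits an ordinary VARCHAR/TEXT column with no database support needed.
func (f *FieldEncryptor) Seal(table, column, rowID, plaintext string) (string, error) {
	nonce := make([]byte, f.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	ct := f.aead.Seal(nil, nonce, []byte(plaintext), aad(table, column, rowID))
	return hex.EncodeToString(append(nonce, ct...)), nil
}

// Open reverses Seal; any tampering or misplacement of the stored value
// surfaces here as an error rather than as wrong plaintext.
func (f *FieldEncryptor) Open(table, column, rowID, stored string) (string, error) {
	raw, err := hex.DecodeString(stored)
	if err != nil {
		return "", err
	}
	ns := f.aead.NonceSize()
	if len(raw) < ns {
		return "", errors.New("stored value too short")
	}
	pt, err := f.aead.Open(nil, raw[:ns], raw[ns:], aad(table, column, rowID))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// Table is a constructed in-memory stand-in for an Aurora table:
// rowID -> column -> value exactly as it would be written to storage.
type Table map[string]map[string]string

// StoreCustomer encrypts the sensitive column before the row is written;
// the non-sensitive name column is stored as-is (assumed classification).
func StoreCustomer(t Table, enc *FieldEncryptor, id, name, ssn string) error {
	sealed, err := enc.Seal("customers", "ssn", id, ssn)
	if err != nil {
		return err
	}
	t[id] = map[string]string{"name": name, "ssn": sealed}
	return nil
}

// LoadCustomerSSN reads the row back and decrypts on the application side.
func LoadCustomerSSN(t Table, enc *FieldEncryptor, id string) (string, error) {
	row, ok := t[id]
	if !ok {
		return "", errors.New("no such row")
	}
	return enc.Open("customers", "ssn", id, row["ssn"])
}

func main() {
	key := make([]byte, 32) // demo only: a real key comes from a key store
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	enc, _ := NewFieldEncryptor(key)
	tbl := Table{}
	_ = StoreCustomer(tbl, enc, "42", "Alice", "123-45-6789")
	fmt.Println("at rest:", tbl["42"]["ssn"]) // hex ciphertext, never the SSN
	ssn, _ := LoadCustomerSSN(tbl, enc, "42")
	fmt.Println("decrypted:", ssn)
}
```

Two consequences worth noting before choosing this route: the database can no longer index, search or compare the encrypted column, so queries that filter on it must move into the application; and losing the key means losing the data, so key backup and rotation procedures become part of the database's operational runbook.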

Some organizations may prefer this option since they retain control over the keys. High security organizations or those that manage confidential information on behalf of others may choose this route to mitigate the possibility of a disclosure. For example, if Amazon were subpoenaed to turn over a customer's data and it does not have access to the encryption keys, then it could only turn over encrypted data.

Lack of encryption at rest is a significant drawback relative to other RDS databases. Every organization needs to weigh the benefits of design choices against the security risks those choices entail. The current version of Aurora will appeal to those that need the scalability of the new database more than they need managed encryption at rest. For those who need key management and encryption at rest, consider other RDS services.
