# Security

{% hint style="info" %}
This page was generated from content adapted from the [AWS Developer Guide](https://github.com/awsdocs/amazon-rds-user-guide.git)
{% endhint %}

## Database authentication

* **Important**\
  We strongly recommend that you do not use the master user directly in your applications. Instead, adhere to the best practice of using a database user created with the minimal privileges required for your application.
* **Note**\
  Currently, Kerberos authentication isn't supported for MariaDB DB instances.

## Password management with RDS and Secrets Manager

* **Note**\
  This policy enforces password management in AWS Secrets Manager at creation. However, you can still disable Secrets Manager integration and manually set a master password by modifying the instance.\
  To prevent this, also include `rds:ModifyDBInstance` and `rds:ModifyDBCluster` in the Action block of the policy. Be aware that this prevents the user from applying any further modifications to existing instances that do not have Secrets Manager integration enabled.
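The note above describes the gap in a Deny policy that only covers the Create actions. The following Python script is an added example (not code from the AWS guide or from these notes) that checks such a policy document offline: it collects the actions that every `Deny` statement blocks when the caller sets `rds:ManageMasterUserPassword` to `false`, and reports which of the four password-setting RDS actions are still reachable. It assumes `rds:ManageMasterUserPassword` is the IAM condition key RDS evaluates for the Create/Modify DB calls; both sample policies are constructed for the demonstration, and nothing is sent to AWS.

```python
"""Offline check of an IAM policy meant to force RDS master passwords into Secrets Manager.

Added example; not code from the AWS guide or from these notes. It assumes the
IAM condition key rds:ManageMasterUserPassword (the key RDS exposes for the
Create/Modify DB API calls) and only inspects the policy document locally.
"""
import fnmatch
import json

# The RDS API calls through which a caller can set a master password by hand.
CREATE_ACTIONS = {"rds:CreateDBInstance", "rds:CreateDBCluster"}
MODIFY_ACTIONS = {"rds:ModifyDBInstance", "rds:ModifyDBCluster"}
ALL_PASSWORD_ACTIONS = CREATE_ACTIONS | MODIFY_ACTIONS
CONDITION_KEY = "rds:ManageMasterUserPassword"


def _as_list(value):
    """IAM accepts a single string/object or a list in Statement and Action; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _opts_out_of_secrets_manager(condition):
    """True if the Condition block matches requests with ManageMasterUserPassword=false."""
    for operator in ("Bool", "BoolIfExists"):
        value = condition.get(operator, {}).get(CONDITION_KEY)
        if value is not None and str(value).lower() == "false":
            return True
    return False


def denied_action_patterns(policy):
    """Lower-cased action patterns from Deny statements that fire on the opt-out."""
    patterns = set()
    for statement in _as_list(policy.get("Statement")):
        if statement.get("Effect") != "Deny":
            continue
        if not _opts_out_of_secrets_manager(statement.get("Condition", {})):
            continue
        patterns.update(a.lower() for a in _as_list(statement.get("Action")))
    return patterns


def covered_actions(policy):
    """Password-setting actions the policy blocks; wildcards such as rds:* count."""
    patterns = denied_action_patterns(policy)
    return {
        action for action in ALL_PASSWORD_ACTIONS
        if any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns)
    }


def gaps(policy):
    """Password-setting actions a caller can still use with a hand-set password."""
    return ALL_PASSWORD_ACTIONS - covered_actions(policy)


# Constructed sample: denies creation without Secrets Manager but leaves Modify open.
CREATE_ONLY_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Deny",
    "Action": ["rds:CreateDBInstance", "rds:CreateDBCluster"],
    "Resource": "*",
    "Condition": {"Bool": {"rds:ManageMasterUserPassword": "false"}}
  }]
}
""")

# Constructed sample: the two Modify actions added to the same Deny statement.
FULL_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Deny",
    "Action": ["rds:CreateDBInstance", "rds:CreateDBCluster",
               "rds:ModifyDBInstance", "rds:ModifyDBCluster"],
    "Resource": "*",
    "Condition": {"Bool": {"rds:ManageMasterUserPassword": "false"}}
  }]
}
""")


if __name__ == "__main__":
    for name, policy in (("create-only", CREATE_ONLY_POLICY), ("full", FULL_POLICY)):
        missing = sorted(gaps(policy))
        print(f"{name}: {'OK' if not missing else 'still allowed: ' + ', '.join(missing)}")
```

Running the script reports that the create-only policy still leaves `rds:ModifyDBCluster` and `rds:ModifyDBInstance` usable with a manually chosen password, while the full policy has no gap. The check treats a JSON `false` and the string `"false"` alike, and expands action wildcards, so a statement denying `rds:*` under the same condition also counts as covering all four calls.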

## Infrastructure security

* **Note**\
  If your DB instance is in a VPC but isn't publicly accessible, you can also use an AWS Site-to-Site VPN connection or an AWS Direct Connect connection to access it from a private network. For more information, see [Internetwork traffic privacy](https://github.com/kevinslin/aws-reference-notes/blob/main/services/amazon_rds/inter-network-traffic-privacy.md).

## Controlling access with security groups

* **Note**\
  If your DB instance is in a VPC but isn't publicly accessible, you can also use an AWS Site-to-Site VPN connection or an AWS Direct Connect connection to access it from a private network. For more information, see [Internetwork traffic privacy](https://github.com/kevinslin/aws-reference-notes/blob/main/services/amazon_rds/inter-network-traffic-privacy.md).
* **Note**\
  The RDS console displays different security group rule names for your database if the Port value is configured to a non-default value.

## Master user account privileges

* **Important**\
  We strongly recommend that you do not use the master user directly in your applications. Instead, adhere to the best practice of using a database user created with the minimal privileges required for your application.
* **Note**\
  If you accidentally delete the permissions for the master user, you can restore them by modifying the DB instance and setting a new master user password. For more information about modifying a DB instance, see [Modifying an Amazon RDS DB instance](https://github.com/kevinslin/aws-reference-notes/blob/main/services/amazon_rds/Overview.DBInstance.Modifying.md).

## Service-linked roles

* **Note**\
  You must configure permissions to allow an IAM entity (such as a user, group, or role) to create, edit, or delete a service-linked role. If you encounter the following error message:\
  **Unable to create the resource. Verify that you have permission to create service linked role. Otherwise wait and try again later.**\
  Make sure you have the following permissions enabled:
* **Important**\
  If you were using the Amazon RDS service before December 1, 2017, when it began supporting service-linked roles, then Amazon RDS created the AWSServiceRoleForRDS role in your account. To learn more, see [A new role appeared in my AWS account](https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_roles.html#troubleshoot_roles_new-role-appeared).

---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://awsnotes.dendron.so/database/amazon-rds/common/security.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
