AWS Instant Dataset security

How to secure standalone Instant Datasets using AWS

The documentation in this Release Instant Datasets section is for the standalone product. For the Instant Datasets feature in the Release Environments as a Service product, start here instead.

By default, your standalone Instant Datasets are available on the internet and secured by one or more passwords. This level of security should be enough for fake or seed data, but may not be enough for sensitive information or for organizations that adhere to restricted data access policies.

Securing your standalone Instant Datasets

Follow these guidelines to enhance the security of your RDS instances and safeguard your data while keeping dataset access easy and efficient.

IP address restrictions

This feature is under development and may change. Please check back periodically for the latest updates.

One of the simplest ways to secure your Instant Datasets is to restrict connections to a specific set of IP addresses, allowing developers to access their database instances from well-known sources, such as home laptops or a corporate VPN.

To restrict access to your Instant Datasets based on IP address, you'll need:

  • Some basic working knowledge of AWS security groups and RDS. Read the AWS documentation to get oriented.

  • The source IP addresses allowed to access your Instant Datasets. Find IP addresses using Google or by locating the IP address of your VPN egress. (Currently, AWS RDS and Aurora public instances only use IPv4.)

  • Access to the AWS account integrated with Release Instant Datasets to change security groups. You can modify security groups with the CLI, UI, or whichever method you use to maintain infrastructure, like Terraform.

  • The VPC ID used for your standalone Instant Datasets. The security group that you will need to update is named according to this pattern: standalone-datasets-${vpc_id}.

Example console changes

These examples show you how to edit security group rules using the AWS console, but you can also edit and set security group rules using any tool at your disposal, for example, the AWS CLI, Terraform, or CloudFormation.

Navigate to the EC2 console and select Security groups. Find the security group to edit and click on it.

Edit the rules for the port your Instant Datasets use by adding the source IP addresses and blocks to be granted access to your databases. You can delete any port entries you don't need.

Save your changes and test that the new security group rules are working by trying to access your Instant Datasets from an unauthorized source like a WiFi hotspot or public access point.
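As a complement to the manual connection test, the following added example (not part of Release's tooling) audits saved `aws ec2 describe-security-groups` JSON for the `standalone-datasets-${vpc_id}` group and lists sources on the dataset port that fall outside your approved blocks. The VPC ID, group ID, port 5432, and all CIDRs are constructed placeholders.

```python
import ipaddress
import json

# Constructed sample shaped like `aws ec2 describe-security-groups` output.
# The VPC ID, group ID, ports and CIDRs are placeholders, not real values.
SAMPLE = json.loads("""
{"SecurityGroups": [{
  "GroupId": "sg-0example", "GroupName": "standalone-datasets-vpc-0example",
  "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "203.0.113.10/32"},
                  {"CidrIp": "192.0.2.0/24"}]},
    {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
     "IpRanges": [{"CidrIp": "198.51.100.0/24"}]}
  ]}]}
""")

def audit(doc, vpc_id, db_port, allowed_cidrs):
    """Return (violations, unused_ports) for the standalone-datasets group."""
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
    violations, unused_ports = [], []
    for group in doc["SecurityGroups"]:
        if group["GroupName"] != f"standalone-datasets-{vpc_id}":
            continue
        for perm in group["IpPermissions"]:
            # IpProtocol "-1" means all traffic and carries no port keys.
            lo = perm.get("FromPort", 0)
            hi = perm.get("ToPort", 65535)
            if perm["IpProtocol"] not in ("tcp", "-1") or not lo <= db_port <= hi:
                # Rule does not cover the dataset port: a candidate for deletion.
                unused_ports.append((perm["IpProtocol"], lo, hi))
                continue
            for rng in perm.get("IpRanges", []):
                net = ipaddress.ip_network(rng["CidrIp"])
                # A source is acceptable only if it sits inside an approved block.
                if not any(net.subnet_of(a) for a in allowed):
                    violations.append((group["GroupId"], db_port, str(net)))
    return violations, unused_ports

if __name__ == "__main__":
    bad, extra = audit(SAMPLE, "vpc-0example", 5432,
                       ["203.0.113.10/32", "198.51.100.0/24"])
    for gid, port, cidr in bad:
        print(f"{gid}: port {port} reachable from unapproved source {cidr}")
    for proto, lo, hi in extra:
        print(f"rule not needed for the dataset port: {proto} {lo}-{hi}")
```

An empty violations list means every source on the dataset port sits inside an approved block; the second list shows port entries you may be able to delete.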

Randomized Passwords

This feature is still in development.

By default, all your Instant Datasets are assigned the same administrative password, giving full access rights to the underlying database and tables. This may be sufficient security for a single user or small teams, but sharing the password increases the risk of it being exposed, which would make all the databases created in the dataset vulnerable to unauthorized access.

You can enable randomized passwords for each database in your dataset so that a single password leak does not grant access to all databases.
