Cloud Database Security — Encryption, Auditing & Access Control Guide
In this tutorial, you'll learn about Cloud Database Security. We cover key concepts, practical examples, and best practices to help you understand and apply this topic effectively.
Cloud database security protects managed databases through encryption at rest and in transit, network isolation with firewall rules, IAM-based authentication, continuous audit logging, and built-in threat detection across AWS RDS, Azure SQL, and GCP Cloud SQL.
What You Will Learn
How to configure database encryption, restrict network access to databases, authenticate using cloud IAM instead of database passwords, and enable audit logging and threat detection.
Why It Matters
Databases store the most sensitive data in any cloud environment. A misconfigured database with public access and weak authentication is the fastest path to a data breach.
Real-World Use
A DodaTech application uses AWS RDS with IAM database authentication. No database passwords exist. The database is deployed in a private subnet with a security group that allows traffic only from the application tier. RDS audit logs capture every query.
Database Security Layers
flowchart TD
App[Application Server] -->|IAM Auth| Firewall["Database Firewall\nSecurity Group / ACL"]
Firewall -->|Private Subnet| DB[Managed Database]
DB --> Encrypt["Encryption at Rest\nAES-256 / TDE"]
DB --> Audit[Audit Logs\nAll Queries]
DB --> Backup[Automated Backups\nEncrypted]
subgraph Threat Detection
TD[Threat Detection\nAnomaly Detection]
TD --> Alert[Security Alert]
end
DB --> TD
style DB fill:#f90,color:#fff
style Firewall fill:#390,color:#fff
AWS RDS Security
AWS RDS supports encryption at rest with KMS, encryption in transit with TLS, network isolation with VPC security groups, and IAM database authentication.
# Create an encrypted RDS instance in a private subnet
# (TempPass123! is a bootstrap placeholder; rotate it or hand it to Secrets Manager)
aws rds create-db-instance \
  --db-instance-identifier prod-orders \
  --db-instance-class db.r6g.large \
  --engine postgres \
  --master-username dbadmin \
  --master-user-password TempPass123! \
  --storage-encrypted \
  --kms-key-id alias/rds-key \
  --vpc-security-group-ids sg-app-only \
  --db-subnet-group-name private-subnets \
  --no-publicly-accessible \
  --enable-iam-database-authentication \
  --backup-retention-period 30
# Create a database user that authenticates with IAM. In RDS for PostgreSQL this is
# done in SQL as the master user; granting rds_iam makes the user accept IAM tokens
# (global-bundle.pem is the RDS CA bundle downloaded from AWS)
psql "host=prod-orders.123456789012.us-east-1.rds.amazonaws.com user=dbadmin dbname=postgres sslmode=verify-full sslrootcert=global-bundle.pem" \
  -c "CREATE USER app_user; GRANT rds_iam TO app_user;"
# Generate an IAM authentication token (valid for 15 minutes; the caller needs
# rds-db:connect on the matching dbuser resource). The token is used as the
# password, and the connection must use TLS.
aws rds generate-db-auth-token \
  --hostname prod-orders.123456789012.us-east-1.rds.amazonaws.com \
  --port 5432 \
  --username app_user
# Output:
# prod-orders.123456789012.us-east-1.rds.amazonaws.com:5432/?Action=connect&DBUser=app_user&X-Amz-Credential=...
# Export the database log to CloudWatch. "audit" is the MySQL/MariaDB log type; for
# PostgreSQL, queries land in the "postgresql" log once pgaudit is enabled in the
# parameter group (shared_preload_libraries=pgaudit, pgaudit.log=all)
aws rds modify-db-instance \
  --db-instance-identifier prod-orders \
  --cloudwatch-logs-export-configuration '{"EnableLogTypes": ["postgresql", "upgrade"]}'
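The token above is only issued if the caller's IAM policy allows rds-db:connect on that specific database user. As an added example (not code from the original page), the following builds that least-privilege policy and flags policies whose connect grant wildcards the instance or the user; the DbiResourceId value is a constructed placeholder, in practice it comes from describe-db-instances rather than from the instance identifier.

```python
# Added example: least-privilege IAM policy for RDS IAM authentication, plus a
# check for over-broad rds-db:connect grants. Resource ARN format:
#   arn:aws:rds-db:<region>:<account>:dbuser:<DbiResourceId>/<db-user-name>
import json
from fnmatch import fnmatchcase


def connect_policy(region: str, account: str, dbi_resource_id: str, db_user: str) -> dict:
    """Return an IAM policy document granting rds-db:connect for exactly one DB user."""
    resource = f"arn:aws:rds-db:{region}:{account}:dbuser:{dbi_resource_id}/{db_user}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "RdsIamConnect", "Effect": "Allow",
             "Action": "rds-db:connect", "Resource": resource}
        ],
    }


def overly_broad_connect_grants(policy: dict) -> list:
    """Return rds-db:connect resources that wildcard the instance or the DB user."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        # "rds-db:*" and "*" both cover rds-db:connect
        if not any(fnmatchcase("rds-db:connect", a) for a in actions):
            continue
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        for res in resources:
            # "dbuser:*/*" (or a bare "*") allows connecting as any user to any
            # instance in the account; "db-XXXX/*" allows any user on one instance
            tail = res.rsplit(":", 1)[-1]
            if res == "*" or "*" in tail:
                findings.append(res)
    return findings


if __name__ == "__main__":
    # db-ABCDEFGHIJKL01234 is a constructed placeholder for the DbiResourceId
    good = connect_policy("us-east-1", "123456789012", "db-ABCDEFGHIJKL01234", "app_user")
    print(json.dumps(good, indent=2))
    print(overly_broad_connect_grants(good))
```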
Azure SQL Database Security
Azure SQL provides transparent data encryption, Azure AD authentication, firewall rules, and Advanced Threat Protection.
# Create an Azure SQL logical server with Azure AD (Entra ID) only authentication.
# TDE is enabled by default on every new Azure SQL Database. With
# --enable-ad-only-auth no SQL admin password exists; an Azure AD principal is
# designated as admin instead (the name and object ID below are placeholders).
az sql server create \
  --name prod-sqlserver \
  --resource-group prod-rg \
  --enable-ad-only-auth \
  --external-admin-principal-type User \
  --external-admin-name dbadmin@example.com \
  --external-admin-sid 00000000-0000-0000-0000-000000000000
# Create the database that the commands below configure
az sql db create \
  --resource-group prod-rg \
  --server prod-sqlserver \
  --name prod-db
# Configure the firewall to allow only Azure services. The special 0.0.0.0 rule
# admits any Azure-hosted resource, including other tenants' resources, so a
# private endpoint or a VNet rule is the tighter choice for production.
az sql server firewall-rule create \
  --resource-group prod-rg \
  --server prod-sqlserver \
  --name allow-azure-services \
  --start-ip-address 0.0.0.0 \
  --end-ip-address 0.0.0.0
# Enable Advanced Threat Protection
az sql db threat-policy update \
  --resource-group prod-rg \
  --server prod-sqlserver \
  --name prod-db \
  --state Enabled \
  --storage-account threatstorage \
  --retention-days 90
# Enable SQL auditing
az sql db audit-policy update \
  --resource-group prod-rg \
  --server prod-sqlserver \
  --name prod-db \
  --state Enabled \
  --storage-account auditstorage \
  --retention-days 365
az sql db audit-policy show \
--resource-group prod-rg \
--server prod-sqlserver \
--name prod-db
# Output:
# {
# "state": "Enabled",
# "retentionDays": 365,
# "storageAccountName": "auditstorage"
# }
GCP Cloud SQL Security
Cloud SQL supports customer-managed encryption keys, private IP, IAM database authentication, and audit logging.
# Create a Cloud SQL instance with private IP and CMEK. Private services access
# must already be configured on prod-vpc, the KMS key must be in the instance's
# region, and the Cloud SQL service agent needs Encrypter/Decrypter on the key.
gcloud sql instances create prod-orders \
  --database-version POSTGRES_14 \
  --tier db-custom-2-7680 \
  --region us-central1 \
  --network prod-vpc \
  --no-assign-ip \
  --disk-encryption-key projects/my-project/locations/us-central1/keyRings/sql/cryptoKeys/sql-key \
  --backup-start-time 03:00 \
  --enable-point-in-time-recovery
# Enable IAM database authentication and pgaudit-based query auditing.
# --database-flags replaces the whole flag set on each patch, so list every
# flag; afterwards run CREATE EXTENSION pgaudit; in each database to audit.
gcloud sql instances patch prod-orders \
  --database-flags cloudsql.iam_authentication=on,cloudsql.enable_pgaudit=on,pgaudit.log=all
# Create a database user mapped to a GCP service account. For PostgreSQL the
# user name is the service account email without the .gserviceaccount.com suffix.
gcloud sql users create app-sa@my-project.iam \
  --instance prod-orders \
  --type cloud_iam_service_account
# Confirm that log entries are flowing for the instance
gcloud logging read \
  'resource.type="cloudsql_database" AND resource.labels.database_id="my-project:prod-orders"' \
  --limit 5
# Output:
# 2026-06-24T10:00:00Z cloudsql.googleapis.com/postgres.log
# 2026-06-24T10:00:05Z cloudsql.googleapis.com/mysql-general.log
IAM Authentication Benefits
Using IAM authentication eliminates database passwords. Access is granted through IAM roles and policies with temporary credentials. Rotating database access means rotating IAM permissions, not passwords.
Common Mistakes
- Database publicly accessible: The most common cloud database misconfiguration is a publicly accessible database with a weak password. Always use private IP or VPC-only access.
- No encryption at rest: Databases without encryption at rest are vulnerable to physical storage theft. Enable encryption by default on all databases.
- Using database passwords instead of IAM auth: Passwords can leak. IAM authentication with short-lived tokens is more secure. Use it wherever supported.
- No audit logging: Without audit logs, you cannot detect unauthorized queries or prove compliance. Enable audit logging on all production databases.
- Weak backup security: Backups without encryption expose data. Encrypt backups and store them in a separate account or region.
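The mistakes above map directly onto fields in the RDS describe-db-instances output, so they can be checked mechanically. The following is an added example (not from the original page) that scores each instance in that JSON against the list; the two instance records are constructed to resemble the AWS CLI output shape, and the field names are the real RDS API ones.

```python
# Added example: flag the common cloud database mistakes in describe-db-instances JSON.
import json

MIN_BACKUP_DAYS = 7
# PostgreSQL exports its query log as "postgresql"; MySQL/MariaDB use "audit"
AUDIT_LOG_TYPES = {"postgres": "postgresql", "mysql": "audit", "mariadb": "audit"}


def check_instance(inst: dict) -> list:
    """Return the misconfiguration findings for one DBInstance record."""
    findings = []
    if inst.get("PubliclyAccessible"):
        findings.append("publicly accessible")
    if not inst.get("StorageEncrypted"):
        findings.append("storage not encrypted at rest")
    if not inst.get("IAMDatabaseAuthenticationEnabled"):
        findings.append("IAM database authentication disabled")
    wanted = AUDIT_LOG_TYPES.get(inst.get("Engine", ""))
    if wanted and wanted not in inst.get("EnabledCloudwatchLogsExports", []):
        findings.append(f"{wanted} log not exported to CloudWatch")
    # Retention 0 means automated backups are disabled entirely
    if inst.get("BackupRetentionPeriod", 0) < MIN_BACKUP_DAYS:
        findings.append(f"backup retention below {MIN_BACKUP_DAYS} days")
    return findings


def audit_instances(describe_output: str) -> dict:
    """Map each DBInstanceIdentifier in describe-db-instances JSON to its findings."""
    data = json.loads(describe_output)
    return {i["DBInstanceIdentifier"]: check_instance(i) for i in data["DBInstances"]}


# Constructed sample: one hardened instance and one showing the common mistakes
SAMPLE = json.dumps({"DBInstances": [
    {"DBInstanceIdentifier": "prod-orders", "Engine": "postgres",
     "PubliclyAccessible": False, "StorageEncrypted": True,
     "IAMDatabaseAuthenticationEnabled": True, "BackupRetentionPeriod": 30,
     "EnabledCloudwatchLogsExports": ["postgresql", "upgrade"]},
    {"DBInstanceIdentifier": "legacy-reports", "Engine": "mysql",
     "PubliclyAccessible": True, "StorageEncrypted": False,
     "IAMDatabaseAuthenticationEnabled": False, "BackupRetentionPeriod": 0,
     "EnabledCloudwatchLogsExports": ["error"]},
]})

if __name__ == "__main__":
    # For a live account: aws rds describe-db-instances --output json | python this_script.py
    for name, issues in audit_instances(SAMPLE).items():
        print(name, "OK" if not issues else "; ".join(issues))
```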
Practice Questions
- How does IAM database authentication work in AWS RDS?
- What is the difference between TDE and column-level encryption in Azure SQL?
- How does GCP Cloud SQL support customer-managed encryption keys?
- Why should databases be deployed in private subnets?
- How can you audit all SQL queries executed against a cloud database?
Challenge
Deploy a secure database architecture for a multi-tier application. Create an encrypted AWS RDS PostgreSQL instance in a private subnet with IAM authentication. Restrict security group ingress to only the application tier. Enable audit logging to CloudWatch. Create a GCP Cloud SQL instance with private IP and customer-managed encryption key. Write IAM policies that grant the application service account access to both databases. Test connectivity from the application tier only.