Heroku with Amazon RDS security


Question

I've setup our heroku app with an amazon RDS instance.

I followed the guide here: https://devcenter.heroku.com/articles/amazon_rds

This guide basically says to require SSL with the connection and then to input your RDS credentials.

This doesn't seem very secure to me. If someone has my db url, user and password then they can login from anywhere, correct? The SSL is nice to prevent sniffing of this info, but I'd like to lock it down further, to a machine, IP address or SSH.

I previously setup RDS DB instances where access was locked down to only specific IPs, but heroku no longer recommends this for whatever reason.

So the questions are:

  • Are my assumptions correct here?
  • How can I lock this down further?
  • Why doesn't Heroku recommend locking it down to an IP (or at least an IP range)?

I'll run this by Heroku support as well and post an update, but wanted to get thoughts from the community.
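The question treats "require SSL" as the transport protection for the RDS credentials. In libpq terms the `sslmode` parameter in the `DATABASE_URL` decides how much protection that actually buys: `require` encrypts the session but accepts any server certificate, so a client that is redirected to a hostile endpoint will still hand over the password; only `verify-full` checks the certificate against a configured CA bundle and matches the hostname. The following is an added example, not code from the original post or from Heroku's guide. It audits a Heroku-style `DATABASE_URL` for these settings and upgrades it to `verify-full` with a pinned CA bundle. The hostname, user, password and bundle path are constructed placeholders.

```python
"""Audit and harden a libpq-style DATABASE_URL (postgres://user:pass@host:port/db?...).

Added example, not part of the original post. The URL, credentials and CA
bundle path used below are constructed placeholders.
"""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# libpq sslmode values from weakest to strongest. Only verify-ca and
# verify-full validate the server certificate; "require" encrypts but
# trusts whatever certificate the far end presents.
SSLMODES = ["disable", "allow", "prefer", "require", "verify-ca", "verify-full"]

# Finding codes returned by audit_database_url().
NO_SSLMODE = "no sslmode set: libpq defaults to 'prefer', which falls back to plaintext"
WEAK_SSLMODE = "sslmode weaker than verify-full: server certificate is not checked"
NO_ROOTCERT = "no sslrootcert: verification has no CA bundle to chain to"


def _params(url: str) -> dict:
    """Query parameters of the URL as a plain dict (last value wins, as in libpq)."""
    return dict(parse_qsl(urlsplit(url).query))


def sslmode_of(url: str) -> str:
    """Return the sslmode libpq would use for this URL ('prefer' if unset)."""
    return _params(url).get("sslmode", "prefer")


def verifies_server_identity(url: str) -> bool:
    """True only when the client would reject an unknown CA *and* a hostname mismatch."""
    return sslmode_of(url) == "verify-full"


def audit_database_url(url: str) -> list:
    """Return the list of findings (empty means the URL is hardened)."""
    params = _params(url)
    findings = []
    if "sslmode" not in params:
        findings.append(NO_SSLMODE)
    mode = params.get("sslmode", "prefer")
    if mode not in SSLMODES or SSLMODES.index(mode) < SSLMODES.index("verify-full"):
        findings.append(WEAK_SSLMODE)
    if mode in ("verify-ca", "verify-full") and "sslrootcert" not in params:
        findings.append(NO_ROOTCERT)
    return findings


def harden_database_url(url: str, ca_bundle: str) -> str:
    """Force sslmode=verify-full and pin the CA bundle, preserving everything else."""
    parts = urlsplit(url)
    params = _params(url)
    params["sslmode"] = "verify-full"
    params["sslrootcert"] = ca_bundle
    return urlunsplit(parts._replace(query=urlencode(params)))


if __name__ == "__main__":
    # Constructed sample: what a guide-style "require SSL" URL looks like.
    weak = ("postgres://app:s3cret@example-rds.us-east-1.rds.amazonaws.com:5432/appdb"
            "?sslmode=require")
    for finding in audit_database_url(weak):
        print("weak:", finding)
    strong = harden_database_url(weak, "/app/rds-ca-bundle.pem")
    print("hardened:", strong)
    print("findings after hardening:", audit_database_url(strong))
```

Drop the hardened URL into the app's config (Heroku config var) and make the CA bundle file available to the dyno; the `sslrootcert` path is resolved by libpq on the client side, so it has to point at a file the application process can read.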

Accepted answer

Previously, Heroku recommended locking down access by referencing the Heroku AWS account ID. That approach is no longer recommended. The Heroku changelog entry lists the reasons, reproduced here for completeness:

  • Cross-security grants don't work with AWS VPC (which is now the default on AWS)
  • It's not safe because it grants access to all apps running on Heroku, not just yours
  • Doesn't work across AWS regions
  • Heroku may in the future run apps in a VPC or in a different region or use a different AWS account

We know that not all customers are happy with this level of access granularity, and we're continuously evaluating whether this is the optimal setup.
