RDS + Lambda security best practices

question

#1

I’m interested in better securing the RDS instances that Lambda is accessing with Jets. I watched the introductory tutorial that is provided for Jets, and two things stuck out to me:

  1. A database connection string with a plaintext password is used as an environment variable in Lambda to get an RDS connection.
  2. The lambdas are not launched in a VPC alongside the RDS instance by default; this means that the RDS instance is publicly accessible.

Both these things seem like bad practices, though I’m sure they were just shortcuts to cut down on video time. What’s the best way to mitigate these issues with Jets? I haven’t found anything in the docs.

I’m imagining the best way to go would be to remove public accessibility from RDS and allow my lambda to connect to the VPC the RDS instance is in via its role. Then I think I could remove the DB URL string in the environment variable. Does this sound like the best approach, and, if so, how can I do this with Jets?

Associated video: https://www.youtube.com/watch?time_continue=59&v=yJIZFc9TZJo&feature=emb_title

Documentation website: https://community.rubyonjets.com/


#2

You can put it in a VPC and use AWS SSM to store database credentials:

https://rubyonjets.com/docs/considerations/vpc/
https://rubyonjets.com/docs/env-files/

I didn’t do the SSM part, but I did put my lambdas in a VPC. You can ask me if you need any further help! 🙂
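As an added audit check (not Jets code and not from either poster), the Ruby script below inspects the kind of output `aws lambda get-function-configuration` and `aws rds describe-db-instances` return and flags the three conditions discussed above: a connection-string environment variable that embeds a plaintext password, a function with no VPC attachment, and an RDS instance that is publicly accessible. The function name, hostname and credential values are constructed sample data.

```ruby
require 'json'
require 'uri'

# Constructed sample of `aws lambda get-function-configuration` output,
# trimmed to the fields the check needs (hypothetical names and values).
LAMBDA_CONFIG = JSON.parse(<<~CFG)
  {
    "FunctionName": "demo-dev-posts_controller-index",
    "Environment": { "Variables": {
      "DATABASE_URL": "mysql2://admin:Sup3rSecret@demo.abc123.us-west-2.rds.amazonaws.com/demo_dev",
      "JETS_ENV": "dev"
    } },
    "VpcConfig": { "SubnetIds": [], "SecurityGroupIds": [] }
  }
CFG

# Constructed sample of one entry from `aws rds describe-db-instances`.
RDS_INSTANCE = JSON.parse('{"DBInstanceIdentifier": "demo", "PubliclyAccessible": true}')

# True when a value is a connection URL of the form scheme://user:password@host,
# i.e. the secret itself sits in the variable rather than a reference to it.
def embeds_plaintext_password?(value)
  uri = URI.parse(value)
  !uri.password.nil? && !uri.password.empty?
rescue URI::InvalidURIError
  false
end

# Returns the list of findings for one Lambda function and its database instance.
def audit(lambda_config, rds_instance)
  findings = []
  vars = lambda_config.dig('Environment', 'Variables') || {}
  vars.each do |name, value|
    next unless embeds_plaintext_password?(value)
    findings << "#{name}: connection string carries a plaintext password; keep the secret in SSM and reference it from the env file"
  end
  subnets = lambda_config.dig('VpcConfig', 'SubnetIds') || []
  findings << "#{lambda_config['FunctionName']}: no VPC subnets attached, so RDS is reached over its public endpoint" if subnets.empty?
  findings << "#{rds_instance['DBInstanceIdentifier']}: PubliclyAccessible is true" if rds_instance['PubliclyAccessible']
  findings
end

puts audit(LAMBDA_CONFIG, RDS_INSTANCE) if $PROGRAM_NAME == __FILE__
```

Run against the sample data it prints three findings; against a function whose env file resolves the secret through SSM and that has subnets configured, only the RDS public-access line remains until that flag is cleared too.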


#3

Somehow I missed the SSM thing.