DEV Community: rodrigo carvajal The latest articles on DEV Community by rodrigo carvajal (@rodrigo_carvajal). https://dev.to/rodrigo_carvajal https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F2074061%2F13edfeff-a8f8-47ab-82ef-d03b3ffdccfe.jpeg DEV Community: rodrigo carvajal https://dev.to/rodrigo_carvajal en Create a secure AWS RDS instance with CDK rodrigo carvajal Sun, 15 Sep 2024 02:32:14 +0000 https://dev.to/rodrigo_carvajal/create-a-secure-aws-rds-instance-with-cdk-5baf https://dev.to/rodrigo_carvajal/create-a-secure-aws-rds-instance-with-cdk-5baf <p>TLDR; This is the <a href="https://github.com/ksco92/single_instance_rds" rel="noopener noreferrer">GitHub package</a> with the code. <a href="https://github.com/ksco92/single_instance_rds/blob/master/lib/single-instance-rds.ts" rel="noopener noreferrer">This is the class</a> that has everything. You can consume it as an <a href="https://www.npmjs.com/package/single_instance_rds" rel="noopener noreferrer">NPM module</a> too. This is not comprehensive, and many things can be added to make it better.</p> <h2> Background </h2> <p>Building infrastructure is complicated. Building secure infrastructure is even more complicated. With the vast amount of features provided by cloud providers and all the possible combinations of requirements, we can’t possibly expect to have a “how-to” guide for everything. This is the first in a series of posts going through examples of creating secure infrastructure and all the possible security features I can think of adding to it based on 10 years of experience using AWS. This specific post is for getting started on PostgreSQL on AWS RDS.</p> <h2> Overall picture </h2> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0ylmylt3gkpnzh8wq6p6.jpg" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0ylmylt3gkpnzh8wq6p6.jpg" alt="Image description"></a></p> <p>This creates an RDS instance with two points of access (a bastion host and a network load balancer). All the data is encrypted at rest, the root credentials are rotated daily, and all queries are logged to CloudWatch. To be able to actually run a query, there are two paths:</p> <ul> <li> <p><strong>Through the bastion. Requires</strong>:</p> <ul> <li>Having key pair <code>.pem</code> file</li> <li>Making the query through a specific IP</li> <li>Have access to the console or the EC2 API to get the bastion address</li> <li>Have access to the console or the SM API to get the credentials</li> </ul> </li> <li> <p><strong>Through the NLB. Requires:</strong> </p> <ul> <li>Making the query through a specific IP</li> <li>Have access to the console or the EC2 API to get the NLB address</li> <li>Have access to the console or the SM API to get the credentials.</li> </ul> </li> </ul> <h2> Networking </h2> <p>The core of the networking section is the VPC.</p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code> <span class="k">this</span><span class="p">.</span><span class="nx">vpc</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Vpc</span><span class="p">(</span><span class="nx">scope</span><span class="p">,</span> <span class="dl">'</span><span class="s1">MainVPC</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">ipAddresses</span><span class="p">:</span> <span class="nx">IpAddresses</span><span class="p">.</span><span class="nf">cidr</span><span class="p">(</span><span class="dl">'</span><span class="s1">10.0.0.0/16</span><span class="dl">'</span><span class="p">),</span> <span class="na">vpcName</span><span class="p">:</span> <span class="dl">'</span><span class="s1">MainVPC</span><span class="dl">'</span><span class="p">,</span> <span class="na">subnetConfiguration</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">private</span><span class="dl">'</span><span class="p">,</span> <span class="na">subnetType</span><span class="p">:</span> <span class="nx">SubnetType</span><span class="p">.</span><span class="nx">PRIVATE_WITH_EGRESS</span><span class="p">,</span> <span class="p">},</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">public</span><span class="dl">'</span><span class="p">,</span> <span class="na">subnetType</span><span class="p">:</span> <span class="nx">SubnetType</span><span class="p">.</span><span class="nx">PUBLIC</span><span class="p">,</span> <span class="p">},</span> <span class="p">],</span> <span class="na">maxAzs</span><span class="p">:</span> <span class="mi">2</span><span class="p">,</span> <span class="na">natGatewayProvider</span><span class="p">:</span> <span class="nx">NatProvider</span><span class="p">.</span><span class="nf">instanceV2</span><span class="p">({</span> <span class="na">instanceType</span><span class="p">:</span> <span class="nb">InstanceType</span><span class="p">.</span><span class="k">of</span><span class="p">(</span><span class="nx">InstanceClass</span><span class="p">.</span><span class="nx">T3</span><span class="p">,</span> <span class="nx">InstanceSize</span><span class="p">.</span><span class="nx">MICRO</span><span class="p">),</span> <span class="p">}),</span> <span class="na">natGateways</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span> <span class="na">flowLogs</span><span class="p">:</span> <span class="p">{</span> <span class="na">cw</span><span class="p">:</span> <span class="p">{</span> <span class="na">destination</span><span class="p">:</span> <span class="nx">FlowLogDestination</span><span class="p">.</span><span class="nf">toCloudWatchLogs</span><span class="p">(</span><span class="k">new</span> <span class="nc">LogGroup</span><span class="p">(</span><span class="nx">scope</span><span class="p">,</span> <span class="dl">'</span><span class="s1">VPCFlowLogs</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">encryptionKey</span><span class="p">:</span> <span class="nx">flowLogsKmsKey</span><span class="p">,</span> <span class="nx">removalPolicy</span><span class="p">,</span> <span class="na">logGroupName</span><span class="p">:</span> <span class="dl">'</span><span class="s1">vpcflowlogs</span><span class="dl">'</span><span class="p">,</span> <span class="na">retention</span><span class="p">:</span> <span class="nx">RetentionDays</span><span class="p">.</span><span class="nx">ONE_YEAR</span><span class="p">,</span> <span class="p">})),</span> <span class="na">trafficType</span><span class="p">:</span> <span class="nx">FlowLogTrafficType</span><span class="p">.</span><span class="nx">ALL</span><span class="p">,</span> <span class="p">},</span> <span class="p">},</span> <span class="p">});</span> </code></pre> </div> <p>This creates a VPC with two public subnets and two private subnets. For the purpose of cost savings, it uses a NAT instance EC2 rather than regular NAT gateways. Use NAT gateways for real production environments. Most importantly, it sends the <a href="https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html" rel="noopener noreferrer">VPC flow logs</a> to CloudWatch, which can be used to monitor traffic in the VPC.</p> <p>Another important aspect is the VPC endpoint for Secrets Manager:</p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code> <span class="k">this</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nf">addInterfaceEndpoint</span><span class="p">(</span><span class="dl">'</span><span class="s1">SMEndpoint</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">service</span><span class="p">:</span> <span class="nx">InterfaceVpcEndpointAwsService</span><span class="p">.</span><span class="nx">SECRETS_MANAGER</span><span class="p">,</span> <span class="na">subnets</span><span class="p">:</span> <span class="p">{</span> <span class="na">subnetType</span><span class="p">:</span> <span class="nx">SubnetType</span><span class="p">.</span><span class="nx">PRIVATE_WITH_EGRESS</span><span class="p">,</span> <span class="p">},</span> <span class="p">});</span> </code></pre> </div> <p>This ensures that if any resource inside the private subnets calls Secrets Manager, the calls are directed through the endpoint, avoiding the public internet.</p> <p>You can see the security groups and their rules in the source code, but at a high level, the bastion and NLB can connect to RDS, and only specific public IP addresses can connect to the NLB and bastion.</p> <h2> RDS </h2> <p>The RDS instance has a large number of possible settings; I’ll be highlighting the important ones related to security here.</p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code> <span class="k">this</span><span class="p">.</span><span class="nx">rds</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">DatabaseInstance</span><span class="p">(</span><span class="nx">scope</span><span class="p">,</span> <span class="dl">'</span><span class="s1">RDSDB</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">engine</span><span class="p">:</span> <span class="nx">DatabaseInstanceEngine</span><span class="p">.</span><span class="nf">postgres</span><span class="p">({</span> <span class="na">version</span><span class="p">:</span> <span class="nx">PostgresEngineVersion</span><span class="p">.</span><span class="nx">VER_16</span><span class="p">,</span> <span class="p">}),</span> <span class="na">vpc</span><span class="p">:</span> <span class="k">this</span><span class="p">.</span><span class="nx">vpc</span><span class="p">,</span> <span class="na">allowMajorVersionUpgrade</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">credentials</span><span class="p">:</span> <span class="nx">Credentials</span><span class="p">.</span><span class="nf">fromGeneratedSecret</span><span class="p">(</span><span class="nx">props</span><span class="p">.</span><span class="nx">appName</span><span class="p">,</span> <span class="p">{</span> <span class="na">secretName</span><span class="p">:</span> <span class="nx">props</span><span class="p">.</span><span class="nx">appName</span><span class="p">,</span> <span class="na">encryptionKey</span><span class="p">:</span> <span class="k">new</span> <span class="nc">Key</span><span class="p">(</span><span class="nx">scope</span><span class="p">,</span> <span class="dl">'</span><span class="s1">RDSDBSecretKMSKey</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">enableKeyRotation</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">alias</span><span class="p">:</span> <span class="dl">'</span><span class="s1">RDSDBSecretKMSKey</span><span class="dl">'</span><span class="p">,</span> <span class="nx">removalPolicy</span><span class="p">,</span> <span class="p">}),</span> <span class="p">}),</span> <span class="na">databaseName</span><span class="p">:</span> <span class="nx">props</span><span class="p">.</span><span class="nx">appName</span><span class="p">,</span> <span class="na">iamAuthentication</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">instanceIdentifier</span><span class="p">:</span> <span class="nx">props</span><span class="p">.</span><span class="nx">appName</span><span class="p">,</span> <span class="na">instanceType</span><span class="p">:</span> <span class="nx">dbInstanceType</span><span class="p">,</span> <span class="nx">removalPolicy</span><span class="p">,</span> <span class="na">storageEncryptionKey</span><span class="p">:</span> <span class="k">new</span> <span class="nc">Key</span><span class="p">(</span><span class="nx">scope</span><span class="p">,</span> <span class="dl">'</span><span class="s1">RDSDBKMSKey</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">enableKeyRotation</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">alias</span><span class="p">:</span> <span class="dl">'</span><span class="s1">RDSDBDBKMSKey</span><span class="dl">'</span><span class="p">,</span> <span class="nx">removalPolicy</span><span class="p">,</span> <span class="p">}),</span> <span class="na">vpcSubnets</span><span class="p">:</span> <span class="p">{</span> <span class="na">subnetType</span><span class="p">:</span> <span class="nx">SubnetType</span><span class="p">.</span><span class="nx">PRIVATE_WITH_EGRESS</span><span class="p">,</span> <span class="p">},</span> <span class="na">securityGroups</span><span class="p">:</span> <span class="p">[</span> <span class="k">this</span><span class="p">.</span><span class="nx">rdsSecurityGroup</span><span class="p">,</span> <span class="p">],</span> <span class="na">port</span><span class="p">:</span> <span class="nx">rdsPort</span><span class="p">,</span> <span class="na">allocatedStorage</span><span class="p">:</span> <span class="nx">dbStorageGib</span><span class="p">,</span> <span class="na">storageType</span><span class="p">:</span> <span class="nx">StorageType</span><span class="p">.</span><span class="nx">GP3</span><span class="p">,</span> <span class="na">monitoringInterval</span><span class="p">:</span> <span class="nx">Duration</span><span class="p">.</span><span class="nf">minutes</span><span class="p">(</span><span class="mi">1</span><span class="p">),</span> <span class="na">enablePerformanceInsights</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">performanceInsightRetention</span><span class="p">:</span> <span class="nx">PerformanceInsightRetention</span><span class="p">.</span><span class="nx">MONTHS_3</span><span class="p">,</span> <span class="na">performanceInsightEncryptionKey</span><span class="p">:</span> <span class="k">new</span> <span class="nc">Key</span><span class="p">(</span><span class="nx">scope</span><span class="p">,</span> <span class="dl">'</span><span class="s1">RDSDBInsightsKMSKey</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">enableKeyRotation</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">alias</span><span class="p">:</span> <span class="dl">'</span><span class="s1">RDSDBInsightsKMSKey</span><span class="dl">'</span><span class="p">,</span> <span class="na">removalPolicy</span><span class="p">:</span> <span class="nx">RemovalPolicy</span><span class="p">.</span><span class="nx">DESTROY</span><span class="p">,</span> <span class="p">}),</span> <span class="na">cloudwatchLogsRetention</span><span class="p">:</span> <span class="nx">RetentionDays</span><span class="p">.</span><span class="nx">ONE_YEAR</span><span class="p">,</span> <span class="na">cloudwatchLogsExports</span><span class="p">:</span> <span class="p">[</span> <span class="dl">'</span><span class="s1">postgresql</span><span class="dl">'</span><span class="p">,</span> <span class="p">],</span> <span class="na">parameters</span><span class="p">:</span> <span class="p">{</span> <span class="na">log_min_duration_statement</span><span class="p">:</span> <span class="dl">'</span><span class="s1">0</span><span class="dl">'</span><span class="p">,</span> <span class="p">},</span> <span class="p">});</span> </code></pre> </div> <p>Here they are:</p> <ul> <li> <code>credentials</code>: This creates a random password stored in a secret in SM. The secret also has a KMS key, which means that accessing it requires multiple permissions and it is encrypted at rest.</li> <li> <code>storageEncryptionKey</code>: Adds encryption to the storage at rest.</li> <li> <code>vpcSubnets</code>: Since <code>SubnetType.PRIVATE_WITH_EGRESS</code> is specified, it means the RDS endpoint is not accessible from the public internet. This is crucial as it means that only resources from inside the VPC can actually make a connection to it.</li> <li> <code>enablePerformanceInsights</code>, <code>performanceInsightRetention</code> and <code>performanceInsightEncryptionKey</code>: This enables <a href="https://aws.amazon.com/rds/performance-insights/" rel="noopener noreferrer">Performance Insights</a>, while technically not security related, it is great to find bad queries via this feature that could be anomalous in nature and origin. Also, makes these logs encrypted at rest.</li> <li> <code>cloudwatchLogsRetention</code>, <code>cloudwatchLogsExports</code> and <code>parameters</code>: These make it so that every single query is logged into CloudWatch, where monitoring and alarming can be set up.</li> </ul> <p>Additionally, we make the root user password be rotated every day:</p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code> <p><span class="k">this</span><span class="p">.</span><span class="nx">rds</span><span class="p">.</span><span class="nx">secret</span><span class="o">!</span><span class="p">.</span><span class="nf">addRotationSchedule</span><span class="p">(</span><span class="dl">'</span><span class="s1">RDSDBSecretRotation</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span><br> <span class="na">automaticallyAfter</span><span class="p">:</span> <span class="nx">passwordRotationInterval</span><span class="p">,</span><br> <span class="na">hostedRotation</span><span class="p">:</span> <span class="nx">HostedRotation</span><span class="p">.</span><span class="nf">postgreSqlSingleUser</span><span class="p">({</span><br> <span class="na">vpc</span><span class="p">:</span> <span class="k">this</span><span class="p">.</span><span class="nx">vpc</span><span class="p">,</span><br> <span class="na">vpcSubnets</span><span class="p">:</span> <span class="p">{</span><br> <span class="na">subnetType</span><span class="p">:</span> <span class="nx">SubnetType</span><span class="p">.</span><span class="nx">PRIVATE_WITH_EGRESS</span><span class="p">,</span><br> <span class="p">},</span><br> <span class="na">securityGroups</span><span class="p">:</span> <span class="p">[</span><br> <span class="nx">rdsRotationSecurityGroup</span><span class="p">,</span><br> <span class="p">],</span><br> <span class="na">functionName</span><span class="p">:</span> <span class="dl">'</span><span class="s1">RDSDBSecretRotation</span><span class="dl">'</span><span class="p">,</span><br> <span class="p">}),</span><br> <span class="p">});</span></p> </code></pre> </div> <h2> <br> <br> <br> Bastion host<br> </h2> <p>The bastion host, which acts like a tunnel so people can run queries, has nothing special aside from not having any permissions to do anything and having the boot drive encrypted at rest.</p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code> <p><span class="k">this</span><span class="p">.</span><span class="nx">bastion</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Instance</span><span class="p">(</span><span class="nx">scope</span><span class="p">,</span> <span class="dl">'</span><span class="s1">BastionHost</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span><br> <span class="na">instanceType</span><span class="p">:</span> <span class="nb">InstanceType</span><span class="p">.</span><span class="k">of</span><span class="p">(</span><span class="nx">InstanceClass</span><span class="p">.</span><span class="nx">T3</span><span class="p">,</span> <span class="nx">InstanceSize</span><span class="p">.</span><span class="nx">MICRO</span><span class="p">),</span><br> <span class="na">machineImage</span><span class="p">:</span> <span class="nx">MachineImage</span><span class="p">.</span><span class="nf">latestAmazonLinux2023</span><span class="p">(),</span><br> <span class="na">vpc</span><span class="p">:</span> <span class="k">this</span><span class="p">.</span><span class="nx">vpc</span><span class="p">,</span><br> <span class="na">vpcSubnets</span><span class="p">:</span> <span class="p">{</span><br> <span class="na">subnetType</span><span class="p">:</span> <span class="nx">SubnetType</span><span class="p">.</span><span class="nx">PUBLIC</span><span class="p">,</span><br> <span class="p">},</span><br> <span class="na">keyPair</span><span class="p">:</span> <span class="nx">KeyPair</span><span class="p">.</span><span class="nf">fromKeyPairName</span><span class="p">(</span><span class="nx">scope</span><span class="p">,</span> <span class="dl">'</span><span class="s1">BastionKeyPair</span><span class="dl">'</span><span class="p">,</span> <span class="nx">props</span><span class="p">.</span><span class="nx">bastionKeyPairName</span><span class="p">),</span><br> <span class="na">securityGroup</span><span class="p">:</span> <span class="k">this</span><span class="p">.</span><span class="nx">bastionSecurityGroup</span><span class="p">,</span><br> <span class="na">blockDevices</span><span class="p">:</span> <span class="p">[</span><br> <span class="p">{</span><br> <span class="na">deviceName</span><span class="p">:</span> <span class="dl">'</span><span class="s1">/dev/xvda</span><span class="dl">'</span><span class="p">,</span><br> <span class="na">mappingEnabled</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span><br> <span class="na">volume</span><span class="p">:</span> <span class="nx">BlockDeviceVolume</span><span class="p">.</span><span class="nf">ebs</span><span class="p">(</span><span class="mi">8</span><span class="p">,</span> <span class="p">{</span><br> <span class="na">deleteOnTermination</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span><br> <span class="na">volumeType</span><span class="p">:</span> <span class="nx">EbsDeviceVolumeType</span><span class="p">.</span><span class="nx">GP3</span><span class="p">,</span><br> <span class="na">encrypted</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span><br> <span class="na">kmsKey</span><span class="p">:</span> <span class="k">new</span> <span class="nc">Key</span><span class="p">(</span><span class="nx">scope</span><span class="p">,</span> <span class="dl">'</span><span class="s1">BastionKMSKey</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span><br> <span class="na">enableKeyRotation</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span><br> <span class="na">alias</span><span class="p">:</span> <span class="dl">'</span><span class="s1">BastionKMSKey</span><span class="dl">'</span><span class="p">,</span><br> <span class="nx">removalPolicy</span><span class="p">,</span><br> <span class="p">}),</span><br> <span class="p">}),</span><br> <span class="p">},</span><br> <span class="p">],</span><br> <span class="p">});</span></p> </code></pre> </div> <h2> <br> <br> <br> Network load balancer<br> </h2> <p>This is a tricky part. You can’t directly make an RDS instance a target of an NLB; additionally, the CDK constructs don’t expose the private IP address of the RDS instance. Because of this, I created a custom resource that makes an API call to get the address and pass it as a target for the NLB. You can see the source code for more details on the custom resource.</p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code> <p><span class="k">this</span><span class="p">.</span><span class="nx">nlb</span><span class="p">.</span><span class="nf">addListener</span><span class="p">(</span><span class="dl">'</span><span class="s1">RDSListener</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span><br> <span class="na">port</span><span class="p">:</span> <span class="nx">rdsPort</span><span class="p">,</span><br> <span class="na">defaultTargetGroups</span><span class="p">:</span> <span class="p">[</span><br> <span class="k">new</span> <span class="nc">NetworkTargetGroup</span><span class="p">(</span><span class="nx">scope</span><span class="p">,</span> <span class="dl">'</span><span class="s1">RDSTargetGroup</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span><br> <span class="na">port</span><span class="p">:</span> <span class="nx">rdsPort</span><span class="p">,</span><br> <span class="na">targetType</span><span class="p">:</span> <span class="nx">TargetType</span><span class="p">.</span><span class="nx">IP</span><span class="p">,</span><br> <span class="na">targets</span><span class="p">:</span> <span class="p">[</span><br> <span class="k">new</span> <span class="nc">IpTarget</span><span class="p">(</span><span class="nx">getPrivateIp</span><span class="p">.</span><span class="nf">getResponseField</span><span class="p">(</span><span class="dl">'</span><span class="s1">NetworkInterfaces.0.PrivateIpAddress</span><span class="dl">'</span><span class="p">)),</span><br> <span class="p">],</span><br> <span class="na">vpc</span><span class="p">:</span> <span class="k">this</span><span class="p">.</span><span class="nx">vpc</span><span class="p">,</span><br> <span class="na">targetGroupName</span><span class="p">:</span> <span class="dl">'</span><span class="s1">RDSTargetGroup</span><span class="dl">'</span><span class="p">,</span><br> <span class="p">}),</span><br> <span class="p">],</span><br> <span class="p">});</span></p> </code></pre> </div> <h2> <br> <br> <br> Conclusion<br> </h2> <p>There you have it, a (mostly) straightforward way to create a secured RDS instance. However, this is not comprehensive. Many things, like CloudTrail and S3 IAM roles, can be added. And I will cover these in future posts. Feel free to reach out with questions or comments.</p> <p>Live long and prosper. 🖖🏽 </p> aws infrastructureascode database awscdk