Heroku with RDS Attack Protection

I set up our Heroku application using an Amazon RDS instance.

I followed the guide here: https://devcenter.heroku.com/articles/amazon_rds

This guide basically says that SSL is required for the connection, and then walks you through entering your RDS credentials.

This does not seem very safe to me. If someone has my db-url, user and password, then they can log in from anywhere, right? SSL is good for preventing this information from being sniffed, but I would like to lock it down further, by machine, IP address or SSH.

I previously configured RDS DB instances where access was allowed only from specific IP addresses, but Heroku no longer recommends this, for some reason.

So the questions are:

  • Are my assumptions correct here?

  • How can I block this further?

  • Why does Heroku not recommend restricting it to an IP (or at least an IP range)?

I raised this with Heroku support and posted an update, but wanted to get thoughts from the community.

1 answer

Earlier, Heroku recommended restricting access by specifying the Heroku AWS account ID. This approach is no longer recommended. The Heroku changelog lists the reasons, reproduced here for completeness:

  • Firewall grants do not work with AWS VPC (which is now the default for AWS)
  • This is unsafe because it provides access to all applications running on Heroku, not just yours.
  • Does not work in AWS regions.
  • Heroku may run applications in the VPC or in another region in the future, or use a different AWS account

We know that not all customers are satisfied with this level of access granularity, and we constantly evaluate whether this is the best setting.
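Since the answer confirms that the RDS endpoint cannot be meaningfully fenced off by Heroku's IP ranges or AWS account, the credentials and the TLS settings on the connection are the controls the application actually owns. The following is an added example, not from the original post or from Heroku's guide: it takes a PostgreSQL-style `DATABASE_URL` as Heroku stores it and rewrites it so that libpq refuses anything but a certificate-verified TLS connection (`sslmode=verify-full` plus `sslrootcert`). The hostname in the sample URL and the CA bundle path are constructed placeholders; the real bundle is the RDS CA bundle you download from AWS.

```python
"""Enforce certificate-verified TLS on an RDS DATABASE_URL (added example).

Assumes a postgres:// or postgresql:// URL and libpq's standard `sslmode`
and `sslrootcert` connection parameters. The CA bundle path below is a
placeholder; point it at the RDS CA bundle downloaded from AWS.
"""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# libpq sslmode values that verify the server certificate. 'require' only
# encrypts; it accepts any certificate, so a MITM with a self-signed cert
# would still be able to collect the credentials.
VERIFYING_MODES = {"verify-ca", "verify-full"}

# Placeholder path (assumption): where the app keeps the RDS CA bundle.
RDS_CA_BUNDLE = "/app/config/rds-ca-bundle.pem"


def ssl_mode_of(url: str) -> str:
    """Return the sslmode the URL asks for; libpq defaults to 'prefer'.

    'prefer' silently falls back to plaintext if TLS negotiation fails,
    so an absent sslmode is not a safe default on a public endpoint.
    """
    query = dict(parse_qsl(urlsplit(url).query))
    return query.get("sslmode", "prefer")


def is_verified_tls(url: str) -> bool:
    """True only if the URL demands TLS *and* server certificate verification."""
    query = dict(parse_qsl(urlsplit(url).query))
    return query.get("sslmode", "prefer") in VERIFYING_MODES and "sslrootcert" in query


def harden_database_url(url: str, ca_bundle: str = RDS_CA_BUNDLE) -> str:
    """Rewrite DATABASE_URL so the client refuses anything but verified TLS.

    Raises ValueError for unexpected schemes or missing credentials so a
    mis-set config var fails loudly at boot instead of connecting anyway.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("postgres", "postgresql"):
        raise ValueError(f"unexpected scheme {parts.scheme!r} in DATABASE_URL")
    if not parts.hostname or not parts.username or not parts.password:
        raise ValueError("DATABASE_URL must carry host, user and password")
    query = dict(parse_qsl(parts.query))
    # verify-full checks the chain against the CA bundle and that the
    # certificate's name matches the RDS endpoint we intend to talk to.
    query["sslmode"] = "verify-full"
    query["sslrootcert"] = ca_bundle
    # safe="/" keeps the bundle path readable; libpq decodes either form.
    return urlunsplit(parts._replace(query=urlencode(query, safe="/")))


if __name__ == "__main__":
    # Constructed sample in the shape Heroku stores; not a real endpoint.
    raw = "postgres://appuser:s3cret@example-db.abc123.us-east-1.rds.amazonaws.com:5432/appdb"
    print("verified TLS before:", is_verified_tls(raw))
    hardened = harden_database_url(raw)
    print("hardened URL:", hardened)
    print("verified TLS after:", is_verified_tls(hardened))
```

Run `harden_database_url` once at process start and hand the result to the database driver; `is_verified_tls` doubles as a startup assertion so a deploy with a downgraded `sslmode` is rejected before the first query leaves the dyno.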


Source: https://habr.com/ru/post/910932/