
Quick Context: I often come across videos where people build apps using SQL database services alongside serverless functions (like AWS Lambda, Vercel, and others) without setting up a VPC to keep the database in a private subnet. It's understandable, since putting a Lambda function inside a VPC means it loses internet access unless you configure a NAT instance or NAT Gateway, because Lambda functions in a VPC can't have public IPs.

For my use cases, I’m not dealing with ultra-sensitive data — but I still don’t want to leave things wide open for attacks (Because of that, I chose to go with DynamoDB instead.). But I’m trying to better understand the risks and downsides of using databases with public IPs.

Having the database in a private subnet appears to be a necessary precaution given this DeepSeek example (and this one as well), even though many developers tend to avoid it. The extra security layer I've come across for protecting a public-facing database is the use of client certificates. But that leads to an important question: is this method secure enough? Or is a publicly reachable database still a relevant security problem even with this authentication method?

  • "one of the most secure approaches I've come across for protecting a public-facing database": the most secure and by far the most common way to protect a database is to use an API and web methods.
    Commented Apr 23 at 6:55
  • From our help center: "Security is a very contextual topic: threats that are deemed important in your environment may be inconsequential in somebody else's, and vice versa. [...] To get the most helpful answers you should tell us: - what assets you are trying to protect - who uses the asset you're trying to protect, and who you think might want to abuse it (and why) - what steps you've already taken to protect that asset - what risks you think you still need to mitigate"
    – D.W.
    Commented Apr 23 at 17:15
  • @GregAskew Doing that doesn't actually protect the database. You could still have a public IP on the database even if you have an API using that database. I think you might be confusing a publicly accessible database with a database that has no password, which would allow any random person to connect to it.
    Commented Apr 23 at 21:17
  • @VitorFigueredoMarques: certificate authentication for databases usually has very narrow and specific use cases, and is easily less than one percent of implementations. A good example of "because you can doesn't mean that you should". Also, an architectural limitation: most databases aren't accessed directly.
    Commented Apr 23 at 21:36

2 Answers


The security of certificate-based authentication (as in your case) mainly depends on the protection of the private key for the certificate, i.e. that it is actually kept private. There are different ways to protect the private key, with different security properties: keeping the key in plain form on the client system, having it password protected, having it protected by hardware such as a smartcard, etc.

Of course, the security also depends on proper implementation and configuration of certificate-based authentication, including that it is properly verified that only the expected certificate is used (instead of accepting various others too), ideally that it is checked that the certificate was not revoked (which requires proper certificate management that revokes compromised certificates), and of course that there is no alternative way to access the database without the certificate.

Is this (kind of) secure? Yes, better than simply password based authentication.

Is this secure enough with your specific (unknown) way to protect the private key and your specific (unknown) security requirements and your specific (unknown) implementation and configuration of authentication? This is unknown.

In any case: if the database does not need to be publicly reachable it should not be configured this way. If it will only be accessed from specific networks, then access should be restricted to these. Certificate based authentication is not a replacement for network based access control, instead these should be seen as different aspects of access control and can also be used together.

  • In the DeepSeek case, theoretically they don't have access to the data since they don't have the password, so would securing a password be the same as securing a password with a cert? Does the certificate prevent people from discovering the database?
    Commented Apr 22 at 20:24
  • @VitorFigueredoMarques: Client certificates and passwords both provide authentication, but the authentication mechanism of certificates is stronger since (contrary to passwords) private keys for certificates are impossible to guess or brute force. Preventing database discovery is done through proper authentication which cannot be bypassed. Client certificates for authentication could help in this, but are not the only way.
    Commented Apr 22 at 20:40
  • So a database CANNOT be discovered without actually successfully connecting to it? Doesn't a message saying "Hey, your password is incorrect" or "this certificate is invalid", or even a different response than you would get from a non-existent public host, by itself mean the database has been discovered, which allows hackers to find a way of getting information or even makes getting access to the database more likely?
    Commented Apr 22 at 21:06
  • @VitorFigueredoMarques: The official TCP ports of PostgreSQL or MySQL are publicly known. If a client can connect to those ports at all, this does reveal the existence of a database system, regardless of whether the client is actually able to authenticate. And a malicious client may very well check for misconfigurations or vulnerabilities. To completely hide the system, you need to run it behind, e.g., a firewall which blocks all IP addresses except those of legitimate clients. Or you restrict the database system to a private network, forcing external clients to connect via a VPN gateway.
    – Ja1024
    CommentedApr 23 at 1:57
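Putting that answer's checks (only the expected certificate is accepted, revoked certificates are refused, no alternative path in, network restriction on top of authentication) into concrete server configuration, as an added example that is not part of the original answer or question: PostgreSQL is assumed, and the file names, the 10.0.1.0/24 client subnet, the role name app, the database name appdb and the certificate CN app-client are placeholders. Rules in pg_hba.conf are tried top to bottom and the first match wins, so the reject lines make the "nothing else gets in" decision explicit rather than relying on the implicit default.

```text
# postgresql.conf (assumed file names)
ssl = on
ssl_min_protocol_version = 'TLSv1.2'
ssl_cert_file = 'server.crt'
ssl_key_file  = 'server.key'
ssl_ca_file   = 'ca.crt'      # only client certificates issued by this CA are accepted
ssl_crl_file  = 'ca.crl'      # revoked client certificates are refused; keep this file current

# pg_hba.conf -- first matching line decides, so order matters
# TYPE      DATABASE  USER      ADDRESS        METHOD  OPTIONS
hostssl     appdb     app       10.0.1.0/24    cert    map=appmap   # TLS + client cert, and only from the app subnet
hostssl     all       all       0.0.0.0/0      reject               # any other TLS client is refused before authentication
hostssl     all       all       ::/0           reject
hostnossl   all       all       0.0.0.0/0      reject               # plaintext connections are never accepted
hostnossl   all       all       ::/0           reject
local       all       postgres                 peer                 # administration only over the Unix socket, never over the network
# deliberately no "host" or password line for app: there is no way in without the certificate

# pg_ident.conf -- which certificate CN may log in as which database role
# MAPNAME   SYSTEM-USERNAME   PG-USERNAME
appmap      app-client        app
```

The client then connects with sslmode=verify-full sslcert=client.crt sslkey=client.key sslrootcert=ca.crt. libpq refuses to use a private key file that is readable by group or world (it must be 0600 when owned by the connecting user), which enforces at least the weakest of the key-protection levels the answer lists; a password-protected or hardware-backed key is still the client's responsibility. The CRL has to be regenerated and the server reloaded whenever a client certificate is revoked, otherwise the ssl_crl_file line is decorative.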

Like in your previous question, you're conflating two separate concerns. How much you expose the database system and which authentication method you choose are orthogonal problems. For less critical data, it can be perfectly fine to have a database system accessible over the Internet with password authentication only. On the other hand, for particularly critical data, it may be appropriate to use strong authentication with client certificates and keep the database system away from any public network.

Making a database system accessible to an application is always a risk, and it's up to you (or whoever is responsible for the project) to determine the importance of the data and the resulting security requirements. Note this is not only a matter of how much you expose the database system and which authentication method you choose. For example, even if the system is completely hidden in a private network and protected with very strong authentication, an attacker may still be able to issue arbitrary queries through an SQL injection. So it's generally a good idea to have multiple layers of security instead of relying on one aspect only (like client authentication).

  • Depending on how critical the data is, make the database system publicly accessible, implement basic network-level access control (like IP checks) or restrict the system to a private network, forcing external clients to connect through a VPN gateway.
  • Choose an appropriate authentication mechanism. Password authentication can be perfectly fine as long as you generate the passwords randomly, only transmit them over TLS and store them securely on the client system. If you believe client certificates are more suitable in your case, go ahead.
  • Use different database roles for different purposes and restrict their permissions as much as possible. For example, a normal user shouldn't be able to view or change arbitrary data, even if they've found a way to issue raw queries (e.g., through an SQL injection).
  • It's crucial for application developers to prevent SQL injection vulnerabilities using prepared statements, escaping or whitelisting.
  • Keep all software up-to-date. The best protection may be pointless if it can be bypassed with a vulnerability.
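The role and prepared-statement points from the list above, worked out as an added example in PostgreSQL SQL (not code from the answer): the users table, the role names app_reader and app_admin, and the column layout are assumptions. Run it as a superuser in an empty database; the two statements at the end are expected to fail, and that failure is the point.

```sql
-- Added example (assumed schema and role names). Two roles, one per purpose;
-- neither is a superuser and neither owns the table, so the grants are the ceiling.
CREATE ROLE app_reader LOGIN;   -- what the web/serverless handler connects as
CREATE ROLE app_admin  LOGIN;   -- used only by migration and maintenance jobs

REVOKE ALL ON SCHEMA public FROM PUBLIC;            -- start from nothing
GRANT USAGE ON SCHEMA public TO app_reader, app_admin;

CREATE TABLE users (
    id            serial PRIMARY KEY,
    username      text NOT NULL UNIQUE,
    email         text NOT NULL,
    password_hash text NOT NULL
);

-- The handler may look users up, but can never read password hashes or write.
GRANT SELECT (id, username, email) ON users TO app_reader;
GRANT SELECT, INSERT, UPDATE, DELETE ON users TO app_admin;
GRANT USAGE ON SEQUENCE users_id_seq TO app_admin;   -- needed for INSERT into a serial column

-- Constructed sample row (the hash is a placeholder, not a real digest).
INSERT INTO users (username, email, password_hash)
VALUES ('bob', 'bob@example.com', 'hash-placeholder');

-- Prepared statement: the input is bound as a value, never spliced into SQL text.
PREPARE find_user(text) AS
    SELECT id, username, email FROM users WHERE username = $1;

SET ROLE app_reader;                       -- from here on, run with the handler's rights

EXECUTE find_user('bob');                  -- one row: bob
EXECUTE find_user('bob'' OR ''1''=''1');   -- zero rows: the payload is just an unmatched username

-- Second layer: even if an attacker gets raw SQL executed as app_reader, the grants hold.
SELECT password_hash FROM users;           -- ERROR: permission denied for table users
DELETE FROM users;                         -- ERROR: permission denied for table users

RESET ROLE;
```

The prepared statement handles the injection case the answer warns about: with the parameter bound, `bob' OR '1'='1` is compared as a literal string and matches nothing. The column-level grant is the layer that still matters when that first line of defence fails somewhere else in the application, because a leaked raw query running as app_reader cannot reach password_hash or modify the table at all. Connecting the handler as the table owner or as a superuser would make the second layer disappear.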
