AWS Custom Engine Versions for Amazon RDS Custom for Oracle – Sightseeing Tour Part 2/3 – Connectivity and what you get

This is the second part of the blog post series about AWS Custom Engine Versions for Amazon RDS Custom for Oracle. In this part we take a look at how to connect to the Oracle database host and to the database itself with a tool like Oracle SQL Developer. The blog post series:

Connect as Schema User

The username and the password for the SQL*Plus connect are the ones you entered as Master username and Master password during the CEV RDS instance creation process. The database endpoint is visible in the RDS instance details. The example shown assumes the client has network access to the database instance host, i.e. routing and security groups are set. Details on how to connect: Creating an Oracle DB instance and connecting to a database on an Oracle DB instance – Amazon Relational Database Service (amazonaws.com)

SQL*Plus Connect on Command Line as ADMIN

ADMIN has roles like dba and datapump_exp_full_database, so take care of this password.

Secrets Manager

During the RDS CEV instance creation process there is no option to add an SSH key. The only password you can set is the Master Password of the database instance, for a first connect. From our first blog post we know that the EC2 instance name is db-Q6ELCPBQUYBZXZSLTVTFZWZJLM. The second part of this string can be used as a filter in Secrets Manager.

Two secrets are listed:

do-not-delete-rds-custom-ssh-privatekey-db-<db-random-id>-<random-id> – private SSH key for EC2 instance access as user ec2-user
do-not-delete-rds-custom-db-<db-random-id>-<random-id> – password for the Oracle database connect as user RDSADMIN (highly privileged)


To get the values, select the secret and press the Release secret value button. The example shows the password for the Oracle RDSADMIN user; for the SSH user you get the private SSH key.
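As an added example (not code from the original post), the same lookup done with boto3: it finds the two secrets whose names carry the instance's db-<db-random-id>, retrieves the RDSADMIN password and the ec2-user private key, and writes the key to a file with mode 0600. It assumes boto3 and AWS credentials are available for a real run; whether the database secret is a bare password or JSON with a "password" key is an assumption, and both are handled.

```python
import json
import os
import stat

# Secret name prefixes as listed above; "db-<db-random-id>-<random-id>" follows each prefix.
SSH_PREFIX = "do-not-delete-rds-custom-ssh-privatekey-"
DB_PREFIX = "do-not-delete-rds-custom-db-"

def classify_secret(name, db_resource_id):
    """Return 'ssh' or 'db' if the secret belongs to db_resource_id, else None."""
    if db_resource_id in name:
        for kind, prefix in (("ssh", SSH_PREFIX), ("db", DB_PREFIX)):
            if name.startswith(prefix):
                return kind
    return None

def extract_password(secret_string):
    """Assumption: the DB secret is either the bare password or JSON with a 'password' key."""
    try:
        doc = json.loads(secret_string)
    except ValueError:
        return secret_string
    return doc["password"] if isinstance(doc, dict) and "password" in doc else secret_string

def fetch_rds_custom_secrets(client, db_resource_id):
    """Return {'ssh': <ec2-user private key>, 'db': <RDSADMIN password>} for one instance."""
    found = {}
    # Server-side name filter narrows the listing to RDS Custom secrets; the instance id is matched locally.
    pages = client.get_paginator("list_secrets").paginate(
        Filters=[{"Key": "name", "Values": ["do-not-delete-rds-custom-"]}])
    for page in pages:
        for entry in page["SecretList"]:
            kind = classify_secret(entry["Name"], db_resource_id)
            if kind is None:
                continue
            value = client.get_secret_value(SecretId=entry["ARN"])["SecretString"]
            found[kind] = extract_password(value) if kind == "db" else value
    return found

def write_private_key(pem, path):
    """Create the key file with mode 0600 so ssh accepts it and other OS users cannot read it."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, stat.S_IRUSR | stat.S_IWUSR)
    with os.fdopen(fd, "w") as fh:
        fh.write(pem if pem.endswith("\n") else pem + "\n")
    return stat.S_IMODE(os.stat(path).st_mode)

if __name__ == "__main__":
    import boto3  # only needed for a real run against AWS
    secrets = fetch_rds_custom_secrets(boto3.client("secretsmanager"), "db-Q6ELCPBQUYBZXZSLTVTFZWZJLM")
    write_private_key(secrets["ssh"], "rds-custom-ec2-user.pem")  # password stays in memory, never printed
```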

SQL*Plus Connect on Command Line as RDSADMIN

SSH Access to the Oracle host as ec2-user, switch to rdsdb and log in AS SYSDBA

What you get

Login and db* DBBASENV Output


Architecture

Even with 19c you get a single-instance database; the Multitenant option is not enabled.

Characterset

The character set is US7ASCII – I have not seen or found a way to change it during the CEV instance creation process.

Redo Log Files

Four redo log groups, each with only one member – no mirroring.

Control File

One file only.

Block Devices

File System

Oracle binaries are on mount point /rdsdbbin; the control file, data files, ADR logs etc. are on /rdsdbdata.

File Owner

The owner of the Oracle-related files is the OS user rdsdb.

Parameters

The database parameters are based on the AWS default.custom-oracle-ee-19 parameter group and cannot be changed in the AWS console.


Backup

AWS uses the general RDS backup mechanism based on disk snapshots, which is visible in the database alert log. There is no RMAN information about database backups in the control file.

OS Release

Oracle Database Security Assessment

I did a quick run with DBSAT after the initial setup. Here is the overview of the findings. There are no high risks. If you are interested in the details, the HTML file is in my GitHub repository https://github.com/martinberger-ch/aws-cev-oracle.git.

Summary Part 2/3

Connecting as a privileged database user like ADMIN, which was defined during the CEV instance creation process, is very easy. For all other connections you have to go through Secrets Manager and release the password or SSH key. It is 2022, and AWS still creates single instances. C’mon guys, we want to have multi-tenancy in place. Creating a snapshot instead of an RMAN backup is the well-known method for RDS. I am still searching for where to change the initial NLS character set. According to the AWS EBS documentation, storage is replicated inside the Availability Zone to prevent data loss. The storage is encrypted with a user-managed key. Good news from the database security front: DBSAT found no high risks.