Manage the security of your Amazon RDS for Oracle databases with Oracle Data Safe

October 9, 2023 | 4 minute read
Bettina Schaeumer
Senior Principal Product Manager
Text Size 100%:

We’re excited to announce that Oracle Data Safe service now delivers essential security services for Oracle databases running in Amazon Relational Database Service (RDS). With the addition of RDS support, Data Safe can help secure all Oracle Database deployments in Oracle Cloud Infrastructure (OCI), Oracle Cloud@Customer, third-party clouds like Microsoft Azure and Amazon Web Services (AWS), and on-premises.

Data security is one of the top concerns for business leaders due to compliance and never-ending security breaches. The security teams tasked with managing security for the Oracle databases face many challenges, including disparate standalone tools and proliferating databases on multiple clouds and on-premises. As a result, those databases can be vulnerable to more straightforward attacks. Oracle Data Safe provides customers with a solution that helps secure all of their Oracle databases, irrespective of where they are, whether they’re enterprise or standard edition, or if they’re running any of the currently supported releases of Oracle Database.

Data Safe helps you evaluate security controls, assess user security, and monitor user activity. It helps you address data security compliance requirements for your database by discovering sensitive data and masking sensitive data for nonproduction purposes. You can use Data Safe to spot gaps in security configurations, identify dormant user accounts, understand what sensitive information they store in their databases, protect sensitive data in test and development environments, and address audit data collection, retention, and reporting requirements.

Oracle Data Safe now supports Oracle Enterprise Edition and Oracle Standard Edition Two on RDS databases. With Data Safe support for Oracle Standard Edition databases, you can now access advanced security features such as data masking, previously available only to Enterprise Edition customers, helping you keep you data secure wherever it resides.

Data Safe helps secure all your Oracle databases in one place, eliminating the need to have multiple consoles or manage multiple instances. Oracle Data Safe has an easy-to-use cloud-based interface that requires no installation or maintenance.

Connect to Oracle Data Safe quickly and easily

You have two options for connecting your Oracle RDS database running in AWS to Oracle Data Safe.

Use private endpoints

If you already set up network connectivity between your Amazon RDS for Oracle databases and your OCI virtual cloud network (VCN), you can leverage that connection to register your database through a Data Safe private endpoint. The private endpoint represents the Oracle Data Safe service in your OCI VCN with a private IP address. The private endpoint must be able to call from your OCI VCN into the AWS VPC subnet for your target database.

Install a light-weight connector in an EC2 instance

Another easy way to register your database is through the Data Safe on-premises connector. You can install this connector on a Linux host in your AWS environment. The connector then establishes an encrypted TLS tunnel to Oracle Data Safe. You only need to deploy one connector to support multiple Oracle databases in your AWS tenancy.  

You can create the Data Safe private endpoint or the Data Safe on-premises connector before registering your database with Data Safe, or you can create them during registration.

Register your database with Oracle Data Safe

When you’ve decided which connectivity option to use, registering your database with Data Safe is easy with a dedicated registration guide:

A screenshot of the options for registering databases with Data Safe.
Figure 1: Database registration guides

During registration, you must provide a database account for Data Safe to use to connect to your database. We provide a SQL script that you can run to grant the Data Safe user the necessary roles and privileges. Select which privileges to grant depending on which Data Safe features you want to use. You can learn more in the following resources:

Grant roles to the Oracle Data Safe service account on your target database

A screenshot of the Register Amazon RDS for Oracle screen in the Oracle Cloud Console.
Figure 2: Amazon RDS target registration wizard

Then, use the following steps:

  1. Provide your database's target information, including the service name, the IP address and port number, and the Data Safe service account credentials you created on your database.
  2. Connectivity option: Select whether you want to connect through a Data Safe private endpoint or a Data Safe on-premises connector. You can enter an existing private endpoint or connector you created previously or have one created.
  3. Security rules: When using a Data Safe private endpoint, you must allow outgoing communication from the private endpoint within the VCN. The process can create the necessary egress rule for you. You also need to allow incoming communication for your database on AWS.

You can find detailed step-by-step instructions in the Data Safe admin guide, Register an Amazon RDS for Oracle database.

Your target database is now ready for Data Safe. Get started by reviewing the security and user assessment reports automatically scheduled during the registration. You can find them in the Data Safe Security Center under Security Assessment and User Assessment.

A screenshot of the Security assessment page in the Security Center with the risk details expanded.
Figure 3: Security assessments in Data Safe

Take the next step

To learn more about Data Safe, view this short introductory video. For a hands-on tour, visit our Data Safe tutorials on Oracle LiveLabs. You can also try Data Safe with your own databases or an Oracle Autonomous Database 30-day free trial.

Bettina Schaeumer

Senior Principal Product Manager

Bettina Schaeumer is a Senior Principal Product Manager for Database Security, responsible for Oracle Data Safe. Bettina is based in the Bay Area, California. She has more than twenty years of experience in product and solution management, go-to-market strategies, sales operations, sales enablement, program management and consulting for major software companies. While covering a variety of solutions in enterprise software, business networks, business analytics, internet of things,
technology and database systems throughout her career, she is focusing on databases and database security in the past few years.

Previous Post

How to configure Oracle Database API for MongoDB for Autonomous Databases with private endpoint

Hermann Baer | 12 min read

Next Post

Enhanced Resource Usage Tracking in Oracle Autonomous Database on Dedicated Exadata Infrastructure and Cloud@Customer