How can I expose an Amazon RDS database as read only to other partners who access through home broadband?

Question

In one of our projects we have hosted our web application on an Amazon Linux AMI instance and it relies on a Amazon RDS MySQL instance as DB server.

One of our client's developer wants to have access to the DB to query the tables and its contents. We do not want to provide an access with which he should be able to change any table contents (inadvertently). We are looking something like PHPMyadmin or SQLWorkbench access, but only in read-only mode.

Adding complexity he works from home and have a broadband with dynamic IP. Hence it seems we cannot grant IP based access as well.

As an alternate idea, we thought of replicating the database on to another server and grant full access to that replicated one so that we can be safe and satisfy the need. But this involves additional cost and the changes will not be replicated immediately.

Any ideas to expose the existing RDS as read-only will be a great advantage and is highly appreciated.

Answer 1

Presumably your connection is secured so only your office IP can access the database.

With that in mind a secure VPN tunnel that only directs out to the database area would provide security from them accessing any other systems

And from the database perspective his access rights should be secured down to read-only which will prevent him from modifying anything.

See http://dev.mysql.com/doc/mysql-security-excerpt/5.6/en/adding-users.html for more details on creating users, note the GRANT command, GRANT SELECT will allow them select access, so they cannot update, delete, insert or perform any other such actions.

See http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAM.html for more details on RDS authentication if that is required

As for VPN that depends on the infrastructure you have setup, speak to your IT Admins about this