Amazon RDS & Aurora
Exam focus: RDS appears in DVA-C02 mostly in connection management, security (IAM auth, encryption), and scaling scenarios. DynamoDB is tested far more, but know these RDS patterns.
RDS Key Featuresโ
| Feature | Description |
|---|---|
| Managed | AWS handles patching, backups, failover |
| Engines | MySQL, PostgreSQL, MariaDB, Oracle, SQL Server, Db2 |
| Multi-AZ | Standby replica in another AZ โ automatic failover |
| Read Replicas | Up to 15 read replicas โ scale reads, cross-region possible |
| Automated backups | Daily snapshot + transaction logs โ point-in-time restore |
| Encryption | KMS at rest, TLS in transit |
Multi-AZ vs Read Replicasโ
| Feature | Multi-AZ | Read Replica |
|---|---|---|
| Purpose | High availability / DR | Read scalability |
| Sync | Synchronous replication | Asynchronous replication |
| Failover | โ Automatic (1โ2 min DNS update) | โ No automatic failover |
| Traffic | Standby not accessible | โ Can read from replica |
| Cross-region | โ Same region | โ Cross-region possible |
| Cost | 2ร instance cost | Additional instance |
"High availability" โ Multi-AZ "Scale read traffic" โ Read Replica "DR across regions" โ Cross-region Read Replica They serve different purposes โ you can use both simultaneously.
Auroraโ
Aurora is AWS's cloud-native relational database โ up to 5ร faster than MySQL, 3ร faster than PostgreSQL.
Aurora Architectureโ
Aurora Cluster Endpoint (writer)
โโโ Primary Instance (writer)
โโโ Aurora Replica 1 (reader) โโโ Reader Endpoint
โโโ Aurora Replica 2 (reader)
โโโ Aurora Replica 3 (reader)
Shared distributed storage (6 copies across 3 AZs, auto-replicates)
Storage auto-grows: 10GB โ up to 128TB
Aurora vs RDSโ
| Feature | Aurora | RDS |
|---|---|---|
| Storage | Auto-grows, 6 copies across 3 AZs | Fixed EBS, 2 copies in 1 AZ |
| Replicas | Up to 15 | Up to 15 |
| Failover | < 30 seconds | 1โ2 minutes |
| Backtrack | โ Rewind without restore | โ |
| Global Database | โ Cross-region < 1s replication | โ (only cross-region Read Replica) |
| Cost | ~20% more than RDS | Baseline |
Aurora Serverless v2โ
- Automatically scales compute up/down in fine-grained increments
- Capacity in ACUs (Aurora Capacity Units)
- Scale to zero (v1 only โ v2 has a minimum ACU)
- Perfect for variable/unpredictable workloads
RDS Proxyโ
Problem: Lambda functions create a new DB connection on every invocation โ connection pool exhaustion.
Without RDS Proxy:
Lambda (1000 concurrent) โ 1000 DB connections โ DB overwhelmed
With RDS Proxy:
Lambda (1000 concurrent) โ RDS Proxy (pool: 20-100 connections) โ DB
(multiplexes + queues connections)
Benefitsโ
- Connection pooling โ fewer DB connections
- IAM authentication passthrough
- Automatic failover routing (stays connected during Multi-AZ failover)
- Reduced Lambda cold start time (no connection re-establishment)
// Spring Boot with RDS Proxy โ same JDBC URL, just different endpoint
spring:
datasource:
url: jdbc:postgresql://my-proxy.proxy-xyz.us-east-1.rds.amazonaws.com:5432/mydb
username: ${RDS_USERNAME}
password: ${RDS_PASSWORD} # Or use IAM auth token
IAM Database Authenticationโ
Skip the password โ use an IAM auth token (15-minute TTL):
RdsUtilities rdsUtilities = RdsUtilities.builder()
.region(Region.US_EAST_1)
.build();
String authToken = rdsUtilities.generateAuthenticationToken(builder -> builder
.credentialsProvider(DefaultCredentialsProvider.create())
.hostname("mydb.xyz.us-east-1.rds.amazonaws.com")
.port(5432)
.username("iam_user"));
// Use authToken as the JDBC password โ valid for 15 minutes
Properties props = new Properties();
props.setProperty("user", "iam_user");
props.setProperty("password", authToken);
props.setProperty("ssl", "true");
Connection conn = DriverManager.getConnection(jdbcUrl, props);
Requirements: SSL must be enabled, IAM role needs rds-db:connect permission.
Encryptionโ
| State | Method |
|---|---|
| At rest | KMS CMK (set at creation time โ cannot change on live DB) |
| In transit | SSL/TLS (enforce via parameter group or connection string) |
| Encrypted snapshots | Can copy to another region + re-encrypt with different key |
You cannot encrypt an existing unencrypted RDS instance directly. Workaround: create encrypted snapshot โ restore to new encrypted instance.
Spring Boot Data Source Configurationโ
# application.yml
spring:
datasource:
url: jdbc:postgresql://${DB_HOST}:5432/${DB_NAME}
username: ${DB_USER}
password: ${DB_PASSWORD} # From Secrets Manager
hikari:
minimum-idle: 2
maximum-pool-size: 10
connection-timeout: 30000
jpa:
hibernate:
ddl-auto: validate # Never 'create' or 'update' in prod
show-sql: false
properties:
hibernate.dialect: org.hibernate.dialect.PostgreSQLDialect
Lambda functions are short-lived โ a pool size of 10 means each Lambda execution environment holds up to 10 connections. High concurrency leads to connection exhaustion. Use RDS Proxy to queue and multiplex connections. For general pool tuning rules, see Database Connection Pooling.
Parameter Groupsโ
Customize DB engine settings:
Parameter Group: my-postgres-params
max_connections = 100
shared_buffers = 256MB
log_min_duration_statement = 1000 # Log queries > 1s
๐งช Practice Questionsโ
Q1. A Lambda function connects to RDS PostgreSQL. Under high load (500 concurrent executions), the DB is getting too many connections errors. What is the MOST effective solution with the least code changes?
A) Increase RDS instance size
B) Use DynamoDB instead
C) Add an RDS Proxy between Lambda and RDS
D) Reduce Lambda concurrency to 50
โ Answer & Explanation
C โ RDS Proxy pools and multiplexes thousands of Lambda connections into a manageable number of actual DB connections. No code changes needed โ just update the connection string to the proxy endpoint.
Q2. A production RDS MySQL database needs to handle increased read traffic without affecting the writer. What should the developer provision?
A) Multi-AZ standby
B) A Read Replica and update app to route SELECTs to the replica endpoint
C) Increase DB instance size
D) Enable Aurora Serverless
โ Answer & Explanation
B โ Read Replicas serve read traffic. Multi-AZ standby is for failover only โ it doesn't serve traffic. The application must explicitly connect to the replica endpoint for reads (or Aurora reader endpoint handles this automatically).
Q3. A team needs to connect a Lambda function to RDS without storing database credentials anywhere. Which approach should they use?
A) Store credentials in Lambda environment variables
B) Store credentials in Secrets Manager and fetch at init time
C) IAM database authentication โ generate a temporary auth token at connection time
D) Use hardcoded credentials in the JAR
โ Answer & Explanation
C โ IAM database authentication generates a short-lived (15-minute) auth token from the Lambda's IAM role โ no passwords stored anywhere. Combine with RDS Proxy for connection pooling.
(B is also a valid and common approach, but C is "no credentials stored anywhere".)
Q4. A developer wants to encrypt an existing unencrypted RDS instance. What is the correct procedure?
A) Enable encryption in the RDS console settings
B) Create an encrypted Read Replica
C) Take a snapshot โ copy snapshot with encryption enabled โ restore to new instance
D) Run ALTER DATABASE ENCRYPT
โ Answer & Explanation
C โ You cannot encrypt a running RDS instance directly. The procedure is: create snapshot โ copy snapshot (enable encryption) โ restore from encrypted snapshot to a new instance โ update connection strings.