Oracle considers cloud security its highest priority. The following security features help keep your data safe and secure.

• Database access control and account management

  MySQL provides security features to control access and manage your account. See Access Control and Account Management.

• Connection Control

  HeatWave on AWS supports a plugin library that enables Administrators to introduce an increasing delay in server response to connection attempts after a configurable number of consecutive failed attempts. This capability provides a deterrent that slows down brute force attacks against MySQL user accounts. The default connection control settings, which cannot be modified, are as follows:

  • connection_control_failed_connections_threshold

  • connection_control_max_connection_delay

  • connection_control_min_connection_delay

  See The Connection-Control Plugins.

• Encryption at rest

  Your data is always encrypted at rest. HeatWave on AWS uses Amazon EBS encryption. Boot volumes are encrypted on MySQL DB System and HeatWave nodes, and the database volume is encrypted on the MySQL DB System. For information about EBS encryption, see Amazon EBS Encryption, in the Amazon EC2 User Guide for Linux Instances.

• Encryption in transit

  Your data is always encrypted while in transit. HeatWave on AWS supports TLSv1.2 and requires that all MySQL client and application connections are encrypted. For added security, download a signed certificate bundle to enable host name identity verification for connecting clients and applications. For more information, see Enabling Host Name Identity Verification.

• MySQL Enterprise Data Masking and De-Identification

  Use data masking and de-identification to protect your sensitive data. HeatWave on AWS supports various MySQL data masking functions that mask data to remove identifying characteristics and generate random data with specific characteristics. The following data masking functions are supported:

  • gen_range()

  • gen_rnd_email()

  • gen_rnd_ssn()

  • gen_rnd_us_phone()

  • mask_inner()

  • mask_outer()

  • mask_pan()

  • mask_pan_relaxed()

  • mask_ssn()

  For more information, see MySQL Enterprise Data Masking and De-Identification.

• Password Validation

  HeatWave on AWS enforces strong passwords with the validate_password component, serves to improve security by requiring account passwords and enabling strength testing of potential passwords. The default value of the variables of the validate_password component are as follows, and you cannot change the default values:

  • validate_password.check_user_name

  • validate_password.length

  • validate_password.mixed_case_count

  • validate_password.number_count

  • validate_password.policy

  • validate_password.special_char_count

  Make sure your applications comply with the password requirements. For more information, see The Password Validation Component.

• MySQL Enterprise Firewall

  MySQL Enterprise Firewall enables database Administrators to permit or deny SQL statement execution based on matching against lists of accepted statement patterns. This helps harden MySQL against attacks such as SQL injection or attempts to exploit applications by using them outside of their legitimate query workload characteristics. For more information, see MySQL Enterprise Firewall.