Database access control and account management

MySQL provides security features to control access and manage your account. See Access Control and Account Management.

Connection Control

MySQL HeatWave on AWS supports a plugin library that enables Administrators to introduce an increasing delay in server response to connection attempts after a configurable number of consecutive failed attempts. This capability provides a deterrent that slows down brute force attacks against MySQL user accounts. The default connection control settings, which cannot be modified, are as follows:

See The Connection-Control Plugins.

Encryption at rest

Your data is always encrypted at rest. MySQL HeatWave on AWS uses Amazon EBS encryption. Boot volumes are encrypted on MySQL DB System and HeatWave nodes, and the database volume is encrypted on the MySQL DB System. For information about EBS encryption, see Amazon EBS Encryption, in the Amazon EC2 User Guide for Linux Instances.

Encryption in transit

Your data is always encrypted while in transit. MySQL HeatWave on AWS supports TLSv1.2 and requires that all MySQL client and application connections are encrypted. For added security, download a signed certificate bundle to enable host name identity verification for connecting clients and applications. For more information, see Section 5.4, “Enabling Host Name Identity Verification”.

MySQL Enterprise Data Masking and De-Identification

Use data masking and de-identification to protect your sensitive data. MySQL HeatWave on AWS supports various MySQL data masking functions that mask data to remove identifying characteristics and generate random data with specific characteristics. The following data masking functions are supported:

For more information, see MySQL Enterprise Data Masking and De-Identification.

Password Validation

MySQL HeatWave on AWS enforces strong passwords with the validate_password component, serves to improve security by requiring account passwords and enabling strength testing of potential passwords. The default value of the variables of the validate_password component are as follows, and you cannot change the default values:

Make sure your applications comply with the password requirements. For more information, see The Password Validation Component.

MySQL Enterprise Firewall

MySQL Enterprise Firewall enables database Administrators to permit or deny SQL statement execution based on matching against lists of accepted statement patterns. This helps harden MySQL against attacks such as SQL injection or attempts to exploit applications by using them outside of their legitimate query workload characteristics. For more information, see MySQL Enterprise Firewall.