[bpicolo]

It does not take that much time or effort to set up useful subnet/vpc security in AWS. Put the database in your VPC, say only your application vpc can talk to it. Done.

Reasonably good security practices are not that much effort, and really it's a case for respecting your users for the most part.

The security trust game is starting to blow up. Yahoo just lost $250million dollars to it.

[g0del_was_wr0ng]

I think y0ghur7_xxx was talking about a usecase where you want to talk to the backend datastore from an application running outside of your datacenter in an untrusted environment (like an iOS/Android app, or a JS web frontend).

In this case, one can make the argument that a custom proxy layer, running in your DC (that proxies between the database and your actual frontend app) should not be necessary if the database offers sufficient per-connection ACLs and is secure.

That's a big if though.

[y0ghur7_xxx]

Sorry, when I said "if you can do without it", with "it" I meant the application access layer, not the vpc.