|
|
|
|
|
|
by sakopov
1058 days ago
|
|
|
Doesn't matter. The database still is on a public subnet on customer's network. All it takes is for someone to jack up some kind of white list or access rule and the entire database is exposed. It's an attack vector. You can't do this nearly as easily when the database is in a private subnet w/ no access to internet. |
|
|
The top thing that comes to mind is creating a separate ‘read replica’ DB that logically replicates target table(s) from the source DB, creates a materialized view with a subset of the replicated data in the replica db, and then exposes only the materialized view to a specific 3rd party user.
That way you:
1) Run your primary db in a private subnet — addressing your concern with ip whitelisting
2) Run the replica in a public subnet with extremely limited access(ip-whitelisting and limited access controls to data).
This is definitely a more complex setup to reason about and creates more moving parts that can fall out of sync, but it does greatly decrease the blast radius of a breach, and for some orgs, that may be a worthwhile trade-off. In my opinion, the OP would probably benefit from some basic security walkthroughs on these different implementations to help engineering teams get onboarded/make a better case for their solution if they hit friction with legal or security teams.