Database security basics

Topic: Databases core

Summary

Harden database access: least-privilege users, network restriction, encryption in transit and at rest, and audit logging. Use this when deploying a new database or when reviewing security for an existing PostgreSQL or MySQL instance.

Intent: How-to

Quick answer

  • Users: create dedicated users per app with only required privileges (SELECT, INSERT, etc.). No shared root or superuser for apps. Store passwords in a secret manager; rotate on schedule or after compromise.
  • Network: bind to a private IP; allow only app and admin networks through the firewall. Use TLS for client connections (ssl=on in PostgreSQL; require_secure_transport=ON in MySQL). Restrict pg_hba.conf entries (PostgreSQL) or the user's host part (MySQL) to specific IPs.
  • Audit: enable query logging or an audit plugin for sensitive DBs; log failed logins. Encrypt data at rest (disk or DB-level); patch regularly. Restrict access to backups and encrypt them.

Prerequisites

Steps

  1. Least privilege

    One user per application; grant only required privileges (e.g. SELECT, INSERT, UPDATE on specific tables). No SUPERUSER or ALL PRIVILEGES for app users. Use roles for groups if needed.

  2. Network and TLS

    Bind to an internal IP; allow only app and admin networks through the firewall. Enable SSL: in PostgreSQL set ssl=on and install certs; in MySQL set require_secure_transport=ON and install certs. Restrict client IPs in pg_hba.conf (PostgreSQL) or in the user's host part (MySQL).

  3. Passwords and rotation

    Strong passwords; store in vault. Rotate on schedule; use rotation procedure that updates app and DB without downtime. Revoke and drop users when no longer needed.

  4. Audit and encrypt

    Enable audit or query log for sensitive data; log failed logins. Encrypt data at rest (LUKS, DB encryption, or cloud-managed). Patch OS and DB; restrict backup access.

Summary

Apply least privilege, network restriction, TLS, and password management; enable audit and encryption where required. Use this to harden database access and meet security requirements.

Prerequisites

Steps

Step 1: Least privilege

One user per app with minimal privileges; no superuser for apps.

Step 2: Network and TLS

Bind to private IP; allow only required clients; enable TLS for connections.

Step 3: Passwords and rotation

Strong passwords in a vault; rotate without downtime; revoke when users are offboarded.

Step 4: Audit and encrypt

Log access and failures; encrypt at rest; patch and restrict backup access.

Verification

  • Users have minimal privileges; only allowed IPs can connect; TLS is used; audit and encryption are in place.
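
One way to check the network and TLS items for PostgreSQL is to audit pg_hba.conf for rules that accept non-TLS connections, overly broad client addresses, or weak auth methods. This is an added example, not part of the original page: the sample file, role and database names, and the MAX_ADDRESSES threshold are constructed assumptions, and the parser assumes unquoted fields.

```python
import ipaddress

# Constructed sample pg_hba.conf: databases, roles and addresses are made up.
SAMPLE_PG_HBA = """\
# TYPE     DATABASE  USER     ADDRESS       METHOD
local      all       postgres               peer
hostssl    appdb     app_rw   10.0.1.15/32  scram-sha-256
host       appdb     app_ro   10.0.1.0/24   scram-sha-256
hostssl    all       all      0.0.0.0/0     scram-sha-256
host       reports   report   10.0.2.7 255.255.255.255 trust
hostnossl  all       all      all           reject
"""

PLAINTEXT_TYPES = {"host", "hostnossl", "hostnogssenc"}  # can match non-TLS TCP
TCP_TYPES = PLAINTEXT_TYPES | {"hostssl", "hostgssenc"}
WEAK_METHODS = {"trust": "no authentication", "password": "cleartext password"}
MAX_ADDRESSES = 256  # assumed policy: anything wider than an IPv4 /24 is too broad


def audit_pg_hba(text):
    """Return (line_number, issue) pairs, in file order, for over-permissive TCP rules."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()  # assumes no quoted '#' or spaces
        if len(fields) < 5 or fields[0] not in TCP_TYPES:
            continue  # blank line, comment, local socket or include directive
        conn_type, address, method = fields[0], fields[3], fields[4]
        try:  # ADDRESS is either CIDR or an IP followed by a netmask column
            if "/" not in address and len(fields) > 5:
                ipaddress.ip_address(fields[4])  # raises if column 5 is a method
                address, method = f"{address}/{fields[4]}", fields[5]
            network = ipaddress.ip_network(address, strict=False)
        except ValueError:
            network = None  # keyword (all, samenet, ...) or host name
        if method == "reject":
            continue  # deny rules cannot grant access
        if conn_type in PLAINTEXT_TYPES:
            findings.append((lineno, f"{conn_type} rule accepts non-TLS connections"))
        if address == "all" or (network is not None and network.num_addresses > MAX_ADDRESSES):
            findings.append((lineno, f"address {address} is too broad"))
        if method in WEAK_METHODS:
            findings.append((lineno, f"method {method}: {WEAK_METHODS[method]}"))
    return findings


if __name__ == "__main__":
    for lineno, issue in audit_pg_hba(SAMPLE_PG_HBA):
        print(f"pg_hba.conf line {lineno}: {issue}")
```

Host names and the samehost/samenet keywords are not evaluated for breadth; review those entries by hand.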

Troubleshooting

  • App needs more privileges: grant the specific privilege, not SUPERUSER.
  • TLS errors: verify certs and client support; check the client's SSL mode setting (sslmode for PostgreSQL, --ssl-mode for MySQL) and the server's require_secure_transport.
