Amazon Relational Database Service Documentation

Amazon Relational Database Service (Amazon RDS) enables you to set up, operate, and scale a databases in the cloud.

Amazon RDS is a managed relational database service that provides you seven familiar database engines to choose from, including Amazon Aurora MySQL-Compatible Edition, Amazon Aurora PostgreSQL-Compatible Edition, MySQL, MariaDB, PostgresSQL, Oracle, and Microsoft SQL Server. This means that the code, applications, and tools you already use today with your existing databases can be used with Amazon RDS. Amazon RDS is designed to handle routine database tasks such as provisioning, patching, backup, recovery, failure detection, and repair.

Amazon RDS is designed to make it easier to use replication to enhance availability and reliability for production workloads. Using the Multi-AZ deployment option, you can run mission-critical workloads with high availability and built-in automated fail-over from your primary database to a synchronously replicated secondary database. Using Read Replicas, you can scale out beyond the capacity of a single database deployment for read-heavy database workloads.

You can use the AWS Management Console, the Amazon RDS Command Line Interface, or simple API calls to access the capabilities of a production-ready relational database in minutes.

Amazon RDS database instances are pre-configured with parameters and settings appropriate for the engine and class you have selected. You can launch a database instance and connect your application within minutes. DB Parameter Groups provide granular control and fine-tuning of your database.

Amazon RDS Blue/Green Deployments allow you to make safer, simpler, and faster database updates on Aurora MySQL-Compatible Edition, Amazon RDS for MySQL, and Amazon RDS for MariaDB. Blue/Green Deployments create a staging environment that mirrors the production environment and keeps the two environments in sync using logical replication. It is designed so you can make changes—such as major/minor version upgrades, schema modifications, and parameter setting changes—without impacting your production workload.

When promoting your staging environment, Blue/Green Deployments block writes to both the blue and green environments until switchover is complete. Blue/Green Deployments use built-in switchover guardrails that time out promotion if it exceeds your maximum tolerable downtime, detect replication errors, and check instance health. 

Amazon RDS is designed to make sure that the relational database software powering your deployment stays up-to-date with the latest patches. You can exert optional control over when and if your database instance is patched.

Amazon RDS is designed to provide best practice guidance by analyzing configuration and usage metrics from your database instances. Recommendations cover areas such as database engine versions, storage, instance types, and networking. You can browse the available recommendations and perform a recommended action immediately, schedule it for their next maintenance window, or dismiss it entirely.

Amazon RDS General Purpose Storage is an SSD-backed storage option that is designed to deliver a consistent baseline of 3 IOPS per provisioned GB and provides the ability to burst up above the baseline. This storage type is designed to be suitable for a broad range of database workloads.

Amazon RDS Provisioned IOPS Storage is an SSD-backed storage option that is designed to deliver fast, predictable, and consistent I/O performance. You specify an IOPS rate when creating a database instance, and Amazon RDS provisions that IOPS rate for the lifetime of the database instance. This storage type is optimized for I/O-intensive transactional (OLTP) database workloads. You can provision the number of IOPS per database instance, although your actual realized IOPS may vary based on your database workload, instance type, and database engine choice.

Amazon RDS Optimized Writes, built on top of the new AWS Nitro System Torn Write Prevention Feature, is designed to improve write transaction throughput by up to 2x in RDS for MySQL at no additional cost. Optimized Writes writes your 16KiB data pages in a single step.  

Amazon RDS Optimized Reads are designed to provide you with faster database performance with up to 2X faster query processing in Amazon RDS for MySQL and Amazon RDS for MariaDB at no additional cost. Optimized Reads help improve the speed of your complex queries that use temporary tables, such as queries that require sorts, hash aggregations, high-load joins, and Common Table Expressions (CTEs). Optimized Reads are designed to improve the speed of your queries by placing the temporary tables on your NVMe-based instance storage, which is physically connected to your host server.

You can scale the compute and memory resources powering your deployment up or down, up to a maximum of 32 vCPUs and 244 GiB of RAM. 

As your storage requirements grow, you can also provision additional storage. The Amazon Aurora engine will automatically grow the size of your database volume as your database storage needs grow, up to a maximum of 64 TB or a maximum you define. The MySQL, MariaDB, Oracle, and PostgreSQL engines allow you to scale up to 64 TB of storage and SQL Server supports up to 16 TB. Storage scaling is designed to be on-the-fly with zero downtime.

Read Replicas is designed to make it easier to elastically scale out beyond the capacity constraints of a single DB instance for read-heavy database workloads. You can create one or more replicas of a given source DB instance and serve high-volume application read traffic from multiple copies of your data, thereby increasing aggregate read throughput. Read replicas are available in Amazon RDS for MySQL, MariaDB, PostgreSQL, and Oracle as well as Amazon Aurora.

The automated backup feature of Amazon RDS enables point-in-time recovery for your database instance. Amazon RDS will backup your database and transaction logs and store both for a user-specified retention period. This allows you to restore your database instance to any second during your retention period, up to the last five minutes. Your automatic backup retention period can be configured to up to thirty-five days.

Database snapshots are user-initiated backups of your instance stored in Amazon S3 that are kept until you explicitly delete them. You can create a new instance from a database snapshots whenever you desire. 

Amazon RDS Multi-AZ deployments are designed to provide enhanced availability and durability for database instances, making them a natural fit for production database workloads. When you provision a Multi-AZ database instance, Amazon RDS synchronously replicates your data to a standby instance in a different Availability Zone (AZ).

Amazon RDS is designed to automatically replace the compute instance powering your deployment in the event of a hardware failure.

Amazon RDS allows you to encrypt your databases using keys you manage through AWS Key Management Service (KMS). On a database instance running with Amazon RDS encryption, data stored at rest in the underlying storage is encrypted, as are its automated backups, read replicas, and snapshots.

Amazon RDS supports Transparent Data Encryption in SQL Server and Oracle. Transparent Data Encryption in Oracle is integrated with AWS CloudHSM, which is designed to allow you to securely generate, store, and manage your cryptographic keys in single-tenant Hardware Security Module (HSM) appliances within the AWS cloud.

Amazon RDS supports the use of SSL to secure data in transit.

AWS recommends that you run your database instances in Amazon VPC, which allows you isolate your database in your own virtual network and connect to your on-premises IT infrastructure using industry-standard encrypted IPsec VPNs. You can configure firewall settings and control network access to your database instances.

Amazon RDS is integrated with AWS Identity and Access Management (IAM) and is designed to provide you the ability to control the actions that your AWS IAM users and groups can take on specific Amazon RDS resources, from database instances through snapshots, parameter groups, and option groups. You can also tag your Amazon RDS resources and control the actions that your IAM users and groups can take on groups of resources that have the same tag and associated value. For example, you can configure your IAM rules to ensure developers are able to modify "Development" database instances, but only Database Administrators can make changes to "Production" database instances.

Amazon RDS provides Amazon CloudWatch metrics for your database instances. You can use the RDS Management Console to view key operational metrics, including compute/memory/storage capacity utilization, I/O activity, and instance connections. Amazon RDS also provides Enhanced Monitoring, which provides access to CPU, memory, file system, and disk I/O metrics, and Performance Insights, a tool that helps you detect performance problems.

Amazon RDS can notify you via email or SMS text message of database events through Amazon SNS. You can use the AWS Management Console or the Amazon RDS APIs to subscribe to different database events associated with your database instances.

Amazon RDS integrates with AWS Config and is designed to support compliance and enhance security by recording and auditing changes to the configuration of your DB instance including parameter groups, subnet groups, snapshots, security groups and event subscriptions.

With Amazon RDS for PostgreSQL, you can use pgvector, and open-source PostgreSQL extension, to simply perform similarity searches. You can also store embeddings from machine learning (ML) and artificial intelligence (AI) models in your database. Read our documentation on how to store embeddings and perform similarity searches on Amazon RDS for PostgreSQL.

Trusted Language Extensions (TLE) for PostgreSQL is a development kit and open-source project that is designed to allow you to quickly build high performance extensions and safely run them on Amazon Aurora and Amazon RDS without needing AWS to certify code. Developers can use popular trusted languages—like JavaScript, PL/pgSQL, Perl, and SQL—to write extensions. TLE is designed to prevent access to unsafe resources and limit extension defects to a single database connection. TLE is designed to give DBAs fine-grained, online control over who can install extensions, and they can create a permissions model for running them.

Amazon RDS and Amazon Aurora provide a set of features designed to ensure that your data is securely stored and accessed. You can run your database in Amazon Virtual Private Cloud (VPC) for network-level isolation. You can use security groups to control what IP addresses or Amazon EC2 instances can connect to your databases. This built-in firewall is designed to prevent any database access except through rules you specify.

You can use AWS Identity and Access Management (IAM) policies to assign permissions that determine who is allowed to manage RDS resources. You can use the security features of your database engine to control who can log in to the databases, just as you do if the database was on your local network. You can also map database users to IAM roles for federated access.

You can use Secure Socket Layer / Transport Layer Security (SSL/TLS) connections to encrypt data in transit. You can encrypt your database storage and backups at rest using Amazon Key Management Service (KMS). You can monitor database activity and integrate with partner database security applications with Database Activity Streams.

Amazon RDS is designed to encrypt your databases using keys you manage with the AWS Key Management Service (KMS). On a database instance running with Amazon RDS encryption, data stored at rest in the underlying storage is encrypted, as are its automated backups, read replicas, and snapshots. RDS encryption uses the AES-256 encryption algorithm to encrypt your data on the server that hosts your RDS instance.

Amazon RDS also supports Transparent Data Encryption (TDE) for SQL Server (SQL Server Enterprise Edition) and Oracle (Oracle Advanced Security option in Oracle Enterprise Edition). With TDE, the database server automatically encrypts data before it is written to storage and automatically decrypts data when it is read from storage. Transparent Data Encryption in Oracle is integrated with AWS CloudHSM, which helps you to securely generate, store, and manage your cryptographic keys in single-tenant Hardware Security Module (HSM) appliances within the AWS cloud.

Amazon RDS is designed to provide best practice guidance by analyzing configuration and usage metrics from your database instances. Recommendations cover areas such as security, encryption, IAM and VPC. You can browse the available recommendations and perform a recommended action immediately, schedule it for their next maintenance window, or dismiss it entirely.

You can encrypt communications between your application and your DB Instance using SSL/TLS. Amazon RDS is designed to create an SSL certificate and installs the certificate on the DB instance when the instance is provisioned. For MySQL, you can launch the mysql client using the --ssl_ca parameter to reference the public key in order to encrypt connections. For SQL Server, you can download the public key and import the certificate into your Windows operating system. RDS for Oracle uses Oracle native network encryption with a DB instance. You can add the native network encryption option to an option group and associate that option group with the DB instance. Once an encrypted connection is established, the service is designed so that data transferred between the DB Instance and your application will be encrypted during transfer. You can also require your DB instance to only accept encrypted connections.

Amazon RDS is integrated with AWS Identity and Access Management (IAM) and is designed to provide you the ability to control the actions that your AWS IAM users and groups can take on specific resources (e.g., DB Instances, DB Snapshots, DB Parameter Groups, DB Event Subscriptions, DB Options Groups). In addition, you can tag your resources, and control the actions that your IAM users and groups can take on groups of resources that have the same tag (and tag value). 

You can also tag your Amazon RDS resources and control the actions that your IAM users and groups can take on groups of resources that have the same tag and associated value. For example, you can configure your IAM rules to ensure developers are able to modify "Development" database instances, but only Database Administrators can make changes to "Production" database instances.

When you first create a DB Instance within Amazon RDS, you will create a primary user account, which is used only within the context of Amazon RDS to control access to your DB Instance(s). The primary user account is a native database user account that allows you to log on to your DB Instance with all database privileges. You can specify the primary user name and password you want associated with each DB Instance when you create the DB Instance. Once you have created your DB Instance, you can connect to the database using the primary user credentials. Subsequently, you can create additional user accounts so that you can restrict who can access your DB Instance.

Using Amazon Virtual Private Cloud (VPC), you can isolate your DB Instances in your own virtual network, and connect to your existing IT infrastructure using encrypted IPSec VPN.

Amazon VPC is designed to enable you to isolate your DB Instances by specifying the IP range you wish to use, and connect to your existing IT infrastructure through encrypted IPsec VPN. Running Amazon RDS in a VPC enables you to have a DB instance within a private subnet. You can also set up a virtual private gateway that extends your corporate network into your VPC, and allows access to the RDS DB instance in that VPC. DB Instances deployed within an Amazon VPC can be accessed from the Internet or from Amazon EC2 Instances outside the VPC via VPN or bastion hosts that you can launch in your public subnet. To use a bastion host, you will need to set up a public subnet with an EC2 instance that acts as a SSH Bastion. This public subnet must have an Internet gateway and routing rules that allow traffic to be directed via the SSH host, which must then forward requests to the private IP address of your Amazon RDS DB instance. DB Security Groups can be used to help secure DB Instances within an Amazon VPC. In addition, network traffic entering and exiting each subnet can be allowed or denied via network ACLs. All network traffic entering or exiting your Amazon VPC via your IPsec VPN connection can be inspected by your on-premises security infrastructure, including network firewalls and intrusion detection systems.

Database Activity Streams, currently supported for Amazon Aurora and Amazon RDS for Oracle, is designed to provide a real-time data stream of the database activity in your relational database. When integrated with 3rd party database activity monitoring tools, you can monitor and audit database activity to provide safeguards for your database and meet compliance and regulatory requirements.

Database Activity Streams is designed to protect your database from internal threats by implementing a protection model that controls DBA access to the database activity stream, so that the collection, transmission, storage, and subsequent processing of the database activity stream is beyond the access of the DBAs that manage the database.

The stream is pushed to an Amazon Kinesis data stream that is created on behalf of your database. From Kinesis Data Firehose, the database activity stream can then be consumed by Amazon CloudWatch or by partner applications for compliance management. These partner applications can use the database activity stream information to generate alerts and provide auditing of all activity on your Amazon Aurora database.

Amazon RDS Performance Insights is a database performance tuning and monitoring feature that helps you assess the load on your database, and determine when and where to take action. Performance Insights is designed to allow non-experts to detect performance problems with an easy-to-understand dashboard that visualizes database load.

Performance Insights is designed to use lightweight data collection methods that don’t impact the performance of your applications, and makes it easier to see which SQL statements are causing the load, and why. It requires no configuration or maintenance, and is currently available for Amazon Aurora (PostgreSQL- and MySQL-compatible editions), Amazon RDS for PostgreSQL, MySQL, MariaDB, SQL Server and Oracle.

The Amazon Web Services API and SDK help to integrate Performance Insights into on-premises and third-party monitoring tools. If you need longer-term retention, you can choose to pay for up to two years of performance history retention.

Performance Insights is designed for both IT generalists and database experts. Instead of displaying multiple graphs that require manual correlation, it provides a simple interface that aggregates all core performance information into one chart.

When the load is high, you can identify the type of bottleneck such as high CPU consumption, lock waits or I/O latency, and see which SQL statements are creating the bottleneck.

Performance Insights is designed to help you monitor multiple database performance metrics without having to analyze numerous complex graphs. All the metrics are aggregated into one dashboard.

Whether your database performance problem is due to database configuration or application design issues, you can identify the bottleneck and see which SQL statements are contributing to it.

Performance Insights is designed to require no configuration or maintenance. You simply enable it on your RDS instance, and access it with one click in the RDS Management Console.

Performance Insights is designed to automatically collect all the necessary performance metrics and manages the resources needed to monitor your databases. Other than a lightweight data collection mechanism, all resources used for monitoring are separate from your database instance.

Amazon RDS Proxy is a managed, highly available database proxy for Amazon Relational Database Service (RDS) that is designed to make applications more scalable, more resilient to database failures, and more secure.

Many applications, including those built on modern serverless architectures, can have a large number of open connections to the database server, and may open and close database connections at a high rate, exhausting database memory and compute resources. Amazon RDS Proxy allows applications to pool and share connections established with the database, improving database efficiency and application scalability. With RDS Proxy, failover times for Aurora and RDS databases are reduced and database credentials, authentication, and access can be managed through integration with AWS Secrets Manager and AWS Identity and Access Management (IAM).

Your Amazon RDS Proxy instance maintains a pool of established connections to your RDS database instances, and is designed to reduce the stress on database compute and memory resources that typically occurs when new connections are established. RDS Proxy also shares infrequently used database connections, so that fewer connections access the RDS database. This connection pooling is designed to enable your database to efficiently support a large number and frequency of application connections so that your application can scale without compromising performance.

RDS Proxy helps minimize application disruption from outages affecting the availability of your database, by automatically connecting to a new database instance while preserving application connections. When failovers occur, RDS Proxy is designed to route requests directly to the new database instance. 

Amazon RDS Proxy is designed to give you additional control over data security by giving you the choice to enforce IAM authentication for database access and avoid hard coding database credentials into application code. RDS Proxy also enables you to centrally manage database credentials using AWS Secrets Manager.

A database proxy server helps handle additional load on your database. While traditional proxy servers allow applications to scale more effectively, they can be difficult to deploy, patch, and manage – consuming time and energy that could be better spent on developing great products. Amazon RDS Proxy is designed to give you the benefits of a database proxy without requiring additional burden of patching and managing your own proxy server. RDS Proxy is serverless and scales to accommodate your workload.

Amazon RDS Proxy is designed to be compatible with the protocols of supported database engines, so you can deploy RDS Proxy for your application without making changes to your application code. You can point your application connections to the proxy instead of the RDS database, and the rest is managed.

Amazon RDS Proxy is designed to be highly available and deployed over multiple Availability Zones (AZs) to protect you from infrastructure failure. Each AZ runs on its own physically distinct, independent infrastructure, and is engineered to be highly reliable. In the event of an infrastructure failure, the RDS Proxy is designed so that endpoint remains online and consistent allowing your application to continue to run database operations.

Amazon RDS Proxy sits between your application and your relational database to efficiently manage connections to the database and improve scalability of the application.

Amazon Relational Database Service (Amazon RDS) on AWS Outposts allows you to deploy managed database instances in your on-premises environments. AWS Outposts is a managed service that extends AWS infrastructure, AWS services, APIs, and tools to virtually any datacenter, co-location space, or on-premises facility for a truly consistent hybrid experience. You can deploy Amazon RDS on Outposts to set up, operate, and scale Microsoft SQL Server, MySQL and PostgreSQL relational databases on premises, just as you would in the cloud. Amazon RDS on Outposts provides cost-efficient and resizable capacity for on-premises databases, while automating time-consuming administration tasks including infrastructure provisioning, database setup, patching, and backups, freeing you to focus on your applications.

When you deploy Amazon RDS on Outposts, you can run RDS on premises for lower latency workloads that need to be run in close proximity to your on-premises data and applications. Amazon RDS on Outposts is also designed to enable automatic backup to an AWS Region. You can manage RDS databases both in the cloud and on premises using the same AWS Management Console, APIs, and CLI. Amazon RDS on Outposts supports Microsoft SQL Server, MySQL and PostgreSQL database engines.

Amazon RDS on Outposts is designed to enable you to provision and operate relational databases on premises, including for low latency workloads that need to remain close to on-premises data and applications. RDS on Outposts automates administrative functions for on-premises databases, including provisioning, operating system and database patching, backup, point-in-time restore, compute scaling, instance health monitoring, and failover.

Amazon RDS on Outposts is designed to scale compute and memory of your on-premises databases with just a few clicks in the console, using the command line interface (CLI), or API calls. When using RDS on Outposts, you can fine tune your database performance which provides actionable insights on database performance health.

Amazon RDS on Outposts is designed to monitor to detect unhealthy database instances and is designed to automatically recover them using the same storage volume, ensuring availability protection for your on-premises databases. RDS on Outposts allows you to automatically back up your on-premises databases, supports point-in-time restore, and offers automated backup retention periods per database. Amazon RDS Multi-AZ on AWS Outposts is designed to enhance availability by deploying a standby instance on a second Outpost and use synchronous replication technologies to keep data on your standby database instance up to date with the primary.

You can manage RDS databases both in the cloud and on Outposts using the same AWS Management Console, APIs, and CLI. You can manage a hybrid cloud database fleet with the unified RDS interface.

AWS Outposts lets you run Amazon RDS in your on-premises or co-location site. You can deploy and scale an RDS database instance in Outposts just as you do in the cloud, using the AWS console, APIs, or CLI. RDS databases in Outposts are encrypted at rest using AWS KMS keys. RDS is designed to automatically store all automatic backups and manual snapshots in the AWS Region.

Amazon RDS Read Replicas are designed to provide enhanced performance and durability for RDS database (DB) instances. They are designed to allow you to elastically scale out beyond the capacity constraints of a single DB instance for read-heavy database workloads. You can create one or more replicas of a given source DB Instance and serve high-volume application read traffic from multiple copies of your data, thereby increasing aggregate read throughput. Read replicas can also be promoted when needed to become standalone DB instances. Read replicas are available in Amazon RDS for MySQL, MariaDB, PostgreSQL, Oracle, and SQL Server as well as Amazon Aurora.

For the MySQL, MariaDB, PostgreSQL, Oracle, and SQL Server database engines, Amazon RDS creates a second DB instance using a snapshot of the source DB instance. It then uses the engines' native asynchronous replication to update the read replica whenever there is a change to the source DB instance. The read replica is designed to operate as a DB instance that allows only read-only connections; applications can connect to a read replica just as they would to any DB instance. Amazon RDS is designed to replicate all databases in the source DB instance.

Amazon Aurora is designed to further extend the benefits of read replicas by employing an SSD-backed virtualized storage layer purpose-built for database workloads. Amazon Aurora replicas share the same underlying storage as the source instance, lowering costs and avoiding the need to copy data to the replica nodes. 

You can reduce the load on your source DB instance by routing read queries from your applications to the read replica. Read replicas are designed to allow you to elastically scale out beyond the capacity constraints of a single DB instance for read-heavy database workloads. Because read replicas can be promoted to master status, they can be used as part of a sharding implementation.

Amazon RDS for MySQL allows you to add table indexes directly to Read Replicas, without those indexes being present on the master.

Read replicas in Amazon RDS for MySQL, MariaDB, PostgreSQL, Oracle, and SQL Server can provide a complementary availability mechanism to Amazon RDS Multi-AZ Deployments. You can promote a read replica if the source DB instance fails, and you can set up a read replica with its own standby instance in different AZ. This functionality is designed to complement the synchronous replication, automatic failure detection, and failover provided with Multi-AZ deployments.

When you create a read replica for Amazon RDS for MySQL, MariaDB, PostgreSQL, Oracle, and SQL Server, Amazon RDS is designed to set up a secure communications channel using public key encryption between the source DB instance and the read replica, even when replicating across regions. Amazon RDS is designed to establish AWS security configurations, such as adding security group entries, needed to enable the secure channel.

You can also create read replicas for your Amazon RDS for MySQL, MariaDB, PostgreSQL, Oracle, and SQL Server database instances encrypted at rest with AWS Key Management Service (KMS).

Using the AWS Management Console, you can add read replicas to existing DB Instances. Use the "Create Read Replica" option corresponding to your DB Instance in the AWS Management Console. Amazon RDS for MySQL, MariaDB, and PostgreSQL is designed to allow you to add up to 15 read replicas to each DB Instance. Amazon RDS for Oracle and SQL Server is designed to allow you to add up to 5 read replicas to each DB Instance.

Amazon RDS for MySQL, MariaDB, PostgreSQL, and Oracle offer you two SSD-based choices for database storage: General Purpose and Provisioned IOPS. Read replicas for these engines need not use the same type of storage as their master DB Instances. You may be able to optimize your performance by selecting an alternate storage type for read replicas. 

Amazon RDS Multi-AZ deployments are designed to provide availability and durability for your Amazon RDS database (DB). With two different deployment options, you can customize your workloads for the availability you need.

You can support high availability for your application with database failover that is designed to complete quickly with no data loss and no manual intervention.

You can avoid suspending I/O activity on your primary during backup by backing up from your standby instance.

Amazon RDS Multi-AZ synchronous replication technologies are designed to keep data on your standby database instance up to date with the primary.

You can deploy a standby instance in a second AZ, and have redundancy in the event of an AZ or database instance failure.

Amazon RDS Multi-AZ is designed to failover quickly with no data loss and with no manual intervention.

You can route queries to write servers and appropriate read replica standby instances to achieve performance and scalability.  

You can achieve improved write latency compared to Multi-AZ with one standby.  

You can gain read scalability by distributing traffic across two readable standby instances.  

For additional information about service controls, security features and functionalities, including, as applicable, information about storing, retrieving, modifying, restricting, and deleting data, please see https://docs.aws.amazon.com/index.html. This additional information does not form part of the Documentation for purposes of the AWS Customer Agreement available at http://aws.amazon.com/agreement, or other agreement between you and AWS governing your use of AWS’s services.