Amazon Relational Database Service User Guide API Version 2014-10-31


Amazon Relational Database Service

User Guide

API Version 2014-10-31


Amazon Relational Database Service: User Guide

Copyright © 2016 Amazon Web Services, Inc. and/or its affiliates. All rights reserved.

Amazon's trademarks and trade dress may not be used in connection with any product or service that is not Amazon's, in any manner that is likely to cause confusion among customers, or in any manner that disparages or discredits Amazon. All other trademarks not owned by Amazon are the property of their respective owners, who may or may not be affiliated with, connected to, or sponsored by Amazon.


Table of Contents

What Is Amazon RDS? ................................................................................................................... 1

Amazon RDS Components ..................................................................................................... 2

DB Instances ................................................................................................................ 2

Regions and Availability Zones ........................................................................................ 3

Security Groups ............................................................................................................ 3

DB Parameter Groups .................................................................................................... 3

DB Option Groups ......................................................................................................... 3

Available RDS Interfaces ........................................................................................................ 3

Amazon RDS Console ................................................................................................... 4

Command Line Interface ................................................................................................. 4

Programmatic Interfaces ................................................................................................. 4

How You Are Charged for Amazon RDS .................................................................................... 5

Monitoring an Amazon RDS DB Instance ................................................................................... 5

What's Next? ........................................................................................................................ 5

Getting Started ............................................................................................................. 5

Database Engine Specific Topics ...................................................................................... 6

Setting Up .................................................................................................................................... 7

Sign Up for AWS ................................................................................................................... 7

Create an IAM User ............................................................................................................... 8

Determine Requirements ........................................................................................................ 9

Provide Access to the DB Instance in the VPC by Creating a Security Group ................................. 10

Getting Started ............................................................................................................................ 12

Creating a MySQL DB Instance and Connecting to a Database ................................................... 12

Creating a MySQL DB Instance ...................................................................................... 13

Connecting to a Database on a DB Instance Running MySQL ............................................. 18

Deleting a DB Instance ................................................................................................. 18

Creating an Oracle DB Instance and Connecting to a Database ................................................... 19

Creating a DB Instance Running Oracle ........................................................................... 19

Connecting to a DB Instance Running Oracle ................................................................... 24

Deleting a DB Instance ................................................................................................. 26

Creating a SQL Server DB Instance and Connecting to a Database .............................................. 26

Creating a SQL Server DB Instance ................................................................................ 26

Connecting to a SQL Server DB Instance Using SQL Server Management Studio ................... 33

Troubleshooting a Connection to a DB Instance Running SQL Server ................................... 37

Deleting a DB Instance ................................................................................................. 38

Creating a PostgreSQL DB Instance and Connecting to a Database ............................................. 38

Creating a PostgreSQL DB Instance ............................................................................... 38

Connecting to a PostgreSQL DB Instance ........................................................................ 44

Deleting a DB Instance ................................................................................................. 47

Creating a DB Cluster and Connecting to a Database on an Amazon Aurora DB Instance ................ 48

Create a DB Cluster ..................................................................................................... 48

Connect to an Instance in a DB Cluster ........................................................................... 52

Delete the Sample DB Cluster, DB Subnet Group, and VPC ................................................ 53

Creating a MariaDB DB Instance and Connecting to a Database .................................................. 53

Creating a MariaDB Instance ......................................................................................... 54

Connecting to a Database on a DB Instance Running MariaDB ........................................... 59

Deleting a DB Instance ................................................................................................. 59

Tutorials ..................................................................................................................................... 61

Restore a DB Instance from a DB Snapshot ............................................................................. 61

Prerequisites for Restoring a DB Instance from a DB Snapshot ............................................ 62

Steps for Restoring a DB Instance from a DB Snapshot ...................................................... 63

Create an Amazon VPC for Use with an Amazon RDS DB Instance .............................................. 67

Create a VPC with Private and Public Subnets .................................................................. 68

Create a VPC Security Group for a Public Web Server ....................................................... 72

Create a VPC Security Group for a Private Amazon RDS DB Instance .................................. 74


Related Topics ............................................................................................................ 76

Create a Web Server and an Amazon RDS Database ................................................................ 76

Step 1: Create a DB Instance ......................................................................................... 76

Step 2: Create a Web Server ......................................................................................... 80

Best Practices ............................................................................................................................. 94

Amazon RDS Basic Operational Guidelines ............................................................................. 94

DB Instance RAM Recommendations ...................................................................................... 95

Amazon RDS Security Best Practices ..................................................................................... 95

Using Metrics to Identify Performance Issues ............................................................................ 95

Viewing Performance Metrics ......................................................................................... 96

Evaluating Performance Metrics ..................................................................................... 97

Tuning Queries ........................................................................................................... 99

Best Practices for Working with MySQL Storage Engines ............................................................ 99

Best Practices for Working with MariaDB Storage Engines ........................................................ 100

Best Practices for Working with PostgreSQL ........................................................................... 100

Loading Data into a PostgreSQL DB Instance ................................................................. 100

Working with the fsync and full_page_writes database parameters ..................................... 101

Working with the PostgreSQL Autovacuum Feature .......................................................... 101

Best Practices for Working with SQL Server ............................................................................ 102

Amazon RDS SQL Server Best Practices Video .............................................................. 102

Amazon RDS Best Practices Presentation Video ..................................................................... 102

DB Instances ............................................................................................................................ 103

DB Instance Class ............................................................................................................. 104

Current Generation DB Instance Classes ....................................................................... 104

Previous Generation DB Instance Classes ...................................................................... 107

Specifications for All Available DB Instance Classes ......................................................... 108

DB Instance Status ............................................................................................................ 109

Regions and Availability Zones ............................................................................................. 111

Related Topics ........................................................................................................... 112

High Availability (Multi-AZ) ................................................................................................... 112

Failover Process for Amazon RDS ................................................................................ 114

Amazon RDS and Amazon VPC ........................................................................................... 114

DB Instance Backups ......................................................................................................... 115

Automated Backup ..................................................................................................... 115

DB Snapshots ........................................................................................................... 118

Related Topics ........................................................................................................... 118

DB Instance Replication ...................................................................................................... 118

Storage .................................................................................................................................... 120

Storage Types ................................................................................................................... 120

Performance Metrics ........................................................................................................... 121

Facts About Amazon RDS Storage ........................................................................................ 121

Other Factors That Impact Storage Performance ............................................................. 122

Adding Storage and Changing Storage Type ................................................................... 123

General Purpose (SSD) Storage ........................................................................................... 123

I/O Credits and Burst Performance ................................................................................ 123

Provisioned IOPS Storage ................................................................................................... 125

Using Provisioned IOPS Storage with Multi-AZ, Read Replicas, Snapshots, VPC, and DB Instance Classes ....................................................................................................... 126

Provisioned IOPS Storage Costs .................................................................................. 126

Getting the Most out of Amazon RDS Provisioned IOPS ................................................... 127

Provisioned IOPS Storage Support in the AWS CLI and Amazon RDS API .......................... 127

Factors That Affect Realized IOPS Rates ............................................................................... 128

Page Size and Channel Bandwidth ............................................................................... 128

DB Instance Classes for Provisioned IOPS ..................................................................... 128

Database Workload .................................................................................................... 129

Security .................................................................................................................................... 130

Authentication and Access Control ........................................................................................ 131

Authentication ........................................................................................................... 131


Access Control .......................................................................................................... 132

Overview of Managing Access ..................................................................................... 132

Using Identity-Based Policies (IAM Policies) .................................................................... 135

Amazon RDS API Permissions Reference ...................................................................... 139

Using Conditions ........................................................................................................ 139

Encrypting Amazon RDS Resources ..................................................................................... 145

Enabling Amazon RDS Encryption for a DB Instance ........................................................ 145

Availability of Amazon RDS Encrypted Instances ............................................................. 146

Managing Amazon RDS Encryption Keys ....................................................................... 147

Limitations of Amazon RDS Encrypted Instances ............................................................. 147

Using SSL to Encrypt a Connection ....................................................................................... 148

Intermediate certificates .............................................................................................. 148

Amazon RDS Security Groups ............................................................................................. 149

DB Security Groups .................................................................................................... 149

VPC Security Groups ................................................................................................. 149

DB Security Groups vs. VPC Security Groups ................................................................. 150

Security Group Scenario ............................................................................................. 150

Delete DB VPC security groups .................................................................................... 151

Master User Account Privileges ............................................................................................ 153

Related Topics ................................................................................................................... 154

Using Amazon RDS with Amazon VPC .......................................................................................... 155

Determining Whether You Are Using the EC2-VPC or EC2-Classic Platform ................................. 155

Related Topics ................................................................................................................... 157

Scenarios for Accessing a DB Instance in a VPC ..................................................................... 157

An EC2 Instance in the Same VPC ............................................................................... 157

An EC2 Instance in a Different VPC ............................................................................... 159

An EC2 Instance Not in a VPC ..................................................................................... 160

A Client Application Through the Internet ........................................................................ 161

An EC2 Instance in a VPC ........................................................................................... 161

An EC2 Instance Not in a VPC ..................................................................................... 162

A Client Application Through the Internet ........................................................................ 163

Working with a DB Instance in a VPC .................................................................................... 164

Working with a DB Instance in a VPC ............................................................................ 165

Working with DB Subnet Groups ................................................................................... 165

Hiding a DB Instance in a VPC from the Internet .............................................................. 166

Creating a DB Instance in a VPC .................................................................................. 167

Moving a DB Instance Not in a VPC into a VPC ............................................................... 169

Limits ....................................................................................................................................... 170

Limits in Amazon RDS ........................................................................................................ 170

Naming Constraints in Amazon RDS ..................................................................................... 171

File Size Limits in Amazon RDS ........................................................................................... 173

Aurora File Size Limits in Amazon RDS .......................................................................... 173

MySQL File Size Limits in Amazon RDS ........................................................................ 173

MySQL on Amazon RDS ............................................................................................................. 175

MySQL Planning Information ............................................................................................... 176

MySQL Versions ........................................................................................................ 176

Amazon RDS Supported Storage Engines ...................................................................... 178

Amazon RDS and MySQL Security ............................................................................... 179

Local Time Zone for MySQL DB Instances ..................................................................... 180

InnoDB Cache Warming .............................................................................................. 182

MySQL Features Not Supported By Amazon RDS ........................................................... 183

Known Issues and Limitations ...................................................................................... 183

Creating a DB Instance Running MySQL ................................................................................ 188

AWS Management Console ......................................................................................... 188

CLI .......................................................................................................................... 194

API .......................................................................................................................... 195

Related Topics ........................................................................................................... 196

Connecting to a DB Instance Running MySQL ........................................................................ 197


Connecting from the MySQL Utility ................................................................................ 197

Connecting with SSL .................................................................................................. 198

Maximum MySQL connections ..................................................................................... 199

Related Topics ........................................................................................................... 199

Modifying a DB Instance Running MySQL .............................................................................. 200

AWS Management Console ......................................................................................... 200

CLI .......................................................................................................................... 202

API .......................................................................................................................... 203

Importing and Exporting Data From a MySQL DB Instance ....................................................... 205

Overview .................................................................................................................. 205

Importing Data Considerations ..................................................................................... 205

Importing Data from a MySQL or MariaDB DB to an Amazon RDS MySQL or MariaDB DB Instance ................................................................................................... 208

Importing Data to an Amazon RDS MySQL or MariaDB DB Instance with Reduced Downtime ................................................................................................. 210

Importing Data From Any Source to a MySQL or MariaDB DB Instance ............................... 222

Replication with a MySQL or MariaDB Instance Running External to Amazon RDS ............... 227

Using Replication to Export MySQL Data ....................................................................... 229

Appendix: Common DBA Tasks for MySQL ............................................................................. 233

Killing a Session or Query ........................................................................................... 233

Skipping the Current Replication Error ........................................................................... 233

Working with InnoDB Tablespaces to Improve Crash Recovery Times ................................. 234

Managing the Global Status History .............................................................................. 235

Appendix: Options for MySQL .............................................................................................. 237

MySQL memcached Support ....................................................................................... 237

MariaDB Audit Plugin Support ...................................................................................... 240

Appendix: MySQL on Amazon RDS SQL Reference ................................................................. 243

Overview .................................................................................................................. 243

SQL reference conventions .......................................................................................... 244

mysql.rds_set_external_master .................................................................................... 244

mysql.rds_reset_external_master ................................................................................. 246

mysql.rds_start_replication .......................................................................................... 246

mysql.rds_stop_replication .......................................................................................... 247

mysql.rds_skip_repl_error ........................................................................................... 248

mysql.rds_next_master_log ......................................................................................... 248

mysql.rds_innodb_buffer_pool_dump_now ..................................................................... 250

mysql.rds_innodb_buffer_pool_load_now ....................................................................... 251

mysql.rds_innodb_buffer_pool_load_abort ..................................................................... 251

mysql.rds_set_configuration ......................................................................................... 252

mysql.rds_show_configuration ...................................................................................... 253

mysql.rds_kill ............................................................................................................ 253

mysql.rds_kill_query ................................................................................................... 254

mysql.rds_rotate_general_log ...................................................................................... 255

mysql.rds_rotate_slow_log .......................................................................................... 255

mysql.rds_enable_gsh_collector ................................................................................... 256

mysql.rds_set_gsh_collector ........................................................................................ 256

mysql.rds_disable_gsh_collector .................................................................................. 257

mysql.rds_collect_global_status_history ......................................................................... 257

mysql.rds_enable_gsh_rotation .................................................................................... 258

mysql.rds_set_gsh_rotation ......................................................................................... 258

mysql.rds_disable_gsh_rotation .................................................................................... 259

mysql.rds_rotate_global_status_history ......................................................................... 259

Oracle on Amazon RDS .............................................................................................................. 260

Planning Your Amazon RDS Oracle DB Instance ..................................................................... 261

DB Instances Class Restrictions for Oracle Databases ..................................................... 262

Oracle Database Engine Options .................................................................................. 262

Security .................................................................................................................... 269

Using SSL with an Oracle DB Instance .......................................................................... 269


Oracle Version Management ........................................................................................ 270

Licensing .................................................................................................................. 270

Using OEM, APEX, TDE, and other options .................................................................... 271

Creating a DB Instance Running Oracle ................................................................................. 272

AWS Management Console ......................................................................................... 272

CLI .......................................................................................................................... 277

API .......................................................................................................................... 278

Related Topics ........................................................................................................... 279

Connecting to a DB Instance Running Oracle .......................................................................... 280

Console ................................................................................................................... 280

CLI .......................................................................................................................... 282

Related Topics ........................................................................................................... 282

Modifying a DB Instance Running Oracle ............................................................................... 283

AWS Management Console ......................................................................................... 283

CLI .......................................................................................................................... 285

API .......................................................................................................................... 286

Importing Data Into Oracle on Amazon RDS ........................................................................... 288

Oracle SQL Developer ................................................................................................ 288

Oracle Data Pump ..................................................................................................... 288

Oracle Export/Import Utilities ....................................................................................... 291

Oracle SQL*Loader .................................................................................................... 292

Oracle Materialized Views ........................................................................................... 293

Appendix: Options for Oracle ................................................................................................ 295

Oracle 11g Enterprise Manager (OEM) Database Control and Oracle 12c OEM Database Express .................................................................................................... 295

Oracle XML DB ......................................................................................................... 296

Oracle Application Express (APEX) ............................................................................... 296

Oracle Native Network Encryption ................................................................................. 302

Oracle Transparent Data Encryption (TDE) ..................................................................... 303

Oracle Statspack ....................................................................................................... 305

Oracle Time Zone ...................................................................................................... 307

Oracle SSL ............................................................................................................... 308

Appendix: Common DBA Tasks for Oracle .............................................................................. 314

Enabling and disabling Restricted Session ..................................................................... 315

Flushing the Shared Pool ............................................................................................ 315

Flushing the Buffer Cache ........................................................................................... 315

Disconnecting a Session (for version 11.2.0.3.v1 and later) ............................................... 316

Killing a Session ........................................................................................................ 316

Renaming the Global Name (for version 11.2.0.3.v1 and later) ........................................... 316

Granting Privileges to Non-Master Users ........................................................................ 317

Modifying DBMS_SCHEDULER Jobs ............................................................................ 317

Switching Online Log files ............................................................................................ 317

Adding, Dropping and Resizing Online Redo Logs ........................................................... 318

Setting Force Logging (for version 11.2.0.3.v1 and later) ................................................... 320

Retaining Archived Redo Logs (for version 11.2.0.2.v7 and later) ....................................... 321

Setting Supplemental Logging (for version 11.2.0.3.v1 and later) ........................................ 321

Creating and Resizing Tablespaces and Data Files .......................................................... 321

Setting Default Tablespace ........................................................................................... 322

Setting Default Temporary Tablespace ........................................................................... 322

Checkpointing the Database ........................................................................................ 322

Setting Distributed Recovery (for version 11.2.0.3.v1 and later) ......................................... 322

Granting SELECT or EXECUTE privileges to SYS Objects (for version 11.2.0.3.v1 and later) ................................................................................................................................ 323

Setting the Database Time Zone ................................................................................... 323

Working with Automatic Workload Repository (AWR) ........................................................ 324

Adjusting Database Links for Use with DB Instances in a VPC ........................................... 324

Creating New Directories in the Main Data Storage Space (for version 11.2.0.4.v1 and later) ........................................................................................................................ 324

Listing and Reading Files in a DB Instance Directory (for version 11.2.0.3.v1 and later) .......... 325

Appendix: Using Oracle GoldenGate with Amazon RDS ............................................................ 326

Setting Up an Oracle GoldenGate Hub on EC2 ............................................................... 329

Setting Up a Source Database for Use with GoldenGate on Amazon RDS ........................... 331

Setting Up a Target Database for Use with GoldenGate on Amazon RDS ............................. 335

Working with Oracle GoldenGate's Extract and Replicat Utilities ......................................... 337

Troubleshooting Issues When Using Oracle GoldenGate with Amazon RDS ......................... 340

Appendix: Using AWS CloudHSM to Store Amazon RDS Oracle TDE Keys .................................. 342

Setting Up AWS CloudHSM to Work with Amazon RDS .................................................... 343

Setting Up Amazon RDS to Work with AWS CloudHSM .................................................... 347

Verifying the HSM Connection, the Oracle Keys in the HSM, and the TDE Key ...................... 355

Restoring Encrypted DB Instances ................................................................................ 356

Managing a Multi-AZ Failover ....................................................................................... 357

Appendix: Oracle Character Sets Supported in Amazon RDS .................................................... 358

Appendix: Oracle Database Engine Release Notes .................................................................. 360

Database Engine Version: 11.2.0.2.v3 ........................................................................... 361

Database Engine Version: 11.2.0.2.v4 or 11.2.0.2.v5 ........................................................ 362

Database Engine Version: 11.2.0.2.v6 ........................................................................... 362

Database Engine Version: 11.2.0.2.v7 ........................................................................... 363

Database Engine Version: 11.2.0.3.v1 ............................................................................ 365

Database Engine Version: 11.2.0.3.v2 ............................................................................ 366

Database Engine Version: 11.2.0.3.v3 ............................................................................ 367

Database Engine Version: 11.2.0.3.v4 ............................................................................ 369

Database Engine Version: 11.2.0.4.v1 ............................................................................ 370

Database Engine Version: 11.2.0.4.v2 (Deprecated) ......................................................... 370

Database Engine Version: 11.2.0.4.v3 ............................................................................ 371

Database Engine Version: 11.2.0.4.v4 ............................................................................ 372

Database Engine Version: 11.2.0.4.v5 ............................................................................ 373

Database Engine Version: 11.2.0.4.v6 ............................................................................ 374

Database Engine Version: 11.2.0.4.v7 ............................................................................ 374

Database Engine Version: 12.1.0.1.v1 ............................................................................ 376

Database Engine Version: 12.1.0.1.v2 ............................................................................ 377

Database Engine Version: 12.1.0.1.v3 ............................................................................ 378

Database Engine Version: 12.1.0.1.v4 ............................................................................ 379

Database Engine Version: 12.1.0.2.v1 ............................................................................ 380

Database Engine Version: 12.1.0.2.v2 ............................................................................ 381

Database Engine Version: 12.1.0.2.v3 ............................................................................ 381

Microsoft SQL Server on Amazon RDS .......................................................................................... 383

Common Management Tasks for SQL Server on Amazon RDS .................................................. 383

Limits for SQL Server DB Instances ...................................................................................... 384

SQL Server 2014 Support ................................................................................................... 385

Upgrading to SQL Server 2014 on Amazon RDS ............................................................. 386

Upgrading a Mirroring (Multi-AZ) DB Instance ................................................................. 386

SQL Server 2012 Support on Amazon RDS ............................................................................ 386

SQL Server 2008 R2 Support on Amazon RDS ....................................................................... 388

SQL Server Licensing ......................................................................................................... 388

License Included ........................................................................................................ 389

Bring Your Own License (BYOL) ................................................................................... 389

Licensing for SQL Server 2012 ..................................................................................... 389

Licensing for SQL Server 2014 ..................................................................................... 390

Multi-AZ Deployments Using SQL Server Mirroring .................................................................. 390

SQL Server Multi-AZ Deployment Recommendations ....................................................... 391

Video Introduction to SQL Server Multi-AZ Deployments ................................................... 393

Database Engine Version Management .................................................................................. 393

Upgrading from 2008 R2 to 2012 .................................................................................. 393

Upgrading to SQL Server 2014 on Amazon RDS ............................................................. 393

Upgrading a Mirroring (Multi-AZ) DB Instance ................................................................ 394

SQL Server Roles and Permissions ....................................................................................... 394

Using SSL with a SQL Server DB Instance ............................................................................. 395

Using the TDE Option to Encrypt Data at Rest ........................................................................ 396

Using Windows Authentication with an Amazon RDS for SQL Server DB Instance ......................... 397

Creating the Endpoint for Kerberos Authentication ........................................................... 397

Setting Up Windows Authentication for SQL Server DB Instances ....................................... 398

Managing a DB Instance in a Domain ............................................................................ 402

Connecting to SQL Server with Windows Authentication ................................................... 403

Restoring a SQL Server DB Instance and then Adding It to a Domain ................................. 404

Related Topics ........................................................................................................... 404

Creating a DB Instance Running SQL Server .......................................................................... 405

AWS Management Console ......................................................................................... 405

CLI .......................................................................................................................... 412

API .......................................................................................................................... 413

Related Topics ........................................................................................................... 414

Connecting to a DB Instance Running SQL Server .................................................................. 415

Connecting with SQL Server Management Studio ............................................................ 415

Connecting with SQL Workbench/J ............................................................................... 418

Troubleshooting a Connection to a DB Instance Running SQL Server .................................. 420

Related Topics ........................................................................................................... 421

Modifying a DB Instance Running SQL Server ........................................................................ 422

AWS Management Console ......................................................................................... 422

CLI .......................................................................................................................... 425

API .......................................................................................................................... 425

Working with SQL Server Multi-AZ with Mirroring ..................................................................... 427

Determining the Location of the Standby Mirror ............................................................... 427

Related Topics ........................................................................................................... 428

Importing and Exporting SQL Server Data .............................................................................. 429

Importing Data into SQL Server on Amazon RDS ............................................................ 429

Exporting Data from SQL Server on Amazon RDS ........................................................... 435

Appendix: Common DBA Tasks for SQL Server ....................................................................... 438

Determining a Recovery Model ..................................................................................... 438

Collations and Character Sets for SQL Server ................................................................. 438

Resetting the db_owner Role Password ........................................................................ 439

Transitioning a Database from OFFLINE to ONLINE ......................................................... 439

Dropping a Database in a Multi-AZ Deployment Using Mirroring ......................................... 439

Analyzing Your Database Workload on a DB Instance Using SQL Server Tuning Advisor ........ 439

Using SQL Server Agent ............................................................................................. 442

Working with SQL Server Logs ..................................................................................... 443

Handling UTC Times for Time Zone Awareness ............................................................... 444

Renaming a Database on a DB Instance in a SQL Server Multi-AZ with Mirroring Deployment .............................................................................................................. 445

Appendix: Options for SQL Server ......................................................................................... 446

SQL Server Transparent Data Encryption ....................................................................... 446

Multi-AZ Deployment for SQL Server Using the Mirroring Option ........................................ 448

PostgreSQL on Amazon RDS ....................................................................................................... 451

Amazon RDS PostgreSQL Planning Information ...................................................................... 452

Supported PostgreSQL Database Versions ..................................................................... 453

Database Engine Features .......................................................................................... 458

Limits for PostgreSQL DB Instances .............................................................................. 460

Database Version Upgrades ......................................................................................... 460

Using SSL with a PostgreSQL DB Instance .................................................................... 461

Creating a DB Instance Running PostgreSQL ......................................................................... 464

AWS Management Console ......................................................................................... 464

CLI .......................................................................................................................... 469

API .......................................................................................................................... 469

Related Topics ........................................................................................................... 470

Connecting to a DB Instance Running the PostgreSQL Database Engine ..................................... 471

Using pgAdmin to Connect to a PostgreSQL DB Instance ................................................. 471

Using psql to Connect to a PostgreSQL DB Instance ........................................................ 473

Troubleshooting Connection Issues ............................................................................... 474

Related Topics ........................................................................................................... 474

Modifying a DB Instance Running PostgreSQL ........................................................................ 475

AWS Management Console ......................................................................................... 475

CLI .......................................................................................................................... 477

API .......................................................................................................................... 478

Importing Data into PostgreSQL on Amazon RDS .................................................................... 480

Importing a PostgreSQL Database from an Amazon EC2 Instance ..................................... 480

Using the \copy Command to Import Data to a Table on a PostgreSQL DB Instance ............. 482

Appendix: Common DBA Tasks for PostgreSQL ....................................................................... 483

Creating Roles .......................................................................................................... 483

Managing PostgreSQL Database Access ....................................................................... 483

Working with PostgreSQL Parameters ........................................................................... 484

Setting up PostGIS ..................................................................................................... 492

Using pgBadger for Log Analysis with PostgreSQL .......................................................... 494

Aurora on Amazon RDS .............................................................................................................. 495

Availability ........................................................................................................................ 496

Aurora Endpoints ............................................................................................................... 496

Amazon Aurora Storage ...................................................................................................... 497

Amazon Aurora Replication .................................................................................................. 497

Amazon Aurora Reliability .................................................................................................... 498

Storage Auto-Repair ................................................................................................... 498

"Survivable" Cache Warming ........................................................................................ 498

Crash Recovery ......................................................................................................... 498

Aurora Performance Enhancements ...................................................................................... 498

Fast Insert ................................................................................................................ 498

Amazon RDS for Aurora Security .......................................................................................... 499

Securing Aurora Data with SSL .................................................................................... 500

Local Time Zone for Amazon Aurora DB Clusters .................................................................... 501

Comparison of Amazon RDS for Aurora and Amazon RDS for MySQL ........................................ 504

Creating an Amazon Aurora DB Cluster ................................................................................. 505

DB Cluster Prerequisites ............................................................................................. 505

Using the AWS Management Console to Launch an Aurora DB Cluster and Create an Aurora Replica .................................................................................................................... 506

Creating a VPC for Aurora ........................................................................................... 515

Connecting to an Amazon Aurora DB Cluster .......................................................................... 521

Connecting with SSL .................................................................................................. 522

Troubleshooting Aurora Connection Failures ................................................................... 523

Viewing an Amazon Aurora DB Cluster .................................................................................. 523

Viewing a DB Cluster in the Console ............................................................................. 523

Viewing a DB Cluster by Using the AWS CLI ................................................................... 525

Viewing a DB Cluster by Using the Amazon RDS API ....................................................... 526

Related Topics ........................................................................................................... 528

Migrating Data to an Amazon Aurora DB Cluster ..................................................................... 528

Migrating an RDS MySQL Snapshot to Aurora ................................................................ 528

Replication with Amazon Aurora ........................................................................................... 534

Monitoring Aurora Replication ...................................................................................... 535

Replication Between Aurora and MySQL or Between Aurora and Another Aurora DB Cluster ..................................................................................................................... 535

Monitoring an Amazon Aurora DB Cluster .............................................................................. 547

Aurora Metrics ........................................................................................................... 549

Managing an Amazon Aurora DB Cluster ............................................................................... 551

Managing Performance and Scaling for Aurora DB Cluster ................................................ 551

Fault Tolerance for an Aurora DB Cluster ........................................................................ 552

Backing Up and Restoring an Aurora DB Cluster ............................................................. 553

Testing Amazon Aurora Using Fault Injection Queries ....................................................... 554

Best Practices with Amazon Aurora ...................................................................................... 556

Determining Which DB Instance You Are Connected To .................................................... 557

Using Amazon Aurora to Scale Reads for Your MySQL Database ....................................... 557

Using Amazon Aurora for Disaster Recovery with Your MySQL Databases ........................... 560

Migrating from MySQL to Amazon Aurora with Reduced Downtime ..................................... 560

Appendix: DB Cluster and DB Instance Parameters ................................................................. 560

Cluster-level parameters ............................................................................................. 561

Database Engine Updates ................................................................................................... 562

Database Engine Updates 2016-01-11 .......................................................................... 563

Database Engine Updates 2015-12-03 .......................................................................... 563

Database Engine Updates 2015-10-16 .......................................................................... 564

Database Engine Updates 2015-08-24 .......................................................................... 567

MariaDB on Amazon RDS ........................................................................................................... 568

MariaDB Planning Information .............................................................................................. 569

MariaDB Versions ...................................................................................................... 569

Amazon RDS MariaDB Supported Storage Engines ......................................................... 570

Amazon RDS MariaDB Supported Regions .................................................................... 571

Amazon RDS and MariaDB Security ............................................................................. 571

Local Time Zone for MariaDB DB Instances .................................................................... 572

XtraDB Cache Warming .............................................................................................. 574

MariaDB, MySQL, and Amazon Aurora Feature Comparison ............................................. 575

MariaDB Features Not Supported by Amazon RDS .......................................................... 579

Database Parameters for MariaDB ................................................................................ 579

Common DBA Tasks for MariaDB ................................................................................. 579

Creating a DB Instance Running MariaDB .............................................................................. 579

AWS Management Console ......................................................................................... 579

CLI .......................................................................................................................... 586

API .......................................................................................................................... 587

Related Topics ........................................................................................................... 588

Connecting to a DB Instance Running MariaDB ....................................................................... 589

Connecting from the mysql Utility .................................................................................. 589

Connecting with SSL .................................................................................................. 590

Maximum MariaDB Connections ................................................................................... 591

Related Topics ........................................................................................................... 591

Modifying a DB Instance Running MariaDB ............................................................................ 592

AWS Management Console ......................................................................................... 592

CLI .......................................................................................................................... 594

API .......................................................................................................................... 595

Importing Data Into a MariaDB DB Instance ............................................................................ 597

Configuring GTID-Based Replication into an Amazon RDS MariaDB DB instance ................. 597

Appendix: Options for MariaDB ............................................................................................. 601

MariaDB Audit Plugin Support ...................................................................................... 601

Appendix: Parameters for MariaDB ....................................................................................... 604

Appendix: MariaDB on Amazon RDS SQL Reference ............................................................... 608

mysql.rds_set_external_master_gtid ............................................................................. 608

mysql.rds_kill_query_id ............................................................................................... 610

DB Instance Lifecycle ................................................................................................................. 611

DB Instance Upgrades and Maintenance ................................................................................ 613

Amazon RDS Maintenance .......................................................................................... 613

Operating System Updates for a DB Instance ................................................................. 618

Upgrading Database Versions for a DB Instance .............................................................. 621

Modifying a DB Instance and Using the Apply Immediately Parameter ......................................... 630

Renaming a DB Instance ..................................................................................................... 633

AWS Management Console ......................................................................................... 633

CLI .......................................................................................................................... 634

API .......................................................................................................................... 634

Related Topics ........................................................................................................... 634

Deleting a DB Instance ....................................................................................................... 635

Deleting a DB Instance with No Final Snapshot ............................................................... 635

Deleting a DB Instance with a Final Snapshot ................................................................. 636

Related Topics ........................................................................................................... 638

Rebooting a DB Instance ..................................................................................................... 639

AWS Management Console ......................................................................................... 639

CLI .......................................................................................................................... 639

API .......................................................................................................................... 640

Working with Storage Types ................................................................................................. 641

Modifying a DB Instance to Use a Different Storage Type .................................................. 641

Modifying IOPS and Storage Settings for a DB Instance That Uses Provisioned IOPS ............ 643

Creating a DB Instance That Uses Provisioned IOPS Storage ............................................ 645

Creating a MySQL or MariaDB Read Replica That Uses Provisioned IOPS Storage ............... 647

Working with PostgreSQL, MySQL, and MariaDB Read Replicas ............................................... 649

Amazon RDS Read Replica Overview ........................................................................... 649

PostgreSQL Read Replicas (version 9.3.5 and later) ........................................................ 651

MySQL and MariaDB Read Replicas ............................................................................. 652

Creating a Read Replica ............................................................................................. 653

Promoting a Read Replica to Be a DB Instance ............................................................... 655

Replicating a Read Replica Across Regions (MySQL and MariaDB Only) ............................ 657

Monitoring Read Replication ........................................................................................ 660

Troubleshooting a MySQL or MariaDB Read Replica Problem ............................................ 661

Troubleshooting a PostgreSQL Read Replica Problem ...................................................... 662

Tagging Amazon RDS Resources ......................................................................................... 664

What You Should Know About Amazon RDS Resource Tags .............................................. 664

AWS Management Console ......................................................................................... 665

CLI .......................................................................................................................... 669

API .......................................................................................................................... 670

Constructing an Amazon RDS Amazon Resource Name (ARN) ......................................... 671

Related Topics ........................................................................................................... 673

Backing Up and Restoring ................................................................................................... 673

Working With Automated Backups ................................................................................ 674

Creating a DB Snapshot .............................................................................................. 678

Restoring From a DB Snapshot .................................................................................... 680

Copying a DB Snapshot .............................................................................................. 684

Sharing a DB Snapshot ............................................................................................... 692

Restoring a DB Instance to a Specified Time .................................................................. 699

Working with Option Groups ................................................................................................ 702

Option Groups Overview ............................................................................................. 702

Creating an Option Group ............................................................................................ 703

Making a Copy of an Option Group ............................................................................... 706

Adding an Option to an Option Group ............................................................................ 707

Listing the Options and Option Settings for an Option Group .............................................. 712

Modifying an Option Setting ......................................................................................... 715

Removing an Option from an Option Group .................................................................... 720

Working with DB Parameter Groups ...................................................................................... 724

Creating a DB Parameter Group ................................................................................... 725

Modifying Parameters in a DB Parameter Group .............................................................. 726

Copying a DB Parameter Group ................................................................................... 729

Listing DB Parameter Groups ....................................................................................... 731

Viewing Parameter Values for a DB Parameter Group ....................................................... 734

DB Parameter Values .................................................................................................. 737

Working with DB Security Groups ......................................................................................... 740

Creating a DB Security Group ...................................................................................... 740

Listing Available DB Security Groups ............................................................................. 743

Viewing a DB security group ........................................................................................ 744

Authorizing Network Access to a DB Security Group from an IP Range ............................... 746

Authorizing Network Access to a DB Instance from an Amazon EC2 Instance ...................... 748

Revoking Network Access to a DB Instance from an IP Range ........................................... 751

Related Topics ........................................................................................................... 753


Working with Reserved DB Instances .................................................................................... 754

Getting Information About Available Reserved DB Instance Offerings .................................. 754

Purchasing a Reserved DB Instance ............................................................................. 760

Getting Information About Your Account's Reserved DB Instances ...................................... 762

Cancelling a Reserved Instance ................................................................................... 765

Related Topics ........................................................................................................... 765

Monitoring ................................................................................................................................ 766

Viewing DB Instance Metrics ................................................................................................ 767

Viewing Metrics by Using the Console ........................................................................... 767

DB Instance Metrics ................................................................................................... 768

Enhanced Monitoring .................................................................................................. 769

Related Topics ........................................................................................................... 780

Using Amazon RDS Event Notification ................................................................................... 781

Amazon RDS Event Categories and Event Messages ...................................................... 782

Subscribing to Amazon RDS Event Notification ............................................................... 787

Listing Your Amazon RDS Event Notification Subscriptions ................................................ 791

Modifying an Amazon RDS Event Notification Subscription ................................................ 793

Adding a Source Identifier to an Amazon RDS Event Notification Subscription ...................... 795

Removing a Source identifier from an Amazon RDS Event Notification Subscription .............. 797

Listing the Amazon RDS Event Notification Categories ..................................................... 799

Deleting an Amazon RDS Event Notification Subscription ................................................. 801

Viewing Amazon RDS Events .............................................................................................. 803

AWS Management Console ......................................................................................... 803

CLI .......................................................................................................................... 803

API .......................................................................................................................... 804

Related Topics ........................................................................................................... 804

Database Log Files ............................................................................................................ 805

Viewing and Listing Database Log Files ......................................................................... 805

Downloading a Database Log File ................................................................................. 808

Watching a Database Log File ...................................................................................... 812

Related Topics ........................................................................................................... 814

MySQL Database Log Files ......................................................................................... 814

Oracle Database Log Files .......................................................................................... 819

SQL Server Database Log Files ................................................................................... 822

PostgreSQL Database Log Files ................................................................................... 823

MariaDB Database Log Files ....................................................................................... 825

Logging Amazon RDS API Calls Using AWS CloudTrail ............................................................ 831

Configuring CloudTrail Event Logging ............................................................................ 831

Amazon RDS Event Entries in CloudTrail Log Files .......................................................... 831

Troubleshooting ......................................................................................................................... 834

Cannot Connect to DB Instance ............................................................................................ 834

Testing the DB Instance Connection .............................................................................. 835

Troubleshooting Connection Authentication ..................................................................... 835

Security Issues .................................................................................................................. 835

Resetting the DB Instance Owner Role Password .................................................................... 836

DB Instance Outage or Reboot ............................................................................................. 836

Parameter Changes Not Taking Effect .................................................................................... 837

DB Instance Out of Storage ................................................................................................. 837

MySQL Issues ................................................................................................................... 839

MySQL Version 5.5.40 Asynchronous I/O Is Disabled ....................................................... 839

Index Merge Optimization Returns Wrong Results ........................................................... 839

Replication Fails After Upgrading to MySQL Version 5.6.21 ............................................... 840

Diagnosing and Resolving Lag Between Read Replicas .................................................... 841

Diagnosing and Resolving a MySQL or MariaDB Read Replication Failure ........................... 842

Creating Triggers with Binary Logging Enabled Requires SUPER Privilege ........................... 843

Diagnosing and Resolving Point-In-Time Restore Failures ................................................. 844

Aurora Issues .................................................................................................................... 845

No Space Left on Device Error ..................................................................................... 845


Oracle GoldenGate Issues ................................................................................................... 846

Using Oracle GoldenGate with Amazon EC2 Instances .................................................... 846

Retaining Logs for Sufficient Time ................................................................................. 846

Cannot Connect to SQL Server DB Instance ........................................................................... 846

Cannot Connect to PostgreSQL DB Instance .......................................................................... 847

Amazon RDS API ...................................................................................................................... 848

Using the Query API ........................................................................................................... 848

Query Parameters ...................................................................................................... 848

Query Request Authentication ...................................................................................... 848

Using the SOAP API ........................................................................................................... 850

WSDL and Schema Definitions ..................................................................................... 851

Programming Language Support .................................................................................. 851

Request Authentication ............................................................................................... 851

Response Structure .................................................................................................... 853

Web Services References ........................................................................................... 854

Available Libraries .............................................................................................................. 854

Troubleshooting Applications ................................................................................................ 854

Retrieving Errors ........................................................................................................ 854

Troubleshooting Tips ................................................................................................... 855

RDS REST API Reference .................................................................................................. 855

Related Topics ........................................................................................................... 855

DownloadCompleteDBLogFile ...................................................................................... 855

Resources ................................................................................................................................ 857

Document History ...................................................................................................................... 858


What Is Amazon Relational Database Service (Amazon RDS)?

Amazon Relational Database Service (Amazon RDS) is a web service that makes it easier to set up, operate, and scale a relational database in the cloud. It provides cost-efficient, resizeable capacity for an industry-standard relational database and manages common database administration tasks.

Topics

Amazon RDS Components (p. 2)

Available RDS Interfaces (p. 3)

How You Are Charged for Amazon RDS (p. 5)

Monitoring an Amazon RDS DB Instance (p. 5)

What's Next? (p. 5)

Why would you want a managed relational database service? Because Amazon RDS takes over many of the difficult or tedious management tasks of a relational database.

• When you buy a server, you get CPU, memory, storage, and IOPS, all bundled together. With Amazon RDS, these are split apart so that you can scale them independently. So, for example, if you need more CPU, less IOPS, or more storage, you can easily allocate them.

• Amazon RDS manages backups, software patching, automatic failure detection, and recovery.

• In order to deliver a managed service experience, Amazon RDS does not provide shell access to DB instances, and it restricts access to certain system procedures and tables that require advanced privileges.

• You can have automated backups performed when you need them, or create your own backup snapshot. These backups can be used to restore a database, and the Amazon RDS restore process works reliably and efficiently.

• You can get high availability with a primary instance and a synchronous secondary instance that you can fail over to when problems occur. You can also use MySQL, MariaDB, or PostgreSQL Read Replicas to increase read scaling.

• You can use the database products you are already familiar with: MySQL, MariaDB, PostgreSQL, Oracle, Microsoft SQL Server, and the new, MySQL-compatible Amazon Aurora DB engine (for information, see Aurora on Amazon RDS (p. 495)).


• In addition to the security in your database package, you can help control who can access your RDS databases by using AWS IAM to define users and permissions. You can also help protect your databases by putting them in a virtual private cloud.

To begin learning more:

• If you are new to RDS but you are familiar with other Amazon Web Services, start with an introduction to the Amazon RDS Components (p. 2). This section discusses the key components of Amazon RDS and how they map to those that you currently work with on your local network.

• For an overview of all AWS products, see What is Cloud Computing?

• Amazon Web Services provides a number of database services. For guidance on which service is best for your environment, see Running Databases on AWS.

Amazon RDS Components

Topics

DB Instances (p. 2)

Regions and Availability Zones (p. 3)

Security Groups (p. 3)

DB Parameter Groups (p. 3)

DB Option Groups (p. 3)

DB Instances

The basic building block of Amazon RDS is the DB instance. A DB instance is an isolated database environment in the cloud. A DB instance can contain multiple user-created databases, and you can access it by using the same tools and applications that you use with a stand-alone database instance.

You can create and modify a DB instance by using the Amazon AWS command line interface, the Amazon RDS API, or the AWS Management Console.

Each DB instance runs a DB engine. Amazon RDS currently supports the MySQL, MariaDB, PostgreSQL, Oracle, and Microsoft SQL Server DB engines. Each DB engine has its own supported features, and each version of a DB engine may include specific features. Additionally, each DB engine has a set of parameters in a DB parameter group that control the behavior of the databases that it manages.

The computation and memory capacity of a DB instance is determined by its DB instance class. You can select the DB instance that best meets your needs. If your needs change over time, you can change DB instances. For information about DB instance classes, see the DB Instance Class section. For pricing information on DB instance classes, go to the Pricing section of the Amazon Relational Database Service (Amazon RDS) product page.

For each DB instance, you can select from 5 GB to 6 TB of associated storage capacity. Each DB instance class has minimum and maximum storage requirements for the DB instances that are created from it. It’s important to have sufficient storage so that your databases have room to grow and that features for the DB engine have room to write content or log entries.

DB instance storage comes in three types: Magnetic, General Purpose (SSD), and Provisioned IOPS (SSD). They differ in performance characteristics and price, allowing you to tailor your storage performance and cost to the needs of your database. For a complete discussion of the different volume types, see the topic Amazon EBS Volume Types.

You can run a DB instance on a virtual private cloud using Amazon's Virtual Private Cloud (VPC) service. When you use a virtual private cloud, you have control over your virtual networking environment: you can select your own IP address range, create subnets, and configure routing and access control lists. The basic functionality of Amazon RDS is the same whether it is running in a VPC or not; Amazon RDS manages backups, software patching, automatic failure detection, and recovery. There is no additional cost to run your DB instance in a VPC. For more information on VPC and RDS, see Virtual Private Clouds (VPCs) and Amazon RDS (p. 155).

Regions and Availability Zones

Amazon cloud computing resources are housed in highly available data center facilities in different areas of the world (for example, North America, Europe, or Asia). Each data center location is called a region.

Each region contains multiple distinct locations called Availability Zones, or AZs. Each Availability Zone is engineered to be isolated from failures in other Availability Zones, and to provide inexpensive, low-latency network connectivity to other Availability Zones in the same region. By launching instances in separate Availability Zones, you can protect your applications from the failure of a single location. For a list of regions and Availability Zones, see Regions and Availability Zones (p. 111).

You can run your DB instance in several Availability Zones, an option called a Multi-AZ deployment. When you select this option, Amazon automatically provisions and maintains a synchronous standby replica of your DB instance in a different Availability Zone. The primary DB instance is synchronously replicated across Availability Zones to the standby replica to provide data redundancy, failover support, eliminate I/O freezes, and minimize latency spikes during system backups.

Security Groups

A security group controls the access to a DB instance. It does so by allowing access to IP address ranges or Amazon EC2 instances that you specify.

Amazon RDS uses DB security groups, VPC security groups, and EC2 security groups. In simple terms, a DB security group controls access to a DB instance that is not in a VPC, a VPC security group controls access to a DB instance inside a VPC, and an Amazon EC2 security group controls access to an EC2 instance and can be used with a DB instance. For more information about security groups, see Amazon RDS Security Groups (p. 149).
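As an added example (not code from this guide), the following Python audits VPC security groups for the access model described above: it flags rules on the database port that admit a wide IP range, while accepting rules that reference another security group, which is the pattern used to admit specific EC2 instances. It runs offline on a constructed document shaped like the output of `aws ec2 describe-security-groups`; every group ID and CIDR block in it is made up.

```python
"""Audit security groups that guard an RDS DB instance for overly broad
ingress on the database port.

Added example, not from the AWS User Guide. It works offline on a constructed
document shaped like `aws ec2 describe-security-groups` output
(SecurityGroups -> IpPermissions -> IpRanges / UserIdGroupPairs); the group
IDs and CIDR blocks are made up.
"""
import ipaddress
from typing import Dict, List

# Constructed sample: one group that only admits the application tier's
# security group on 3306, and one that admits every IPv4 address on 3306.
SAMPLE_GROUPS = {
    "SecurityGroups": [
        {
            "GroupId": "sg-0aaa0000example1",
            "GroupName": "rds-mysql-prod",
            "IpPermissions": [
                {
                    "IpProtocol": "tcp",
                    "FromPort": 3306,
                    "ToPort": 3306,
                    "IpRanges": [],
                    "UserIdGroupPairs": [{"GroupId": "sg-0bbb0000example2"}],
                }
            ],
        },
        {
            "GroupId": "sg-0ccc0000example3",
            "GroupName": "rds-mysql-dev",
            "IpPermissions": [
                {
                    "IpProtocol": "tcp",
                    "FromPort": 3306,
                    "ToPort": 3306,
                    "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                    "UserIdGroupPairs": [],
                },
                {
                    "IpProtocol": "tcp",
                    "FromPort": 22,
                    "ToPort": 22,
                    "IpRanges": [{"CidrIp": "203.0.113.0/24"}],
                    "UserIdGroupPairs": [],
                },
            ],
        },
    ]
}


def _covers_port(perm: Dict, port: int) -> bool:
    """True if an IpPermission entry admits TCP traffic to `port`.

    IpProtocol "-1" means all protocols and carries no port range.
    """
    if perm.get("IpProtocol") == "-1":
        return True
    if perm.get("IpProtocol") != "tcp":
        return False
    return perm.get("FromPort", -1) <= port <= perm.get("ToPort", -1)


def _too_broad(cidr: str, max_prefix_len: int) -> bool:
    """A range is too broad when its prefix is shorter than the policy allows
    (0.0.0.0/0 has prefix length 0; a single host /32 has length 32)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen < max_prefix_len


def find_broad_db_ingress(groups: Dict, db_port: int,
                          max_prefix_len: int = 24) -> List[Dict]:
    """Return one finding per IPv4 CIDR rule on `db_port` that is wider
    than /max_prefix_len.

    Rules that reference another security group (UserIdGroupPairs) are the
    recommended way to admit EC2 instances and are not flagged.
    """
    findings = []
    for sg in groups.get("SecurityGroups", []):
        for perm in sg.get("IpPermissions", []):
            if not _covers_port(perm, db_port):
                continue
            for rng in perm.get("IpRanges", []):
                cidr = rng.get("CidrIp", "")
                if cidr and _too_broad(cidr, max_prefix_len):
                    findings.append({
                        "GroupId": sg["GroupId"],
                        "GroupName": sg.get("GroupName", ""),
                        "CidrIp": cidr,
                        "Port": db_port,
                    })
    return findings


if __name__ == "__main__":
    for f in find_broad_db_ingress(SAMPLE_GROUPS, 3306):
        print(f"{f['GroupId']} ({f['GroupName']}): {f['CidrIp']} "
              f"may reach port {f['Port']}")
```

The `/24` threshold is a constructed policy value; tighten it to suit your environment.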

DB Parameter Groups

You manage the configuration of a DB engine by using a DB parameter group. A DB parameter group contains engine configuration values that can be applied to one or more DB instances of the same instance type. Amazon RDS applies a default DB parameter group if you don’t specify a DB parameter group when you create a DB instance. The default group contains defaults for the specific database engine and instance class of the DB instance.

DB Option Groups

Some DB engines offer tools that simplify managing your databases and making the best use of your data. Amazon RDS makes such tools available through option groups. Examples of available options are Oracle Application Express (APEX), SQL Server Transparent Data Encryption, and MySQL memcached support. For more information on option groups, see Working with Option Groups (p. 702).

Available RDS Interfaces

Topics

Amazon RDS Console (p. 4)


Command Line Interface (p. 4)

Programmatic Interfaces (p. 4)

There are several ways that you can interact with Amazon RDS.

Amazon RDS Console

The Amazon RDS console is a simple web-based user interface. From the console, you can perform almost all the tasks you need to do, with no programming required. To access the Amazon RDS console, sign in to the AWS Management Console and open the Amazon RDS console at https://console.aws.amazon.com/rds/ .

Command Line Interface

Amazon AWS provides a command line interface that gives you access to much of the functionality that is available in the Amazon RDS API. For more information, see the AWS Command Line Interface Documentation and AWS Command Line Reference for Amazon RDS.

Programmatic Interfaces

The following table lists the resources that you can use to access Amazon RDS programmatically.

• AWS SDKs – The AWS SDKs include sample code, libraries, tools, documentation, and templates. To download the AWS SDKs, go to AWS Software Development Kits (SDKs).

• Libraries – AWS provides libraries, sample code, tutorials, and other resources for software developers who prefer to build applications using language-specific APIs instead of Amazon Relational Database Service's SOAP and Query APIs. These libraries provide basic functions (not included in Amazon Relational Database Service's SOAP and Query APIs), such as request authentication, request retries, and error handling so you can get started more easily. Libraries and resources are available for the following languages:

• Java

• PHP

• Python

• Ruby

• Windows and .NET

For libraries and sample code in all languages, see Sample Code & Libraries.

• Amazon RDS API – If you prefer, you can code directly to the Amazon RDS API. For more information, see Amazon RDS API (p. 848), and see the Amazon Relational Database Service API Reference.


How You Are Charged for Amazon RDS

When you use Amazon RDS, you pay only for what you use, and there are no minimum or setup fees.

You are billed according to the following criteria.

• Instance class – Pricing is based on the class (e.g., micro, small, large, xlarge) of the DB instance consumed.

• Running time – You are billed by the instance-hour, which is equivalent to a single instance running for an hour. For example, both a single instance running for two hours and two instances running for one hour consume 2 instance-hours. If a DB instance runs for only part of an hour, you are charged for a full instance-hour.

• Storage – The storage capacity that you have provisioned to your DB instance is billed per GB per month. If you scale your provisioned storage capacity within the month, your bill will be pro-rated.

• I/O requests per month – Total number of storage I/O requests that you have made in a billing cycle.

• Backup storage – Backup storage is the storage that is associated with automated database backups and any active database snapshots that you have taken. Increasing your backup retention period or taking additional database snapshots increases the backup storage consumed by your database.

Amazon RDS provides backup storage up to 100% of your provisioned database storage at no additional charge. For example, if you have 10 GB-months of provisioned database storage, we will provide up to 10 GB-months of backup storage at no additional charge. Most databases require less raw storage for a backup than for the primary dataset, so if you don’t keep multiple backups, you will never pay for backup storage. Backup storage is free only for active DB instances.

• Data transfer – Internet data transfer in and out of your DB instance.

In addition to regular RDS pricing, you can purchase reserved DB instances. Reserved DB instances let you make a one-time up-front payment for a DB instance and reserve the DB instance for a one- or three-year term at significantly lower rates. For more information on reserved DB instances, see Working with Reserved DB Instances (p. 754).

For Amazon RDS pricing information, see the Amazon RDS product page.

Monitoring an Amazon RDS DB Instance

There are several ways that you can track the performance and health of a DB instance. You can use the free Amazon CloudWatch service to monitor the performance and health of a DB instance; performance charts are shown in the Amazon RDS console. You can subscribe to Amazon RDS events to be notified when changes occur with a DB instance, DB Snapshot, DB parameter group, or DB security group. For more information about Amazon CloudWatch, see Viewing DB Instance Metrics (p. 767). For more information on Amazon RDS event notification, see Using Amazon RDS Event Notification (p. 781).

What's Next?

This section introduced you to the basic infrastructure components that RDS offers. What should you do next?

Getting Started

Create a DB instance using instructions in the Getting Started with Amazon RDS (p. 12) section.


Database Engine Specific Topics

You can review information specific to a particular DB engine in the following sections:

Oracle on Amazon RDS (p. 260)

MySQL on Amazon RDS (p. 175)

Microsoft SQL Server on Amazon RDS (p. 383)

PostgreSQL on Amazon RDS (p. 451)

Aurora on Amazon RDS (p. 495)

MariaDB on Amazon RDS (p. 568)


Setting Up for Amazon RDS

Before you use Amazon RDS for the first time, complete the following tasks:

1. Sign Up for AWS (p. 7)

2. Create an IAM User (p. 8)

3. Determine Requirements (p. 9)

4. Provide Access to the DB Instance in the VPC by Creating a Security Group (p. 10)

Sign Up for AWS

When you sign up for Amazon Web Services (AWS), your AWS account is automatically signed up for all services in AWS, including Amazon RDS. You are charged only for the services that you use.

With Amazon RDS, you pay only for the resources you use. The Amazon RDS DB instance that you create will be live (not running in a sandbox). You will incur the standard Amazon RDS usage fees for the instance until you terminate it. For more information about Amazon RDS usage rates, see the Amazon RDS product page. If you are a new AWS customer, you can get started with Amazon RDS for free; for more information, see AWS Free Usage Tier.

If you have an AWS account already, skip to the next task. If you don't have an AWS account, use the following procedure to create one.

To create an AWS account

1. Open http://aws.amazon.com/, and then choose Create an AWS Account.

2. Follow the online instructions.

Part of the sign-up procedure involves receiving a phone call and entering a PIN using the phone keypad.

Note your AWS account number, because you'll need it for the next task.


Create an IAM User

Services in AWS, such as Amazon RDS, require that you provide credentials when you access them, so that the service can determine whether you have permission to access its resources. The console requires your password. You can create access keys for your AWS account to access the command line interface or API. However, we don't recommend that you access AWS using the credentials for your AWS account; we recommend that you use AWS Identity and Access Management (IAM) instead. Create an IAM user, and then either add the user to an IAM group with administrative permissions or grant this user administrative permissions directly. You can then access AWS using a special URL and the credentials for the IAM user.

If you signed up for AWS but have not created an IAM user for yourself, you can create one using the IAM console.

To create a group for administrators

1. Sign in to the Identity and Access Management (IAM) console at https://console.aws.amazon.com/iam/.

2. In the navigation pane, choose Groups, and then choose Create New Group.

3. For Group Name, type a name for your group, such as Administrators, and then choose Next Step.

4. In the list of policies, select the check box next to the AdministratorAccess policy. You can use the Filter menu and the Search box to filter the list of policies.

5. Choose Next Step, and then choose Create Group.

Your new group is listed under Group Name.

To create an IAM user for yourself, add the user to the administrators group, and create a password for the user

1. In the navigation pane, choose Users, and then choose Create New Users.

2. In box 1, type a user name.

3. Clear the check box next to Generate an access key for each user.

4. Choose Create.

5. In the list of users, choose the name (not the check box) of the user you just created. You can use the Search box to search for the user name.

6. Choose the Groups tab and then choose Add User to Groups.

7. Select the check box next to the administrators group. Then choose Add to Groups.

8. Choose the Security Credentials tab. Under Sign-In Credentials, choose Manage Password.

9. Select Assign a custom password. Then type a password in the Password and Confirm Password boxes. When you are finished, choose Apply.

To sign in as this new IAM user, sign out of the AWS console, then use the following URL, where your_aws_account_id is your AWS account number without the hyphens (for example, if your AWS account number is 1234-5678-9012, your AWS account ID is 123456789012):

https://your_aws_account_id.signin.aws.amazon.com/console/

Enter the IAM user name and password that you just created. When you're signed in, the navigation bar displays "your_user_name @ your_aws_account_id".


If you don't want the URL for your sign-in page to contain your AWS account ID, you can create an account alias. From the IAM dashboard, click Customize and enter an alias, such as your company name. To sign in after you create an account alias, use the following URL:

https://your_account_alias.signin.aws.amazon.com/console/

To verify the sign-in link for IAM users for your account, open the IAM console and check under AWS Account Alias on the dashboard.

Determine Requirements

The basic building block of Amazon RDS is the DB instance. The DB instance is where you create your databases. A DB instance provides a network address called the Endpoint. Your applications connect to the endpoint exposed by the DB instance whenever they need to access the databases created in that DB instance. The information you specify when you create the DB instance controls configuration elements such as storage, memory, database engine and version, network configuration, security, and maintenance periods.

You must know your DB instance and network needs before you create a security group and before you create a DB instance. For example, you must know the following:

• What are the memory and processor requirements for your application or service? You will use these settings when you determine what DB instance class you will use when you create your DB instance. For specifications about DB instance classes, see DB Instance Class (p. 104).

• Your DB instance is most likely in a virtual private cloud (VPC); some legacy instances are not in a VPC, but if you are a new RDS user (two years or less) or accessing a new region, you are most likely creating a DB instance inside a VPC. The security group rules you need to connect to a DB instance depend on whether your DB instance is in a default VPC, in a user-defined VPC, or outside of a VPC. For information on determining if your account has a default VPC in a region, see Determining Whether You Are Using the EC2-VPC or EC2-Classic Platform (p. 155). The following list describes the rules for each VPC option:

Default VPC — If your AWS account has a default VPC in the region, that VPC is configured to support DB instances. If you specify the default VPC when you create the DB instance:

• You must create a VPC security group that authorizes connections from the application or service to the Amazon RDS DB instance with the database. Note that you must use the Amazon EC2 API or the Security Group option on the VPC Console to create VPC security groups. For information, see Step 4: Create a VPC Security Group (p. 168).

• You must specify the default DB subnet group. If this is the first DB instance you have created in the region, Amazon RDS will create the default DB subnet group when it creates the DB instance.

User-defined VPC — If you want to specify a user-defined VPC when you create a DB instance:

• You must create a VPC security group that authorizes connections from the application or service to the Amazon RDS DB instance with the database. Note that you must use the Amazon EC2 API or the Security Group option on the VPC Console to create VPC security groups. For information, see Step 4: Create a VPC Security Group (p. 168).

• The VPC must meet certain requirements in order to host DB instances, such as having at least two subnets, each in a separate availability zone. For information, see Amazon RDS and Amazon Virtual Private Cloud (VPC) (p. 114).

• You must specify a DB subnet group that defines which subnets in that VPC can be used by the DB instance. For information, see the DB Subnet Group section in Working with a DB Instance in a VPC (p. 165).

No VPC — If your AWS account does not have a default VPC, and you do not specify a user-defined VPC:


• You must create a DB security group that authorizes connections from the devices and Amazon RDS instances running the applications or utilities that will access the databases in the DB instance. For more information, see Working with DB Security Groups (p. 740).

• Do you need failover support? On Amazon RDS, a standby replica of your DB instance that can be used in the event of a failover is called a Multi-AZ deployment. If you have production workloads, you should use a Multi-AZ deployment. For test purposes, you can usually get by with a single instance, non-Multi-AZ deployment.

• Does your AWS account have policies that grant the permissions needed to perform Amazon RDS operations? If you are connecting to AWS using IAM credentials, your IAM account must have IAM policies that grant the permissions required to perform Amazon RDS operations. For more information, see Authentication and Access Control for Amazon RDS (p. 131).

• What TCP/IP port will your database be listening on? The firewall at some companies may block connections to the default port for your database engine. If your company firewall blocks the default port, choose another port for the new DB instance. Note that once you create a DB instance that listens on a port you specify, you cannot change the port for the DB instance.

• What region do you want your database in? Having the database close in proximity to the application or web service could reduce network latency.

• What are your storage requirements? Do you need to use Provisioned IOPS? Amazon RDS provides three storage types: magnetic, General Purpose (SSD), and Provisioned IOPS (input/output operations per second). Magnetic storage, also called standard storage, offers cost-effective storage that is ideal for applications with light or burst I/O requirements. General purpose, SSD-backed storage, also called gp2, can provide faster access than disk-based storage. Provisioned IOPS storage is designed to meet the needs of I/O-intensive workloads, particularly database workloads, that are sensitive to storage performance and consistency in random access I/O throughput. For more information on Amazon RDS storage, see Storage for Amazon RDS (p. 120).

Once you have the information you need to create the security group and the DB instance, continue to the next step.

Provide Access to the DB Instance in the VPC by Creating a Security Group

Your DB instance will most likely be created in a VPC. Security groups provide access to the DB instance in the VPC. They act as a firewall for the associated DB instance, controlling both inbound and outbound traffic at the instance level. DB instances are created by default with a firewall and a default security group that prevents access to the DB instance. You must therefore add rules to a security group that enable you to connect to your DB instance. Use the network and configuration information you determined in the previous step to create rules to allow access to your DB instance.

The security group you need to create will be a VPC security group, unless you have a legacy DB instance not in a VPC that requires a DB security group. If you created your AWS account after March 2013, chances are very good that you have a default VPC, and your DB instance will be created in that VPC.

DB instances in a VPC require that you add rules to a VPC security group to allow access to the instance.

For example, if you have an application that will access a database on your DB instance in a VPC, you must add a Custom TCP rule that specifies the port range and IP addresses that application will use to access the database. If you have an application on an Amazon EC2 instance, you can use the VPC or EC2 security group you set up for the EC2 instance.

To create a VPC security group

1. Sign in to the AWS Management Console and open the Amazon VPC console at https://console.aws.amazon.com/vpc.


2. In the top right corner of the AWS Management Console, select the region in which you want to create the VPC security group and the DB instance. In the list of Amazon VPC resources for that region, it should show that you have at least one VPC and several Subnets. If it does not, you do not have a default VPC in that region.

3. In the navigation pane, click Security Groups.

4. Click Create Security Group.

5. In the Create Security Group window, type the Name tag, Group name, and Description of your security group. Select the VPC that you want to create your DB instance in. Click Yes, Create.

6. The VPC security group you created should still be selected. The details pane at the bottom of the console window displays the details for the security group, and tabs for working with inbound and outbound rules. Click the Inbound Rules tab.

7. On the Inbound Rules tab, click Edit. Select Custom TCP Rule from the Type list. Type your port value in the Port Range text box, and then type a CIDR value (IP address range) or select a security group name in the Source text box.

8. If you need to add more IP addresses or different port ranges, click Add another rule.

9. If you need to, you can use the Outbound Rules tab to add rules for outbound traffic.

10. When you have finished, click Save.

You will use the VPC security group you just created as the security group for your DB instance when you create it. If your DB instance is not going to be in a VPC, then see the topic Working with DB Security Groups (p. 740) to create a DB security group that you will use when you create your DB instance.
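The Custom TCP rule that steps 7 and 8 of the procedure above create in the console can also be expressed as the IpPermissions structure that the EC2 AuthorizeSecurityGroupIngress API accepts, which is what the AWS CLI and boto3 send. The following is an added example, not code from the AWS documentation: it builds that structure for either Source choice (a CIDR block or a security group), rejects malformed CIDRs, and audits a rule for sources broader than an application subnet. The group ids, CIDR blocks and the audit thresholds are assumptions of the example.

```python
"""Build and audit VPC security group inbound rules for a DB instance.

Added example; not code from the AWS documentation. It models the Custom TCP
rule the console procedure creates (one port, a CIDR or a security group as
Source) and emits the IpPermissions structure accepted by the EC2
AuthorizeSecurityGroupIngress API. Group ids and CIDR blocks below are
constructed sample values.
"""
import ipaddress
import re

# Default listener ports named in this guide's setup tables.
DB_PORTS = {"mysql": 3306, "oracle": 1521}
SG_ID_RE = re.compile(r"^sg-(?:[0-9a-f]{8}|[0-9a-f]{17})$")


def inbound_rule(port, source, description=""):
    """One IpPermissions entry for a Custom TCP rule on `port` from `source`.

    `source` is a CIDR block ("10.0.1.0/24", "2001:db8::/32") or a security
    group id ("sg-0a1b2c3d"), the two Source choices the console offers.
    """
    if not 1 <= port <= 65535:
        raise ValueError(f"invalid port {port}")
    perm = {"IpProtocol": "tcp", "FromPort": port, "ToPort": port}
    if SG_ID_RE.match(source):
        perm["UserIdGroupPairs"] = [{"GroupId": source, "Description": description}]
        return perm
    net = ipaddress.ip_network(source, strict=True)  # rejects host bits set / malformed CIDR
    if net.version == 4:
        perm["IpRanges"] = [{"CidrIp": str(net), "Description": description}]
    else:
        perm["Ipv6Ranges"] = [{"CidrIpv6": str(net), "Description": description}]
    return perm


def audit_rule(perm, expected_port):
    """Return findings for one inbound rule (empty list = rule is as tight as intended)."""
    findings = []
    if perm.get("IpProtocol") == "-1":
        findings.append("all protocols allowed")
    if (perm.get("FromPort"), perm.get("ToPort")) != (expected_port, expected_port):
        findings.append(f"port range {perm.get('FromPort')}-{perm.get('ToPort')} "
                        f"is not limited to {expected_port}")
    for r in perm.get("IpRanges", []):
        net = ipaddress.ip_network(r["CidrIp"])
        if net.prefixlen == 0:
            findings.append("source 0.0.0.0/0: open to the whole IPv4 Internet")
        elif net.prefixlen < 16:  # threshold is an assumption of this example
            findings.append(f"source {net}: very broad range")
    for r in perm.get("Ipv6Ranges", []):
        net = ipaddress.ip_network(r["CidrIpv6"])
        if net.prefixlen == 0:
            findings.append("source ::/0: open to the whole IPv6 Internet")
    return findings


def build_app_rules(engine, sources):
    """Rules that admit only the listed application sources on the engine's port."""
    port = DB_PORTS[engine]
    return [inbound_rule(port, s, f"{engine} access") for s in sources]


if __name__ == "__main__":
    # Constructed sample: the application subnet and the EC2 instance's own group.
    for rule in build_app_rules("mysql", ["10.0.1.0/24", "sg-0a1b2c3d"]):
        print(rule, audit_rule(rule, DB_PORTS["mysql"]))
    # A rule whose Source is 0.0.0.0/0 admits every address on the Internet.
    print(audit_rule(inbound_rule(3306, "0.0.0.0/0"), 3306))
```

Each entry returned by inbound_rule can be passed as one element of the IpPermissions list to the ec2 authorize-security-group-ingress call; the security-group form is the one to prefer when the application runs on an EC2 instance, since it follows the instance rather than its address.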

Finally, a quick note about VPC subnets: If you use a default VPC, a default subnet group spanning all of the VPC's subnets has already been created for you. When you use the Launch a DB Instance wizard to create a DB instance, you can select the default VPC and use default for the DB Subnet Group.

Once you have completed the setup requirements, you can use your requirements and the security group you created to launch a DB instance. For information on creating a DB instance, see the relevant documentation in the following table:

Database Engine: Relevant Documentation

Amazon Aurora: Creating a DB Cluster and Connecting to a Database on an Amazon Aurora DB Instance (p. 48)

MariaDB: Creating a MariaDB DB Instance and Connecting to a Database on a MariaDB DB Instance (p. 53)

Microsoft SQL Server: Creating a SQL Server DB Instance and Connecting to a Database on a SQL Server DB Instance (p. 26)

MySQL: Creating a MySQL DB Instance and Connecting to a Database on a MySQL DB Instance (p. 12)

Oracle: Creating an Oracle DB Instance and Connecting to a Database on an Oracle DB Instance (p. 19)

PostgreSQL: Creating a PostgreSQL DB Instance and Connecting to a Database on a PostgreSQL DB Instance (p. 38)


Getting Started with Amazon RDS

This section shows you how to create and connect to a DB instance using Amazon RDS. You can create, or launch, a DB instance that uses MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Amazon Aurora, or MariaDB.

Important

You must complete the tasks in the Setting Up for Amazon RDS (p. 7) section before you can create or connect to a DB instance.

Creating a DB instance and connecting to a database on a DB instance is slightly different for each of the DB engines; choose the DB engine below that you want to use for detailed information on creating and connecting to the DB instance.

Creating a MySQL DB Instance and Connecting to a Database on a MySQL DB Instance (p. 12)

Creating an Oracle DB Instance and Connecting to a Database on an Oracle DB Instance (p. 19)

Creating a SQL Server DB Instance and Connecting to a Database on a SQL Server DB Instance (p. 26)

Creating a PostgreSQL DB Instance and Connecting to a Database on a PostgreSQL DB Instance (p. 38)

Creating a DB Cluster and Connecting to a Database on an Amazon Aurora DB Instance (p. 48)

Creating a MariaDB DB Instance and Connecting to a Database on a MariaDB DB Instance (p. 53)

Once you have created and connected to your DB instance, instructions are provided to help you delete the DB instance.

Creating a MySQL DB Instance and Connecting to a Database on a MySQL DB Instance

The easiest way to create a DB instance is to use the Amazon RDS console. Once you have created the DB instance, you can use standard MySQL utilities such as MySQL Workbench to connect to a database on the DB instance.

Important

You must complete the tasks in the Setting Up for Amazon RDS (p. 7) section before you can create or connect to a DB instance.

Topics

Creating a MySQL DB Instance (p. 13)


Connecting to a Database on a DB Instance Running the MySQL Database Engine (p. 18)

Deleting a DB Instance (p. 18)

Creating a MySQL DB Instance

The basic building block of Amazon RDS is the DB instance. This is the environment in which you will run your MySQL databases.

In this example, you create a DB instance running the MySQL database engine called west2-mysql-instance1, with a db.m1.small DB instance class, 5 GB of storage, and automated backups enabled with a retention period of one day.

To create a MySQL DB instance

1. Sign in to the AWS Management Console and open the Amazon RDS console at https://console.aws.amazon.com/rds/.

2. In the top right corner of the Amazon RDS console, choose the region in which you want to create the DB instance.

3. In the navigation pane, choose Instances.

4. Choose Launch DB Instance. The Launch DB Instance Wizard opens on the Select Engine page.

5. On the Select Engine page, choose the MySQL icon and then choose Select for the MySQL DB engine.

6. On the Specify DB Details page, specify your DB instance information. The following table shows settings for an example DB instance. When the settings are as you want them, choose Next.

For this parameter... ...Do this:

License Model: Choose the default, general-public-license, to use the general license agreement for MySQL. MySQL has only one license model.

DB Engine Version: Choose the default version of MySQL. Note that Amazon RDS supports multiple versions of MySQL in some regions.

DB Instance Class: Choose db.m1.small for a configuration that equates to 1.7 GB memory, 1 ECU (1 virtual core with 1 ECU), 64-bit platform, and moderate I/O capacity.

Multi-AZ Deployment: Choose No to create your DB instance in a single availability zone.

Allocated Storage: Type 5 to allocate 5 GB of storage for your database. In some cases, allocating a higher amount of storage for your DB instance than the size of your database can improve I/O performance. For more information about storage allocation, see Amazon Relational Database Service Features.

Storage Type: Choose the storage type Magnetic. For more information about storage, see Storage for Amazon RDS (p. 120).

DB Instance Identifier: Type a name for the DB instance that is unique for your account in the region you chose. You can add some intelligence to the name, such as including the region and DB engine you chose, for example west2-mysql-instance1.

Master Username: Type a name using alphanumeric characters that you will use as the master user name to log on to your DB instance. This will be the user name you use to log on to your database on the DB instance for the first time.

Master Password and Confirm Password: Type a password that contains from 8 to 41 printable ASCII characters (excluding /, ", and @) for your master user password. This will be the password you will use when you use the user name to log on to your database. Then type the password again in the Confirm Password text box.


7. On the Configure Advanced Settings page, provide additional information that RDS needs to launch the MySQL DB instance. The table shows settings for an example DB instance. Specify your DB instance information, then choose Launch DB Instance.

For this parameter... ...Do this:

VPC: Choose the name of the Virtual Private Cloud (VPC) that will host your MySQL DB instance. If your DB instance will not be hosted in a VPC, choose Not in VPC. For more information about VPC, see Amazon RDS and Amazon Virtual Private Cloud (VPC) (p. 114).

Availability Zone: Determine if you want to specify a particular Availability Zone. If you chose Yes for the Multi-AZ Deployment parameter on the previous page, you will not have any options here. For more information about Availability Zones, see Regions and Availability Zones (p. 111).

DB Security Groups: Choose the security group you want to use with this DB instance. For more information about security groups, see Working with DB Security Groups (p. 740).

Database Name: Type a database name that is 1 to 64 alphanumeric characters. If you do not provide a name, Amazon RDS will not automatically create a database on the DB instance you are creating.

Database Port: Leave the default value of 3306 unless you have a specific port you want to access the database through. MySQL installations default to port 3306.

DB Parameter Group: Leave the default value unless you created your own DB parameter group. For more information about parameter groups, see Working with DB Parameter Groups (p. 724).

Option Group: Choose the default value because this option group is used with the MySQL version you chose on the previous page.

Enable Encryption: Choose Yes to enable encryption at rest for this DB instance. For more information, see Encrypting Amazon RDS Resources (p. 145).

Backup Retention Period: Set the number of days you want automatic backups of your database to be retained. For testing purposes, you can set this value to 1.

Backup Window: Unless you have a specific time that you want to have your database backup, use the default of No Preference.

Enable Enhanced Monitoring: Unless you want to enable gathering metrics in real time for the operating system that your DB instance runs on, use the default of No.

Auto Minor Version Upgrade: Choose Yes to enable your DB instance to receive minor DB engine version upgrades automatically when they become available.

Maintenance Window: Choose the 30 minute window in which pending modifications to your DB instance are applied. If the time period doesn't matter, choose No Preference.


8. On the RDS console, the new DB instance appears in the list of DB instances. The DB instance will have a status of creating until the DB instance is created and ready for use. When the state changes to available, you can connect to a database on the DB instance. Depending on the DB instance class and storage allocated, it could take several minutes for the new DB instance to become available.

Connecting to a Database on a DB Instance Running the MySQL Database Engine

Once Amazon RDS provisions your DB instance, you can use any standard SQL client application to connect to a database on the DB instance. In this example, you connect to a database on a MySQL DB instance using MySQL monitor commands. One GUI-based application you can use to connect is MySQL Workbench; for more information, go to the Download MySQL Workbench page. For more information on using MySQL, go to the MySQL documentation.

To connect to a database on a DB instance using MySQL monitor

• Type the following command at a command prompt on a client computer to connect to a database on a MySQL DB instance using the MySQL monitor. Substitute the DNS name for your DB instance for <endpoint>, the master user name you used for <mymasteruser>, and the master password you used for <password>.

PROMPT> mysql -h <endpoint> -P 3306 -u <mymasteruser> -p

You will see output similar to the following.

Welcome to the MySQL monitor. Commands end with ; or \g.

Your MySQL connection id is 350

Server version: 5.1.32-log MySQL Community Server (GPL)

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql>

Deleting a DB Instance

Once you have connected to the sample DB instance that you created, you should delete the DB instance so you are no longer charged for it.


To delete a DB instance with no final DB snapshot

1. Sign in to the AWS Management Console and open the Amazon RDS console at https://console.aws.amazon.com/rds/.

2. In the Instances list, choose the DB instance you wish to delete.

3. Choose Instance Actions, and then choose Delete from the dropdown menu.

4. Choose No in the Create final Snapshot? drop-down list box.

5. Choose Yes, Delete.

Creating an Oracle DB Instance and Connecting to a Database on an Oracle DB Instance

The easiest way to create an Oracle DB instance is to use the RDS console. Once you have created the DB instance, you can use standard Oracle client utilities such as SQL Developer to connect to the instance.

In this example, you create a DB instance running the Oracle database engine called west2-oracle1, with a db.m1.small DB instance class, 10 GB of storage, and automated backups enabled with a retention period of one day.

Important

You must complete the tasks in the Setting Up for Amazon RDS (p. 7) section before you can create or connect to a DB instance.

Topics

Creating a DB Instance Running the Oracle Database Engine (p. 19)

Connecting to a DB Instance Running the Oracle Database Engine (p. 24)

Deleting a DB Instance (p. 26)

Creating a DB Instance Running the Oracle Database Engine

To launch an Oracle DB instance

1. Sign in to the AWS Management Console and open the Amazon RDS console at https://console.aws.amazon.com/rds/.

2. In the top right corner of the Amazon RDS console, choose the region in which you want to create the DB instance.

3. In the navigation pane, choose Instances.

4. Choose Launch DB Instance to start the Launch DB Instance Wizard. The wizard opens on the Select Engine page.


5. In the Launch DB Instance Wizard window, choose the Oracle icon, and then choose Select for the Oracle version you want to use.

6. On the Production? page, it asks if you are planning to use the DB instance you are creating for production. If you are, choose Yes. By choosing Yes, the failover option Multi-AZ and the Provisioned IOPS storage option will be preselected in the following step. Choose Next to continue.

7. On the Specify DB Details page, specify your DB instance information. The following table shows settings for an example DB instance. Choose Next when you are finished.

For this parameter... ...Do this:

License Model: Choose bring-your-own-license to provide your own license for using Oracle. Some regions support additional licensing options for Oracle.

DB Engine Version: Choose the default version of Oracle.

DB Instance Class: Choose db.m3.medium for a configuration that equates to 1.7 GB memory, 1 ECU (1 virtual core with 1 ECU), 64-bit platform, and moderate I/O capacity.

Multi-AZ Deployment: Choose No to create your DB instance in a single availability zone.

Allocated Storage: Type 10 to allocate 10 GB of storage for your database. In some cases, allocating a higher amount of storage for your DB instance than the size of your database can improve I/O performance. For more information about storage allocation, see Amazon Relational Database Service Features.

Storage Type: Choose the storage type Magnetic. For more information about storage, see Storage for Amazon RDS (p. 120).

DB Instance Identifier: Type a name for the DB Instance that is unique for your account in the region you chose. You can add some intelligence to the name, such as including the region and DB engine you chose, for example oracle-instance1.

Master User Name: Type a name that you will use as the master user name to log on to your DB instance with all database privileges. This user account is used to log into the DB instance and is granted the "DBA" role.

Master User Password and Confirm Password: Type a password that contains from 8 to 30 printable ASCII characters (excluding /, ", and @) for your master user password, and then type the password again in the Confirm Password text box.


8. On the Configure Advanced Settings page, provide additional information that RDS needs to launch the Oracle DB instance. The table shows settings for an example DB instance. Specify your DB instance information, then choose Launch DB Instance.

For this parameter... ...Do this:

VPC: This setting depends on the platform you are on. If you are a new customer to AWS, choose the default VPC. If you are creating a DB instance on the previous EC2-Classic platform, choose Not in VPC. For more information about VPC, see Amazon RDS and Amazon Virtual Private Cloud (VPC) (p. 114).

DB Subnet Group: This setting depends on the platform you are on. If you are a new customer to AWS, choose default, which will be the default DB subnet group that was created for your account. If you are creating a DB instance on the previous EC2-Classic platform and you want your DB instance in a specific VPC, choose the DB subnet group you created for that VPC. For more information about VPC, see Amazon RDS and Amazon Virtual Private Cloud (VPC) (p. 114).

Publicly Accessible: Choose Yes to give the DB instance a public IP address, meaning that it will be accessible outside the VPC; otherwise, choose No, so the DB instance will only be accessible from inside the VPC. For more information about hiding DB instances from public access, see Hiding a DB instance in a VPC from the Internet.

Availability Zone: Use the default of No Preference.

VPC Security Group: If you are a new customer to AWS, choose the default VPC. If you have created your own VPC security group, choose the VPC security group you previously created.

Database Name: Type a name for your database that begins with a letter and contains up to 8 alphanumeric characters. If you do not provide a name, Amazon RDS will not create a database on the DB instance you are creating. The default database name is ORCL.

Database Port: Use the default value of 1521 unless you have a specific port you want to access the database through. Oracle installations default to port 1521, but some firewalls block this port by default. If you are unsure, ask your system administrator what port you should use.

Option Group: Use the default value of default:oracle-ee-11-2.

Parameter Group: Choose the default value of default.oracle-ee-11.2.

Character Set Name: Choose the default value of AL32UTF8 for the Unicode 5.0 UTF-8 Universal character set. Note that you cannot change the character set after the DB instance is created.

Backup Retention Period: Set the number of days you want automatic backups of your database to be retained. For testing purposes, you can set this value to 1.

Backup Window: Unless you have a specific time that you want to have your database backup, use the default of No Preference.

Auto Minor Version Upgrade: Choose Yes to enable your DB instance to receive minor DB engine version upgrades automatically when they become available.

Maintenance Window: Choose the 30 minute window in which pending modifications to your DB instance are applied. If the time period doesn't matter, choose No Preference.


9. On the final page of the wizard, choose Close.

10. On the RDS console, the new DB instance appears in the list of DB instances. The DB instance will have a status of creating until the DB instance is created and ready for use. When the state changes to available, you can connect to the DB instance. Depending on the DB instance class and storage allocated, it could take several minutes for the new instance to be available.

Connecting to a DB Instance Running the Oracle Database Engine

Once Amazon RDS provisions your DB instance, you can use any standard SQL client application to connect to the instance. In this example, you connect to a DB instance running the Oracle database engine using the Oracle command line tools. For more information on using Oracle, go to the Oracle website.

This example uses the Oracle sqlplus command line utility. This utility is part of the Oracle software distribution. To download a stand-alone version of this utility, go to the SQL*Plus User's Guide and Reference.

1. Open the RDS console, then choose Instances in the left column to display a list of your DB instances.

2. Choose the row for your Oracle DB instance to display the summary information for the instance.

3. The Endpoint field contains part of the connection information for your DB instance. The Endpoint field has two parts separated by a colon (:). The part before the colon is the DNS name for the instance, the part following the colon is the port.


4. Type the following command on one line at a command prompt to connect to a DB instance using the sqlplus utility. The part before the @ is the master user name you chose when you created the DB instance. The value for Host will be the DNS name for your DB instance, the value for Port will be the port you assigned the DB instance, and the value for the Oracle SID will be the name of the DB instance's database that you specified when you created the DB instance, not the name of the DB instance. Do not append the password after the user name; leave it out so that sqlplus prompts for it and it never appears in the process list or your shell history.

PROMPT>sqlplus '<master user name>@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=<endpoint>)(PORT=<port number>))(CONNECT_DATA=(SID=<database name>)))'

You will see output similar to the following.

SQL*Plus: Release 11.1.0.7.0 - Production on Wed May 25 15:13:59 2011

SQL>


Deleting a DB Instance

Once you have connected to the sample DB instance that you created, you should delete the DB instance so you are no longer charged for it.

To delete a DB instance with no final DB snapshot

1. Sign in to the AWS Management Console and open the Amazon RDS console at https://console.aws.amazon.com/rds/.

2. In the Instances list, choose the DB instance you wish to delete.

3. Choose Instance Actions, and then choose Delete from the dropdown menu.

4. Choose No in the Create final Snapshot? drop-down list box. Choose No only for a throwaway instance such as this one; once the instance is deleted, a final snapshot is the only way to get its data back.

5. Choose Yes, Delete.

Creating a SQL Server DB Instance and Connecting to a Database on a SQL Server DB Instance

The easiest way to create a DB instance is to use the RDS console. Once you have created the DB instance, you can use standard SQL Server utilities to connect to the DB instance, such as the Microsoft SQL Server Management Studio utility.

Important
You must complete the tasks in the Setting Up for Amazon RDS (p. 7) section before you can create or connect to a DB instance.

Topics

Creating a SQL Server DB Instance (p. 26)

Connecting to a SQL Server DB Instance Using SQL Server Management Studio (p. 33)

Troubleshooting a Connection to a DB Instance Running SQL Server (p. 37)

Deleting a DB Instance (p. 38)

Creating a SQL Server DB Instance

To create a DB instance running the Microsoft SQL Server DB engine

1. Sign in to the AWS Management Console and open the Amazon RDS console at https://console.aws.amazon.com/rds/.

2. In the top right corner of the Amazon RDS console, choose the region in which you want to create the DB instance.

3. In the navigation pane, choose Instances.

4. Choose Launch DB Instance to start the Launch DB Instance Wizard. The wizard opens on the Select Engine page.


5. In the Launch DB Instance Wizard window, choose the SQL Server icon, then choose Select for the SQL Server version you want to use.


6. The Production? page asks if you are planning to use the DB instance you are creating for production. If you are, choose Yes. By choosing Yes, the failover option Multi-AZ and the Provisioned IOPS storage option will be preselected in the following step. Choose Next to continue.

7. On the Specify DB Details page, specify your DB instance information. The following table shows settings for an example DB instance using SQL Server Standard Edition. Choose Next when you are finished.

License Model: Select license-included to use the general license agreement for Microsoft SQL Server.

DB Engine Version: Choose the default version of SQL Server.

DB Instance Class: Choose db.m1.small for a configuration that equates to 1.7 GB memory, 1 ECU (1 virtual core with 1 ECU), 64-bit platform, and moderate I/O capacity. For more information about all the DB instance class options, see DB Instance Class (p. 104).

Multi-AZ Deployment: Choose No to create your DB instance in a single Availability Zone.

Storage Type: Choose the storage type Magnetic. For more information about storage, see Storage for Amazon RDS (p. 120).

Allocated Storage: Type 200 to allocate 200 GB of storage for your database. In some cases, allocating a higher amount of storage for your DB instance than the size of your database can improve I/O performance. For more information about storage allocation, see Amazon Relational Database Service Features.

DB Instance Identifier: Type a name for the DB instance of 15 alphanumeric characters or less that is unique for your account in the region you chose. You can add some intelligence to the name, such as including the region and DB engine you chose, for example sqlsv-instance1.

Master Username: Type a name that you will use as the master username to log on to your DB instance with all database privileges. The master username is a SQL Server Authentication login that is a member of the processadmin, public, and setupadmin fixed server roles.

Master Password and Confirm Password: Type a password that contains from 8 to 128 printable ASCII characters (excluding /, ", and @) for your master user password, and then type it again in the Confirm Password text box. Use a randomly generated value and keep it out of source code and shell history.


8. On the Configure Advanced Settings page, provide additional information that Amazon RDS needs to launch the SQL Server DB instance. The table shows settings for an example DB instance. Specify your DB instance information, then choose Launch DB Instance.

VPC: This setting depends on the platform you are on. If you are a new customer to AWS, choose the default VPC shown. If you are creating a DB instance on the previous EC2-Classic platform that does not use a VPC, choose Not in VPC. For more information about VPC, see Amazon RDS and Amazon Virtual Private Cloud (VPC) (p. 114).


Subnet Group: This setting depends on the platform you are on. If you are a new customer to AWS, choose default, which will be the default DB subnet group that was created for your account. If you are creating a DB instance on the previous EC2-Classic platform and you want your DB instance in a specific VPC, choose the DB subnet group you created for that VPC. For more information about VPC, see Amazon RDS and Amazon Virtual Private Cloud (VPC) (p. 114).

Publicly Accessible: Choose Yes to give the DB instance a public IP address, meaning that it will be reachable from outside the VPC (subject to the rules of its VPC security group); otherwise, choose No, so the DB instance will only be accessible from inside the VPC. For more information about hiding DB instances from public access, see Hiding a DB instance in a VPC from the Internet.

Availability Zone: Use the default value of No Preference unless you want to specify an Availability Zone.

VPC Security Group: If you are a new customer to AWS, choose the default VPC security group. Otherwise, choose the VPC security group you previously created.

Database Port: Leave the default value of 1433 unless you have a specific port you want to access the database through. SQL Server installations default to port 1433, but in some cases a firewall might block this port. If in doubt, ask your network administrator what port you should use.

DB Parameter Group: Use the default value unless you have created your own parameter group.

Option Group: Use the default value unless you have created your own option group.

Copy Tags To Snapshots: Choose this option to have any DB instance tags copied to a DB snapshot when you create a snapshot. For more information, see Tagging Amazon RDS Resources (p. 664).

Enable Encryption: Choose Yes to enable encryption at rest for this DB instance. You cannot turn encryption on for a DB instance after it has been created. For more information, see Encrypting Amazon RDS Resources (p. 145).

Backup Retention Period: Set the number of days you want automatic backups of your database to be retained. For testing purposes, you can set this value to 1.

Backup Window: Unless you have a specific time that you want to have your database backed up, use the default of No Preference.

Enable Enhanced Monitoring: Choose Yes to enable gathering metrics in real time for the operating system that your DB instance runs on. For more information, see Enhanced Monitoring (p. 769).

Auto Minor Version Upgrade: Choose Yes to enable your DB instance to receive minor DB engine version upgrades automatically when they become available.


Maintenance Window: Choose the 30 minute window in which pending modifications to your DB instance are applied. If the time period doesn't matter, choose No Preference.


9. On the final page of the wizard, choose Close.

10. On the RDS console, the new DB instance appears in the list of DB instances. The DB instance will have a status of creating until the DB instance is created and ready for use. When the state changes to available, you can connect to the DB instance. Depending on the DB instance class and storage allocated, it could take several minutes for the new instance to be available.

Connecting to a SQL Server DB Instance Using SQL Server Management Studio

This example uses the Microsoft SQL Server Management Studio utility. This utility is part of the Microsoft SQL Server software distribution. To download a stand-alone version of this utility, go to the Microsoft Download Center - Microsoft SQL Server Management Studio Express.

To connect to a DB Instance using Microsoft SQL Server Management Studio

1. Find the DNS name and port for your DB Instance.

   a. Open the RDS console, then choose Instances in the left column to display a list of your DB instances.

   b. Choose the row for your SQL Server DB instance to display the summary information for the instance.

   c. The Endpoint field has two parts separated by a colon (:). The part before the colon is the DNS name for the instance, the part following the colon is the port.


2. Run Microsoft SQL Server Management Studio.

3. The Connect to Server dialog box appears.


4. In the Server type: drop-down list box, choose Database Engine.

5. In the Server name: text field, enter or paste the DNS name of the DB Instance running the Microsoft SQL Server database engine, followed by a comma and then the port number of the DB Instance. For example, the Server name could be: sqlsv-instance1.cg034hpkmmjt.us-east-1.rds.amazonaws.com,1433

6. From the Authentication drop-down list box, choose SQL Server Authentication.

7. Enter the master user name for the DB Instance in the Login: text box.

8. Enter the password for the master user in the Password: text box.

9. Choose the Connect button. After a few moments, Microsoft SQL Server Management Studio should be connected to your DB Instance.

10. Choose the New Query button at the top left of the SQL Server Management Studio window. A new SQL Query window will open.


11. Type the following SQL query: select @@VERSION

12. Choose the ! Execute button on the SQL Server Management Studio toolbar to run the query. You should see a version string returned from your Microsoft SQL Server DB Instance displayed in the output window.


Troubleshooting a Connection to a DB Instance Running SQL Server

There are several common causes for problems when trying to connect to a DB instance using SQL Server Management Studio:

• The access rules enforced by your local firewall and the IP addresses you authorized to access your DB instance in the instance's security group are not in sync. If you used Microsoft SQL Server Management Studio and you followed the settings specified in the steps above and you are unable to connect, the problem is most likely the egress or ingress rules on your firewall or the ingress rules in the security group. For more information about security groups, see Amazon RDS Security Groups (p. 149).

• If you cannot send out or receive communications over the port you specified when you created the DB instance, you will not be able to connect to the DB instance. Check with your network administrator to determine if the port you specified for your DB instance is allowed to be used for inbound and outbound communication.

• For newly created DB instances, you must wait for the DB instance status to be "Available" before you can connect to the instance. Depending on the size of your DB instance, it can take up to 20 minutes before the instance is available.

Here are a few things to check if you know that you can send and receive communications through your firewall for the port you specified when you created the DB instance.

Could not open a connection to SQL Server - Microsoft SQL Server, Error: 53 - You must include the port number when you specify the Server Name when using Microsoft SQL Server Management Studio. For example, the server name for a DB instance (including the port number) could be: sqlsvr-pdz.c6c8mdfntzgv0.region.rds.amazonaws.com,1433


No connection could be made because the target machine actively refused it - Microsoft SQL Server, Error: 10061 - You reached the DB instance's address, but nothing accepted the connection on the port you specified. Check that the port in the Server name matches the Database Port you chose when you created the DB instance. A wrong user name or password does not produce this error; it produces a login failure after the connection has been established.

Deleting a DB Instance

Once you have connected to the sample DB instance that you created, you should delete the DB instance so you are no longer charged for it.

To delete a DB instance with no final DB snapshot

1. Sign in to the AWS Management Console and open the Amazon RDS console at https://console.aws.amazon.com/rds/.

2. In the Instances list, choose the DB instance you wish to delete.

3. Choose Instance Actions, and then choose Delete from the dropdown menu.

4. Choose No in the Create final Snapshot? drop-down list box. Choose No only for a throwaway instance such as this one; once the instance is deleted, a final snapshot is the only way to get its data back.

5. Choose Yes, Delete.

Creating a PostgreSQL DB Instance and Connecting to a Database on a PostgreSQL DB Instance

The easiest way to create a DB instance is to use the RDS console. Once you have created the DB instance, you can use standard SQL client utilities to connect to the DB instance, such as the pgAdmin utility. In this example, you create a DB instance running the PostgreSQL database engine with a db.m1.small DB instance class, 5 GB of storage, and automated backups enabled with a retention period of one day.

Important
You must complete the tasks in the Setting Up for Amazon RDS (p. 7) section before you can create or connect to a DB instance.

Topics

Creating a PostgreSQL DB Instance (p. 38)

Connecting to a PostgreSQL DB Instance (p. 44)

Deleting a DB Instance (p. 47)

Creating a PostgreSQL DB Instance

To create a DB Instance Running the PostgreSQL DB Engine

1. Sign in to the AWS Management Console and open the Amazon RDS console at https://console.aws.amazon.com/rds/.

2. In the top right corner of the AWS Management Console, choose the region in which you want to create the DB instance.

3. In the navigation pane, choose Instances.

4. Choose Launch DB Instance to start the Launch DB Instance Wizard. The wizard opens on the Select Engine page.


5. On the Select Engine page, choose the PostgreSQL icon, and then choose Select.

6. Next, the Production? page asks if you are planning to use the DB instance you are creating for production. If you are, choose Yes. By choosing Yes, the failover option Multi-AZ and the Provisioned IOPS storage option will be preselected in the following step. Choose Next when you are finished.

7. On the Specify DB Details page, specify your DB instance information. Choose Next when you are finished.

License Model: PostgreSQL has only one license model. Choose postgresql-license to use the general license agreement for PostgreSQL.

DB Engine Version: Choose the version of PostgreSQL you want to use.

DB Instance Class: Choose db.m1.small for a configuration that equates to 1.7 GB memory, 1 ECU (1 virtual core with 1 ECU), 64-bit platform, and moderate I/O capacity. For more information about all the DB instance class options, see DB Instance Class (p. 104).

Multi-AZ Deployment: Choose No to create your DB instance in a single Availability Zone. For more information about multiple Availability Zones, see Regions and Availability Zones (p. 111).

Allocated Storage: Type 5 to allocate 5 GB of storage for your database. In some cases, allocating a higher amount of storage for your DB instance than the size of your database can improve I/O performance. For more information about storage allocation, see Amazon Relational Database Service Features.

Storage Type: Choose the storage type Magnetic. For more information about storage, see Storage for Amazon RDS (p. 120).

DB Instance Identifier: Type a name for the DB instance that is unique for your account in the region you chose. You can add some intelligence to the name, such as including the region and DB engine you chose, for example postgreSQL-test.

Master Username: Type a name using alphanumeric characters that you will use as the master user name to log on to your DB instance. For information on the default privileges granted to the master user name, see Amazon RDS PostgreSQL Planning Information (p. 452).

Master Password and Confirm Password: Type a password that contains from 8 to 128 printable ASCII characters (excluding /, ", and @) for your master password, then type the password again in the Confirm Password text box.

Enable Encryption: Choose Yes to enable encryption at rest for this DB instance. You cannot turn encryption on for a DB instance after it has been created. For more information, see Encrypting Amazon RDS Resources (p. 145).


8. On the Configure Advanced Settings page, provide additional information that RDS needs to launch the PostgreSQL DB instance. The table shows settings for an example DB instance. Specify your DB instance information, then choose Launch DB Instance.


VPC: This setting depends on the platform you are on. If you are a new customer to AWS, choose the default VPC shown. If you are creating a DB instance on the previous EC2-Classic platform that does not use a VPC, choose Not in VPC. For more information about VPC, see Amazon RDS and Amazon Virtual Private Cloud (VPC) (p. 114).

DB Subnet Group: This setting depends on the platform you are on. If you are a new customer to AWS, choose default, which will be the default DB subnet group that was created for your account. If you are creating a DB instance on the previous EC2-Classic platform and you want your DB instance in a specific VPC, choose the DB subnet group you created for that VPC. For more information about VPC, see Amazon RDS and Amazon Virtual Private Cloud (VPC) (p. 114).

Publicly Accessible: Choose Yes to give the DB instance a public IP address, meaning that it will be reachable from outside the VPC (subject to the rules of its VPC security group); otherwise, choose No, so the DB instance will only be accessible from inside the VPC. For more information about hiding DB instances from public access, see Hiding a DB instance in a VPC from the Internet.

Availability Zone: Use the default value of No Preference unless you want to specify an Availability Zone.

VPC Security Group: If you are a new customer to AWS, choose the default VPC security group. If you created a VPC security group, choose the VPC security group you previously created.

Database Name: Type a name for your database of up to 63 alphanumeric characters. If you do not provide a name, the default "postgres" database is created.

Database Port: Specify a port you want to use to access the database. PostgreSQL installations default to port 5432.

Parameter Group: Use the default value unless you have created your own parameter group.

Option Group: Use the default value unless you have created your own option group.

Backup Retention Period: Set the number of days you want automatic backups of your database to be retained. For testing purposes, you can set this value to 1.

Backup Window: Unless you have a specific time that you want to have your database backed up, use the default of No Preference.

Auto Minor Version Upgrade: Choose Yes to enable your DB instance to receive minor DB engine version upgrades automatically when they become available.

Maintenance Window: Choose the 30 minute window in which pending modifications to your DB instance are applied. If the time period doesn't matter, choose No Preference.


9. On the final page of the wizard, choose Close.

10. On the Amazon RDS console, the new DB instance appears in the list of DB instances. The DB instance will have a status of creating until the DB instance is created and ready for use. When the state changes to available, you can connect to the DB instance. Depending on the DB instance class and storage allocated, it could take several minutes for the new instance to be available.
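The Publicly Accessible and VPC Security Group settings chosen in step 8 together decide who can reach the new DB instance, and the same pair of settings appears in the Oracle, SQL Server and Aurora wizards on this page. The following script is an added example, not code from this guide or from AWS: it reads the JSON shapes that `aws rds describe-db-instances` and `aws ec2 describe-security-groups` return and reports every DB instance that has a public IP address and, at the same time, a security group rule admitting its database port from the whole Internet. The two JSON documents, their instance identifiers, hostnames and security group ID are constructed for the example, and the prefix-length threshold is the example's own choice.

```python
"""Audit RDS DB instances for exposure to the Internet.

Added example for this guide (not AWS code). It reads the JSON shapes that
`aws rds describe-db-instances` and `aws ec2 describe-security-groups` emit and
reports instances that are Publicly Accessible AND whose VPC security group
admits the database port from the whole Internet. Both conditions are needed:
without a public IP address a world-open rule exposes nothing, and without such
a rule a public IP address is unreachable.
"""
import ipaddress
import json

# Constructed sample output (fictitious identifiers, hostnames and group ID):
# a publicly accessible PostgreSQL instance and a private SQL Server instance
# sharing one security group.
DB_INSTANCES_JSON = """
{"DBInstances": [
  {"DBInstanceIdentifier": "postgresql-test", "Engine": "postgres",
   "PubliclyAccessible": true,
   "Endpoint": {"Address": "postgresql-test.c6c8mwvfdgv0.us-west-2.rds.amazonaws.com",
                "Port": 5432},
   "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0a1b2c3d", "Status": "active"}]},
  {"DBInstanceIdentifier": "sqlsv-instance1", "Engine": "sqlserver-se",
   "PubliclyAccessible": false,
   "Endpoint": {"Address": "sqlsv-instance1.cg034hpkmmjt.us-east-1.rds.amazonaws.com",
                "Port": 1433},
   "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0a1b2c3d", "Status": "active"}]}
]}
"""

SECURITY_GROUPS_JSON = """
{"SecurityGroups": [
  {"GroupId": "sg-0a1b2c3d", "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
      "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
     {"IpProtocol": "tcp", "FromPort": 1433, "ToPort": 1433,
      "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []}]}
]}
"""

# A source CIDR at least this wide counts as "the whole Internet" (example's choice).
WORLD_PREFIX_V4 = 8


def rule_admits_port(rule, port):
    """True if an IpPermissions entry covers TCP `port` (or all traffic)."""
    proto = rule.get("IpProtocol")
    if proto == "-1":            # "-1" means every protocol and every port
        return True
    if proto != "tcp":
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def rule_is_world_open(rule):
    """True if any source range of the rule is effectively the whole Internet."""
    for r in rule.get("IpRanges", []):
        if ipaddress.ip_network(r["CidrIp"], strict=False).prefixlen <= WORLD_PREFIX_V4:
            return True
    for r in rule.get("Ipv6Ranges", []):
        if ipaddress.ip_network(r["CidrIpv6"], strict=False).prefixlen == 0:
            return True
    return False


def find_exposed_instances(db_json, sg_json):
    """Return [(instance id, port, security group id)] for every DB instance
    that has a public IP address and a world-open rule on its own port."""
    groups = {g["GroupId"]: g for g in json.loads(sg_json)["SecurityGroups"]}
    findings = []
    for db in json.loads(db_json)["DBInstances"]:
        if not db.get("PubliclyAccessible"):
            continue             # private instance: nothing to report
        port = db["Endpoint"]["Port"]
        for ref in db.get("VpcSecurityGroups", []):
            sg = groups.get(ref["VpcSecurityGroupId"])
            if sg is None:
                continue
            if any(rule_admits_port(r, port) and rule_is_world_open(r)
                   for r in sg.get("IpPermissions", [])):
                findings.append((db["DBInstanceIdentifier"], port, sg["GroupId"]))
    return findings


if __name__ == "__main__":
    # With real data, pass the text of the files written by the two
    # `aws ... --output json` calls instead of the constructed samples.
    for ident, port, sg_id in find_exposed_instances(DB_INSTANCES_JSON, SECURITY_GROUPS_JSON):
        print("EXPOSED: %s port %d open to the Internet via %s" % (ident, port, sg_id))
```

Run against the constructed sample, the script reports only postgresql-test: sqlsv-instance1 shares the same group but has no public IP address, and its port is admitted only from a single /24. A finding is a prompt to either set Publicly Accessible to No or to narrow the rule to the addresses that actually need to connect.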

Connecting to a PostgreSQL DB Instance

After Amazon RDS provisions your DB instance, you can use any standard SQL client application to connect to the instance. It is important to note that the security group you assigned to the DB instance when you created it must allow access to the DB instance. If you have difficulty connecting to the DB instance, the problem is most often with the access rules you set up in the security group you assigned to the DB instance.

This section shows two ways to connect to a PostgreSQL DB instance. The first example uses pgAdmin, a popular open source administration and development tool for PostgreSQL. You can download and use pgAdmin without having a local instance of PostgreSQL on your client computer. The second example uses psql, a command line utility that is part of a PostgreSQL installation. To use psql, you must have PostgreSQL installed on your client computer or have installed the psql client on your machine.

In this example, you connect to a PostgreSQL DB instance using pgAdmin.

Using pgAdmin to Connect to a PostgreSQL DB Instance

To connect to a PostgreSQL DB instance using pgAdmin

1. Launch the pgAdmin application on your client computer. You can install pgAdmin from http://www.pgadmin.org/.

2. Choose Add Server from the File menu.

3. In the New Server Registration dialog box, enter the DB instance endpoint (for example, mypostgresql.c6c8dntfzzhgv0.us-west-2.rds.amazonaws.com) in the Host text box. Do not include the colon or port number as shown on the Amazon RDS console (mypostgresql.c6c8dntfzzhgv0.us-west-2.rds.amazonaws.com:5432). Enter the port you assigned to the DB instance into the Port text box. Enter the user name and user password you entered when you created the DB instance into the Username and Password text boxes, respectively.


4. Choose OK.

5. In the Object browser, expand the Server Groups. Choose the Server (the DB instance) you created, and then choose the database name.


6. Choose the plugin icon and choose PSQL Console. The psql command window opens for the default database you created.


7. Use the command window to enter SQL or psql commands. Type \q to close the window.

Using psql to Connect to a PostgreSQL DB Instance

If your client computer has PostgreSQL installed, you can use a local instance of psql to connect to a PostgreSQL DB instance. To connect to your PostgreSQL DB instance using psql, you need to provide host information and access credentials.

The following format is used to connect to a PostgreSQL DB instance on Amazon RDS:

psql --host=<DB instance endpoint> --port=<port> --username=<master user name> --password --dbname=<database name>

For example, the following command connects to a database called mypgdb on a PostgreSQL DB instance called mypostgresql using fictitious credentials:

psql --host=mypostgresql.c6c8mwvfdgv0.us-west-2.rds.amazonaws.com --port=5432 --username=awsuser --password --dbname=mypgdb

The --password option makes psql prompt for the password rather than taking it on the command line, so the password does not end up in your shell history or in the process list.
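Each client on this page wants the console's "<dns name>:<port>" endpoint in a different form: the sqlplus connect descriptor in the Oracle section, the "host,port" Server name in SQL Server Management Studio, and psql's --host/--port above. The following helpers are an added example, not code from this guide or from AWS; they build those three forms from the endpoint string and never place the password in the argument list, which is the detail that keeps it out of `ps` output and shell history. The endpoints in the usage lines are placeholders in the guide's own style, and `run_psql` assumes a psql binary and network reach, so it is shown but not exercised.

```python
"""Turn an RDS endpoint into client connection arguments, keeping the password
off the command line.

Added example (not code from the AWS guide). The console shows an endpoint as
"<dns name>:<port>"; sqlplus wants a connect descriptor, SQL Server Management
Studio wants "host,port", and psql wants --host/--port. None of the argv
builders below includes the password: sqlplus and psql prompt for it, and for
unattended psql runs it is passed through the PGPASSWORD environment variable.
"""
import os
import subprocess


def split_endpoint(endpoint):
    """'host:port' -> (host, port); the console's Endpoint field has exactly this form."""
    host, sep, port = endpoint.rpartition(":")
    if not sep or not host or not port.isdigit():
        raise ValueError("endpoint must look like <dns name>:<port>, got %r" % endpoint)
    return host, int(port)


def oracle_descriptor(endpoint, sid):
    """sqlplus connect descriptor; `sid` is the Database Name chosen in the wizard,
    not the DB instance identifier."""
    host, port = split_endpoint(endpoint)
    return ("(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=%s)(PORT=%d))"
            "(CONNECT_DATA=(SID=%s)))" % (host, port, sid))


def sqlplus_argv(user, endpoint, sid):
    """argv for sqlplus. No 'user/password@' form: sqlplus prompts for the password,
    so it never shows up in `ps` output or shell history."""
    return ["sqlplus", "%s@%s" % (user, oracle_descriptor(endpoint, sid))]


def ssms_server_name(endpoint):
    """SQL Server Management Studio's Server name field: host, comma, port."""
    host, port = split_endpoint(endpoint)
    return "%s,%d" % (host, port)


def psql_argv(user, endpoint, dbname, prompt=True):
    """argv for psql in the guide's option order. With prompt=True, --password
    forces an interactive prompt instead of reading the password from argv."""
    host, port = split_endpoint(endpoint)
    argv = ["psql", "--host=%s" % host, "--port=%d" % port, "--username=%s" % user]
    if prompt:
        argv.append("--password")
    argv.append("--dbname=%s" % dbname)
    return argv


def run_psql(user, endpoint, dbname, password, sql):
    """Unattended psql run: the password travels in PGPASSWORD, which child
    processes inherit but `ps` does not show. Needs a psql binary and network
    reach, so it is not exercised offline."""
    env = dict(os.environ, PGPASSWORD=password)
    argv = psql_argv(user, endpoint, dbname, prompt=False) + ["--command", sql]
    return subprocess.run(argv, env=env, capture_output=True, text=True)


if __name__ == "__main__":
    # Placeholder endpoints in the guide's own style, not real instances.
    print(" ".join(sqlplus_argv("<master user name>", "<endpoint>:1521", "ORCL")))
    print(ssms_server_name("sqlsv-instance1.cg034hpkmmjt.us-east-1.rds.amazonaws.com:1433"))
    print(" ".join(psql_argv("awsuser",
                             "mypostgresql.c6c8mwvfdgv0.us-west-2.rds.amazonaws.com:5432",
                             "mypgdb")))
```

For scripts that run unattended, `run_psql` shows the environment-variable route; a `~/.pgpass` file with mode 0600 is the other standard option, and either is preferable to a literal password in a command line.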

Troubleshooting Connection Issues

By far the most common problem that occurs when attempting to connect to a database on a DB instance is the access rules in the security group assigned to the DB instance. If you used the default DB security group when you created the DB instance, chances are good that the security group did not have the rules that will allow you to access the instance. For more information about Amazon RDS security groups, see Amazon RDS Security Groups (p. 149).

The most common error is could not connect to server: Connection timed out. If you receive this error, check that the host name is the DB instance endpoint and that the port number is correct. Check that the security group assigned to the DB instance has the necessary rules to allow access through any firewall your connection may be going through.
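A plain TCP probe of the endpoint's port tells the failure modes apart before any client is involved, both for the PostgreSQL timeout above and for the SQL Server errors 53 and 10061 discussed earlier on this page. The following is an added example, not code from this guide or from AWS: a timeout means the security group or a firewall is silently dropping packets, "refused" means the host answered but nothing listens on that port (usually the wrong port), and an open port means the network path is fine and what remains is credentials. The demonstration function probes a loopback listener so it runs offline; the hostname in the trailing comment is a placeholder, not a real instance.

```python
"""Classify a failed connection to a DB instance endpoint with a plain TCP probe.

Added example (not code from the AWS guide). It separates the cases the
troubleshooting notes for SQL Server and PostgreSQL describe: a timeout means
the security group or a firewall is dropping the packets, "refused" means the
host answered but nothing listens on that port (usually the wrong port), and an
open port means the network path is fine and what is left is credentials.
"""
import errno
import socket

ADVICE = {
    "open": "port reachable; check the user name, password and database name",
    "refused": "host answered but nothing listens on that port; verify the Database Port you chose",
    "timeout": "no answer; check the VPC security group ingress rule and any firewall in the path",
    "unresolvable": "DNS name did not resolve; copy the endpoint exactly from the RDS console",
    "unreachable": "no route to the host; check VPN, routing and the Publicly Accessible setting",
}


def probe_tcp(host, port, timeout=5.0):
    """Return 'open', 'refused', 'timeout', 'unresolvable' or 'unreachable'."""
    try:
        infos = socket.getaddrinfo(host, port, 0, socket.SOCK_STREAM)
    except socket.gaierror:
        return "unresolvable"
    result = "unreachable"
    for family, socktype, proto, _, sockaddr in infos:
        s = socket.socket(family, socktype, proto)
        s.settimeout(timeout)
        try:
            s.connect(sockaddr)
            return "open"            # the first address that answers wins
        except socket.timeout:
            result = "timeout"
        except ConnectionRefusedError:
            result = "refused"
        except OSError as e:
            result = "refused" if e.errno == errno.ECONNREFUSED else "unreachable"
        finally:
            s.close()
    return result


def diagnose(host, port, timeout=5.0):
    """(state, what to check next) for the endpoint shown in the RDS console."""
    state = probe_tcp(host, port, timeout)
    return state, ADVICE[state]


def demo_against_local_listener():
    """Offline demonstration: probe a loopback listener ('open'), close it and
    probe the same port again ('refused'). Returns both results."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))           # port 0: the OS picks a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    before = probe_tcp("127.0.0.1", port, timeout=2.0)
    srv.close()
    after = probe_tcp("127.0.0.1", port, timeout=2.0)
    return before, after


if __name__ == "__main__":
    print(demo_against_local_listener())
    # Against a real instance (placeholder endpoint):
    # print(diagnose("mypostgresql.c6c8mwvfdgv0.us-west-2.rds.amazonaws.com", 5432))
```

Run `diagnose` from the same machine and network path your SQL client uses; a probe that succeeds from inside the VPC but times out from your desk is the security group doing exactly what it was configured to do.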

Deleting a DB Instance

Once you have connected to the sample DB instance that you created, you should delete the DB instance so you are no longer charged for it.

To delete a DB instance with no final DB snapshot

1. Sign in to the AWS Management Console and open the Amazon RDS console at https://console.aws.amazon.com/rds/.

2. In the Instances list, choose the DB instance you wish to delete.

3. Choose Instance Actions, and then choose Delete from the dropdown menu.

4. Choose No in the Create final Snapshot? drop-down list box. Choose No only for a throwaway instance such as this one; once the instance is deleted, a final snapshot is the only way to get its data back.

5. Choose Yes, Delete.


Creating a DB Cluster and Connecting to a Database on an Amazon Aurora DB Instance

The easiest way to create an Amazon Aurora DB cluster is to use the Amazon RDS console. Once you have created the DB cluster, you can use standard MySQL utilities such as MySQL Workbench to connect to a database on the DB cluster.

Important
You must complete the tasks in the Setting Up for Amazon RDS (p. 7) section before you can create or connect to a DB cluster.

Topics

Create a DB Cluster (p. 48)

Connect to an Instance in a DB Cluster (p. 52)

Delete the Sample DB Cluster, DB Subnet Group, and VPC (p. 53)

Create a DB Cluster

Before you create a DB cluster, you must first have an Amazon Virtual Private Cloud (VPC) and an Amazon RDS DB subnet group. Your VPC must have at least two subnets in at least two Availability Zones. You can use the default VPC for your AWS account, or you can create your own VPC. The Amazon RDS console makes it easy for you to create your own VPC for use with Amazon Aurora or use an existing VPC with your Aurora DB cluster.

If you want to create a VPC and DB subnet group for use with your Amazon Aurora DB cluster yourself, rather than having Amazon RDS create the VPC and DB subnet group for you, then follow the instructions in How to Create a VPC for Use with Amazon Aurora (p. 515). Otherwise, follow the instructions in this topic to create your DB cluster and have Amazon RDS create a VPC and DB subnet group for you.

Note
All VPC and Amazon EC2 resources that you use with your Amazon Aurora DB cluster must reside in the same region as the DB cluster, and that region must be one in which Amazon Aurora is available (step 2 of the following procedure lists them).

To launch an Aurora DB cluster

1. Open the Amazon RDS for Aurora console at https://console.aws.amazon.com/rds.

2. In the top-right corner of the AWS Management Console, choose the region that you want to create your DB cluster in. This example uses the US East (N. Virginia) region. Amazon Aurora is only available in the US East (N. Virginia) (us-east-1), US West (Oregon) (us-west-2), EU (Ireland) (eu-west-1), Asia Pacific (Tokyo) (ap-northeast-1), Asia Pacific (Sydney) (ap-southeast-2), and Asia Pacific (Seoul) (ap-northeast-2) regions.

3. In the left navigation pane, choose Instances.

4. Choose Launch DB Instance to start the Launch DB Instance Wizard. The wizard opens on the Select Engine page.

5. On the Select Engine page, choose the Select button for the Aurora DB engine.


6. Set the following values on the Specify DB Details page:

DB Instance Class: db.r3.large

DB Instance Identifier: gs-db-instance1

Master Username: Using alphanumeric characters, type a master user name, used to log on to your DB instances in the DB cluster.

Master Password and Confirm Password: Type a password in the Master Password box that contains from 8 to 41 printable ASCII characters (excluding /, ", and @) for your master user password, used to log on to your database. Then type the password again in the Confirm Password box.


7. Choose Next and set the following values on the Configure Advanced Settings page:

VPC ID: If you have an existing VPC, then you can use that VPC with your Amazon Aurora DB cluster by choosing your VPC identifier, for example vpc-a464d1c1. For information on using an existing VPC, see How to Create a VPC for Use with Amazon Aurora (p. 515).

Otherwise, you can choose to have Amazon RDS create a VPC for you by choosing Create a new VPC. This example uses the Create a new VPC option.

Subnet Group: If you have an existing subnet group, then you can use that subnet group with your Amazon Aurora DB cluster by choosing your subnet group identifier, for example, gs-subnet-group1.

Otherwise, you can choose to have Amazon RDS create a subnet group for you by choosing Create a new subnet group. This example uses the Create a new subnet group option.

Publicly Accessible: Yes

Note

Your production DB cluster might not need to be in a public subnet, because only your application servers will require access to your DB cluster. If your DB cluster doesn't need to be in a public subnet, set Publicly Accessible to No.

Availability Zone: No Preference

VPC Security Group(s): If you have one or more existing VPC security groups, then you can use one or more of those VPC security groups with your Amazon Aurora DB cluster by choosing your VPC security group identifiers, for example, gs-security-group1.

Otherwise, you can choose to have Amazon RDS create a VPC security group for you by choosing Create a new Security group. This example uses the Create a new Security group option.


DB Cluster Identifier: gs-db-cluster1

Database Name: sampledb

Database Port: 3306

Note

You might be behind a corporate firewall that does not allow access to default ports such as the MySQL default port, 3306. In this case, provide a port value that your corporate firewall allows. Remember that port value later when you connect to the Aurora DB cluster.


8. Leave the rest of the values as their defaults, and choose Launch DB Instance to create the DB cluster and primary instance.

Connect to an Instance in a DB Cluster

Once Amazon RDS provisions your DB cluster and creates the primary instance, you can use any standard SQL client application to connect to a database on the DB cluster. In this example, you connect to a database on the DB cluster using MySQL monitor commands. One GUI-based application that you can use to connect is MySQL Workbench. For more information, go to the Download MySQL Workbench page.

To connect to a database on a DB cluster using the MySQL monitor

1. Open the Amazon RDS for Aurora console at https://console.aws.amazon.com/rds.

2. Choose Clusters and choose the DB cluster from the list to show the DB cluster details. On the details page, copy the value for the endpoint. This endpoint is the cluster endpoint.

3. Type the following command at a command prompt on a client computer to connect to a database on a DB cluster using the MySQL monitor. Use the cluster endpoint to connect to the primary instance, and the master user name that you created previously (you will be prompted for a password). If you supplied a port value other than 3306, use that for the -P parameter instead.

PROMPT> mysql -h <endpoint> -P 3306 -u <mymasteruser> -p


You will see output similar to the following.

Welcome to the MySQL monitor. Commands end with ; or \g.

Your MySQL connection id is 350

Server version: 5.1.32-log MySQL Community Server (GPL)

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql>

Delete the Sample DB Cluster, DB Subnet Group, and VPC

Once you have connected to the sample DB cluster that you created, you can delete the DB cluster, DB subnet group, and VPC (if you created a VPC).

To delete a DB cluster

1. Open the Amazon RDS for Aurora console at https://console.aws.amazon.com/rds.

2. Choose Instances and then choose the gs-db-instance1 DB instance.

3. Choose Instance Actions, and then choose Delete on the dropdown menu.

4. Choose Yes, Delete.

To delete a DB subnet group

1. Open the Amazon RDS for Aurora console at https://console.aws.amazon.com/rds.

2. Choose Subnet Groups and then choose the gs-subnet-group1 DB subnet group.

3. Choose Delete.

4. Choose Yes, Delete.

To delete a VPC

1. Sign in to the AWS Management Console and open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

2. Choose Your VPCs and then choose the VPC that was created for this procedure.

3. Choose Delete.

4. Choose Yes, Delete.

Creating a MariaDB DB Instance and Connecting to a Database on a MariaDB DB Instance

The easiest way to create a MariaDB DB instance is to use the Amazon RDS console. Once you have created the DB instance, you can use command line tools such as mysql or standard graphical tools such as HeidiSQL to connect to a database on the DB instance.

Important

You must complete the tasks in the Setting Up for Amazon RDS (p. 7) section before you can create or connect to a DB instance.


Topics

Creating a MariaDB Instance (p. 54)

Connecting to a Database on a DB Instance Running the MariaDB Database Engine (p. 59)

Deleting a DB Instance (p. 59)

Creating a MariaDB Instance

The basic building block of Amazon RDS is the DB instance. This environment is where you will run your MariaDB databases.

In this example, you create a DB instance running the MariaDB database engine called east1-mariadb-instance1, with a db.t2.small DB instance class, 5 GB of storage, and automated backups enabled with a retention period of one day.

To create a MariaDB DB instance

1. Sign in to the AWS Management Console and open the Amazon RDS console at https://console.aws.amazon.com/rds/.

2. In the top right corner of the Amazon RDS console, choose the region in which you want to create the DB instance.

3. In the navigation pane, choose Instances.

4. Choose Launch DB Instance. The Launch DB Instance Wizard opens on the Select Engine page.


5. On the Select Engine page, choose the MariaDB icon, and then choose Select for the MariaDB engine.

6. Next, the Production? page asks if you plan to use the DB instance you are creating for production. Because this is an example instance, choose No. When you are finished, choose Next.

Note

If you create a production instance, you typically choose Yes on this page to enable the failover option Multi-AZ and the Provisioned IOPS storage option.

7. On the Specify DB Details page, specify your DB instance information. The following table shows settings for an example DB instance. When the settings are as you want them, choose Next.

For This Parameter / Do This:

License Model: Choose the default, general-public-license, to use the GNU General Public License, version 2 for MariaDB. MariaDB has only one license model.

DB Engine Version: Choose version 10.0.17 of MariaDB.

DB Instance Class: Choose db.t2.small for a configuration that equates to 2 GB memory, 1 ECU (1 virtual core with 1 ECU), 64-bit platform, and moderate I/O capacity.

Multi-AZ Deployment: Choose No to create your example DB instance in a single Availability Zone. Note: You usually choose Yes for production instances to enable instance failover and maintain high availability.

Storage Type: Choose the storage type Magnetic. For more information about storage, see Storage for Amazon RDS (p. 120).

Allocated Storage: Type 5 to allocate 5 GB of storage for your database. In some cases, allocating a higher amount of storage for your DB instance than the size of your database can improve I/O performance. For more information about storage allocation, see Amazon Relational Database Service Features.

DB Instance Identifier: Type a name for the DB instance that is unique for your account in the region you chose. You can add some intelligence to the name, such as including the region and DB engine you chose, for example east1-mariadb-instance1.

Master Username: Type a name using 1-16 alphanumeric characters that you will use as the master user name to log on to your DB instance. You'll use this user name to log on to your database on the DB instance for the first time.

Master Password and Confirm Password: Type a password that contains from 8 to 41 printable ASCII characters (excluding /, ", and @) for your master user password. You'll use this password with the user name when you log on to your database. Type the password again in the Confirm Password text box.


8. On the Configure Advanced Settings page, provide additional information that RDS needs to launch the MariaDB DB instance. The table shows settings for an example DB instance. Specify your DB instance information, then choose Launch DB Instance.

For This Parameter / Do This:

VPC: Choose the name of the Amazon Virtual Private Cloud (Amazon VPC) that will host your MariaDB DB instance. For more information about using VPC, see Amazon RDS and Amazon Virtual Private Cloud (VPC) (p. 114).

Availability Zone: Determine if you want to specify a particular Availability Zone. For more information about Availability Zones, see Regions and Availability Zones (p. 111).

VPC Security Groups: Choose the VPC security group you want to use with this DB instance. For more information about VPC security groups, go to Security Groups for Your VPC in the Amazon Virtual Private Cloud User Guide.

Database Name: Type a database name that is 1 to 64 alphanumeric characters. If you don't provide a name, Amazon RDS won't automatically create a database on the DB instance you are creating.

Database Port: Leave the default value of 3306 unless you have a specific port you want to access the database through. MariaDB installations default to port 3306.

DB Parameter Group: Accept the default value of default.mariadb10.0 unless you created your own DB parameter group. For more information about parameter groups, see Working with DB Parameter Groups (p. 724).

Option Group: Accept the default value of default.mariadb-10-0.

Enable Encryption: Choose No. Note: You usually choose Yes for production instances to enable encryption at rest for this DB instance. For more information, see Encrypting Amazon RDS Resources (p. 145).

Backup Retention Period: Set the number of days you want automatic backups of your database to be retained. For testing purposes, you can set this value to 1.

Backup Window: Unless you have a specific time that you want to have your database backed up, use the default of No Preference.

Enable Enhanced Monitoring: Unless you want to enable gathering metrics in real time for the operating system that your DB instance runs on, use the default of No.

Auto Minor Version Upgrade: Choose Yes to enable your DB instance to receive minor DB engine version upgrades automatically when they become available.

Maintenance Window: Choose the 30 minute window in which pending modifications to your DB instance are applied. If the time period doesn't matter, choose No Preference.


9. On the RDS console, the new DB instance appears in the list of DB instances. The DB instance will have a status of creating until the DB instance is created and ready for use. When the state changes to available, you can connect to a database on the DB instance. Depending on the DB instance class and storage allocated, it can take several minutes for the new DB instance to become available.


Connecting to a Database on a DB Instance Running the MariaDB Database Engine

Once Amazon RDS provisions your DB instance, you can use any standard SQL client application to connect to a database on the DB instance. In this example, you connect to a database on a MariaDB DB instance using the mysql command-line tool. One GUI-based application you can use to connect is HeidiSQL; for more information, go to the Download HeidiSQL page. For more information on using MariaDB, go to the MariaDB documentation.

To connect to a database on a DB instance using the mysql command-line tool

Type the following command at a command prompt on a client computer to connect to a database on a MariaDB DB instance. Substitute the DNS name for your DB instance for <endpoint>, the master user name you used for <mymasteruser>, and provide the master password you used when prompted for a password.

PROMPT> mysql -h <endpoint> -P 3306 -u <mymasteruser> -p

You will see output similar to the following.

Welcome to the MySQL monitor. Commands end with ; or \g.

Your MySQL connection id is 272

Server version: 5.5.5-10.0.17-MariaDB-log MariaDB Server

Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql >

Deleting a DB Instance

Once you have connected to the sample DB instance that you created, you should delete the DB instance so you are no longer charged for it.


To delete a DB instance with no final DB snapshot

1. Sign in to the AWS Management Console and open the Amazon RDS console at https://console.aws.amazon.com/rds/.

2. For Instances, choose the DB instance you want to delete.

3. For Instance Actions, choose Delete.

4. For Create final Snapshot?, choose No.

5. Choose Yes, Delete.


Tutorials

The following tutorials show you how to perform common tasks that use Amazon RDS.

Topics

Tutorial: Restore a DB Instance from a DB Snapshot (p. 61)

Tutorial: Create an Amazon VPC for Use with an Amazon RDS DB Instance (p. 67)

Tutorial: Create a Web Server and an Amazon RDS Database (p. 76)

For videos, see AWS Instructional Videos and Labs .

Tutorial: Restore a DB Instance from a DB Snapshot

A common scenario when working with Amazon RDS is to have a DB instance that you work with occasionally but that you don't need full time. For example, you might have a quarterly customer survey that uses an Amazon Elastic Compute Cloud (Amazon EC2) instance to host a customer survey website and a DB instance that is used to store the survey results. One way to save money on such a scenario is to take a DB snapshot of the DB instance after the survey is completed, delete the DB instance, and then restore the DB instance when you need to conduct the survey again.

In the following illustration, you can see a possible scenario where an EC2 instance hosting a customer survey website is in the same Amazon Virtual Private Cloud (Amazon VPC) as a DB instance that retains the customer survey data. Note that each instance has its own security group; the EC2 instance security group allows access from the Internet while the DB instance security group allows access only to and from the EC2 instance. When the survey is done, the EC2 instance can be stopped and the DB instance can be deleted after a final DB snapshot is created. When you need to conduct another survey, you can restart the EC2 instance and restore the DB instance from the DB snapshot.


For information about how to set up the needed VPC security groups for this scenario that allows the EC2 instance to connect with the DB instance, see A DB Instance in a VPC Accessed by an EC2 Instance in the Same VPC (p. 157).

You must create a DB snapshot before you can restore a DB instance from one. When you restore the DB instance, you provide the name of the DB snapshot to restore from, and then provide a name for the new DB instance that is created from the restore operation. You cannot restore from a DB snapshot to an existing DB instance; a new DB instance is created when you restore.

Prerequisites for Restoring a DB Instance from a DB Snapshot

Some settings on the restored DB instance are reset when the instance is restored, so you must retain the original resources to be able to restore the DB instance to its previous settings. For example, when you restore a DB instance from a DB snapshot, the default DB parameter group and a default security group are associated with the restored instance. That association means that the default security group does not allow access to the DB instance, and no custom parameter settings are available in the default parameter group. You need to retain the DB parameter group and security group associated with the DB instance that was used to create the DB snapshot.

The following are required before you can restore a DB instance from a DB snapshot:

• You must have created a DB snapshot of a DB instance before you can restore a DB instance from that DB snapshot. For more information about creating a DB snapshot, see Creating a DB Snapshot (p. 678).

• You must retain the parameter group and security group associated with the DB instance you created the DB snapshot from.

• You must retain the VPC where the DB instance you made the DB snapshot from was located.

• You need to determine the correct option group for the restored DB instance:

• The option group associated with the DB snapshot that you restore from is associated with the restored DB instance once it is created. For example, if the DB snapshot you restore from uses Oracle Transparent Data Encryption (TDE), the restored DB instance uses the same option group, which had the TDE option.


• You cannot use the option group associated with the original DB instance if you attempt to restore that instance into a different VPC or into a different platform. This restriction occurs because when an option group is assigned to a DB instance, it is also linked to the platform that the DB instance is on, either VPC or EC2-Classic (non-VPC). If a DB instance is in a VPC, the option group associated with the instance is linked to that VPC.

• If you restore a DB instance into a different VPC or onto a different platform, you must either assign the default option group to the instance, assign an option group that is linked to that VPC or platform, or create a new option group and assign it to the DB instance. Note that with persistent or permanent options, such as Oracle TDE, you must create a new option group that includes the persistent or permanent option when restoring a DB instance into a different VPC. For more information about working with option groups, see Working with Option Groups (p. 702).

Steps for Restoring a DB Instance from a DB Snapshot

When you restore from a DB snapshot, you must first create the new DB instance as described following.

You can restore to a different edition of the DB engine when restoring from a DB snapshot, but only if the DB snapshot has the required storage allocated for the new edition. For example, to change from Microsoft SQL Server Web Edition to SQL Server Standard Edition, the DB snapshot must have been created from a SQL Server DB instance that had at least 200 GB of allocated storage, which is the minimum allocated storage for SQL Server Standard edition.

After restoring the DB instance, you need to modify the new DB instance to use the parameter and security group that were associated with the DB instance that the DB snapshot was created from. This is because when you restore a DB instance, only the default DB parameter and default security groups are associated with the restored instance. The default security group does not allow any access to your DB instance, and the default parameter group does not have any custom parameter settings. To provide access and add custom parameter settings, you must modify the restored instance as described in Modifying a Restored DB Instance (p. 64).

You can use the procedure following to restore from a snapshot in the AWS Management Console.

AWS Management Console

To restore a DB instance from a DB snapshot

1. Sign in to the AWS Management Console and open the Amazon RDS console at https://console.aws.amazon.com/rds/.

2. In the navigation pane, choose Snapshots.

3. Choose the DB snapshot that you want to restore from.


4. Choose Restore Snapshot. The Restore DB Instance window appears.

5. For DB Instance Identifier, type the name you want to use for the restored DB instance. If you are restoring from a DB instance that you deleted after you made the DB snapshot, you can use the name of that DB instance.

6. Choose Restore DB Instance.

Modifying a Restored DB Instance

As soon as the restore operation is complete, you should associate the restored instance with the custom security group used by the instance you restored from, and with any applicable custom DB parameter group that you might have.

Only the default DB parameter and security groups are associated with the restored instance. If you want to restore the functionality of the DB instance to that of the DB instance that the snapshot was created from, you must modify the DB instance to use the security group and parameter group used by the previous DB instance.

You must apply any changes explicitly using the RDS console's Modify command, the ModifyDBInstance API, or the aws rds modify-db-instance command line tool, once the DB instance is available. We recommend that you retain parameter groups for any DB snapshots you have so that you can associate a restored instance with the correct parameter file.

You can modify other settings on the restored DB instance. For example, you can use a different storage type than the source DB snapshot. In this case the restoration process is slower because of the additional work required to migrate the data to the new storage type. In the case of restoring to or from Magnetic (Standard) storage, the migration process is the slowest, because Magnetic storage does not have the IOPS capability of Provisioned IOPS or General Purpose (SSD) storage.

The next steps assume that your DB instance is in a VPC. If your DB instance is not in a VPC, use the AWS Management Console to locate the DB security group you need for the DB instance.

To modify a restored DB instance to have the settings of the original DB instance

1. Sign in to the AWS Management Console and open the Amazon RDS console at https://console.aws.amazon.com/rds/.


2. In the navigation pane, choose Instances.

3. Select the DB instance created when you restored from the DB snapshot. There are two things to notice here: The security group assigned to the DB instance is the default security group that allows no access, and the warning message shows that there are currently no permissions that allow inbound access.

4. Choose Instance Actions, and then choose Modify.

5. Select the security group that you want to use for your DB instance. If you need to add rules to create a new security group to use with an EC2 instance, see A DB Instance in a VPC Accessed by an EC2 Instance in the Same VPC (p. 157) for more information.


6. Choose Apply Immediately (at the bottom of the page).

7. Choose Continue, and then choose Modify DB Instance.

Notice that the new security group has been applied, and that the DB instance is now authorized for access.


Tutorial: Create an Amazon VPC for Use with an Amazon RDS DB Instance

A common scenario includes an Amazon RDS DB instance in an Amazon VPC that shares data with a web server running in the same VPC. In this tutorial you create the VPC for this scenario.

The following diagram shows this scenario. For information about other scenarios, see Scenarios for Accessing a DB Instance in a VPC (p. 157).


Because your Amazon RDS DB instance only needs to be available to your web server, and not to the public Internet, you create a VPC with both public and private subnets. The web server is hosted in the public subnet, so that it can reach the public Internet. The Amazon RDS DB instance is hosted in a private subnet. The web server is able to connect to the Amazon RDS DB instance because it is hosted within the same VPC, but the Amazon RDS DB instance is not available to the public Internet, providing greater security.

Use the following procedures to create a VPC with both public and private subnets, and corresponding security groups.

Create a VPC with Private and Public Subnets

To create a VPC and subnets

1. Sign in to the AWS Management Console and open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

2. In the top-right corner of the AWS Management Console, choose the region to create your VPC in. This example uses the US West (Oregon) region.

3. In the upper-left corner, choose VPC Dashboard. To begin creating a VPC, choose Start VPC Wizard.

4. On the Step 1: Select a VPC Configuration page, choose VPC with Public and Private Subnets, and then choose Select.

5. On the Step 2: VPC with Public and Private Subnets page, shown following, set these values:

IP CIDR block: 10.0.0.0/16

VPC name: tutorial-vpc

Public subnet: 10.0.0.0/24

Availability Zone (public subnet): us-west-2a

Public subnet name: Tutorial public

Private subnet: 10.0.1.0/24

Availability Zone (private subnet): us-west-2a

Private subnet name: Tutorial Private 1


Note

We will add a second private subnet later, Tutorial Private 2.

Instance type: t2.micro

Note

If you do not see the Instance type box in the console, choose Use a NAT instance instead.

Key pair name: No key pair

Subnet: None

Enable DNS hostnames: Yes

Hardware tenancy: Default


6. When you're finished, choose Create VPC.

To create an additional subnet

You must have either two private subnets or two public subnets available to create an Amazon RDS DB subnet group for an RDS DB instance to use in a VPC. Because the RDS DB instance for this tutorial is private, add a second private subnet to the VPC before creating a subnet group.

1. Sign in to the AWS Management Console and open the Amazon VPC console at https://console.aws.amazon.com/vpc/.


2. To add the second private subnet to your VPC, choose VPC Dashboard, choose Subnets, and then choose Create Subnet.

3. On the Create Subnet page, shown following, set these values:

Name tag: Tutorial private 2

VPC: Choose the VPC that you created in the previous step, for example: vpc-f1b76594 (10.0.0.0/16) | tutorial-vpc

Availability Zone: us-west-2b

Note

Choose an Availability Zone different from the one that you chose for the first private subnet.

CIDR block: 10.0.2.0/24

4. When you're finished, choose Yes, Create.

5. To ensure that the second private subnet that you created uses the same route table as the first private subnet, choose VPC Dashboard, choose Subnets, and then choose the first private subnet that was created for the VPC, Tutorial private 1.

6. Below the list of subnets, choose the Route Table tab, shown following, and note the Current Route Table value, for example: rtb-98b613fd.


7. In the list of subnets, choose the second private subnet Tutorial private 2, and choose the Route Table tab, shown following.

8. If the current route table is not the same as the route table for the first private subnet, then choose Edit. For Change to, choose the route table that you noted in a previous step, for example: rtb-98b613fd.

9. To save your selection, choose Save.

Create a VPC Security Group for a Public Web Server

Next you create a security group for public access. To connect to public instances in your VPC, you add inbound rules to your VPC security group that allow traffic to connect from the internet.


To create a VPC security group

1. Sign in to the AWS Management Console and open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

2. Choose VPC Dashboard, choose Security Groups, and then choose Create Security Group.

3. On the Create Security Group page, shown following, set these values:

Name tag: tutorial-securitygroup

Group name: tutorial-securitygroup

Description: Tutorial Security Group

VPC: Choose the VPC that you created earlier, for example: vpc-f1b76594 (10.0.0.0/16) | tutorial-vpc

4. To create the security group, choose Yes, Create.

To add inbound rules to the security group

1. Determine the IP address that you will use to connect to instances in your VPC. To determine your public IP address, you can use the service at http://checkip.amazonaws.com. If you are connecting through an Internet service provider (ISP) or from behind your firewall without a static IP address, you need to find out the range of IP addresses used by client computers.

Caution

If you use 0.0.0.0/0, you enable all IP addresses to access your public instances. This approach is acceptable for a short time in a test environment, but it's unsafe for production environments. In production, you'll authorize only a specific IP address or range of addresses to access your instances.

2. Sign in to the AWS Management Console and open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

3. Choose VPC Dashboard, choose Security Groups, and then choose the tutorial-securitygroup security group that you created in the previous procedure.

4. Choose the Inbound Rules tab, and then choose Edit.

5. Set the following values for your new inbound rule to allow Secure Shell (SSH) access to your EC2 instance. If you do this, you can connect to your EC2 instance to install the web server and other utilities, and to upload content for your web server.


Type: SSH (22)

Source: The IP address or range from the prior step, for example: 203.0.113.25/32.

6. Choose Add another rule.

7. Set the following values for your new inbound rule to allow HTTP access to your web server, as shown in the following illustration.

Type: HTTP (80)

Source: 0.0.0.0/0.

8. To save your settings, choose Save.

Create a VPC Security Group for a Private Amazon RDS DB Instance

To keep your Amazon RDS DB instance private, create a second security group for private access. To connect to private instances in your VPC, you add inbound rules to your VPC security group that allow traffic from your web server only.

To create a VPC security group

1. Sign in to the AWS Management Console and open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

2. Choose VPC Dashboard, choose Security Groups, and then choose Create Security Group.

3. On the Create Security Group page, shown following, set these values:

Name tag: tutorial-db-securitygroup

Group name: tutorial-db-securitygroup

Description: Tutorial DB Instance Security Group

VPC: Choose the VPC that you created earlier, for example: vpc-f1b76594 (10.0.0.0/16) | tutorial-vpc


4. To create the security group, choose Yes, Create.

To add inbound rules to the security group

1. Sign in to the AWS Management Console and open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

2. Choose VPC Dashboard, choose Security Groups, and then choose the tutorial-db-securitygroup security group that you created in the previous procedure.

3. Choose the Inbound Rules tab, and then choose Edit.

4. Set the following values for your new inbound rule to allow MySQL traffic on port 3306 from your EC2 instance. If you do this, you can connect from your web server to your DB instance to store and retrieve data from your web application to your database.

Type: MySQL/Aurora (3306)

Source: The identifier of the tutorial-securitygroup security group that you created previously in this tutorial, for example: sg-9edd5cfb.

Because the source is a security group rather than an IP address or range, any instance that carries tutorial-securitygroup can reach port 3306 on the DB instance and nothing else can, even if the web server's address changes later.

5. To save your settings, choose Save.


Related Topics

Virtual Private Clouds (VPCs) and Amazon RDS (p. 155)

Tutorial: Create a Web Server and an Amazon RDS Database (p. 76)

Tutorials (p. 61)

Tutorial: Create a Web Server and an Amazon RDS Database

This tutorial helps you install an Apache web server with PHP, and create a MySQL database. The web server runs on an Amazon EC2 instance using Amazon Linux, and the MySQL database is an Amazon RDS MySQL DB instance. Both the Amazon EC2 instance and the Amazon RDS DB instance run in a VPC based in Amazon Virtual Private Cloud service (Amazon VPC).

Note

This tutorial works with Amazon Linux and might not work for other versions of Linux such as Ubuntu.

Before you begin this tutorial, you must have a VPC with both public and private subnets, and corresponding security groups. If you don't have these, complete the following tutorial:

Tutorial: Create an Amazon VPC for Use with an Amazon RDS DB Instance (p. 67)

In this tutorial, you perform the following procedures:

Step 1: Create an RDS DB Instance (p. 76)

Step 2: Create an EC2 Instance and Install a Web Server (p. 80)

Step 1: Create an RDS DB Instance

In this step you create an Amazon RDS MySQL DB instance that maintains the data used by a web application.

Note

Before you begin this step, you must have a VPC with both public and private subnets, and corresponding security groups. If you don't have these, see Tutorial: Create an Amazon VPC for Use with an Amazon RDS DB Instance (p. 67).

To launch a MySQL DB instance

1. Sign in to the AWS Management Console and open the Amazon RDS console at https://console.aws.amazon.com/rds/.

2. In the top-right corner of the AWS Management Console, choose the region in which you want to create the DB instance. This example uses the US West (Oregon) region.

3. Choose Instances.

4. Choose Launch DB Instance.

5. On the Select Engine page, shown following, choose the MySQL DB engine, and then choose Select.


6. On the Production page, below Dev/Test, choose MySQL - This instance is intended for use outside of production, and then choose Next Step.

7. On the Specify DB Details page, shown following, set these values:

DB Engine Version: Use the default value.

DB Instance Class: db.t2.micro

Multi-AZ Deployment: No

Storage Type: Magnetic

Allocated Storage: 50 GB

DB Instance Identifier: tutorial-db-instance

Master Username: tutorial_user

Master Password: Choose a password.

Confirm Password: Retype the password.


8. Choose Next Step and set the following values in the Configure Advanced Settings page, shown following:

VPC: Choose an existing VPC, for example tutorial-vpc (vpc-f1b76594)

Subnet group: Create a new DB Subnet Group

Publicly Accessible: No (the DB instance is not assigned a public IP address, so it can be reached only from inside the VPC or from networks connected to it)

Availability Zone: No Preference

VPC Security Group(s): Choose an existing security group, for example tutorial-db-securitygroup

Database Name: sample


9. To create your Amazon RDS MySQL DB instance, choose Launch DB Instance.

10. On the next page, choose View Your DB Instances to view your RDS MySQL DB instance.

11. Wait for the status of your new DB instance to show as available. Then choose the selection box to the left of your DB instance to display the DB instance details, shown following.


Make note of the endpoint for your DB instance. This endpoint shows the server name and port that you use to connect your web server to your RDS DB instance.

To make sure your RDS MySQL DB instance is as secure as possible, verify that sources outside of the VPC cannot connect to your RDS MySQL DB instance.

Next Step

Step 2: Create an EC2 Instance and Install a Web Server (p. 80)

Related Topics

Tutorial: Create a Web Server and an Amazon RDS Database (p. 76)

Tutorials (p. 61)

Step 2: Create an EC2 Instance and Install a Web Server

In this step you create a web server to connect to the Amazon RDS DB instance that you created in Step 1: Create an RDS DB Instance (p. 76).

Launch an EC2 Instance

First you create an Amazon EC2 instance in the public subnet of your VPC.

To launch an EC2 instance

1. Sign in to the AWS Management Console and open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

2. Choose EC2 Dashboard, and then choose Launch Instance, as shown following.


3. Choose the Amazon Linux Amazon Machine Image (AMI), as shown following.

4. Choose the t2.micro instance type, as shown following, and then choose Next: Configure Instance Details.


5. On the Configure Instance Details page, shown following, set these values and leave the other values as their defaults:

Network: Choose an existing VPC, for example: vpc-f1b76594 (10.0.0.0/16) | tutorial-vpc

Subnet: Choose an existing public subnet, for example: subnet-fe2adba7 (10.0.0.0/24) | Tutorial-public | us-west-2a

Auto-assign Public IP: Enable


6. Choose Next: Add Storage.

7. On the Add Storage page, leave the default values and choose Next: Tag Instance.

8. On the Tag Instance page, shown following, set Value for the Name tag to tutorial-web-server, and then choose Next: Configure Security Group.


9. On the Configure Security Group page, shown following, choose Select an existing security group, and then choose an existing security group, for example: tutorial-securitygroup. The security group must include inbound rules for SSH and HTTP access.


10. Choose Review and Launch.

11. On the Review Instance Launch page, shown following, verify your settings and then choose Launch.

12. On the Select an existing key pair or create a new key pair page, shown following, choose Create a new key pair and set Key pair name to tutorial-key-pair. Choose Download Key Pair, and then save the key pair file on your local machine. You use this key pair file to connect to your EC2 instance. The downloaded file is the private key and AWS does not keep a copy of it, so store it where only you can read it; it is the only credential for logging in to the instance.


13. To launch your EC2 instance, choose Launch Instances. On the Launch Status page, shown following, note the identifier for your new EC2 instance, for example: i-7abfcfb8.


14. To find your instance, choose View Instances.

15. Wait until Instance Status for your instance reads as running before continuing.

Install an Apache web server with PHP

Next you connect to your EC2 instance and install the web server.

To connect to your EC2 instance and install the Apache web server with PHP

1. To connect to the EC2 instance that you created earlier, follow the steps in Connect to Your Instance.

2. To get the latest bug fixes and security updates, update the software on your EC2 instance by using the following command:

[ec2-user ~]$ sudo yum update -y

Note

The -y option installs the updates without asking for confirmation. To examine updates before installing, omit this option.

3. After the updates complete, install the Apache web server with the PHP software package using the yum install command, which installs multiple software packages and related dependencies at the same time:

[ec2-user ~]$ sudo yum install -y httpd24 php56 php56-mysqlnd

4. Start the web server with the command shown following:

[ec2-user ~]$ sudo service httpd start

You can test that your web server is properly installed and started by entering the public DNS name of your EC2 instance in the address bar of a web browser, for example: http://ec2-42-8-168-21.us-west-1.compute.amazonaws.com. If your web server is running, then you see the Apache test page. If you don't see the Apache test page, then verify that your inbound rules for the VPC security group that you created in Tutorial: Create an Amazon VPC for Use with an Amazon RDS DB Instance (p. 67) include a rule allowing HTTP (port 80) access for the IP address you use to connect to the web server.

Note

The Apache test page appears only when there is no content in the document root directory, /var/www/html. After you add content to the document root directory, your content appears at the public DNS address of your EC2 instance instead of the Apache test page.

5. Configure the web server to start with each system boot using the chkconfig command:

[ec2-user ~]$ sudo chkconfig httpd on

To allow ec2-user to manage files in the default root directory for your Apache web server, you need to modify the ownership and permissions of the /var/www directory. In this tutorial, you add a group named www to your EC2 instance, and then you give that group ownership of the /var/www directory and add write permissions for the group. Any members of that group can then add, delete, and modify files for the web server.

To set file permissions for the Apache web server

1. Add the www group to your EC2 instance with the following command:

[ec2-user ~]$ sudo groupadd www

2. Add the ec2-user user to the www group:

[ec2-user ~]$ sudo usermod -a -G www ec2-user

3. To refresh your permissions and include the new www group, log out:

[ec2-user ~]$ exit

4. Log back in again and verify that the www group exists with the groups command. The output should list the new group:

[ec2-user ~]$ groups
ec2-user wheel www

5. Change the group ownership of the /var/www directory and its contents to the www group:

[ec2-user ~]$ sudo chown -R root:www /var/www

6. Change the directory permissions of /var/www and its subdirectories to add group write permissions and set the group ID on subdirectories created in the future:

[ec2-user ~]$ sudo chmod 2775 /var/www
[ec2-user ~]$ find /var/www -type d -exec sudo chmod 2775 {} +

7. Recursively change the permissions for files in the /var/www directory and its subdirectories to add group write permissions:

[ec2-user ~]$ find /var/www -type f -exec sudo chmod 0664 {} +

Connect your Apache web server to your RDS DB instance

Next, you add content to your Apache web server that connects to your Amazon RDS DB instance.

To add content to the Apache web server that connects to your RDS DB instance

1. While still connected to your EC2 instance, change the directory to /var/www and create a new subdirectory named inc:

[ec2-user ~]$ cd /var/www
[ec2-user ~]$ mkdir inc
[ec2-user ~]$ cd inc

2. Create a new file in the inc directory named dbinfo.inc, and then edit the file by calling nano (or the editor of your choice).

[ec2-user ~]$ >dbinfo.inc
[ec2-user ~]$ nano dbinfo.inc

3. Add the following contents to the dbinfo.inc file, where endpoint is the endpoint of your RDS MySQL DB instance, without the port, and master password is the master password for your RDS MySQL DB instance.

Note

Placing the user name and password information in a folder that is not part of the document root for your web server reduces the possibility of your security information being exposed. The file is still readable by every local account on the instance (the permissions set in the previous procedure leave files under /var/www world-readable), so the SSH rule on the web server's security group is what protects it; keep that rule limited to your own address.


<?php

define('DB_SERVER', 'endpoint');
define('DB_USERNAME', 'tutorial_user');
define('DB_PASSWORD', 'master password');
define('DB_DATABASE', 'sample');

?>

4. Save and close the dbinfo.inc file.

5. Change the directory to /var/www/html:

[ec2-user ~]$ cd /var/www/html

6. Create a new file in the html directory named SamplePage.php, and then edit the file by calling nano (or the editor of your choice).

[ec2-user ~]$ >SamplePage.php
[ec2-user ~]$ nano SamplePage.php

7. Add the following contents to the SamplePage.php file. The include on the first line reads the credentials from /var/www/inc, outside the document root, so they are never served to a browser.

<?php include "../inc/dbinfo.inc"; ?>
<html>
<body>
<h1>Sample page</h1>
<?php

  /* Connect to MySQL and select the database. Stop on failure so that the
     queries below never run against an unusable connection handle. */
  $connection = mysqli_connect(DB_SERVER, DB_USERNAME, DB_PASSWORD);

  if (mysqli_connect_errno()) {
    echo "Failed to connect to MySQL: " . mysqli_connect_error();
    exit;
  }

  $database = mysqli_select_db($connection, DB_DATABASE);

  /* Ensure that the Employees table exists. */
  VerifyEmployeesTable($connection, DB_DATABASE);

  /* If input fields are populated, add a row to the Employees table.
     The raw values are stored: AddEmployee escapes them for SQL, and the
     display loop below encodes them for HTML. Encoding at output time, not
     input time, keeps stored data clean and protects the page against any
     value that reaches the table by another route. */
  $employee_name = isset($_POST['Name']) ? $_POST['Name'] : '';
  $employee_address = isset($_POST['Address']) ? $_POST['Address'] : '';

  if (strlen($employee_name) || strlen($employee_address)) {
    AddEmployee($connection, $employee_name, $employee_address);
  }
?>

<!-- Input form -->
<form action="<?php echo htmlspecialchars($_SERVER['SCRIPT_NAME']); ?>" method="POST">
  <table border="0">
    <tr>
      <td>Name</td>
      <td>Address</td>
    </tr>
    <tr>
      <td>
        <input type="text" name="Name" maxlength="45" size="30" />
      </td>
      <td>
        <input type="text" name="Address" maxlength="90" size="60" />
      </td>
      <td>
        <input type="submit" value="Add Data" />
      </td>
    </tr>
  </table>
</form>

<!-- Display table data. -->
<table border="1" cellpadding="2" cellspacing="2">
  <tr>
    <td>ID</td>
    <td>Name</td>
    <td>Address</td>
  </tr>

<?php

  $result = mysqli_query($connection, "SELECT * FROM Employees");

  if ($result) {
    /* Encode every cell so that stored data cannot inject markup into this page. */
    while ($query_data = mysqli_fetch_row($result)) {
      echo "<tr>";
      echo "<td>", htmlspecialchars((string) $query_data[0]), "</td>",
           "<td>", htmlspecialchars((string) $query_data[1]), "</td>",
           "<td>", htmlspecialchars((string) $query_data[2]), "</td>";
      echo "</tr>";
    }
  }
?>

</table>

<!-- Clean up. -->
<?php
  if ($result) {
    mysqli_free_result($result);
  }
  mysqli_close($connection);
?>

</body>
</html>

<?php

/* Add an employee to the table. The values are escaped with the connection's
   character set and placed inside single-quoted SQL string literals; both are
   needed for the escaping to be effective. */
function AddEmployee($connection, $name, $address) {
  $n = mysqli_real_escape_string($connection, $name);
  $a = mysqli_real_escape_string($connection, $address);

  $query = "INSERT INTO `Employees` (`Name`, `Address`) VALUES ('$n', '$a');";

  if (!mysqli_query($connection, $query)) echo("<p>Error adding employee data.</p>");
}

/* Check whether the table exists and, if not, create it. */
function VerifyEmployeesTable($connection, $dbName) {
  if (!TableExists("Employees", $connection, $dbName)) {
    $query = "CREATE TABLE `Employees` (
        `ID` int(11) NOT NULL AUTO_INCREMENT,
        `Name` varchar(45) DEFAULT NULL,
        `Address` varchar(90) DEFAULT NULL,
        PRIMARY KEY (`ID`),
        UNIQUE KEY `ID_UNIQUE` (`ID`)
      ) ENGINE=InnoDB AUTO_INCREMENT=1 DEFAULT CHARSET=latin1";

    if (!mysqli_query($connection, $query)) echo("<p>Error creating table.</p>");
  }
}

/* Check for the existence of a table. */
function TableExists($tableName, $connection, $dbName) {
  $t = mysqli_real_escape_string($connection, $tableName);
  $d = mysqli_real_escape_string($connection, $dbName);

  $checktable = mysqli_query($connection,
      "SELECT TABLE_NAME FROM information_schema.TABLES WHERE TABLE_NAME = '$t' AND TABLE_SCHEMA = '$d'");

  if ($checktable && mysqli_num_rows($checktable) > 0) return true;

  return false;
}
?>

8. Save and close the SamplePage.php file.

9. Verify that your web server successfully connects to your RDS MySQL DB instance by opening a web browser and browsing to http://EC2 instance endpoint/SamplePage.php, for example: http://ec2-55-122-41-31.us-west-2.compute.amazonaws.com/SamplePage.php.

You can use SamplePage.php to add data to your RDS MySQL DB instance. The data that you add is then displayed on the page.

To make sure your RDS MySQL DB instance is as secure as possible, verify that sources outside of the VPC cannot connect to your RDS MySQL DB instance.


Related Topics

Tutorial: Create a Web Server and an Amazon RDS Database (p. 76)

Tutorials (p. 61)


Best Practices for Amazon RDS

This section summarizes best practices for working with Amazon RDS. As new best practices are identified, we will keep this section up to date.

Topics

Amazon RDS Basic Operational Guidelines (p. 94)

DB Instance RAM Recommendations (p. 95)

Amazon RDS Security Best Practices (p. 95)

Using Metrics to Identify Performance Issues (p. 95)

Best Practices for Working with MySQL Storage Engines (p. 99)

Best Practices for Working with MariaDB Storage Engines (p. 100)

Best Practices for Working with PostgreSQL (p. 100)

Best Practices for Working with SQL Server (p. 102)

Amazon RDS Best Practices Presentation Video (p. 102)

Amazon RDS Basic Operational Guidelines

The following are basic operational guidelines everyone should follow when working with Amazon RDS.

Note that the Amazon RDS Service Level Agreement requires that you follow these guidelines:

• Monitor your memory, CPU, and storage usage. Amazon CloudWatch can be set up to notify you when usage patterns change or when you approach the capacity of your deployment, so that you can maintain system performance and availability.

• Scale up your DB instance when you are approaching storage capacity limits. You should have some buffer in storage and memory to accommodate unforeseen increases in demand from your applications.

• Enable Automatic Backups and set the backup window to occur during the daily low in WriteIOPS.

• On a MySQL DB instance, do not create more than 10,000 tables using Provisioned IOPS or 1000 tables using standard storage. Large numbers of tables will significantly increase database recovery time after a failover or database crash. If you need to create more tables than recommended, set the innodb_file_per_table parameter to 0. For more information, see Working with InnoDB Tablespaces to Improve Crash Recovery Times (p. 234) and Working with DB Parameter Groups (p. 724).

• On a MySQL DB instance, avoid tables in your database growing too large. Underlying file system constraints restrict the maximum size of a MySQL table file to 2 TB. Instead, partition your large tables so that file sizes are well under the 2 TB limit. This approach can also improve performance and recovery time. For more information, see MySQL File Size Limits (p. 187).


• If your database workload requires more I/O than you have provisioned, recovery after a failover or database failure will be slow. To increase the I/O capacity of a DB instance, do any or all of the following:

• Migrate to a DB instance class with High I/O capacity.

• Convert from standard storage to Provisioned IOPS storage, and use a DB instance class that is optimized for Provisioned IOPS. For information on Provisioned IOPS, see Amazon RDS Provisioned IOPS Storage to Improve Performance (p. 125).

• If you are already using Provisioned IOPS storage, provision additional throughput capacity.

• If your client application is caching the DNS data of your DB instances, set a TTL of less than 30 seconds. Because the underlying IP address of a DB instance can change after a failover, caching the DNS data for an extended time can lead to connection failures if your application tries to connect to an IP address that no longer is in service.

• Test failover for your DB instance to understand how long the process takes for your use case and to ensure that the application that accesses your DB instance can automatically connect to the new DB instance after failover.

DB Instance RAM Recommendations

An Amazon RDS performance best practice is to allocate enough RAM so that your working set resides almost completely in memory. To tell if your working set is almost all in memory, check the ReadIOPS metric (using AWS CloudWatch) while the DB instance is under load. The value of ReadIOPS should be small and stable. If scaling up the DB instance class (to a class with more RAM) results in a dramatic drop in ReadIOPS, your working set was not almost completely in memory. Continue to scale up until ReadIOPS no longer drops dramatically after a scaling operation, or ReadIOPS is reduced to a very small amount. For information on monitoring a DB instance's metrics, see Viewing DB Instance Metrics (p. 767).

Amazon RDS Security Best Practices

Use AWS IAM accounts to control access to Amazon RDS API actions, especially actions that create, modify, or delete RDS resources such as DB instances, security groups, option groups, or parameter groups, and actions that perform common administrative actions such as backing up and restoring DB instances, or configuring Provisioned IOPS storage.

• Assign an individual IAM account to each person who manages RDS resources. Do not use AWS root credentials to manage Amazon RDS resources; you should create an IAM user for everyone, including yourself.

• Grant each user the minimum set of permissions required to perform his or her duties.

• Use IAM groups to effectively manage permissions for multiple users.

• Rotate your IAM credentials regularly.

For more information about IAM, go to AWS Identity and Access Management . For information on IAM best practices, go to IAM Best Practices .
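The "minimum set of permissions" guidance above is easy to state and easy to violate with a single `rds:*` on `Resource: "*"`. The following script is an added example, not part of this guide: it flags Allow statements in an IAM policy document that grant every RDS action, or that grant the sensitive actions the guide names (create, modify, delete, backup and restore) on every resource. Both policy documents are constructed for illustration; the account ID and instance ARN are placeholders.

```python
# Added example, not part of the AWS guide: flag IAM policy statements that
# grant more than an RDS administrator needs. Policies are plain dicts in the
# IAM JSON policy-document format; both documents below are constructed for
# illustration (account ID and ARN are placeholders).

# Action families the guide singles out as sensitive: creating, modifying or
# deleting RDS resources, and backup/restore style operations.
SENSITIVE_PREFIXES = ("create", "modify", "delete", "restore", "reboot")


def _as_list(value):
    """IAM accepts either a string or a list for Statement, Action and Resource."""
    return value if isinstance(value, list) else [value]


def _is_sensitive(action):
    """True for any wildcard action and for rds:Create*/Modify*/Delete*/Restore*/Reboot*."""
    service, _, name = action.partition(":")
    return "*" in action or (service == "rds" and name.lower().startswith(SENSITIVE_PREFIXES))


def audit_policy(policy):
    """Return findings for Allow statements that violate least privilege (empty = clean)."""
    findings = []
    for i, st in enumerate(_as_list(policy["Statement"])):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))

        # Every action on the service (or every action on every service).
        if any(a in ("*", "rds:*") for a in actions):
            findings.append(f"statement {i}: allows every action ({', '.join(actions)})")

        # Sensitive actions must be scoped to named resources, not "*".
        sensitive = [a for a in actions if _is_sensitive(a)]
        if sensitive and "*" in resources:
            findings.append(f"statement {i}: {', '.join(sensitive)} allowed on every resource")
    return findings


# What a hurried administrator writes.
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "rds:*", "Resource": "*"}],
}

# Scoped to the tutorial's instance. The read-only Describe action is not
# sensitive and is not flagged; the mutating actions name one DB instance.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["rds:DescribeDBInstances"], "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["rds:ModifyDBInstance", "rds:CreateDBSnapshot"],
         "Resource": "arn:aws:rds:us-west-2:123456789012:db:tutorial-db-instance"},
    ],
}


if __name__ == "__main__":
    print(audit_policy(OVERBROAD_POLICY))   # two findings
    print(audit_policy(SCOPED_POLICY))      # []
```

The check is deliberately narrow: it does not evaluate conditions, Deny statements or group membership, so a clean result means only that no statement is obviously over-broad. Attach the scoped policy to an IAM group, as the guide recommends, and add users to the group rather than attaching policies to individual users.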

Using Metrics to Identify Performance Issues

To identify performance issues caused by insufficient resources and other common bottlenecks, you can monitor the metrics available for your Amazon RDS DB instance.


Viewing Performance Metrics

You should monitor performance metrics on a regular basis to see the average, maximum, and minimum values for a variety of time ranges. If you do so, you can identify when performance is degraded. You can also set Amazon CloudWatch alarms for particular metric thresholds so you are alerted if they are reached.

In order to troubleshoot performance issues, it’s important to understand the baseline performance of the system. When you set up a new DB instance and get it running with a typical workload, you should capture the average, maximum, and minimum values of all of the performance metrics at a number of different intervals (for example, one hour, 24 hours, one week, two weeks) to get an idea of what is normal. It helps to get comparisons for both peak and off-peak hours of operation.You can then use this information to identify when performance is dropping below standard levels.

To view performance metrics

1. Sign in to the AWS Management Console and open the Amazon RDS console at https://console.aws.amazon.com/rds/.

2.

In the left navigation pane, select Instances, and then select a DB instance.

3.

Select Show Monitoring. The first eight performance metrics display. The metrics default to showing information for the current day.

4.

Use the numbered buttons at top right to page through the additional metrics, or select Show All to see all metrics.

5.

Select a performance metric to adjust the time range in order to see data for other than the current day. You can change the Statistic, Time Range, and Period values to adjust the information displayed. For example, to see the peak values for a metric for each day of the last two weeks, set Statistic to Maximum, Time Range to Last 2 Weeks, and Period to Day.

Note

Changing the Statistic, Time Range, and Period values changes them for all metrics. The updated values persist for the remainder of your session or until you change them again.

You can also view performance metrics using the CLI or API. For more information, see Viewing DB Instance Metrics (p. 767).

To set a CloudWatch alarm

1. Sign in to the AWS Management Console and open the Amazon RDS console at https://console.aws.amazon.com/rds/.

2.

In the left navigation pane, select Instances, and then select a DB instance.

3.

Select Show Monitoring, and then select a performance metric to bring up the expanded view.

4.

Select Create Alarm.

5.

On the Create Alarm page, identify what email address should receive the alert by selecting a value in the Send a notification to box. Select create topic to the right of that box to create a new alarm recipient if necessary.

6.

In the Whenever list, select the alarm statistic to set.

7.

In the of box, select the alarm metric.

8.

In the Is box and the unlabeled box to the right of it, set the alarm threshold, as shown following:


9.

In the For at least box, enter the number of times that the specified threshold must be reached in order to trigger the alarm.

10. In the consecutive period(s) of box, select the period during which the threshold must have been reached in order to trigger the alarm.

11. In the Name of alarm box, enter a name for the alarm.

12. Select Create Alarm.

The performance metrics page appears, and you can see the new alarm in the CloudWatch Alarms status bar. If you don't see the status bar, refresh your page.

Evaluating Performance Metrics

A DB instance has a number of different categories of metrics, and how to determine acceptable values depends on the metric.

Categories of Metrics

CPU

• CPU Utilization – Percentage of computer processing capacity used.

Memory

• Freeable Memory – How much RAM is available on the DB instance, in megabytes.

• Swap Usage – How much swap space is used by the DB instance, in megabytes.

Disk space

• Free Storage Space – How much disk space is still available on the DB instance, in megabytes.


Input/output operations

• Read IOPS, Write IOPS – The average number of disk read or write operations per second.

• Read Latency, Write Latency – The average time for a read or write operation in milliseconds.

• Read Throughput, Write Throughput – The average number of megabytes read from or written to disk per second.

• Queue Depth – The number of I/O operations that are waiting to be written to or read from disk.

Network traffic

• Network Receive Throughput, Network Transmit Throughput – The rate of network traffic to and from the DB instance in megabytes per second.

Database connections

• DB Connections – The number of client sessions that are connected to the DB instance.

For more detailed individual descriptions of the performance metrics available, see Amazon RDS Dimensions and Metrics. For an idea of the acceptable values for metrics, see Acceptable Values for Metrics.

Acceptable Values for Metrics

Generally speaking, acceptable values for performance metrics depend on what your baseline looks like and what your application is doing. Investigate consistent or trending variances from your baseline. Advice about specific types of metrics follows:

High CPU or RAM consumption – High values for CPU or RAM consumption might be appropriate, provided that they are in keeping with your goals for your application (like throughput or concurrency) and are expected.

Disk space consumption – Investigate disk space consumption if space used is consistently at or above 85 percent of the total disk space. See if it is possible to delete data from the instance or archive data to a different system to free up space.

Network traffic – For network traffic, talk with your system administrator to understand what expected throughput is for your domain network and Internet connection. Investigate network traffic if throughput is consistently lower than expected.

Database connections – Consider constraining database connections if you see high numbers of user connections in conjunction with decreases in instance performance and response time. The best number of user connections for your DB instance will vary based on your instance class and the complexity of the operations being performed. You can determine the number of database connections by associating your DB instance with a parameter group where the User Connections parameter is set to other than 0 (unlimited). You can either use an existing parameter group or create a new one. For more information, see Working with DB Parameter Groups (p. 724).

IOPS metrics – The expected values for IOPS metrics depend on disk specification and server configuration, so use your baseline to know what is typical. Investigate if values are consistently different than your baseline. For best IOPS performance, make sure your typical working set will fit into memory to minimize read and write operations.

For issues with any performance metrics, one of the first things you can do to improve performance is tune the most used and most expensive queries to see if that lowers the pressure on system resources.

For more information, see Tuning Queries (p. 99).

API Version 2014-10-31

98

Amazon Relational Database Service User Guide


If your queries are tuned and an issue persists, consider upgrading your Amazon RDS DB Instance Class (p. 104) to one with more of the resource (CPU, RAM, disk space, network bandwidth, I/O capacity) that is related to the issue you are experiencing.

Tuning Queries

One of the best ways to improve DB instance performance is to tune your most commonly used and most resource-intensive queries to make them less expensive to run.

MySQL Query Tuning

Go to Optimizing SELECT Statements in the MySQL documentation for more information on writing queries for better performance. You can also go to MySQL Performance Tuning and Optimization Resources for additional query tuning resources.

Oracle Query Tuning

Go to the Database SQL Tuning Guide in the Oracle documentation for more information on writing and analyzing queries for better performance.

SQL Server Query Tuning

Go to Analyzing a Query in the SQL Server documentation to improve queries for SQL Server DB instances.

You can also use the execution-, index- and I/O-related dynamic management views (DMVs) described in the Dynamic Management Views and Functions documentation to troubleshoot SQL Server query issues.

A common aspect of query tuning is creating effective indexes. You can use the Database Engine Tuning Advisor to get potential index improvements for your DB instance. For more information, see Analyzing Your Database Workload on a DB Instance Using SQL Server Tuning Advisor (p. 439).

PostgreSQL Query Tuning

Go to Using EXPLAIN in the PostgreSQL documentation to learn how to analyze a query plan. You can use this information to modify a query or underlying tables in order to improve query performance. You can also go to Controlling the Planner with Explicit JOIN Clauses to get tips about how to specify joins in your query for the best performance.

MariaDB Query Tuning

Go to Query Optimizations in the MariaDB documentation for more information on writing queries for better performance.

Best Practices for Working with MySQL Storage

Engines

The Point-In-Time Restore and snapshot restore features of Amazon RDS for MySQL require a crash-recoverable storage engine and are supported for the InnoDB storage engine only. Although MySQL supports multiple storage engines with varying capabilities, not all of them are optimized for crash recovery and data durability. For example, the MyISAM storage engine does not support reliable crash recovery and might prevent a Point-In-Time Restore or snapshot restore from working as intended. This might result in lost or corrupt data when MySQL is restarted after a crash.

InnoDB is the recommended and supported storage engine for MySQL DB instances on Amazon RDS.

However, MyISAM performs better than InnoDB if you require intense, full-text search capability. If you still choose to use MyISAM with Amazon RDS, following the steps outlined in Automated Backups with Unsupported MySQL Storage Engines (p. 117) can be helpful in certain scenarios for snapshot restore functionality.

If you want to convert existing MyISAM tables to InnoDB tables, you can use the process outlined in the MySQL documentation. MyISAM and InnoDB have different strengths and weaknesses, so you should fully evaluate the impact of making this switch on your applications before doing so.

In addition, Federated Storage Engine is currently not supported by Amazon RDS for MySQL.

Best Practices for Working with MariaDB Storage

Engines

The Point-In-Time Restore and snapshot restore features of Amazon RDS for MariaDB require a crash-recoverable storage engine and are supported for the XtraDB storage engine only. Although MariaDB supports multiple storage engines with varying capabilities, not all of them are optimized for crash recovery and data durability. For example, although Aria is a crash-safe replacement for MyISAM, it might still prevent a Point-In-Time Restore or snapshot restore from working as intended. This might result in lost or corrupt data when MariaDB is restarted after a crash.

XtraDB is the recommended and supported storage engine for MariaDB DB instances on Amazon RDS.

If you still choose to use Aria with Amazon RDS, following the steps outlined in Automated Backups with Unsupported MariaDB Storage Engines (p. 118) can be helpful in certain scenarios for snapshot restore functionality.

Best Practices for Working with PostgreSQL

Two important areas where you can improve performance with PostgreSQL on Amazon RDS are when loading data into a DB instance and when using the PostgreSQL autovacuum feature. The following sections cover some of the practices we recommend for these areas.

Loading Data into a PostgreSQL DB Instance

When loading data into an Amazon RDS PostgreSQL DB instance, you should modify your DB instance settings and your DB parameter group values to allow for the most efficient importing of data into your DB instance.

Modify your DB instance settings to the following:

• Disable DB instance backups (set backup_retention to 0)

• Disable Multi-AZ

Modify your DB parameter group to include the following settings. You should test the parameter settings to find the most efficient settings for your DB instance:

• Increase the value of the maintenance_work_mem parameter. For more information about PostgreSQL resource consumption parameters, see the PostgreSQL documentation.

• Increase the value of the checkpoint_segments and checkpoint_timeout parameters to reduce the number of writes to the WAL log.

• Disable the synchronous_commit parameter (do not turn off FSYNC).

• Disable the PostgreSQL autovacuum parameter.


Use the pg_dump -Fc (compressed) or pg_restore -j (parallel) commands with these settings.
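The guide's changes above are instance-wide parameter-group settings. As an added example that is not part of the guide, the psql script below applies the same settings for a single bulk load where PostgreSQL lets a session or a table set them: maintenance_work_mem and synchronous_commit per session, autovacuum per table. checkpoint_segments, checkpoint_timeout and the instance-wide autovacuum switch can only be changed in the DB parameter group, and fsync and full_page_writes are deliberately left enabled. The table events, its columns and the file events.csv are placeholders.

```sql
-- Added example, not from the RDS guide. Run with psql against the DB instance.
\set ON_ERROR_STOP on

-- Session-level equivalents of the parameter-group changes
SET maintenance_work_mem = '1GB';   -- speeds up the index build and VACUUM below; size it to your instance class
SET synchronous_commit = off;       -- commits no longer wait for the WAL flush; fsync itself stays on

-- Switch autovacuum off for the loaded table only; every other table keeps its protection
ALTER TABLE events SET (autovacuum_enabled = false);

-- Load the rows in one transaction (\copy streams the client-side file through psql)
BEGIN;
\copy events (id, created_at, payload) FROM 'events.csv' WITH (FORMAT csv, HEADER)
COMMIT;

-- Restore normal behaviour as soon as the load is done
ALTER TABLE events RESET (autovacuum_enabled);
RESET synchronous_commit;
RESET maintenance_work_mem;

-- Give the planner fresh statistics and let autovacuum start from a clean state
VACUUM ANALYZE events;
```

Because synchronous_commit is off only for this session, a crash during the load can lose the last few transactions, which is acceptable for a repeatable import but not for live writes.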

Working with the fsync and full_page_writes database parameters

In PostgreSQL 9.4.1 on Amazon RDS, the fsync and full_page_writes database parameters are not modifiable. Disabling the fsync and full_page_writes database parameters can lead to data corruption, so we have enabled them for you. We recommend that customers with other 9.3 DB engine versions of PostgreSQL not disable the fsync and full_page_writes parameters.

Working with the PostgreSQL Autovacuum Feature

Autovacuum is a PostgreSQL feature that we strongly recommend you use to maintain the health of your PostgreSQL DB instance. Autovacuum automates the execution of the VACUUM and ANALYZE commands; using autovacuum is required by PostgreSQL, not imposed by Amazon RDS, and its use is critical to good performance. The feature is enabled by default for all new Amazon RDS PostgreSQL DB instances, and the related configuration parameters are appropriately set by default.

Your database administrator needs to know and understand this maintenance operation. For the PostgreSQL documentation on autovacuum, see http://www.postgresql.org/docs/current/static/routine-vacuuming.html#AUTOVACUUM.

Autovacuum is not a "resource free" operation, but it works in the background and yields to user operations as much as possible. When enabled, autovacuum checks for tables that have had a large number of updated or deleted tuples. It also protects against loss of very old data due to transaction ID wraparound.

Autovacuum should not be thought of as a high-overhead operation that can be reduced to gain better performance. On the contrary, tables that have a high velocity of updates and deletes will quickly deteriorate over time if autovacuum is not run.

Important

Not running autovacuum can result in an eventual required outage to perform a much more intrusive vacuum operation. When an Amazon RDS PostgreSQL DB instance becomes unavailable because of an overly conservative use of autovacuum, the PostgreSQL database will shut down to protect itself. At that point, Amazon RDS must perform a single-user-mode full vacuum directly on the DB instance, which can result in a multi-hour outage. Thus, we strongly recommend that you do not turn off autovacuum, which is enabled by default.

The autovacuum parameters determine when and how hard autovacuum works. The autovacuum_vacuum_threshold and autovacuum_vacuum_scale_factor parameters determine when autovacuum is run. The autovacuum_max_workers, autovacuum_nap_time, autovacuum_cost_limit, and autovacuum_cost_delay parameters determine how hard autovacuum works. For more information about autovacuum, when it runs, and what parameters are required, see the PostgreSQL documentation.

The following query shows the number of "dead" tuples in a table named table1:

PROMPT> select relname, n_dead_tup, last_vacuum, last_autovacuum from pg_catalog.pg_stat_all_tables where n_dead_tup > 0 and relname = 'table1' order by n_dead_tup desc;

The results of the query will resemble the following:


relname | n_dead_tup | last_vacuum | last_autovacuum

---------+------------+-------------+-----------------

tasks | 81430522 | |

(1 row)
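The dead-tuple query above only reports a count. As an added example that is not part of the guide, the query below also computes the point at which autovacuum will act on each table, autovacuum_vacuum_threshold + autovacuum_vacuum_scale_factor × n_live_tup, from the instance-wide settings (per-table storage parameters are assumed not to be set), and reports each table's transaction ID age against autovacuum_freeze_max_age, the parameter behind the wraparound protection described above (assumed here; it is not named in the guide).

```sql
-- Added example, not from the RDS guide: which tables are due for autovacuum,
-- and how far each one is from a forced anti-wraparound vacuum.
WITH settings AS (
    SELECT current_setting('autovacuum_vacuum_threshold')::bigint    AS vac_threshold,
           current_setting('autovacuum_vacuum_scale_factor')::float8 AS vac_scale,
           current_setting('autovacuum_freeze_max_age')::bigint      AS freeze_max_age
)
SELECT s.schemaname,
       s.relname,
       s.n_live_tup,
       s.n_dead_tup,
       -- dead tuples needed before autovacuum vacuums this table
       (t.vac_threshold + t.vac_scale * s.n_live_tup)::bigint       AS vacuum_trigger,
       s.n_dead_tup >= t.vac_threshold + t.vac_scale * s.n_live_tup  AS vacuum_due,
       s.last_vacuum,
       s.last_autovacuum,
       -- age of the oldest unfrozen transaction ID in the table;
       -- autovacuum forces a vacuum when it reaches freeze_max_age
       age(c.relfrozenxid)                                           AS xid_age,
       round(100.0 * age(c.relfrozenxid) / t.freeze_max_age, 1)      AS pct_of_freeze_max_age
FROM pg_catalog.pg_stat_all_tables s
JOIN pg_catalog.pg_class c ON c.oid = s.relid
CROSS JOIN settings t
WHERE s.n_dead_tup > 0
  AND s.schemaname NOT IN ('pg_catalog', 'information_schema')
ORDER BY s.n_dead_tup DESC
LIMIT 20;
```

A table with vacuum_due true and an old last_autovacuum means the workers are not keeping up; raise autovacuum_max_workers or autovacuum_cost_limit rather than turning the feature off.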

Best Practices for Working with SQL Server

Best practices for a Multi-AZ deployment with a SQL Server DB instance include the following:

• Use Amazon RDS DB events to monitor failovers. For example, you can be notified by text message or email when a DB instance fails over. For more information about Amazon RDS events, see Using Amazon RDS Event Notification (p. 781).

• If your application caches DNS values, set time to live (TTL) to less than 30 seconds. Setting a TTL this low is a good practice in case there is a failover, where the IP address might change and the cached value might no longer be in service.

• We recommend that you do not enable the following modes because they turn off transaction logging, which is required for Multi-AZ:

• Simple recovery mode

• Offline mode

• Read-only mode

• Test to determine how long it takes for your DB instance to fail over. Failover time can vary due to the type of database, the instance class, and the storage type you use. You should also test your application's ability to continue working if a failover occurs.

• To shorten failover time, you should do the following:

• Ensure that you have sufficient Provisioned IOPS allocated for your workload. Inadequate I/O can lengthen failover times. Database recovery requires I/O.

• Use smaller transactions. Database recovery relies on transactions, so if you can break up large transactions into multiple smaller transactions, your failover time should be shorter.

• Take into consideration that during a failover, there will be elevated latencies. As part of the failover process, Amazon RDS automatically replicates your data to a new standby instance. This replication means that new data is being committed to two different DB instances, so there might be some latency until the standby DB instance has caught up to the new primary DB instance.

• Deploy your applications in all Availability Zones. If an Availability Zone does go down, your applications in the other Availability Zones will still be available.

When working with a Multi-AZ deployment of SQL Server, remember that Amazon RDS mirrors all SQL Server databases on your instance. If you don't want particular databases to be mirrored, set up a separate DB instance that doesn't use Multi-AZ for those databases.
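The three modes listed above stop the transaction logging that Multi-AZ mirroring depends on. As an added example that is not part of the guide, this query lists every user database on a SQL Server DB instance that is in one of them, so the check can be run after a deployment or scheduled as a routine audit; it assumes the master user's connection and skips rdsadmin, the management database Amazon RDS keeps on the instance.

```sql
-- Added example, not from the RDS guide: databases whose recovery model or state
-- would break Multi-AZ mirroring. An empty result means none of the three modes is set.
SELECT name,
       recovery_model_desc,   -- 'SIMPLE' truncates the log, so there is nothing to mirror
       state_desc,            -- 'OFFLINE' databases are not mirrored
       is_read_only           -- 1 = read-only mode
FROM sys.databases
WHERE database_id > 4                 -- skip master, tempdb, model and msdb
  AND name <> 'rdsadmin'              -- Amazon RDS management database (assumed present)
  AND (recovery_model_desc = 'SIMPLE'
       OR state_desc = 'OFFLINE'
       OR is_read_only = 1)
ORDER BY name;
```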

Amazon RDS SQL Server Best Practices Video

The 2014 AWS re:Invent conference included a presentation on best practices for SQL Server on Amazon RDS. A video of the presentation is available here.

Amazon RDS Best Practices Presentation Video

The 2013 AWS re:Invent conference included a presentation on best practices for performance-intensive, production applications. A video of the presentation is available here.


Amazon RDS DB Instances

A DB instance is an isolated database environment running in the cloud. It is the basic building block of Amazon RDS. A DB instance can contain multiple user-created databases, and can be accessed using the same client tools and applications you might use to access a stand-alone database instance. DB instances are simple to create and modify with the Amazon AWS command line tools, Amazon RDS APIs, or the AWS Management RDS Console.

Note

Amazon RDS supports access to databases using any standard SQL client application. Amazon RDS does not allow direct host access.

You can have up to 40 Amazon RDS DB instances. Of these 40, up to 10 can be Oracle or SQL Server DB instances under the "License Included" model. All 40 DB instances can be used for MySQL, MariaDB, or PostgreSQL. You can also have 40 DB instances for SQL Server or Oracle under the "BYOL" licensing model. If your application requires more DB instances, you can request additional DB instances using the form at https://console.aws.amazon.com/support/home#/case/create?issueType=service-limit-increase&limitType=service-code-rds-instances.

Each DB instance has a DB instance identifier. This customer-supplied name uniquely identifies the DB instance when interacting with the Amazon RDS API and AWS CLI commands. The DB instance identifier must be unique for that customer in an AWS region.

Each DB instance supports a database engine. Amazon RDS currently supports MySQL, MariaDB, PostgreSQL, Oracle, Microsoft SQL Server, and Amazon Aurora database engines.

When creating a DB instance, some database engines require that a database name be specified. A DB instance can host multiple databases, or a single Oracle database with multiple schemas. The database name value depends on the database engine:

• For the MySQL and MariaDB database engines, the database name is the name of a database hosted in your DB instance. Databases hosted by the same DB instance must have a unique name within that instance.

• For the Oracle database engine, database name is used to set the value of ORACLE_SID, which must be supplied when connecting to the Oracle RDS instance.

• For the Microsoft SQL Server database engine, database name is not a supported parameter.

• For the PostgreSQL database engine, the database name is the name of a database hosted in your DB instance. A database name is not required when creating a DB instance. Databases hosted by the same DB instance must have a unique name within that instance.


Amazon RDS creates a master user account for your DB instance as part of the creation process. This master user has permissions to create databases and to perform create, delete, select, update and insert operations on tables the master user creates. You must set the master user password when you create a DB instance, but you can change it at any time using the Amazon AWS command line tools, Amazon RDS APIs, or the AWS Management Console. You can also change the master user password and manage users using standard SQL commands.

Topics

DB Instance Class (p. 104)

DB Instance Status (p. 109)

Regions and Availability Zones (p. 111)

High Availability (Multi-AZ) (p. 112)

Amazon RDS and Amazon Virtual Private Cloud (VPC) (p. 114)

DB Instance Backups (p. 115)

DB Instance Replication (p. 118)

DB Instance Class

The computation and memory capacity of a DB instance is determined by its DB instance class. You can change the CPU and memory available to a DB instance by changing its DB instance class; to change the DB instance class, you must modify the DB instance. For pricing information on DB instance classes, go to the Amazon RDS pricing page.

The DB instance class you need depends on your processing power and memory requirements. There are DB instance classes that support both "bursty" database access and sustained access. For best practices suggestions on determining your memory needs, see DB Instance RAM Recommendations (p. 95). For more information about storage choices, see Storage for Amazon RDS (p. 120).

Topics

Current Generation DB Instance Classes (p. 104)

Previous Generation DB Instance Classes (p. 107)

Specifications for All Available DB Instance Classes (p. 108)

Current Generation DB Instance Classes

Current generation DB instance classes include the following:

Instance Type – Current Generation DB Instance Classes

Standard (Latest Generation) – db.m4.large | db.m4.xlarge | db.m4.2xlarge | db.m4.4xlarge | db.m4.10xlarge

Standard (Previous Generation) – db.m3.medium | db.m3.large | db.m3.xlarge | db.m3.2xlarge

Memory Optimized – db.r3.large | db.r3.xlarge | db.r3.2xlarge | db.r3.4xlarge | db.r3.8xlarge

Burst Capable – db.t2.micro | db.t2.small | db.t2.medium | db.t2.large

The following list describes the current Amazon RDS DB instance classes and the Amazon EC2 instance type used for each:


Standard – Latest Generation (db.m4) – Third generation instances that provide more computing capacity than the second generation db.m3 instance classes at a lower price. This DB instance class requires that the DB instance be in a VPC.

Note

Multi-AZ deployments using db.m4 instance classes are not available in the Asia Pacific (Sydney) region.

The db.m4 instance classes are not available for the South America (São Paulo) or China (Beijing) regions.

Current generation instance classes are available for the following DB engines:

DB Engine – Availability

MySQL – MySQL version 5.5, 5.6, and 5.7 are supported.

Oracle – All versions except version 12.1.0.1 are supported.

SQL Server – Standard Edition, Standard Edition One, and Standard Edition Two are supported for db.m4.large and larger instance classes, up to db.m4.4xlarge. Enterprise Edition (Bring Your Own License) is supported for all db.m4 instance classes including the db.m4.10xlarge instance class. SQL Server Express (License Included) and SQL Server Enterprise (License Included) editions are not supported. SQL Server Standard (License Included) and SQL Server Web (License Included) editions are supported for db.m4.large and larger instance classes, up to db.m4.4xlarge. Multi-AZ deployments using db.m4 instance classes are only available for SQL Server Standard (Bring Your Own License), SQL Server Standard (License Included), SQL Server Enterprise (Bring Your Own License), and SQL Server Enterprise (License Included) offerings, and are only available in the US West (Oregon), US East (N. Virginia), and EU (Ireland) regions.

PostgreSQL – All versions are supported.

Aurora – Aurora is not supported.

MariaDB – MariaDB version 10.0.17 is supported.

Standard – Previous Generation (db.m3) – Second generation instances that provide a balance of compute, memory, and network resources, and are a good choice for many applications.

Memory Optimized – Current Generation (db.r3) – Second generation instances that provide memory optimization and more computing capacity than the first generation db.m2 instance classes at a lower price. AWS provides db.r3 DB instance classes for DB instances on MySQL 5.6 and later, PostgreSQL, Amazon Aurora, MariaDB, SQL Server, and Oracle. The db.r3 DB instance classes are not available in the South America (São Paulo) region.

Memory optimized instances (db.r3) are available for the following DB engines:

DB Engine – Availability

MySQL – MySQL version 5.5, 5.6, and 5.7 are supported.

Oracle – Standard Edition supports db.r3.large and larger instance classes, up to db.r3.8xlarge. Enterprise Edition supports db.r3.large and larger instance classes, up to db.r3.8xlarge. Standard Edition One supports db.r3.large and larger instance classes, up to db.r3.4xlarge. Standard Edition Two supports db.r3.large and larger instance classes, up to db.r3.4xlarge.

SQL Server –

• SQL Server Express is not supported due to Microsoft licensing restrictions.

• SQL Server Standard with Bring Your Own License (BYOL) supports db.r3.2xlarge and smaller DB instance classes due to the edition's memory and CPU limitations. SQL Server Standard with License Included (LI) is not supported.

• SQL Server Web supports db.r3.2xlarge and smaller DB instance classes due to the edition's memory and CPU limitations.

Note

SQL Server Multi-AZ deployments using db.r3 instance classes are currently available only for SQL Server Standard and SQL Server Enterprise.

PostgreSQL – All versions are supported.

Aurora – All versions are supported.

MariaDB – MariaDB version 10.0.17 is supported.

MySQL DB instances created after April 23, 2014, can switch to the db.r3 instance classes by modifying the DB instance just as with any other modification. MySQL DB instances running MySQL versions 5.1 or 5.5 and created before April 23, 2014, must first upgrade to MySQL version 5.6. For information on upgrading a MySQL DB instance, see Upgrading Database Versions for a DB Instance (p. 621). For more information, go to R3 Instances in the Amazon EC2 documentation.

Oracle DB instances (versions 11.2.0.4 and 12.1.0.2 and above) created after August 06, 2015, can switch to the db.r3 instance classes by modifying the DB instance just as with any other modification.

To migrate an existing instance launched before this date, first upgrade your instance to Oracle database version 11.2.0.4 or 12.1.0.2, and then create and restore a snapshot of that database instance to a new R3 or T2 instance.

Burst Capable – Current Generation (db.t2) – Instances that provide baseline performance level with the ability to burst to full CPU usage. This DB instance class requires that the DB instance be in a VPC.

If you have an existing DB instance that you want to move to the db.t2 DB instance class, note that the db.t2 DB instance class requires a VPC; if your current DB instance is not in a VPC, see Moving a DB Instance Not in a VPC into a VPC (p. 169) to find out how to move a DB instance not in a VPC into a VPC. For more information about T2 instances used with the db.t2 DB instance class, go to T2 Instances in the Amazon EC2 documentation.

DB Engine – Availability

MySQL – MySQL version 5.5, 5.6, and 5.7 are supported.

Oracle – Standard Edition is supported for Bring Your Own License (BYOL). Enterprise Edition is supported for Bring Your Own License (BYOL). Standard Edition Two is supported for Bring Your Own License (BYOL). Standard Edition One is supported for Bring Your Own License (BYOL) and License Included. If you want to use a micro DB instance class, the db.t2.micro DB instance class is recommended for use with Oracle versions 11.2.0.4 and 12.1.0.2. The db.t1.micro DB instance class only supports Oracle versions 11.2.0.2, 11.2.0.3, and 12.1.0.1.

SQL Server – SQL Server Standard is supported for Bring Your Own License (BYOL). SQL Server Enterprise Edition is supported for Bring Your Own License (BYOL).

PostgreSQL – All versions are supported.

Aurora – Aurora is not supported.

MariaDB – MariaDB version 10.0.17 is supported.

Previous Generation DB Instance Classes

Previous generation DB instance classes include the following:

Instance Type – Previous Generation DB Instance Classes

Standard – db.m1.small | db.m1.medium | db.m1.large | db.m1.xlarge

Memory Optimized – db.m2.xlarge | db.m2.2xlarge | db.m2.4xlarge | db.cr1.8xlarge

Micro – db.t1.micro

Standard – Previous Generation – Previous generation general-purpose instances. For more information, go to Instance Type in the Amazon EC2 documentation.

Memory Optimized – Previous Generation (db.m2) – First generation memory-optimized instances. For more information, go to Instance Type in the Amazon EC2 documentation.

Micro Instances (db.t1.micro) – An instance sufficient for testing that should not be used for production applications. Using a db.t1.micro instance with Oracle is a limited test configuration. If you want to use a micro DB instance class, the db.t1.micro DB instance class only supports Oracle versions 11.2.0.2, 11.2.0.3, and 12.1.0.1.

We recommend that you use db.t1.micro instances with Oracle to test setup and connectivity only; the system resources for a db.t1.micro instance do not meet the recommended configuration for Oracle.

No Oracle options are supported on a db.t1.micro instance. For more information, see the Micro Instances topic in the Amazon EC2 documentation.

Specifications for All Available DB Instance Classes

The following table provides details of the Amazon RDS DB instance classes.

Instance Class | vCPU | ECU | Memory (GB) | EBS Optimized | Network Performance

Micro Instances

db.t1.micro | 1 | 1 | .615 | No | Very Low

db.m1.small | 1 | 1 | 1.7 | No | Very Low

Standard - Current Generation (VPC only)

db.m4.large | 2 | 6.5 | 8 | 450 Mbps | Moderate

db.m4.xlarge | 4 | 13 | 16 | 750 Mbps | High

db.m4.2xlarge | 8 | 25.5 | 32 | 1000 Mbps | High

db.m4.4xlarge | 16 | 53.5 | 64 | 2000 Mbps | High

db.m4.10xlarge | 40 | 124.5 | 160 | 4000 Mbps | 10 Gbps

Memory Optimized - Current Generation

db.r3.large | 2 | 6.5 | 15 | No | Moderate

db.r3.xlarge | 4 | 13 | 30.5 | 500 Mbps | Moderate

db.r3.2xlarge | 8 | 26 | 61 | 1000 Mbps | High

db.r3.4xlarge | 16 | 52 | 122 | 2000 Mbps | High

db.r3.8xlarge | 32 | 104 | 244 | No | 10 Gbps

Burst Capable - Current Generation (VPC only)

db.t2.micro | 1 | 1 | 1 | No | Low

db.t2.small | 1 | 1 | 2 | No | Low

db.t2.medium | 2 | 2 | 4 | No | Moderate

db.t2.large | 2 | 2 | 8 | No | Moderate

Standard - Previous Generation

db.m3.medium | 1 | 3 | 3.75 | No | Moderate

db.m3.large | 2 | 6.5 | 7.5 | No | Moderate

db.m3.xlarge | 4 | 13 | 15 | 500 Mbps | High

db.m3.2xlarge | 8 | 26 | 30 | 1000 Mbps | High

Memory Optimized - Previous Generation

db.m2.xlarge | 2 | 6.5 | 17.1 | No | Moderate

db.m2.2xlarge | 4 | 13 | 34.2 | 500 Mbps | Moderate

db.m2.4xlarge | 8 | 26 | 68.4 | 1000 Mbps | High

db.cr1.8xlarge | 32 | 88 | 244 | No | 10 Gbps

Note

The table column information includes:

vCPU – A virtual CPU, or virtual central processing unit, is a unit of capacity that you can use to compare DB instance classes. Instead of purchasing or leasing a particular processor to use for several months or years, you are renting capacity by the hour. Our goal is to provide a consistent amount of CPU capacity no matter what the actual underlying hardware.

ECU – The EC2 Compute Unit provides the relative measure of the integer processing power of an Amazon EC2 instance. In order to make it easy for developers to compare CPU capacity between different instance classes, we have defined an Amazon EC2 Compute Unit. The amount of CPU that is allocated to a particular instance is expressed in terms of these EC2 Compute Units. One ECU currently provides CPU capacity equivalent to a 1.0-1.2 GHz 2007 Opteron or 2007 Xeon processor.

Memory (GB) – Specifies the RAM memory, in gigabytes, allocated to the DB instance. Note that there is often a consistent ratio between memory and vCPU. For example, the db.m1 DB instance class has the same memory to vCPU ratio as the db.m3 DB instance class, but db.m3 instance classes provide better, more consistent performance than db.m1 instances for most use cases. db.m3 instance classes are also less expensive than db.m1 instances.

EBS-optimized – DB instance uses an optimized configuration stack and provides additional, dedicated capacity for Amazon Elastic Block Store (Amazon EBS) I/O. This optimization provides the best performance for your Amazon EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance. For more information about Amazon EBS-optimized instances, go to Amazon EBS-Optimized Instances in the Amazon EC2 documentation.

Network Performance – The network speed relative to other DB instance classes.

DB Instance Status

The status of a DB instance indicates the health of the instance. You can view the status of a DB instance by using the RDS console, the AWS CLI command describe-db-instances, or the API action DescribeDBInstances.

Note

Amazon RDS also uses another status called maintenance status, which is shown in the Maintenance column of the Amazon RDS console. This value indicates the status of any maintenance patches that need to be applied to a DB instance. Maintenance status is independent of DB instance status. For more information on maintenance status, see Operating System Updates for a DB Instance (p. 618).

DB Instance Status – Description

available – The instance is healthy and available.

backing-up – The instance is currently being backed up.

creating – The instance is being created. The instance is inaccessible while it is being created.

deleting – The instance is being deleted.

failed – The instance has failed and Amazon RDS was unable to recover it. Perform a point-in-time restore to the latest restorable time of the instance to recover the data.

inaccessible-encryption-credentials – The KMS key used to encrypt or decrypt the DB instance could not be accessed.

incompatible-credentials – The supplied CloudHSM username or password is incorrect. Please update the CloudHSM credentials for the DB instance.

incompatible-network – Amazon RDS is attempting to perform a recovery action on an instance but is unable to do so because the VPC is in a state that is preventing the action from being completed. This status can occur if, for example, all available IP addresses in a subnet were in use and Amazon RDS was unable to get an IP address for the DB instance.

incompatible-option-group – Amazon RDS attempted to apply an option group change but was unable to do so, and Amazon RDS was unable to roll back to the previous option group state. Consult the Recent Events list for the DB instance for more information. This status can occur if, for example, the option group contains an option such as TDE and the DB instance does not contain encrypted information.

incompatible-parameters – Amazon RDS was unable to start up the DB instance because the parameters specified in the instance's DB parameter group were not compatible. Revert the parameter changes or make them compatible with the instance to regain access to your instance. Consult the Recent Events list for the DB instance for more information about the incompatible parameters.

incompatible-restore – Amazon RDS is unable to do a point-in-time restore. Common causes for this status include using temp tables, using MyISAM tables with MySQL, or using Aria tables with MariaDB.

maintenance – Amazon RDS is applying a maintenance update to the DB instance.

modifying – The instance is being modified because of a customer request to modify the instance.

rebooting – The instance is being rebooted because of a customer request or an Amazon RDS process that requires the rebooting of the instance.

renaming – The instance is being renamed because of a customer request to rename it.

resetting-master-credentials – The master credentials for the instance are being reset because of a customer request to reset them.

restore-error – The DB instance encountered an error attempting to restore to a point-in-time or from a snapshot.

storage-full – The instance has reached its storage capacity allocation. This is a critical status and should be remedied immediately; you should scale up your storage by modifying the DB instance. Set CloudWatch alarms to warn you when storage space is getting low so you don't run into this situation.

upgrading – The database engine version is being upgraded.

Regions and Availability Zones

Amazon cloud computing resources are housed in highly available data center facilities in different areas of the world (for example, North America, Europe, and Asia). Each data center location is called a region.

Each region contains multiple distinct locations called Availability Zones, or AZs. Each Availability Zone is engineered to be isolated from failures in other Availability Zones, and to provide inexpensive, low-latency network connectivity to other zones in the same region. By launching instances in separate Availability Zones, you can protect your applications from the failure of a single location.

It is important to remember that each region is completely independent. Any Amazon RDS activity you initiate (for example, creating database instances or listing available database instances) runs only in your current default region. The default region can be changed in the console, by setting the EC2_REGION environment variable, or it can be overridden by using the --region parameter with the AWS command line interface. See Configuring the AWS Command Line Interface, specifically the sections on Environment Variables and Command Line Options, for more information.

Amazon RDS supports a special AWS region called AWS GovCloud (US) that is designed to allow US government agencies and customers to move more sensitive workloads into the cloud by addressing their specific regulatory and compliance requirements. For more information on AWS GovCloud (US), see the AWS GovCloud (US) home page .

To create or work with an Amazon RDS DB instance in a specific region, use the corresponding regional service endpoint.

Amazon RDS supports the endpoints listed in the following table.

Region                             Name             Endpoint
US East (N. Virginia) region       us-east-1        https://rds.us-east-1.amazonaws.com
US West (N. California) region     us-west-1        https://rds.us-west-1.amazonaws.com
US West (Oregon) region            us-west-2        https://rds.us-west-2.amazonaws.com
EU (Ireland) region                eu-west-1        https://rds.eu-west-1.amazonaws.com
EU (Frankfurt) Region              eu-central-1     https://rds.eu-central-1.amazonaws.com
Asia Pacific (Tokyo) Region        ap-northeast-1   https://rds.ap-northeast-1.amazonaws.com
Asia Pacific (Seoul) Region        ap-northeast-2   https://rds.ap-northeast-2.amazonaws.com
Asia Pacific (Singapore) Region    ap-southeast-1   https://rds.ap-southeast-1.amazonaws.com
Asia Pacific (Sydney) Region       ap-southeast-2   https://rds.ap-southeast-2.amazonaws.com
South America (Sao Paulo) Region   sa-east-1        https://rds.sa-east-1.amazonaws.com
China (Beijing) Region             cn-north-1       https://rds.cn-north-1.amazonaws.com.cn
AWS GovCloud (US) Region           us-gov-west-1    https://rds.us-gov-west-1.amazonaws.com

If you do not explicitly specify an endpoint, the US West (Oregon) endpoint is the default.

Related Topics

• Regions and Availability Zones in the Amazon Elastic Compute Cloud User Guide

• Amazon RDS DB Instances (p. 103)

High Availability (Multi-AZ)

Amazon RDS provides high availability and failover support for DB instances using Multi-AZ deployments.

Multi-AZ deployments for Oracle, PostgreSQL, MySQL, and MariaDB DB instances use Amazon technology, while SQL Server DB instances use SQL Server Mirroring.

Note

Amazon Aurora stores copies of the data in a DB cluster across multiple Availability Zones in a single region, regardless of whether the instances in the DB cluster span multiple Availability Zones. For more information on Amazon Aurora, see Aurora on Amazon RDS (p. 495).


In a Multi-AZ deployment, Amazon RDS automatically provisions and maintains a synchronous standby replica in a different Availability Zone. The primary DB instance is synchronously replicated across Availability Zones to a standby replica to provide data redundancy, eliminate I/O freezes, and minimize latency spikes during system backups. Running a DB instance with high availability can enhance availability during planned system maintenance, and help protect your databases against DB instance failure and Availability Zone disruption. For more information on Availability Zones, see Regions and Availability Zones (p. 111).

Note

The high-availability feature is not a scaling solution for read-only scenarios; you cannot use a standby replica to serve read traffic. To service read-only traffic, you should use a Read Replica. For more information, see Working with PostgreSQL, MySQL, and MariaDB Read Replicas (p. 649).

When using the BYOL licensing model, you must have a license for both the primary instance and the standby replica.

Using the RDS console, you can create a Multi-AZ deployment by simply specifying Multi-AZ when creating a DB instance. You can also use the console to convert existing DB instances to Multi-AZ deployments by modifying the DB instance and specifying the Multi-AZ option. The RDS console shows the Availability Zone of the standby replica, called the secondary AZ.

You can specify a Multi-AZ deployment using the CLI as well. For SQL Server Multi-AZ deployments using SQL Server Mirroring, you specify the option in an option group; for more information on the SQL Server option for Mirroring, see Multi-AZ Deployment for SQL Server Using the Mirroring Option (p. 448).

You can also use the AWS CLI describe-db-instances command or the Amazon RDS API DescribeDBInstances action to show the Availability Zone of the standby replica (the secondary AZ).

DB instances using Multi-AZ deployments may have increased write and commit latency compared to a Single-AZ deployment, due to the synchronous data replication that occurs. You may have a change in latency if your deployment fails over to the standby replica, although AWS is engineered with low-latency network connectivity between Availability Zones. For production workloads, we recommend you use Provisioned IOPS and DB instance classes (m1.large and larger) that are optimized for Provisioned IOPS for fast, consistent performance.

If you have a Single-AZ deployment, and you modify it to be a Multi-AZ deployment (for engines other than SQL Server or Amazon Aurora), then RDS takes a snapshot of the primary DB instance from your deployment and restores the snapshot into another Availability Zone. RDS then sets up synchronous replication between your primary DB instance and the new instance. This avoids downtime when you convert from Single-AZ to Multi-AZ.

Failover Process for Amazon RDS

In the event of a planned or unplanned outage of your DB instance, Amazon RDS automatically switches to a standby replica in another Availability Zone if you have enabled Multi-AZ. The time it takes for the failover to complete depends on the database activity and other conditions at the time the primary DB instance became unavailable. Failover times are typically 60-120 seconds. However, large transactions or a lengthy recovery process can increase failover time. When the failover is complete, it can take additional time for the RDS console UI to reflect the new Availability Zone.

The failover mechanism automatically changes the DNS record of the DB instance to point to the standby DB instance. As a result, you will need to re-establish any existing connections to your DB instance. Because of how the Java DNS caching mechanism works, you may need to reconfigure your JVM environment. For more information on how to manage a Java application that caches DNS values in the case of a failover, see the AWS SDK for Java.

Amazon RDS handles failovers automatically so you can resume database operations as quickly as possible without administrative intervention. The primary DB instance switches over automatically to the standby replica if any of the following conditions occur:

• An Availability Zone outage

• The primary DB instance fails

• The DB instance's server type is changed

• The operating system of the DB instance is undergoing software patching

• A manual failover of the DB instance was initiated using Reboot with failover

There are several ways to determine if your Multi-AZ DB instance has failed over:

• DB event subscriptions can be setup to notify you via email or SMS that a failover has been initiated.

For more information about events, see Using Amazon RDS Event Notification (p. 781)

• You can view your DB events via the Amazon RDS console or APIs.

• You can view the current state of your Multi-AZ deployment via the Amazon RDS console and APIs.

For information on how you can respond to failovers, reduce recovery time, and other best practices for

Amazon RDS, go to Best Practices for Amazon RDS (p. 94) .
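The reconnection the failover section requires, as an added example (not code from AWS or this guide): a client wrapper that drops the old connection, re-resolves the instance's DNS name on every attempt instead of reusing a cached address, and retries with capped back-off until a deadline. The `connect` and `resolve` callables, the IP addresses and the endpoint name are assumptions so that the code runs offline; in a real client they would be the DB driver's connect() and socket.getaddrinfo.

```python
"""Reconnecting to an RDS endpoint across a Multi-AZ failover.

Added example; not AWS or RDS code. Failover repoints the DB instance's
DNS name at the standby, so a client has to drop the old connection,
re-resolve the name instead of reusing a cached address, and keep
retrying for roughly the 60-120 second failover window.

`connect` and `resolve` are injected so the logic runs offline; in a
real client `resolve` wraps socket.getaddrinfo and `connect` the DB
driver's connect() (assumption: the driver raises when the TCP
connection is refused or reset).
"""
import time
from typing import Any, Callable, List, Optional, Tuple


class FailoverTimeout(Exception):
    """Raised when no connection could be made before the deadline."""


def connect_with_failover_retry(
    host: str,
    connect: Callable[[str], Any],      # connect(ip) -> connection, raises on failure
    resolve: Callable[[str], str],      # resolve(host) -> IP address, raises on failure
    deadline_s: float = 180.0,
    base_delay_s: float = 1.0,
    max_delay_s: float = 16.0,
    sleep: Callable[[float], None] = time.sleep,
    now: Callable[[], float] = time.monotonic,
) -> Tuple[Any, int, List[str]]:
    """Return (connection, attempts, addresses_tried).

    Every attempt re-resolves `host`. A client that kept the address from
    its first lookup would keep hitting the failed primary after the DNS
    record has been switched to the standby. Back-off is exponential and
    capped, and the total wait is bounded by `deadline_s`.
    """
    start = now()
    delay = base_delay_s
    attempts = 0
    addresses: List[str] = []
    last_error: Optional[BaseException] = None
    while True:
        attempts += 1
        try:
            ip = resolve(host)          # fresh lookup, never a cached address
            addresses.append(ip)
            return connect(ip), attempts, addresses
        except Exception as exc:        # DNS failure, refused or reset connection
            last_error = exc
        if now() - start + delay > deadline_s:
            raise FailoverTimeout(
                f"no connection to {host} after {attempts} attempts; "
                f"last error: {last_error!r}")
        sleep(delay)
        delay = min(delay * 2, max_delay_s)


def simulate_failover() -> Tuple[Any, int, List[str]]:
    """Constructed scenario (no network): DNS still returns the old primary's
    address for the first two lookups, then the standby's address once the
    record has flipped. The old address refuses connections; a virtual
    clock replaces real sleeping."""
    old_ip, new_ip = "10.0.1.10", "10.0.2.10"     # constructed addresses
    state = {"lookups": 0, "clock": 0.0}

    def resolve(_host: str) -> str:
        state["lookups"] += 1
        return old_ip if state["lookups"] <= 2 else new_ip

    def connect(ip: str) -> str:
        if ip == old_ip:
            raise ConnectionRefusedError(f"{ip}: primary is down")
        return f"connection-to-{ip}"

    def sleep(seconds: float) -> None:
        state["clock"] += seconds

    return connect_with_failover_retry(
        "mydb.example.us-east-1.rds.amazonaws.com",   # constructed endpoint name
        connect, resolve, sleep=sleep, now=lambda: state["clock"])


if __name__ == "__main__":
    conn, attempts, tried = simulate_failover()
    print(f"{conn} after {attempts} attempts via {tried}")
```

For JVM clients the equivalent fix is to bound the JVM's own DNS cache, for example by setting the networkaddress.cache.ttl security property to a small number of seconds; otherwise a JVM can keep handing out the primary's old address long after the record has moved.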

Amazon RDS and Amazon Virtual Private Cloud (VPC)

Amazon RDS lets you use the Amazon Virtual Private Cloud (VPC) service to create a virtual private cloud where you can launch a DB instance. When you use a virtual private cloud, you have control over your virtual networking environment: you can select your own IP address range, create subnets, and configure routing and access control lists. The basic functionality of Amazon RDS is the same whether it is running in a VPC or not: Amazon RDS manages backups, software patching, automatic failure detection, and recovery. There is no additional cost to run your DB instance in a VPC.


Amazon RDS supports two platforms in each region. On the EC2-Classic platform (shown as EC2,VPC in the RDS console), you must use the Amazon VPC service if you want to create a VPC. On the EC2-VPC platform (shown as VPC in the RDS console), your AWS account gets a default VPC in each region. If you are new to Amazon RDS, or if you are creating DB instances in a region you have not worked in before, chances are good that you are on the EC2-VPC platform and have a default VPC. To determine which platform your account supports in a particular region, see Determining Whether You Are Using the EC2-VPC or EC2-Classic Platform (p. 155).

For more information about using a VPC with Amazon RDS, see Virtual Private Clouds (VPCs) and Amazon RDS (p. 155).

DB Instance Backups

Amazon RDS creates a storage volume snapshot of your DB instance, backing up the entire DB instance and not just individual databases. Amazon RDS provides two different methods for backing up your Amazon DB instances: automated backups and customer-initiated DB snapshots. Automated backups automatically back up your DB instance during a specific, user-definable backup window, and keep the backups for a limited, user-specified period of time (called the backup retention period); you can later recover your database to any point in time during that retention period. DB snapshots are user-initiated backups that enable you to back up your DB instance to a known state, and restore to that specific state at any time. Amazon RDS keeps all DB snapshots until you delete them.

Note

A brief I/O freeze, typically lasting a few seconds, occurs during both automated backups and DB snapshot operations on Single-AZ DB instances.

Automated Backup

Automated backup is an Amazon RDS feature that automatically creates a backup of your DB instance.

Automated backups are enabled by default for a new DB instance.

An automated backup occurs during a daily user-configurable period of time known as the preferred backup window. Backups created during the backup window are retained for a user-configurable number of days (the backup retention period). Note that if the backup requires more time than allotted to the backup window, the backup will continue to completion.

Note

An immediate outage will occur if you change the backup retention period from 0 to a non-zero value or from a non-zero value to 0.


The preferred backup window is the user-defined period of time during which your DB instance is backed up. Amazon RDS uses these periodic data backups in conjunction with your transaction logs to enable you to restore your DB instance to any second during your retention period, up to the LatestRestorableTime (typically up to the last five minutes). During the backup window, storage I/O may be suspended while your data is being backed up and you may experience elevated latency. This I/O suspension typically lasts for the duration of the snapshot. This period of I/O suspension is shorter for Multi-AZ DB deployments, since the backup is taken from the standby, but latency can occur during the backup process.

When the backup retention changes to a non-zero value, the first backup occurs immediately. Changing the backup retention period to 0 turns off automatic backups for the DB instance, and deletes all existing automated backups for the instance.

If you don't specify a preferred backup window when you create the DB instance, Amazon RDS assigns a default 30-minute backup window which is selected at random from an 8-hour block of time per region.

The following table lists the time blocks for each region from which the default backup windows are assigned.

Region                             Time Block
US East (N. Virginia) region       03:00-11:00 UTC
US West (N. California) region     06:00-14:00 UTC
US West (Oregon) region            06:00-14:00 UTC
EU (Ireland) region                22:00-06:00 UTC
EU (Frankfurt) Region              23:00-07:00 UTC
Asia Pacific (Tokyo) Region        13:00-21:00 UTC
Asia Pacific (Seoul) Region        13:00-21:00 UTC
Asia Pacific (Sydney) Region       12:00-20:00 UTC
Asia Pacific (Singapore) Region    14:00-22:00 UTC
South America (São Paulo) Region   00:00-08:00 UTC
AWS GovCloud (US) Region           03:00-11:00 UTC

Changes to the backup window take effect immediately. The backup window cannot overlap with the weekly maintenance window for the DB instance.

When you delete a DB instance, you can create a final DB snapshot upon deletion; if you do, you can use this DB snapshot to restore the deleted DB instance at a later date. Amazon RDS retains this final user-created DB snapshot along with all other manually created DB snapshots after the DB instance is deleted. All automated backups are deleted and cannot be recovered when you delete a DB instance.
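Two passages above call for the same check, so one added example covers both: the regions section says every RDS call runs only in one region, and this section says automated backups are gone once the retention period is 0 or the instance is deleted. The script below (not AWS code) walks every region from the endpoint table and flags instances whose status needs action, whose backup retention period is 0, or which are Single-AZ. The `describe` callable, the sample instance records and `sample_describe` are constructed stand-ins; in real use describe would wrap boto3's rds.describe_db_instances or aws rds describe-db-instances --region.

```python
"""Cross-region audit of RDS DB instances (added example, not AWS code).

Every RDS call runs only in one region, so an inventory that forgets a
region silently misses the instances in it. This walks the full region
list from the endpoint table, calls an injected `describe` function for
each (assumption: in real use it wraps boto3's rds.describe_db_instances
or `aws rds describe-db-instances --region` and returns the DBInstances
list), and flags what the guide calls out: a status that needs action,
automated backups disabled (retention 0), and Single-AZ instances.
"""
from typing import Callable, Dict, Iterable, List, Tuple

# Region names from the endpoint table in this guide.
RDS_REGIONS = [
    "us-east-1", "us-west-1", "us-west-2", "eu-west-1", "eu-central-1",
    "ap-northeast-1", "ap-northeast-2", "ap-southeast-1", "ap-southeast-2",
    "sa-east-1", "cn-north-1", "us-gov-west-1",
]

# Statuses from the DB Instance Status table that need an operator's action.
ACTION_STATUSES = {
    "failed", "inaccessible-encryption-credentials", "incompatible-credentials",
    "incompatible-network", "incompatible-option-group", "incompatible-parameters",
    "incompatible-restore", "restore-error", "storage-full",
}

Finding = Tuple[str, str, str]   # (region, DB instance identifier, message)


def rds_endpoint(region: str) -> str:
    """Regional service endpoint; only the China region uses amazonaws.com.cn."""
    domain = "amazonaws.com.cn" if region.startswith("cn-") else "amazonaws.com"
    return f"https://rds.{region}.{domain}"


def audit_instance(region: str, inst: Dict) -> List[Finding]:
    """Apply the checks to one DescribeDBInstances record."""
    ident = inst["DBInstanceIdentifier"]
    findings: List[Finding] = []
    status = inst.get("DBInstanceStatus", "")
    if status in ACTION_STATUSES:
        findings.append((region, ident, f"status {status}: check Recent Events and remediate"))
    if inst.get("BackupRetentionPeriod", 0) == 0:
        findings.append((region, ident, "automated backups off: no point-in-time recovery"))
    if not inst.get("MultiAZ", False):
        findings.append((region, ident, "Single-AZ: no automatic failover, backups freeze I/O"))
    return findings


def audit_all_regions(describe: Callable[[str, str], Iterable[Dict]],
                      regions: Iterable[str] = RDS_REGIONS) -> List[Finding]:
    """Run the audit in every region; a region that cannot be queried is itself
    a finding rather than a silent gap in the inventory."""
    findings: List[Finding] = []
    for region in regions:
        try:
            instances = list(describe(region, rds_endpoint(region)))
        except Exception as exc:            # e.g. no credentials for that partition
            findings.append((region, "*", f"describe failed: {exc}"))
            continue
        for inst in instances:
            findings.extend(audit_instance(region, inst))
    return findings


# Constructed sample of DescribeDBInstances output, trimmed to the fields used.
SAMPLE_INSTANCES = {
    "us-east-1": [
        {"DBInstanceIdentifier": "orders-prod", "DBInstanceStatus": "available",
         "MultiAZ": True, "BackupRetentionPeriod": 7},
        {"DBInstanceIdentifier": "reports", "DBInstanceStatus": "storage-full",
         "MultiAZ": False, "BackupRetentionPeriod": 0},
    ],
    "eu-west-1": [
        {"DBInstanceIdentifier": "forgotten-dev", "DBInstanceStatus": "available",
         "MultiAZ": False, "BackupRetentionPeriod": 1},
    ],
}


def sample_describe(region: str, endpoint: str) -> List[Dict]:
    """Offline stand-in for the API call; the China partition needs separate credentials."""
    if region == "cn-north-1":
        raise PermissionError(f"no credentials for {endpoint}")
    return SAMPLE_INSTANCES.get(region, [])


if __name__ == "__main__":
    for region, ident, msg in audit_all_regions(sample_describe):
        print(f"{region:16} {ident:16} {msg}")
```

A failed describe call is reported rather than swallowed: the GovCloud and China regions need their own credentials, and an audit that quietly skips them is exactly the blind spot the regions section warns about.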

Refer to the pricing page for information on backup storage costs.

For more information on working with automated backups, go to Working With Automated Backups (p. 674).


Point-In-Time Recovery

In addition to the daily automated backup, Amazon RDS archives database change logs. This enables you to recover your database to any point in time during the backup retention period, up to the last five minutes of database usage.

Amazon RDS stores multiple copies of your data, but for Single-AZ DB instances these copies are stored in a single Availability Zone. If for any reason a Single-AZ DB instance becomes unusable, you can use point-in-time recovery to launch a new DB instance with the latest restorable data. For more information on working with point-in-time recovery, go to Restoring a DB Instance to a Specified Time (p. 699).

Note

Multi-AZ deployments store copies of your data in different Availability Zones for greater levels of data durability. For more information on Multi-AZ deployments, see High Availability (Multi-AZ) (p. 112).

Automated Backups with Unsupported MySQL Storage Engines

Amazon RDS automated backups and DB snapshots are currently supported for all DB engines. For the MySQL DB engine, only the InnoDB storage engine is supported; use of these features with other MySQL storage engines, including MyISAM, may lead to unreliable behavior while restoring from backups. Specifically, since storage engines like MyISAM do not support reliable crash recovery, your tables can be corrupted in the event of a crash. For this reason, we encourage you to use the InnoDB storage engine.

• To convert existing MyISAM tables to InnoDB tables, you can use the ALTER TABLE command. For example:

    ALTER TABLE table_name ENGINE=innodb, ALGORITHM=COPY;

• If you choose to use MyISAM, you can attempt to manually repair tables that become damaged after a crash by using the REPAIR TABLE command (see http://dev.mysql.com/doc/refman/5.5/en/repair-table.html).

However, as noted in the MySQL documentation, there is a good chance that you will not be able to recover all your data.

• If you want to take a snapshot of your MyISAM tables prior to restoring, follow these steps:

1. Stop all activity to your MyISAM tables (that is, close all sessions). You can close all sessions by calling the mysql.rds_kill command for each process that is returned from the SHOW FULL PROCESSLIST command.

2. Lock and flush each of your MyISAM tables. For example, the following command locks and flushes two tables named myisam_table1 and myisam_table2:

    mysql> FLUSH TABLES myisam_table1, myisam_table2 WITH READ LOCK;

3. Create a snapshot of your DB instance. When the snapshot has completed, release the locks and resume activity on the MyISAM tables. You can release the locks on your tables using the following command:

    mysql> UNLOCK TABLES;

These steps force MyISAM to flush data stored in memory to disk, thereby ensuring a clean start when you restore from a DB snapshot. For more information on creating a DB snapshot, see Creating a DB Snapshot (p. 678).

Automated Backups with Unsupported MariaDB Storage Engines

Amazon RDS automated backups and DB snapshots are currently supported for all DB engines. For the MariaDB DB engine, only the XtraDB storage engine is supported; use of these features with other MariaDB storage engines, including Aria, might lead to unreliable behavior while restoring from backups.

Even though Aria is a crash-resistant alternative to MyISAM, your tables can still be corrupted in the event of a crash. For this reason, we encourage you to use the XtraDB storage engine.

• To convert existing Aria tables to XtraDB tables, you can use the ALTER TABLE command. For example:

    ALTER TABLE table_name ENGINE=xtradb, ALGORITHM=COPY;

• If you choose to use Aria, you can attempt to manually repair tables that become damaged after a crash by using the REPAIR TABLE command. For more information, go to http://mariadb.com/kb/en/mariadb/repair-table/.

• If you want to take a snapshot of your Aria tables prior to restoring, follow these steps:

1. Stop all activity to your Aria tables (that is, close all sessions).

2. Lock and flush each of your Aria tables.

3. Create a snapshot of your DB instance. When the snapshot has completed, release the locks and resume activity on the Aria tables. These steps force Aria to flush data stored in memory to disk, thereby ensuring a clean start when you restore from a DB snapshot.
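The MySQL steps above and the Aria steps just given are the same procedure, so one added example covers both (this is not AWS code): it finds the MyISAM and Aria tables, ends the other sessions, takes the read lock, creates the snapshot, waits for it, and always releases the lock, and it also generates the ALTER TABLE conversion statements. The injected `run_sql`, `create_snapshot` and `snapshot_status` callables, the FakeSession class and the table and thread data are constructed stand-ins; with a real driver, run_sql must execute on one connection kept open for the whole procedure because the read lock belongs to that session.

```python
"""Consistent DB snapshot of MyISAM (MySQL) or Aria (MariaDB) tables.

Added example, not AWS code. Follows the guide's three steps: end other
sessions with mysql.rds_kill, FLUSH TABLES ... WITH READ LOCK, create the
snapshot and wait for it, then UNLOCK TABLES; it also generates the
ALTER TABLE statements for moving such tables to a crash-safe engine.
`run_sql`, `create_snapshot` and `snapshot_status` are injected
(assumption): run_sql must execute on ONE connection held open for the
whole procedure, since the read lock belongs to that session; the other
two wrap the CreateDBSnapshot and DescribeDBSnapshots API actions.
"""
import re
from typing import Callable, List, Sequence, Tuple

UNSAFE_ENGINES = {"MyISAM", "Aria"}
_IDENT = re.compile(r"^[A-Za-z0-9_$]+$")

def quote_ident(name: str) -> str:
    """Backtick-quote a name, refusing anything that is not a plain identifier
    so a hostile table name cannot inject into the generated SQL."""
    if not _IDENT.match(name):
        raise ValueError(f"refusing to use identifier {name!r}")
    return f"`{name}`"

def unsafe_tables(run_sql) -> List[Tuple[str, str]]:
    """(schema, table) pairs stored in MyISAM or Aria, per information_schema."""
    rows = run_sql("SELECT table_schema, table_name, engine FROM information_schema.tables "
                   "WHERE table_schema NOT IN ('mysql','information_schema','performance_schema')")
    return [(s, t) for s, t, engine in rows if engine in UNSAFE_ENGINES]

def conversion_statements(tables: Sequence[Tuple[str, str]], engine: str) -> List[str]:
    """ALTER TABLE ... ENGINE=InnoDB (MySQL) or XtraDB (MariaDB), ALGORITHM=COPY as in the guide."""
    return [f"ALTER TABLE {quote_ident(s)}.{quote_ident(t)} ENGINE={engine}, ALGORITHM=COPY"
            for s, t in tables]

def kill_other_sessions(run_sql, own_id: int) -> int:
    """Step 1: the RDS master user has no KILL privilege, so use mysql.rds_kill."""
    killed = 0
    for row in run_sql("SHOW FULL PROCESSLIST"):     # column 0 is the thread Id
        if int(row[0]) != own_id:
            run_sql(f"CALL mysql.rds_kill({int(row[0])})")
            killed += 1
    return killed

def snapshot_with_quiesced_tables(run_sql, create_snapshot, snapshot_status,
                                  own_id: int, snapshot_id: str,
                                  wait: Callable[[], None] = lambda: None) -> int:
    """Steps 1-3 in order; returns how many tables were locked. UNLOCK runs in
    `finally`, so a failed snapshot never leaves the tables read-locked."""
    tables = unsafe_tables(run_sql)
    if not tables:                                   # nothing to quiesce
        create_snapshot(snapshot_id)
        return 0
    kill_other_sessions(run_sql, own_id)
    names = ", ".join(f"{quote_ident(s)}.{quote_ident(t)}" for s, t in tables)
    run_sql(f"FLUSH TABLES {names} WITH READ LOCK")  # step 2
    try:
        create_snapshot(snapshot_id)                     # step 3
        while snapshot_status(snapshot_id) != "available":
            wait()
    finally:
        run_sql("UNLOCK TABLES")
    return len(tables)

class FakeSession:
    """Constructed stand-in for one DB connection; records every statement."""
    def __init__(self, tables, thread_ids):
        self.tables, self.thread_ids, self.log = tables, thread_ids, []

    def __call__(self, sql: str):
        self.log.append(sql)
        if sql.startswith("SELECT table_schema"):
            return self.tables
        if sql == "SHOW FULL PROCESSLIST":
            return [(tid, "app", "10.0.0.5:4711", "shop", "Sleep", 3, "", None)
                    for tid in self.thread_ids]
        return []

def simulate_snapshot(snapshot_fails: bool = False) -> List[str]:
    """Run the procedure on constructed data (thread 12 is our own session)
    and return the SQL statements issued, in order."""
    session = FakeSession([("shop", "orders", "InnoDB"), ("shop", "audit_log", "MyISAM"),
                           ("shop", "sessions", "Aria")], thread_ids=[7, 12, 15])
    polls = {"n": 0}

    def create_snapshot(_ident):
        if snapshot_fails:
            raise RuntimeError("CreateDBSnapshot failed")

    def snapshot_status(_ident):
        polls["n"] += 1
        return "creating" if polls["n"] < 2 else "available"

    try:
        snapshot_with_quiesced_tables(session, create_snapshot, snapshot_status,
                                      own_id=12, snapshot_id="pre-restore-myisam")
    except RuntimeError:
        pass
    return session.log
```

The lock is held until DescribeDBSnapshots reports the snapshot available, not merely until CreateDBSnapshot returns, and the identifier check on table names matters because the statements are assembled from information_schema rather than bound as parameters.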

DB Snapshots

A DB snapshot is a user-initiated storage volume snapshot of your DB instance, backing up the entire DB instance and not just individual databases. DB snapshots enable you to back up your DB instance in a known state as frequently as you wish, and then restore to that specific state at any time. DB snapshots can be created with the Amazon RDS console or the CreateDBSnapshot action in the Amazon RDS API. DB snapshots are kept until you explicitly delete them with the Amazon RDS console or the DeleteDBSnapshot action in the Amazon RDS API. For more information on working with DB snapshots, see Creating a DB Snapshot (p. 678) and Restoring From a DB Snapshot (p. 680).

Related Topics

• Creating a DB Snapshot (p. 678)

• Restoring From a DB Snapshot (p. 680)

• Copying a DB Snapshot (p. 684)

• Working With Automated Backups (p. 674)

DB Instance Replication

Currently, you can create replicas of your DB instances in two ways. All DB instances can have a Multi-AZ deployment, where Amazon RDS automatically provisions and manages a standby replica in a different Availability Zone (independent infrastructure in a physically separate location). In the event of planned database maintenance, DB instance failure, or an Availability Zone failure, Amazon RDS will automatically fail over to the standby so that database operations can resume quickly without administrative intervention. For more information on Multi-AZ deployments, see High Availability (Multi-AZ) (p. 112).

Amazon RDS also uses the PostgreSQL, MySQL, and MariaDB DB engines' built-in replication functionality to create a special type of DB instance called a Read Replica from a source DB instance. Updates made to the source DB instance are asynchronously copied to the Read Replica. You can reduce the load on your source DB instance by routing read queries from your applications to the Read Replica. Read Replicas allow you to elastically scale out beyond the capacity constraints of a single DB instance for read-heavy database workloads. For more information about Read Replicas, see Working with PostgreSQL, MySQL, and MariaDB Read Replicas (p. 649).


Storage for Amazon RDS

Amazon RDS uses Amazon Elastic Block Store (Amazon EBS) volumes for database and log storage. Depending on the amount of storage requested, Amazon RDS automatically stripes across multiple Amazon EBS volumes to enhance IOPS performance. Amazon RDS provides three types of storage with a range of storage and performance options.

Topics

Amazon RDS Storage Types (p. 120)

Performance Metrics (p. 121)

Facts About Amazon RDS Storage (p. 121)

General Purpose (SSD) Storage (p. 123)

Amazon RDS Provisioned IOPS Storage to Improve Performance (p. 125)

Factors That Affect Realized IOPS Rates (p. 128)

Amazon RDS Storage Types

Amazon RDS provides three storage types: magnetic, General Purpose (SSD), and Provisioned IOPS (input/output operations per second). They differ in performance characteristics and price, allowing you to tailor your storage performance and cost to the needs of your database. You can create MySQL, MariaDB, PostgreSQL, and Oracle RDS DB instances with up to 6 TB of storage and SQL Server RDS DB instances with up to 4 TB of storage when using the Provisioned IOPS and General Purpose (SSD) storage types. Existing MySQL, PostgreSQL, and Oracle RDS database instances can be scaled to these new database storage limits without any downtime. For a complete discussion of the different volume types, see the topic Amazon EBS Volume Types.

Magnetic (Standard) – Magnetic storage, also called standard storage, offers cost-effective storage that is ideal for applications with light or burst I/O requirements. These volumes deliver approximately 100 IOPS on average, with burst capability of up to hundreds of IOPS, and they can range in size from 5 GB to 3 TB, depending on the DB instance engine that you chose. Magnetic storage is not reserved for a single DB instance, so performance can vary greatly depending on the demands placed on shared resources by other customers.

General Purpose (SSD) – General purpose, SSD-backed storage, also called gp2, can provide faster access than disk-based storage. This storage type can deliver single-digit millisecond latencies, with a base performance of 3 IOPS per Gigabyte (GB) and the ability to burst to 3,000 IOPS for extended periods of time up to a maximum of 10,000 PIOPS. General purpose (SSD) volumes can range in size from 5 GB to 6 TB for MySQL, MariaDB, PostgreSQL, and Oracle DB instances, and from 20 GB to 4 TB for SQL Server DB instances. This storage type is excellent for small to medium-sized databases.

Provisioned IOPS – Provisioned IOPS storage is designed to meet the needs of I/O-intensive workloads, particularly database workloads, that are sensitive to storage performance and consistency in random access I/O throughput. Provisioned IOPS volumes can range in size from 100 GB to 6 TB for MySQL, MariaDB, PostgreSQL, and Oracle DB engines. SQL Server Express and Web editions can range in size from 100 GB to 4 TB, while SQL Server Standard and Enterprise editions can range in size from 200 GB to 4 TB. You specify the amount of storage you want allocated, and then specify the amount of dedicated IOPS you want. These two values form a ratio, and this value maintains the ratio specified for the DB engine you chose. Amazon RDS delivers within 10 percent of the provisioned IOPS performance 99.9 percent of the time over a given year.

Several factors can affect the performance of Amazon EBS volumes, such as instance configuration, I/O characteristics, and workload demand. For more information about getting the most out of your Provisioned IOPS volumes, see Amazon EBS Volume Performance.

For existing MySQL, MariaDB, PostgreSQL, and Oracle DB instances, you might observe some I/O capacity improvement if you scale up your storage. Note that you cannot change the storage capacity nor the type of storage for a SQL Server DB instance due to extensibility limitations of striped storage attached to a Windows Server environment.

Performance Metrics

Amazon RDS provides several metrics that you can use to determine how your DB instance is performing.

You can view the metrics in the RDS console by selecting your DB instance and clicking Show Monitoring.

You can also use Amazon CloudWatch to monitor these metrics. For more information, go to Viewing DB Instance Metrics (p. 767).

IOPS – the number of I/O operations completed per second. This metric is reported as the average IOPS for a given time interval. Amazon RDS reports read and write IOPS separately on one minute intervals. Total IOPS is the sum of the read and write IOPS. Typical values for IOPS range from zero to tens of thousands per second.

Latency – the elapsed time between the submission of an I/O request and its completion. This metric is reported as the average latency for a given time interval. Amazon RDS reports read and write latency separately on one minute intervals in units of seconds. Typical values for latency are in the millisecond (ms) range; for example, Amazon RDS reports 2 ms as 0.002 seconds.

Throughput – the number of bytes per second transferred to or from disk. This metric is reported as the average throughput for a given time interval. Amazon RDS reports read and write throughput separately on one minute intervals using units of megabytes per second (MB/s). Typical values for throughput range from zero to the I/O channel’s maximum bandwidth.

Queue Depth – the number of I/O requests in the queue waiting to be serviced. These are I/O requests that have been submitted by the application but have not been sent to the device because the device is busy servicing other I/O requests. Time spent waiting in the queue is a component of Latency and Service Time (not available as a metric). This metric is reported as the average queue depth for a given time interval. Amazon RDS reports queue depth in one minute intervals. Typical values for queue depth range from zero to several hundred.

Facts About Amazon RDS Storage

The following points are important facts you should know about Amazon RDS storage:


• The current maximum channel bandwidth available is 4000 megabits per second (Mbps) full duplex. In terms of the read and write throughput metrics, this equates to about 210 megabytes per second (MB/s) in each direction. A perfectly balanced workload of 50% reads and 50% writes may attain a maximum combined throughput of 420 MB/s. Note that this is channel throughput, which includes protocol overhead, so the actual data throughput may be less.

• Provisioned IOPS works with an I/O request size of 32 KB. An I/O request smaller than 32 KB is handled as one I/O; for example, 1000 16 KB I/O requests are treated the same as 1000 32 KB requests. I/O requests larger than 32 KB consume more than one I/O request; Provisioned IOPS consumption is a linear function of I/O request size above 32 KB. For example, a 48 KB I/O request consumes 1.5 I/O requests of storage capacity; a 64 KB I/O request consumes 2 I/O requests, etc. For more information about Provisioned IOPS, see Amazon RDS Provisioned IOPS Storage to Improve Performance (p. 125).

Note that I/O size does not affect the IOPS values reported by the metrics, which are based solely on the number of I/Os over time. This means that it is possible to consume all of the IOPS provisioned with fewer I/Os than specified if the I/O sizes are larger than 32 KB. For example, a system provisioned for 5,000 IOPS can attain a maximum of 2,500 IOPS with 64 KB I/O or 1,250 IOPS with 128 KB IO.

Note that magnetic storage does not provision I/O capacity, so all I/O sizes are counted as a single I/O. General purpose storage provisions I/O capacity based on the size of the volume. For more information on general purpose storage throughput, go to General Purpose (SSD) Volumes.

• The first time a DB instance is started and accesses an area of disk for the first time, the process can take longer than all subsequent accesses to the same disk area. This is known as the "first touch penalty." Once an area of disk has incurred the first touch penalty, that area of disk does not incur the penalty again for the life of the instance, even if the DB instance is rebooted, restarted, or the DB instance class changes. Note that a DB instance created from a snapshot, a point-in-time restore, or a read replica is a new instance and does incur this first touch penalty.

• Because Amazon RDS manages your DB instance, we reserve overhead space on the instance. While the amount of reserved storage varies by DB instance class and other factors, this reserved space can be as much as one or two percent of the total storage.

• Provisioned IOPS provides a way to reserve I/O capacity by specifying IOPS. Like any other system capacity attribute, maximum throughput under load will be constrained by the resource that is consumed first. That resource could be IOPS, channel bandwidth, CPU, memory, or database internal resources.
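The last bullet says the binding limit is whichever resource is consumed first. The added example below (not AWS code) applies the figures from this list to find which of provisioned IOPS, the gp2 baseline and channel bandwidth binds for a given I/O size and read/write mix; the constants are this guide's 2016 figures rather than current limits, and the read_fraction parameter is an assumption about how the workload splits across the two channel directions.

```python
"""Which storage limit binds first: provisioned IOPS, the gp2 baseline, or
the channel? Added example applying the figures quoted on this page (32 KB
I/O unit, about 210 MB/s per direction, gp2 at 3 IOPS/GB with a 3,000 IOPS
burst and a 10,000 ceiling); not AWS code, and the numbers are this guide's
2016 figures, not current limits."""
from typing import Tuple

IO_UNIT_KB = 32
CHANNEL_MB_PER_S_PER_DIRECTION = 210   # ~4000 Mbps full duplex, protocol overhead included
GP2_IOPS_PER_GB, GP2_BURST_IOPS, GP2_MAX_IOPS = 3, 3000, 10000


def iops_consumed(io_size_kb: float) -> float:
    """Requests up to 32 KB cost one I/O; larger ones cost linearly more
    (48 KB = 1.5, 64 KB = 2)."""
    return max(1.0, io_size_kb / IO_UNIT_KB)


def gp2_baseline_iops(size_gb: int) -> int:
    """Sustained gp2 rate for a volume size; bursts to 3,000 are separate credit."""
    return min(GP2_MAX_IOPS, size_gb * GP2_IOPS_PER_GB)


def attainable(provisioned_iops: float, io_size_kb: float,
               read_fraction: float = 0.5) -> Tuple[float, float, str]:
    """Return (max_iops, max_mb_per_s, binding_limit) for a workload of one
    I/O size. read_fraction splits the traffic over the two channel
    directions; the busier direction is the one that saturates."""
    iops_cap = provisioned_iops / iops_consumed(io_size_kb)
    mb_per_io = io_size_kb / 1024
    busiest = max(read_fraction, 1.0 - read_fraction)
    channel_cap = CHANNEL_MB_PER_S_PER_DIRECTION / busiest / mb_per_io
    if iops_cap <= channel_cap:
        return iops_cap, iops_cap * mb_per_io, "iops"
    return channel_cap, channel_cap * mb_per_io, "channel"


if __name__ == "__main__":
    cases = [(5000, 64, 0.5), (5000, 128, 0.5), (10000, 64, 1.0), (20000, 64, 0.5),
             (gp2_baseline_iops(500), 32, 0.5)]
    for piops, size, reads in cases:
        iops, mbs, limit = attainable(piops, size, reads)
        print(f"{piops:>6} IOPS provisioned, {size:>4} KB I/O, {reads:.0%} reads: "
              f"{iops:,.0f} IOPS, {mbs:.0f} MB/s, bound by {limit}")
```

The 5,000 IOPS cases reproduce the guide's 2,500 and 1,250 figures; a read-only workload at 10,000 IOPS and 64 KB stops at the 210 MB/s read direction of the channel well before the provisioned rate, which is the kind of case the bullet above describes.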

Other Factors That Impact Storage Performance

All of the following system-related activities consume I/O capacity and may reduce DB instance performance while in progress:

• DB snapshot creation

• Nightly backups

• Multi-AZ peer creation

• Read replica creation

• Scaling storage

System resources can constrain the throughput of a DB instance, but there can be other reasons for a bottleneck. If you find the following situation, your database could be the issue:

• The channel throughput limit is not reached

• Queue depths are consistently low

• CPU utilization is under 80%

• There is free memory available

• There is no swap activity

• There is plenty of free disk space


• Your application has dozens of threads all submitting transactions as fast as the database will take them, but there is clearly unused I/O capacity

If there isn’t at least one system resource that is at or near a limit, and adding threads doesn’t increase the database transaction rate, the bottleneck is most likely contention in the database. The most common forms are row lock and index page lock contention, but there are many other possibilities. If this is your situation, you should seek the advice of a database performance tuning expert.

Adding Storage and Changing Storage Type

For existing MySQL, MariaDB, PostgreSQL, and Oracle DB instances, you might observe some I/O capacity improvement if you scale up your storage. Note that you cannot change either the storage capacity or the type of storage for a SQL Server DB instance, due to extensibility limitations of striped storage attached to a Windows Server environment.

You can modify a DB instance to use additional storage and you can convert to a different storage type.

Adding storage or converting to a different storage type can take time and reduces the performance of your DB instance, so you should plan when to make these changes.

Although your DB instance is available for reads and writes when adding storage, you may experience degraded performance until the process is complete. Adding storage may take several hours; the duration of the process depends on several factors such as database load, storage size, storage type, amount of IOPS provisioned (if any), and number of prior scale storage operations. Typical scale storage times will be under 24 hours, but can take up to several days in some cases. During the scaling process, the DB instance will be available for use, but may experience performance degradation. While storage is being added, nightly backups are suspended and no other Amazon RDS operations can take place, including modify, reboot, delete, create Read Replica, and create DB Snapshot.

Storage conversions between magnetic storage and general purpose (SSD) storage can potentially deplete the initial 5.4 million I/O credits (3,000 IOPS x 30 minutes) allocated for general purpose (SSD) storage. When performing these storage conversions, the first 82 GB of data will be converted at approximately 3,000 IOPS, while the remaining data will be converted at the base performance rate of 3 IOPS per GB of allocated general purpose (SSD) storage. This can result in longer conversion times.

You can provision more general purpose (SSD) storage to increase your base I/O performance rate, thus improving the conversion time, but note that you cannot reduce storage size once it has been allocated.

General Purpose (SSD) Storage

General purpose (SSD) storage offers cost-effective storage that is ideal for small or medium-sized database workloads. This storage type can deliver single-digit millisecond latencies, with a base performance of 3 IOPS per Gigabyte (GB) and the ability to burst to 3,000 IOPS for extended periods of time, up to a maximum of 10,000 IOPS. General purpose (SSD) storage volumes can range in size from 5 GB to 6 TB for MySQL, MariaDB, PostgreSQL, and Oracle DB instances and from 20 GB to 4 TB for SQL Server DB instances. Note that provisioning less than 100 GB of general purpose (SSD) storage for high-throughput workloads can result in higher latencies if the initial general purpose (SSD) I/O credit balance is depleted.

I/O Credits and Burst Performance

General Purpose (SSD) storage performance is governed by volume size, which dictates the base performance level of the volume and how quickly it accumulates I/O credits. Larger volumes have higher base performance levels and accumulate I/O credits faster. I/O credits represent the available bandwidth that your General Purpose (SSD) storage can use to burst large amounts of I/O when more than the base level of performance is needed. The more credits your storage has for I/O, the more time it can burst beyond its base performance level and the better it performs when more performance is needed.

When using General Purpose (SSD) storage, your DB instance receives an initial I/O credit balance of 5.4 million I/O credits, which is enough to sustain a burst performance of 3,000 IOPS for 30 minutes. This initial credit balance is designed to provide a fast initial boot cycle for boot volumes and to provide a good bootstrapping experience for other applications. Your storage earns I/O credits every second at a base performance rate of 3 IOPS per GB of volume size. For example, a 100 GB General Purpose (SSD) storage has a base performance of 300 IOPS.

When your storage requires more than the base performance I/O level, it uses I/O credits in the credit balance to burst to the required performance level, up to a maximum of 3,000 IOPS. Storage of 1,000 GB or larger has a base performance that is equal to or greater than the 3,000 IOPS maximum burst rate (base performance continues to scale at 3 IOPS per GB, up to 10,000 IOPS), so its I/O credit balance never depletes and it can burst indefinitely. When your storage uses fewer I/O credits than it earns in a second, unused I/O credits are added to the I/O credit balance.

The maximum I/O credit balance for a DB instance using General Purpose (SSD) storage is equal to the initial credit balance (5.4 million I/O credits).

If your storage uses all of its I/O credit balance, its maximum performance will remain at the base performance level (the rate at which your storage earns credits) until I/O demand drops below the base level and unused credits are added to the I/O credit balance. The more storage, the greater the base performance is and the faster it replenishes the credit balance.


The following table lists several storage sizes and the associated base performance of the storage (which is also the rate at which it accumulates I/O credits), the burst duration at the 3,000 IOPS maximum (when starting with a full credit balance), and the time in seconds that the storage takes to refill an empty credit balance.

Storage size (GB)   Base performance (IOPS)   Maximum burst duration @ 3,000 IOPS (seconds)   Seconds to fill empty credit balance
1                   3                         1,802                                           1,800,000
100                 300                       2,000                                           18,000
250                 750                       2,400                                           7,200
500                 1,500                     3,600                                           3,600
750                 2,250                     7,200                                           2,400
1,000               3,000                     Infinite                                        N/A

The burst duration of your storage depends on the size of the storage, the burst IOPS required, and the credit balance when the burst begins. This relationship is shown in the equation below:

Burst duration (seconds) = (Credit balance) / ((Burst IOPS) - 3 x (Storage size in GB))

If you notice that your storage performance is frequently limited to the base level due to an empty I/O credit balance, you should consider allocating more General Purpose (SSD) storage with a higher base performance level. Alternatively, you can switch to Provisioned IOPS storage for workloads that require sustained IOPS performance.

For workloads with steady state I/O requirements, provisioning less than 100 GB of General Purpose (SSD) storage may result in higher latencies if you exhaust your I/O burst credit balance.
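The credit arithmetic above is easy to get wrong when sizing a volume, so the following added example (not code from this guide) models it directly from the constants given in this section: a base rate of 3 IOPS per GB, a 3,000 IOPS burst ceiling, a 10,000 IOPS base ceiling, and a 5.4 million credit initial and maximum balance. It reproduces the table, applies the burst duration equation, and runs a second-by-second simulation of a constructed workload so you can see the moment a 100 GB volume falls from 3,000 IOPS to its 300 IOPS base rate.

```python
"""I/O credit model for General Purpose (SSD) storage, built from the
constants in this section. Added example; not code from the RDS guide.
The workload under __main__ is constructed for illustration.
"""
import math

BASE_IOPS_PER_GB = 3
MAX_BASE_IOPS = 10_000
MAX_BURST_IOPS = 3_000
MAX_CREDITS = 5_400_000          # 3,000 IOPS x 30 minutes x 60 seconds


def base_iops(storage_gb):
    """Base performance; also the number of credits earned per second."""
    return min(BASE_IOPS_PER_GB * storage_gb, MAX_BASE_IOPS)


def burst_duration_seconds(storage_gb, burst_iops=MAX_BURST_IOPS, credits=MAX_CREDITS):
    """Burst duration = credits / (burst IOPS - 3 x storage GB).
    Infinite when the base rate already covers the burst rate."""
    deficit = burst_iops - base_iops(storage_gb)
    if deficit <= 0:
        return math.inf
    return credits / deficit


def seconds_to_refill(storage_gb):
    """Seconds to refill an empty balance with no I/O issued; None when the
    balance can never deplete (base rate at or above the burst ceiling)."""
    if base_iops(storage_gb) >= MAX_BURST_IOPS:
        return None
    return MAX_CREDITS / base_iops(storage_gb)


def simulate(storage_gb, demand_per_second, credits=MAX_CREDITS):
    """Second-by-second model of the credit balance.

    Each second the volume earns `base` credits and spends one credit per
    I/O delivered. Delivery is capped by the burst ceiling (or the base
    rate, whichever is larger) and by the credits on hand; unused credits
    accumulate up to MAX_CREDITS. Returns delivered IOPS per second and
    the final balance.
    """
    base = base_iops(storage_gb)
    ceiling = max(base, MAX_BURST_IOPS)
    delivered = []
    for demand in demand_per_second:
        available = credits + base
        served = min(demand, ceiling, available)
        credits = min(available - served, MAX_CREDITS)
        delivered.append(served)
    return delivered, credits


def burst_table(sizes_gb=(1, 100, 250, 500, 750, 1000)):
    """Rows of (size, base IOPS, burst seconds at 3,000 IOPS, refill seconds)."""
    return [(gb, base_iops(gb), burst_duration_seconds(gb), seconds_to_refill(gb))
            for gb in sizes_gb]


if __name__ == "__main__":
    for gb, base, burst, refill in burst_table():
        print(f"{gb:>5} GB  base {base:>5} IOPS  burst {burst:>8.0f} s  refill {refill}")
    # Constructed workload: 35 minutes of steady 3,000 IOPS demand on 100 GB.
    served, left = simulate(100, [3000] * 2100)
    print("IOPS at minute 30:", served[1799], " at minute 35:", served[2099], " credits left:", left)
```

The simulation agrees with the equation: on 100 GB the balance reaches zero after exactly 2,000 seconds, after which the volume delivers only its 300 IOPS base rate until demand drops and credits accumulate again.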

Amazon RDS Provisioned IOPS Storage to Improve Performance

For any production application that requires fast and consistent I/O performance, we recommend Provisioned IOPS (input/output operations per second) storage. Provisioned IOPS storage is a storage type that delivers fast, predictable, and consistent throughput performance. When you create a DB instance, you specify an IOPS rate and storage space allocation. Amazon RDS provisions that IOPS rate and storage for the lifetime of the DB instance or until you change it. Provisioned IOPS storage is optimized for I/O intensive, online transaction processing (OLTP) workloads that have consistent performance requirements. Because the I/O rate is fixed, Provisioned IOPS storage also makes performance tuning more predictable.

Note

You cannot decrease storage allocated for a DB instance.

Topics

Using Provisioned IOPS Storage with Multi-AZ, Read Replicas, Snapshots, VPC, and DB Instance Classes (p. 126)

Provisioned IOPS Storage Costs (p. 126)

Getting the Most out of Amazon RDS Provisioned IOPS (p. 127)

Provisioned IOPS Storage Support in the AWS CLI and Amazon RDS API (p. 127)

You can create a DB instance that uses Provisioned IOPS storage by using the AWS Management Console, the Amazon RDS API, or the AWS Command Line Interface (CLI). You specify the IOPS rate and the amount of storage that you require. You can provision a MySQL, MariaDB, PostgreSQL, or Oracle DB instance with up to 30,000 IOPS and 6 TB of allocated storage. You can provision a SQL Server DB instance with up to 20,000 IOPS and 4 TB of allocated storage.

Note

Your actual realized IOPS may vary from the value that you specify depending on your database workload, DB instance size, and the page size and channel bandwidth that are available for your DB engine. For more information, see Factors That Affect Realized IOPS Rates (p. 128).

The ratio of the requested IOPS rate to the amount of storage allocated is important. The ratio of IOPS to storage, in GB, for your DB instances should be between 3:1 and 10:1 for MySQL, MariaDB, PostgreSQL, SQL Server (excluding SQL Server Express), and Oracle DB instances. For example, you could start by provisioning an Oracle DB instance with 1000 IOPS and 200 GB storage (a ratio of 5:1). You could then scale up to 2000 IOPS with 200 GB of storage (a ratio of 10:1), 3000 IOPS with 300 GB of storage, and up to the maximum for an Oracle DB instance of 30,000 IOPS with 6 TB (6000 GB) of storage (a ratio of 5:1).

The following table shows the IOPS and storage range for each database engine.

Database engine                       Range of Provisioned IOPS   Range of storage   Range of IOPS to storage (GB) ratio
MySQL                                 1,000 - 30,000 IOPS         100 GB - 6 TB      3:1 - 10:1
MariaDB                               1,000 - 30,000 IOPS         100 GB - 6 TB      3:1 - 10:1
PostgreSQL                            1,000 - 30,000 IOPS         100 GB - 6 TB      3:1 - 10:1
Oracle                                1,000 - 30,000 IOPS         100 GB - 6 TB      3:1 - 10:1
SQL Server Express and Web            1,000 - 20,000 IOPS         100 GB - 4 TB      3:1 - 10:1
SQL Server Standard and Enterprise    1,000 - 20,000 IOPS         200 GB - 4 TB      3:1 - 10:1

You can modify an existing MySQL, MariaDB, PostgreSQL, or Oracle DB instance to use Provisioned IOPS storage, and you can modify Provisioned IOPS storage settings.

Using Provisioned IOPS Storage with Multi-AZ, Read Replicas, Snapshots, VPC, and DB Instance Classes

For production OLTP use cases, we recommend that you use Multi-AZ deployments for enhanced fault tolerance and Provisioned IOPS storage for fast and predictable performance. In addition to Multi-AZ deployments, Provisioned IOPS storage complements the following features:

• Amazon VPC for network isolation and enhanced security.

• Read Replicas – The type of storage on a read replica is independent of that on the master DB instance. For example, if the master DB instance uses magnetic storage, you can add read replicas that use Provisioned IOPS storage and vice versa. If you use magnetic storage–based read replicas with a master DB instance that uses Provisioned IOPS storage, the performance of your read replicas may differ considerably from that of a configuration in which both the master DB instance and the read replicas are using Provisioned IOPS storage.

• DB Snapshots – If you are using a DB instance that uses Provisioned IOPS storage, you can use a DB snapshot to restore an identically configured DB instance, regardless of whether the target DB instance uses magnetic storage or Provisioned IOPS storage. If your DB instance uses magnetic storage, you can use a DB snapshot to restore only a DB instance that uses magnetic storage.

• You can use Provisioned IOPS storage with any DB instance class. However, smaller DB instance classes will not consistently make the best use of Provisioned IOPS storage. For the best performance, we recommend that you use one of the DB instance types that are optimized for Provisioned IOPS storage.

Provisioned IOPS Storage Costs

Because Provisioned IOPS storage reserves resources for your use, you are charged for the resources whether or not you use them in a given month. When you use Provisioned IOPS storage, you are not charged the monthly Amazon RDS I/O charge. If you prefer to pay only for I/O that you consume, a DB instance that uses magnetic storage may be a better choice. For Amazon RDS pricing information, see the Amazon RDS product page .


Getting the Most out of Amazon RDS Provisioned IOPS

Using Provisioned IOPS storage increases the number of I/O requests the system is capable of processing concurrently. Increased concurrency allows for decreased latency since I/O requests spend less time in a queue. Decreased latency allows for faster database commits, which improves response time and allows for higher database throughput.

For example, consider a heavily loaded OLTP database provisioned for 10,000 Provisioned IOPS that runs consistently at the channel limit of 105 Mbps throughput for reads. The workload isn't perfectly balanced, so there is some unused write channel bandwidth. The instance would consume less than 10,000 IOPS but would still benefit from increasing capacity to 20,000 Provisioned IOPS.

Increasing Provisioned IOPS capacity from 10,000 to 20,000 doubles the system's capacity for concurrent I/O. Increased concurrency means decreased latency, which allows transactions to complete faster, so the database transaction rate increases. Read and write latency would improve by different amounts, and the system would settle into a new equilibrium based on whichever resource becomes constrained first.

It is possible for Provisioned IOPS consumption to actually decrease under these conditions even though the database transaction rate can be much higher. For example, you could see write requests decline accompanied by an increase in write throughput. That's a good indicator that your database is making better use of group commit. More write throughput and the same write IOPS means log writes have become larger but are still 32 KB or smaller. More write throughput and fewer write I/Os means log writes have become larger and are now averaging more than 32 KB, since those I/O requests consume more than one I/O of Provisioned IOPS capacity.

Provisioned IOPS Storage Support in the AWS CLI and Amazon RDS API

The AWS CLI supports Provisioned IOPS storage in the following commands:

• create-db-snapshot – The output shows the IOPS value.

• create-db-instance – Includes the input parameter --iops, and the output shows the IOPS rate.

• modify-db-instance – Includes the input parameter --iops, and the output shows the IOPS rate.

• restore-db-instance-from-db-snapshot – Includes the input parameter --iops, and the output shows the current IOPS rate. If Apply Immediately was specified, the output also shows the pending IOPS rate.

• restore-db-instance-to-point-in-time – Includes the input parameter --iops, and the output shows the IOPS rate.

• create-db-instance-read-replica – Includes the input parameter --iops, and the output shows the IOPS rate.

The Amazon RDS API supports Provisioned IOPS storage in the following actions:

• CreateDBInstance – Includes the input parameter Iops, and the output shows the IOPS rate.

• CreateDBInstanceReadReplica – Includes the input parameter Iops, and the output shows the IOPS rate.

• CreateDBSnapshot – The output shows the IOPS rate.

• ModifyDBInstance – Includes the input parameter Iops, and the output shows the IOPS rate.

• RestoreDBInstanceFromDBSnapshot – Includes the input parameter Iops, and the output shows the current IOPS rate. If Apply Immediately was specified, the output also shows the pending IOPS rate.

• RestoreDBInstanceToPointInTime – Includes the input parameter Iops, and the output shows the IOPS rate.

Factors That Affect Realized IOPS Rates

Your actual realized IOPS rate may vary from the amount that you provision depending on page size and network bandwidth, which are determined in part by your DB engine. It is also affected by DB instance size and database workload.

Page Size and Channel Bandwidth

The theoretical maximum IOPS rate is also a function of database I/O page size and available channel bandwidth. MySQL and MariaDB use a page size of 16 KB, while Oracle, PostgreSQL (default), and SQL Server use 8 KB. On a DB instance with a full duplex I/O channel bandwidth of 1000 megabits per second (Mbps), the maximum IOPS for page I/O is about 8,000 IOPS total for both directions (input/output channel) for 16 KB I/O and 16,000 IOPS total for both directions for 8 KB I/O.

If traffic on one of the channels reaches capacity, available IOPS on the other channel cannot be reallocated. As a result, the attainable IOPS rate will be less than the provisioned IOPS rate.

Each page read or write constitutes one I/O operation. Database operations that read or write more than a single page will use multiple I/O operations for each database operation. I/O requests larger than 32 KB are treated as more than one I/O for the purposes of PIOPS capacity consumption. A 40 KB I/O request will consume 1.25 I/Os, a 48 KB request will consume 1.5 I/Os, a 64 KB request will consume 2 I/Os, and so on. The I/O request is not split into separate I/Os; all I/O requests are presented to the storage device unchanged. For example, if the database submits a 128 KB I/O request, it goes to the storage device as a single 128 KB I/O request, but it will consume the same amount of PIOPS capacity as four 32 KB I/O requests.

The following table shows the page size and the theoretical maximum IOPS rate for each DB engine.

IOPS rates are based on the m2.4xlarge instance class (for Oracle and SQL Server) or the cr1.8xlarge instance class (for MySQL, MariaDB, and PostgreSQL) with full duplex and a workload that is perfectly balanced between reads and writes.

DB engine     Page size   Theoretical maximum IOPS rate
MySQL         16 KB       30,000
MariaDB       16 KB       30,000
PostgreSQL    8 KB        30,000
Oracle        8 KB        25,000
SQL Server    8 KB        20,000

Note

If you provision an IOPS rate that is higher than the maximum or that is higher than your realized IOPS rate, you may still benefit from reduced latency and improvements in overall throughput.

DB Instance Classes for Provisioned IOPS

If you are using Provisioned IOPS storage, we recommend that you use the M4, M3, R3, and M2 DB instance classes. These instance classes are optimized for Provisioned IOPS storage; other instance classes are not.


DB instance classes optimized for Provisioned IOPS   Dedicated EBS throughput (Mbps)   Maximum 16K IOPS rate**   Max bandwidth (MB/s)**
db.m1.large                                          500 Mbps                          4,000                     62.5
db.m1.xlarge                                         1000 Mbps                         8,000                     125
db.m2.2xlarge                                        500 Mbps                          4,000                     62.5
db.m2.4xlarge                                        1000 Mbps                         8,000                     125
db.m3.xlarge                                         500 Mbps                          4,000                     62.5
db.m3.2xlarge                                        1000 Mbps                         8,000                     125
db.r3.xlarge                                         500 Mbps                          4,000                     62.5
db.r3.2xlarge                                        1000 Mbps                         8,000                     125
db.r3.4xlarge                                        2000 Mbps                         16,000                    250
db.m4.large                                          450 Mbps                          3,600                     56.25
db.m4.xlarge                                         750 Mbps                          6,000                     93.75
db.m4.2xlarge                                        1000 Mbps                         8,000                     125
db.m4.4xlarge                                        2000 Mbps                         16,000                    250
db.m4.10xlarge                                       4000 Mbps                         32,000                    500

** This value is a rounded approximation based on a 100% read-only workload and it is provided as a baseline configuration aid. EBS-optimized connections are full-duplex, and can drive more throughput and IOPS in a 50/50 read/write workload where both communication lanes are used. In some cases, network and file system overhead can reduce the maximum throughput and IOPS available.

Database Workload

System activities such as automated backups, DB snapshots, and scale storage operations may consume some I/O, which will reduce the overall capacity available for normal database operations. If your database design results in concurrency issues, locking, or other forms of database contention, you may not be able to directly use all the bandwidth that you provision.

If you provision IOPS capacity to meet your peak workload demand, during the non-peak periods, your application will probably consume fewer IOPS on average than provisioned.

To help you verify that you are making the best use of your Provisioned IOPS storage, we have added a new CloudWatch Metric called Disk Queue Depth. If your application is maintaining an average queue depth of approximately 5 outstanding I/O operations per 1000 IOPS that you provision, you can assume that you are consuming the capacity that you provisioned. For example, if you provisioned 10,000 IOPS, you should have a minimum of 50 outstanding I/O operations in order to use the capacity you provisioned.
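The Disk Queue Depth rule of thumb above, together with the checklist under "Other Factors That Impact Storage Performance" earlier in this chapter (no system resource at or near a limit, and adding client threads does not raise the transaction rate, points to contention inside the database), can be turned into a repeatable triage step. The following added example (not code from this guide) does that over constructed metric samples; the field names are this example's own, not CloudWatch metric names, and the "near a limit" thresholds other than the 80% CPU figure and the 5-per-1,000 queue depth rule are assumptions.

```python
"""Storage bottleneck triage from two rules in this guide: the bottleneck
checklist (no resource near a limit + more threads give no more
transactions => database contention) and the Disk Queue Depth rule of
thumb (about 5 outstanding I/Os per 1,000 provisioned IOPS means the
provisioned capacity is being consumed). Added example, not code from the
RDS guide; samples are constructed and thresholds marked as assumptions.
"""

QUEUE_DEPTH_PER_1000_IOPS = 5       # rule of thumb from this section
CPU_LIMIT_PCT = 80                  # "CPU utilization is under 80%" from the checklist
CHANNEL_NEAR_LIMIT = 0.90           # assumption: 90% of the channel counts as saturated
FREE_MEM_LOW_PCT = 5                # assumption
FREE_DISK_LOW_PCT = 10              # assumption
DOZENS_OF_THREADS = 24              # assumption for "dozens of threads"


def expected_queue_depth(provisioned_iops):
    """Outstanding I/Os needed to consume the provisioned rate (10,000 IOPS -> 50)."""
    return QUEUE_DEPTH_PER_1000_IOPS * provisioned_iops / 1000


def consuming_provisioned_capacity(avg_queue_depth, provisioned_iops):
    return avg_queue_depth >= expected_queue_depth(provisioned_iops)


def saturated_resources(sample, provisioned_iops, channel_limit_mb_s):
    """Names of the system resources at or near a limit in this sample."""
    hits = []
    if max(sample["read_mb_s"], sample["write_mb_s"]) >= CHANNEL_NEAR_LIMIT * channel_limit_mb_s:
        hits.append("channel throughput")
    if consuming_provisioned_capacity(sample["disk_queue_depth"], provisioned_iops):
        hits.append("provisioned IOPS")
    if sample["cpu_pct"] >= CPU_LIMIT_PCT:
        hits.append("cpu")
    if sample["free_mem_pct"] < FREE_MEM_LOW_PCT or sample["swap_ops"] > 0:
        hits.append("memory")
    if sample["free_disk_pct"] < FREE_DISK_LOW_PCT:
        hits.append("disk space")
    return hits


def triage(sample, provisioned_iops, channel_limit_mb_s):
    """("resource", [names]) when something is saturated; ("database", why)
    when nothing is and extra client threads buy no throughput; otherwise
    ("undetermined", why) because the client is not pushing hard enough."""
    hits = saturated_resources(sample, provisioned_iops, channel_limit_mb_s)
    if hits:
        return "resource", hits
    if sample["app_threads"] >= DOZENS_OF_THREADS and not sample["tps_grows_with_threads"]:
        return "database", ("no resource is near a limit and adding threads does not raise "
                            "the transaction rate: suspect row-lock or index-page contention")
    return "undetermined", "no resource is near a limit, but client concurrency is too low to tell"


# Constructed samples for a 10,000 IOPS instance on a 125 MB/s channel.
CONTENDED = dict(read_mb_s=40, write_mb_s=15, disk_queue_depth=12, cpu_pct=45,
                 free_mem_pct=30, swap_ops=0, free_disk_pct=60,
                 app_threads=48, tps_grows_with_threads=False)
IO_BOUND = dict(CONTENDED, disk_queue_depth=70, tps_grows_with_threads=True)

if __name__ == "__main__":
    for name, sample in (("contended", CONTENDED), ("io_bound", IO_BOUND)):
        print(name, triage(sample, 10_000, 125))
```

A queue depth of 12 against 10,000 provisioned IOPS is well under the 50 the rule of thumb expects, so in the first sample the provisioned capacity is simply not being used; with nothing else near a limit and 48 threads unable to raise throughput, the verdict is contention inside the database, which is where a tuning expert rather than more IOPS is the fix.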


Security in Amazon RDS

Topics

Authentication and Access Control for Amazon RDS (p. 131)

Encrypting Amazon RDS Resources (p. 145)

Using SSL to Encrypt a Connection to a DB Instance (p. 148)

Amazon RDS Security Groups (p. 149)

Master User Account Privileges (p. 153)

Related Topics (p. 154)

You can manage access to your Amazon Relational Database Service (Amazon RDS) resources and your databases on a DB instance. The method you use to manage access depends on what type of task the user needs to perform with Amazon RDS:

• Run your DB instance in an Amazon Virtual Private Cloud (VPC) for the greatest possible network access control. For more information about creating a DB instance in a VPC, see Using Amazon RDS with Amazon Virtual Private Cloud (VPC) .

• Use AWS Identity and Access Management (IAM) policies to assign permissions that determine who is allowed to manage RDS resources. For example, you can use IAM to determine who is allowed to create, describe, modify, and delete DB instances, tag resources, or modify DB security groups. For information on setting up an IAM user, see Create an IAM User (p. 8).

• Use security groups to control what IP addresses or EC2 instances can connect to your databases on a DB instance. When you first create a DB instance, its firewall prevents any database access except through rules specified by an associated security group.

• Use Secure Socket Layer (SSL) connections with DB instances running the MySQL, Amazon Aurora, MariaDB, PostgreSQL, Oracle, or Microsoft SQL Server database engines; for more information on using SSL with a DB instance, see Using SSL to Encrypt a Connection to a DB Instance (p. 148).

• Use RDS encryption to secure your RDS instances and snapshots at rest. RDS encryption uses the industry standard AES-256 encryption algorithm to encrypt your data on the server that hosts your RDS instance. For more information, see Encrypting Amazon RDS Resources (p. 145).

• Use network encryption and transparent data encryption with Oracle DB instances; for more information, see Oracle Native Network Encryption (p. 302) and Oracle Transparent Data Encryption (TDE) (p. 303).

• Use the security features of your DB engine to control who can log in to the databases on a DB instance, just as you would if the database was on your local network.


Note

You only have to configure security for your use cases; you do not have to configure security access for processes that Amazon RDS manages, such as creating backups, replicating data between a master and a Read Replica, or other processes.

Authentication and Access Control for Amazon RDS

Access to Amazon RDS requires credentials that AWS can use to authenticate your requests. Those credentials must have permissions to access AWS resources, such as an Amazon RDS DB instance.

The following sections provide details on how you can use AWS Identity and Access Management (IAM) and Amazon RDS to help secure your resources by controlling who can access them:

Authentication (p. 131)

Access Control (p. 132)

Authentication

When you sign up for AWS, you provide an email address and password that are associated with your AWS account. These are your root credentials and they provide complete access to all of your AWS resources.

For security reasons, we recommend that you use these root credentials for the first time only to create an administrator user with full permissions to your AWS account (see IAM Best Practices ). You can then use this administrator user to create other IAM users and roles with limited permissions. For instructions, see Creating an Administrators Group in the IAM User Guide.

An IAM user is simply an identity within your AWS account that you create in the IAM service that has specific custom permissions (for example, to create an Amazon RDS DB instance). You can use an IAM user name and password to sign in to secure AWS webpages like the AWS Management Console, AWS Discussion Forums, and the AWS Support Center.

You can also generate access keys for each user that can be used to authenticate requests when accessing AWS services programmatically, either through one of the several SDKs or by using the AWS Command Line Interface (CLI). Using the access keys that you provide, the SDK and CLI tools cryptographically sign your request. If you don't use the AWS tools, you must sign the request yourself. Amazon RDS supports Signature Version 4, a protocol for authenticating inbound API requests. For more information about authenticating requests, see Signature Version 4 Signing Process in the Amazon Web Services General Reference.
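To make concrete what "sign the request yourself" involves, the following added example (not AWS SDK code and not from this guide) implements the Signature Version 4 algorithm for a GET request to the Amazon RDS Query API using only the standard library: build a canonical request, hash it into a string to sign, derive a per-day, per-region, per-service signing key from the secret access key, and HMAC-SHA256 the string with that derived key. The access key, secret key and timestamp are constructed placeholders; the request parameters (Action=DescribeDBInstances, Version=2014-10-31) are the RDS API version this guide documents. Before relying on an implementation like this, compare its output with the published test vectors in the Signature Version 4 documentation.

```python
"""Signature Version 4 for a GET request to the Amazon RDS Query API,
written from the published algorithm. Added example, not AWS SDK code.
Credentials and timestamp in __main__ are constructed placeholders.
"""
import hashlib
import hmac
import urllib.parse

ALGORITHM = "AWS4-HMAC-SHA256"
SERVICE = "rds"


def _sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def _hmac_sha256(key, msg):
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret_key, date_stamp, region, service=SERVICE):
    """kSigning = HMAC(HMAC(HMAC(HMAC("AWS4" + secret, date), region), service), "aws4_request").
    The derived key, never the long-term secret, is what signs each request,
    and it is only valid for that date, region and service."""
    k_date = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, service)
    return _hmac_sha256(k_service, "aws4_request")


def canonical_query(params):
    """Parameters sorted by name, RFC 3986 encoded with only unreserved
    characters left bare; the server recomputes exactly this string."""
    def encode(value):
        return urllib.parse.quote(str(value), safe="-_.~")
    return "&".join(f"{encode(k)}={encode(v)}" for k, v in sorted(params.items()))


def sign_get(access_key, secret_key, region, params, amz_date, host=None):
    """Return URL and headers for a signed GET. amz_date is 'YYYYMMDDTHHMMSSZ'."""
    host = host or f"rds.{region}.amazonaws.com"
    date_stamp = amz_date[:8]
    query = canonical_query(params)
    canonical_headers = f"host:{host}\nx-amz-date:{amz_date}\n"   # lowercase names, sorted
    signed_headers = "host;x-amz-date"
    canonical_request = "\n".join(
        ["GET", "/", query, canonical_headers, signed_headers, _sha256_hex(b"")]  # GET: empty body
    )
    scope = f"{date_stamp}/{region}/{SERVICE}/aws4_request"
    string_to_sign = "\n".join(
        [ALGORITHM, amz_date, scope, _sha256_hex(canonical_request.encode("utf-8"))]
    )
    signature = hmac.new(signing_key(secret_key, date_stamp, region),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    authorization = (f"{ALGORITHM} Credential={access_key}/{scope}, "
                     f"SignedHeaders={signed_headers}, Signature={signature}")
    return {
        "url": f"https://{host}/?{query}",
        "headers": {"Host": host, "X-Amz-Date": amz_date, "Authorization": authorization},
        "canonical_request": canonical_request,
        "string_to_sign": string_to_sign,
    }


if __name__ == "__main__":
    # Constructed placeholder credentials; never commit real keys.
    req = sign_get("AKIAIOSFODNN7EXAMPLE", "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
                   "us-east-1", {"Action": "DescribeDBInstances", "Version": "2014-10-31"},
                   "20160301T120000Z")
    print(req["url"])
    print(req["headers"]["Authorization"])
```

Two properties matter for security here: the signature covers the host, the date and the full parameter set, so a captured request cannot be replayed against another endpoint or with altered parameters (AWS also rejects requests whose X-Amz-Date is too far from server time), and the key that is actually used is the derived daily key, so code that handles signing never needs to hold the secret beyond key derivation.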

Instead of creating an IAM user, you can also use pre-existing user identities from AWS Directory Service, your enterprise user directory, or a web identity provider. These are referred to as federated users.

Federated users access AWS services and resources through an IAM role , which is similar to an IAM user, but is not associated with a specific person. Instead, a role is assigned to a federated user dynamically when the user requests access through an identity provider . Note that IAM roles can also be used for other purposes, such as granting other AWS accounts permissions to access your account’s resources.

A federated user is associated with an IAM role that enables the user to obtain temporary access keys, which the user uses to authenticate requests. For more information about federated users, see Federated Users and Roles in the IAM User Guide.


Access Control

You can have valid credentials to authenticate your requests, but unless you have permissions you cannot create or access Amazon RDS resources. For example, you must have permissions to create an Amazon RDS DB instance, create a DB snapshot, add an event subscription, and so on.

The following sections describe how to manage permissions for Amazon RDS. We recommend that you read the overview first.

Overview of Managing Access Permissions to Your Amazon RDS Resources (p. 132)

Using Identity-Based Policies (IAM Policies) for Amazon RDS (p. 135)

Overview of Managing Access Permissions to Your Amazon RDS Resources

Every AWS resource is owned by an AWS account, and permissions to create or access the resources are governed by permissions policies. An account administrator can attach permissions policies to IAM identities (that is, users, groups, and roles), and some services (such as AWS Lambda) also support attaching permissions policies to resources.

Note

An account administrator (or administrator user) is a user with administrator privileges. For more information, see IAM Best Practices in the IAM User Guide.

When granting permissions, you decide who is getting the permissions, the resources they get permissions for, and the specific actions that you want to allow on those resources.

Topics

Amazon RDS Resources and Operations (p. 132)

Understanding Resource Ownership (p. 133)

Managing Access to Resources (p. 133)

Specifying Policy Elements: Actions, Effects, Resources, and Principals (p. 135)

Specifying Conditions in a Policy (p. 135)

Amazon RDS Resources and Operations

In Amazon RDS, the primary resource is a DB instance. Amazon RDS supports other resources that can be used with the primary resource such as DB snapshots, parameter groups, and event subscriptions. These are referred to as subresources.

These resources and subresources have unique Amazon Resource Names (ARNs) associated with them as shown in the following table.

Resource type                                          ARN format
DB instance, Read Replica, and Reserved DB instance    arn:aws:rds:region:account-id:db:db-instance-name
DB cluster                                             arn:aws:rds:region:account-id:cluster:db-cluster-name
DB snapshot                                            arn:aws:rds:region:account-id:snapshot:snapshot-name
DB cluster snapshot                                    arn:aws:rds:region:account-id:cluster-snapshot:cluster-snapshot-name
DB option group                                        arn:aws:rds:region:account-id:og:option-group-name
DB parameter group                                     arn:aws:rds:region:account-id:pg:parameter-group-name
DB cluster parameter group                             arn:aws:rds:region:account-id:cluster-pg:cluster-parameter-group-name
DB security group                                      arn:aws:rds:region:account-id:secgrp:security-group-name
DB subnet group                                        arn:aws:rds:region:account-id:subgrp:subnet-group-name
Event subscription                                     arn:aws:rds:region:account-id:es:subscription-name

Amazon RDS provides a set of operations to work with the Amazon RDS resources. For a list of available operations, see Actions .

Understanding Resource Ownership

A resource owner is the AWS account that created a resource. That is, the resource owner is the AWS account of the principal entity (the root account, an IAM user, or an IAM role) that authenticates the request that creates the resource. The following examples illustrate how this works:

• If you use the root account credentials of your AWS account to create an RDS resource, such as a DB instance, your AWS account is the owner of the RDS resource.

• If you create an IAM user in your AWS account and grant permissions to create RDS resources to that user, the user can create RDS resources. However, your AWS account, to which the user belongs, owns the RDS resources.

• If you create an IAM role in your AWS account with permissions to create RDS resources, anyone who can assume the role can create RDS resources. Your AWS account, to which the role belongs, owns the RDS resources.

Managing Access to Resources

A permissions policy describes who has access to what. The following section explains the available options for creating permissions policies.

Note

This section discusses using IAM in the context of Amazon RDS. It doesn't provide detailed information about the IAM service. For complete IAM documentation, see What Is IAM? in the IAM User Guide. For information about IAM policy syntax and descriptions, see AWS IAM Policy Reference in the IAM User Guide.

Policies attached to an IAM identity are referred to as identity-based policies (IAM policies), and policies attached to a resource are referred to as resource-based policies. Amazon RDS supports only identity-based policies (IAM policies).

Topics

Identity-Based Policies (IAM Policies) (p. 134)

Resource-Based Policies (p. 134)


Identity-Based Policies (IAM Policies)

You can attach policies to IAM identities. For example, you can do the following:

Attach a permissions policy to a user or a group in your account – An account administrator can use a permissions policy that is associated with a particular user to grant permissions for that user to create an Amazon RDS resource, such as a DB instance.

Attach a permissions policy to a role (grant cross-account permissions) – You can attach an identity-based permissions policy to an IAM role to grant cross-account permissions. For example, the administrator in Account A can create a role to grant cross-account permissions to another AWS account (for example, Account B) or an AWS service as follows:

1. Account A administrator creates an IAM role and attaches a permissions policy to the role that grants permissions on resources in Account A.

2. Account A administrator attaches a trust policy to the role identifying Account B as the principal who can assume the role.

3. Account B administrator can then delegate permissions to assume the role to any users in Account B. Doing this allows users in Account B to create or access resources in Account A. The principal in the trust policy can also be an AWS service principal if you want to grant an AWS service permissions to assume the role.

For more information about using IAM to delegate permissions, see Access Management in the IAM User Guide.

The following is an example policy that allows a user to create DB instances for your AWS account. The policy requires that the name of the new DB instance begin with test. The new DB instance must also use the MySQL database engine and the db.t2.micro DB instance class.

{
  "Version":"2012-10-17",
  "Statement":[
    {
      "Sid":"AllowMySQLTestCreate",
      "Effect":"Allow",
      "Action":"rds:CreateDBInstance",
      "Resource":"arn:aws:rds:us-west-2:123456789012:db:test*",
      "Condition":{
        "StringEquals":{
          "rds:DatabaseEngine":"mysql",
          "rds:DatabaseClass":"db.t2.micro"
        }
      }
    }
  ]
}

For more information about using identity-based policies with Amazon RDS, see Using Identity-Based Policies (IAM Policies) for Amazon RDS (p. 135). For more information about users, groups, roles, and permissions, see Identities (Users, Groups, and Roles) in the IAM User Guide.

Resource-Based Policies

Other services, such as Amazon S3, also support resource-based permissions policies. For example, you can attach a policy to an S3 bucket to manage access permissions to that bucket. Amazon RDS doesn't support resource-based policies.


Specifying Policy Elements: Actions, Effects, Resources, and Principals

For each Amazon RDS resource (see Amazon RDS Resources and Operations (p. 132)), the service defines a set of API operations (see Actions). To grant permissions for these API operations, Amazon RDS defines a set of actions that you can specify in a policy. Note that performing an API operation can require permissions for more than one action.

The following are the basic policy elements:

Resource – In a policy, you use an Amazon Resource Name (ARN) to identify the resource to which the policy applies. For more information, see Amazon RDS Resources and Operations (p. 132).

Action – You use action keywords to identify resource operations that you want to allow or deny. For example, the rds:DescribeDBInstances permission allows the user permissions to perform the Amazon RDS DescribeDBInstances operation.

Effect – You specify the effect when the user requests the specific action—this can be either allow or deny. If you don't explicitly grant access to (allow) a resource, access is implicitly denied. You can also explicitly deny access to a resource, which you might do to make sure that a user cannot access it, even if a different policy grants access.

Principal – In identity-based policies (IAM policies), the user that the policy is attached to is the implicit principal. For resource-based policies, you specify the user, account, service, or other entity that you want to receive permissions (applies to resource-based policies only). Amazon RDS doesn't support resource-based policies.

To learn more about IAM policy syntax and descriptions, see AWS IAM Policy Reference in the IAM User Guide.

For a table showing all of the Amazon RDS API actions and the resources that they apply to, see Amazon RDS API Permissions: Actions, Resources, and Conditions Reference (p. 139).

Specifying Conditions in a Policy

When you grant permissions, you can use the access policy language to specify the conditions when a policy should take effect. For example, you might want a policy to be applied only after a specific date.

For more information about specifying conditions in a policy language, see Condition in the IAM User Guide.

To express conditions, you use predefined condition keys. There are AWS-wide condition keys and RDS-specific keys that you can use as appropriate. For a complete list of AWS-wide keys, see Available Keys for Conditions in the IAM User Guide. For a complete list of RDS-specific keys, see Using IAM Policy Conditions for Fine-Grained Access Control (p. 139).

Using Identity-Based Policies (IAM Policies) for Amazon RDS

This topic provides examples of identity-based policies in which an account administrator can attach permissions policies to IAM identities (that is, users, groups, and roles).

Important

We recommend that you first review the introductory topics that explain the basic concepts and options available for you to manage access to your Amazon Redshift resources. For more information, see Overview of Managing Access Permissions to Your Amazon RDS Resources (p. 132).


The sections in this topic cover the following:

Permissions Required to Use the Amazon RDS Console (p. 137)

AWS Managed (Predefined) Policies for Amazon RDS (p. 137)

Customer Managed Policy Examples (p. 137)

The following shows an example of a permissions policy. The policy allows a user to create DB instances for your AWS account. The policy requires that the name of the new DB instance begin with test. The new DB instance must also use the MySQL database engine and the db.t2.micro DB instance class.

{
  "Version":"2012-10-17",
  "Statement":[
    {
      "Sid":"AllowMySQLTestCreate",
      "Effect":"Allow",
      "Action":"rds:CreateDBInstance",
      "Resource":"arn:aws:rds:us-west-2:123456789012:db:test*",
      "Condition":{
        "StringEquals":{
          "rds:DatabaseEngine":"mysql",
          "rds:DatabaseClass":"db.t2.micro"
        }
      }
    }
  ]
}

The policy includes a single statement that specifies the following permissions:

• The policy allows the IAM user to create a DB instance using the CreateDBInstance API action (this also applies to the create-db-instance CLI command).

• The DB instance identifier for the new DB instance must begin with test (for example, testCustomerData1, test-region2-data).

To specify which resources the user can perform the actions on or with, you use the Resource element. You specify resources using an Amazon Resource Name (ARN) that includes the name of the service that the resource belongs to (rds), the region (us-west-2 in this case), the account number, and the type of resource (a DB instance). For more information about creating ARNs, see Constructing an Amazon RDS Amazon Resource Name (ARN) (p. 671).

• The DB engine must be MySQL and the DB instance class must be db.t2.micro.

• You can add additional permissions or restrictions by using the Condition element, which specifies the conditions when a policy should take effect. For more information about specifying conditions, see Using IAM Policy Conditions for Fine-Grained Access Control (p. 139).

The policy doesn't specify the Principal element because in an identity-based policy you don't specify the principal who gets the permission. When you attach a policy to a user, the user is the implicit principal.

When you attach a permission policy to an IAM role, the principal identified in the role's trust policy gets the permissions.

For a table showing all of the Amazon RDS API actions and the resources that they apply to, see Amazon RDS API Permissions: Actions, Resources, and Conditions Reference (p. 139).


Permissions Required to Use the Amazon RDS Console

For a user to work with the Amazon RDS console, that user must have a minimum set of permissions that allows the user to describe the Amazon RDS resources for their AWS account, and other related information including Amazon EC2 security and network information.

If you create an IAM policy that is more restrictive than the minimum required permissions, the console won't function as intended for users with that IAM policy. To ensure that those users can still use the Amazon RDS console, also attach the AmazonRDSReadOnlyAccess managed policy to the user, as described in AWS Managed (Predefined) Policies for Amazon RDS (p. 137).

You don't need to allow minimum console permissions for users that are making calls only to the AWS CLI or the Amazon RDS API.

AWS Managed (Predefined) Policies for Amazon RDS

AWS addresses many common use cases by providing standalone IAM policies that are created and administered by AWS. Managed policies grant necessary permissions for common use cases so you can avoid having to investigate what permissions are needed. For more information, see AWS Managed Policies in the IAM User Guide.

The following AWS managed policies, which you can attach to users in your account, are specific to Amazon RDS:

AmazonRDSReadOnlyAccess – Grants read-only access to all Amazon RDS resources for the root AWS account.

AmazonRDSFullAccess – Grants full access to all Amazon RDS resources for the root AWS account.

You can also create custom IAM policies that allow users to access the required Amazon RDS API actions and resources. You can attach these custom policies to the IAM users or groups that require those permissions.

Customer Managed Policy Examples

In this section, you can find example user policies that grant permissions for various Amazon RDS actions.

These policies work when you are using the RDS APIs, AWS SDKs, or the AWS CLI. When you are using the console, you need to grant additional permissions specific to the console, which is discussed in Permissions Required to Use the Amazon RDS Console (p. 137).

Note

All examples use the US West (Oregon) Region (us-west-2) and contain fictitious account IDs.

Examples

Example 1: Allow a User to Perform Any Describe Action on Any RDS Resource (p. 137)

Example 2: Allow a User to Create a DB Instance that Uses the Specified DB Parameter and Security Groups (p. 138)

Example 3: Prevent a User from Deleting a DB Instance (p. 138)

Example 1: Allow a User to Perform Any Describe Action on Any RDS Resource

The following permissions policy grants permissions to a user to run all of the actions that begin with Describe. These actions show information about an RDS resource, such as a DB instance. Note that the wildcard character (*) in the Resource element indicates that the actions are allowed for all Amazon RDS resources owned by the account.


{
  "Version":"2012-10-17",
  "Statement":[
    {
      "Sid":"AllowRDSDescribe",
      "Effect":"Allow",
      "Action":"rds:Describe*",
      "Resource":"*"
    }
  ]
}

Example 2: Allow a User to Create a DB Instance that Uses the Specified DB Parameter and Security Groups

The following permissions policy grants permissions to allow a user to only create a DB instance that must use the mysql-production DB parameter group and the db-production DB security group.

{
  "Version":"2012-10-17",
  "Statement":[
    {
      "Sid":"AllowMySQLProductionCreate",
      "Effect":"Allow",
      "Action":"rds:CreateDBInstance",
      "Resource":[
        "arn:aws:rds:us-west-2:123456789012:pg:mysql-production",
        "arn:aws:rds:us-west-2:123456789012:secgrp:db-production"
      ]
    }
  ]
}

Example 3: Prevent a User from Deleting a DB Instance

The following permissions policy prevents a user from deleting a specific DB instance. For example, you might want to deny the ability to delete your production instances to any user that is not an administrator.

{
  "Version":"2012-10-17",
  "Statement":[
    {
      "Sid":"DenyDelete1",
      "Effect":"Deny",
      "Action":"rds:DeleteDBInstance",
      "Resource":"arn:aws:rds:us-west-2:123456789012:db:my-mysql-instance"
    }
  ]
}


Amazon RDS API Permissions: Actions, Resources, and Conditions Reference

When you are setting up Access Control (p. 132) and writing permissions policies that you can attach to an IAM identity (identity-based policies), you can use the following table as a reference. The list includes each Amazon RDS API operation, the corresponding actions for which you can grant permissions to perform the action, the AWS resource for which you can grant the permissions, and condition keys that you can include for fine-grained access control (for more information about conditions, see Using IAM Policy Conditions for Fine-Grained Access Control (p. 139)). You specify the actions in the policy's Action field, the resource value in the policy's Resource field, and conditions in the policy's Condition field.

You can use AWS-wide condition keys in your Amazon RDS policies to express conditions. For a complete list of AWS-wide keys, see Available Keys in the IAM User Guide.

Note

To specify an action, use the rds: prefix followed by the API operation name (for example, rds:CreateDBInstance).

Related Topics

Access Control (p. 132)

Using IAM Policy Conditions for Fine-Grained Access Control (p. 139)

Security in Amazon RDS (p. 130)

Using IAM Policy Conditions for Fine-Grained Access Control

When you grant permissions in Amazon RDS, you can specify conditions that determine how a permissions policy takes effect.

Overview

In Amazon RDS, you have the option to specify conditions when granting permissions using an IAM policy (see Access Control (p. 132)). For example, you can:

• Allow users to create a DB instance only if they specify a particular database engine.

• Allow users to modify RDS resources that are tagged with a particular tag name and tag value.

There are two ways to specify conditions in an IAM policy for Amazon RDS:

• Using Condition Keys

• Using Custom Tags

Specifying Conditions: Using Condition Keys

AWS provides a set of predefined condition keys (AWS-wide condition keys) for all AWS services that support IAM for access control. For example, you can use the aws:MultiFactorAuthPresent condition key to require Multi-Factor Authentication (MFA) when requesting an action. For more information and a list of the AWS-wide condition keys, see Available Keys for Conditions in the IAM User Guide.


Note

Condition keys are case sensitive.

In addition, Amazon RDS provides its own condition keys that you can include in Condition elements in an IAM permissions policy. The following table shows the RDS condition keys that apply to RDS resources.

RDS Condition Key: rds:DatabaseClass
Description: A type of DB instance class.
Value Type: String

RDS Condition Key: rds:DatabaseEngine
Description: A database engine, such as MySQL.
Value Type: String

RDS Condition Key: rds:DatabaseName
Description: The user-defined name of the database on the DB instance.
Value Type: String

RDS Condition Key: rds:MultiAz
Description: A value that specifies whether the DB instance runs in multiple Availability Zones. To indicate that the DB instance is using Multi-AZ, specify 1.
Value Type: Integer

RDS Condition Key: rds:Piops
Description: A value that contains the number of Provisioned IOPS (PIOPS) that the instance supports. To indicate a DB instance that does not have PIOPS enabled, specify 0.
Value Type: Integer

RDS Condition Key: rds:StorageSize
Description: The storage volume size (in GB).
Value Type: Integer

RDS Condition Key: rds:Vpc
Description: A value that specifies whether the DB instance runs in an Amazon Virtual Private Cloud (Amazon VPC). To indicate that the DB instance runs in an Amazon VPC, specify 1.
Value Type: Boolean

For example, the following Condition element uses a condition key and specifies the MySQL database engine. You could apply this to an IAM policy that allows permission to the rds:CreateDBInstance action to enable users to only create DB instances with the MySQL database engine. For an example of an IAM policy that uses this condition, see Example Policies: Using Condition Keys (p. 140).

"Condition":{"StringEquals":{"rds:DatabaseEngine": "mysql" } }

For a list of all of the RDS condition key identifiers and the RDS actions and resources that they apply to, see Amazon RDS API Permissions: Actions, Resources, and Conditions Reference (p. 139).

Example Policies: Using Condition Keys

Following are examples of how you can use condition keys in Amazon RDS IAM permissions policies.

Example 1: Grant Permission to Create a DB Instance that Uses a Specific DB Engine

The following policy uses an RDS condition key and allows a user to create only DB instances that use the MySQL database engine. The Condition element indicates the requirement that the database engine is MySQL.

{
  "Version":"2012-10-17",
  "Statement":[
    {
      "Sid":"AllowMySQLCreate",
      "Effect":"Allow",
      "Action":"rds:CreateDBInstance",
      "Resource":"*",
      "Condition":{
        "StringEquals":{
          "rds:DatabaseEngine":"mysql"
        }
      }
    }
  ]
}

Example 2: Explicitly Deny Permission to Create DB Instances for Certain DB Instance Classes and Create DB Instances that Use Provisioned IOPS

The following policy explicitly denies permission to create DB instances that use the DB instance classes r3.8xlarge and m4.10xlarge, which are the largest and most expensive instances. This policy also prevents users from creating DB instances that use Provisioned IOPS, which incurs an additional cost.

Explicitly denying permission supersedes any other permissions granted. This ensures that identities do not accidentally get permission that you never want to grant.

{
  "Version":"2012-10-17",
  "Statement":[
    {
      "Sid":"DenyLargeCreate",
      "Effect":"Deny",
      "Action":"rds:CreateDBInstance",
      "Resource":"*",
      "Condition":{
        "StringEquals":{
          "rds:DatabaseClass":[
            "db.r3.8xlarge",
            "db.m4.10xlarge"
          ]
        }
      }
    },
    {
      "Sid":"DenyPIOPSCreate",
      "Effect":"Deny",
      "Action":"rds:CreateDBInstance",
      "Resource":"*",
      "Condition":{
        "NumericNotEquals":{
          "rds:Piops":"0"
        }
      }
    }
  ]
}


Specifying Conditions: Using Custom Tags

RDS supports specifying conditions in an IAM policy using custom tags.

For example, if you add a tag named environment to your DB instances with values such as beta, staging, production, and so on, you can create a policy that restricts certain users to DB instances based on the environment tag value.

Note

Custom tag identifiers are case-sensitive.

The following table lists the RDS tag identifiers that you can use in a Condition element.

RDS Tag Identifier      Applies To
db-tag                  DB instances, including Read Replicas
snapshot-tag            DB snapshots
ri-tag                  Reserved DB instances
secgrp-tag              DB security groups
og-tag                  DB option groups
pg-tag                  DB parameter groups
subgrp-tag              DB subnet groups
es-tag                  Event subscriptions
cluster-tag             DB clusters
cluster-pg-tag          DB cluster parameter groups
cluster-snapshot-tag    DB cluster snapshots

The syntax for a custom tag condition is as follows:

"Condition":{"StringEquals":{"rds:rds-tag-identifier/tag-name": ["value"]} }

For example, the following Condition element applies to DB instances with a tag named environment and a tag value of production.

"Condition":{"StringEquals":{"rds:db-tag/environment": ["production"]} }

For information about creating tags, see Tagging Amazon RDS Resources (p. 664).

Important

If you manage access to your RDS resources using tagging, we recommend that you secure access to the tags for your RDS resources. You can manage access to tags by creating policies for the AddTagsToResource and RemoveTagsFromResource actions. For example, the following policy denies users the ability to add or remove tags for all resources. You can then create policies to allow specific users to add or remove tags.

{
  "Version":"2012-10-17",
  "Statement":[
    {
      "Sid":"DenyTagUpdates",
      "Effect":"Deny",
      "Action":[
        "rds:AddTagsToResource",
        "rds:RemoveTagsFromResource"
      ],
      "Resource":"*"
    }
  ]
}

For a list of all of the condition key values, and the RDS actions and resources that they apply to, see Amazon RDS API Permissions: Actions, Resources, and Conditions Reference (p. 139).

Example Policies: Using Custom Tags

Following are examples of how you can use custom tags in Amazon RDS IAM permissions policies. For more information about adding tags to an Amazon RDS resource, see Constructing an Amazon RDS Amazon Resource Name (ARN) (p. 671).

Note

All examples use the us-west-2 region and contain fictitious account IDs.

Example 1: Grant Permission for Actions on a Resource with a Specific Tag with Two Different Values

The following policy allows permission to perform the ModifyDBInstance and CreateDBSnapshot APIs on instances with either the stage tag set to development or test.

{
  "Version":"2012-10-17",
  "Statement":[
    {
      "Sid":"AllowDevTestCreate",
      "Effect":"Allow",
      "Action":[
        "rds:ModifyDBInstance",
        "rds:CreateDBSnapshot"
      ],
      "Resource":"*",
      "Condition":{
        "StringEquals":{
          "rds:db-tag/stage":[
            "development",
            "test"
          ]
        }
      }
    }
  ]
}

Example 2: Explicitly Deny Permission to Create a DB Instance that Uses Specified DB Parameter Groups

The following policy explicitly denies permission to create a DB instance that uses DB parameter groups with specific tag values. You might apply this policy if you require that a specific customer-created DB parameter group always be used when creating DB instances. Note that policies that use Deny are most often used to restrict access that was granted by a broader policy.

Explicitly denying permission supersedes any other permissions granted. This ensures that identities do not accidentally get permission that you never want to grant.

{
  "Version":"2012-10-17",
  "Statement":[
    {
      "Sid":"DenyProductionCreate",
      "Effect":"Deny",
      "Action":"rds:CreateDBInstance",
      "Resource":"*",
      "Condition":{
        "StringEquals":{
          "rds:pg-tag/usage":"prod"
        }
      }
    }
  ]
}

Example 3: Grant Permission for Actions on a DB Instance with an Instance Name that is Prefixed with a User Name

The following policy allows permission to call any API (except AddTagsToResource or RemoveTagsFromResource) on a DB instance that has a DB instance name that is prefixed with the user's name and that has a tag called stage equal to devo or that has no tag called stage.

The Resource line in the policy identifies a resource by its Amazon Resource Name (ARN). For more information about using ARNs with Amazon RDS resources, see Constructing an Amazon RDS Amazon Resource Name (ARN) (p. 671).

{
  "Version":"2012-10-17",
  "Statement":[
    {
      "Sid":"AllowFullDevAccessNoTags",
      "Effect":"Allow",
      "NotAction":[
        "rds:AddTagsToResource",
        "rds:RemoveTagsFromResource"
      ],
      "Resource":"arn:aws:rds:*:123456789012:db:${aws:username}*",
      "Condition":{
        "StringEqualsIfExists":{
          "rds:db-tag/stage":"devo"
        }
      }
    }
  ]
}
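The evaluation rules this section relies on (implicit deny, an explicit Deny overriding any Allow, condition keys, custom tag conditions, and the NotAction, ${aws:username} and StringEqualsIfExists pattern of Example 3 above) are shown below as an added worked example. This is editor-supplied code, not part of the RDS User Guide or of any AWS library; it covers only the operators the section's example policies use, and every user name, tag value and condition value fed to it is constructed.

```python
"""Added example (not from the RDS User Guide): a minimal evaluator for the
identity-based policies shown in this section, covering only the operators they
use (StringEquals, NumericNotEquals, ...IfExists, ${aws:username}, '*', NotAction)."""
import fnmatch

# Example 3 from "Example Policies: Using Custom Tags", as printed on this page.
DEV_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowFullDevAccessNoTags",
        "Effect": "Allow",
        "NotAction": ["rds:AddTagsToResource", "rds:RemoveTagsFromResource"],
        "Resource": "arn:aws:rds:*:123456789012:db:${aws:username}*",
        "Condition": {"StringEqualsIfExists": {"rds:db-tag/stage": "devo"}},
    }],
}

# Example 2 from "Example Policies: Using Condition Keys", as printed on this page.
DENY_EXPENSIVE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyLargeCreate", "Effect": "Deny", "Action": "rds:CreateDBInstance",
         "Resource": "*",
         "Condition": {"StringEquals": {"rds:DatabaseClass": ["db.r3.8xlarge", "db.m4.10xlarge"]}}},
        {"Sid": "DenyPIOPSCreate", "Effect": "Deny", "Action": "rds:CreateDBInstance",
         "Resource": "*",
         "Condition": {"NumericNotEquals": {"rds:Piops": "0"}}},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _substitute(pattern, ctx):
    """Replace policy variables such as ${aws:username} with request-context values."""
    for key, val in ctx.items():
        pattern = pattern.replace("${" + key + "}", val)
    return pattern


def _glob(value, pattern):
    # IAM wildcards are '*' and '?'; fnmatchcase keeps the comparison case-sensitive.
    return fnmatch.fnmatchcase(value, pattern)


def _condition_ok(operator, key, expected, ctx):
    """Evaluate one condition-key test against the request context."""
    if operator.endswith("IfExists"):
        if key not in ctx:
            return True      # key absent: an ...IfExists test is satisfied
        operator = operator[:-len("IfExists")]
    if key not in ctx:
        return False         # key absent without IfExists: the test fails
    actual, expected = ctx[key], _as_list(expected)
    if operator == "StringEquals":
        return actual in expected
    if operator == "StringNotEquals":
        return actual not in expected
    if operator == "NumericEquals":
        return any(float(actual) == float(e) for e in expected)
    if operator == "NumericNotEquals":
        return all(float(actual) != float(e) for e in expected)
    raise NotImplementedError(f"operator {operator} is not covered by this example")


def _statement_applies(stmt, action, resource, ctx):
    """True when Action/NotAction, Resource and every Condition test all match."""
    if "Action" in stmt:
        if not any(_glob(action.lower(), a.lower()) for a in _as_list(stmt["Action"])):
            return False
    elif any(_glob(action.lower(), a.lower()) for a in _as_list(stmt.get("NotAction", []))):
        return False
    patterns = [_substitute(r, ctx) for r in _as_list(stmt["Resource"])]
    if not any(_glob(resource, p) for p in patterns):
        return False
    for operator, tests in stmt.get("Condition", {}).items():
        for key, expected in tests.items():
            if not _condition_ok(operator, key, expected, ctx):
                return False
    return True


def evaluate(policies, action, resource, ctx):
    """Return 'Allow' or 'Deny' for one request under the given identity-based policies."""
    decision = "Deny"                      # default: implicit deny
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _statement_applies(stmt, action, resource, ctx):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"              # explicit deny overrides any allow
            decision = "Allow"
    return decision


if __name__ == "__main__":
    arn = "arn:aws:rds:us-west-2:123456789012:db:alice-dev1"   # constructed
    print(evaluate([DEV_POLICY, DENY_EXPENSIVE_POLICY], "rds:ModifyDBInstance",
                   arn, {"aws:username": "alice", "rds:db-tag/stage": "devo"}))  # Allow
```

The request context dictionary stands in for the condition keys IAM derives from the request (the rds:db-tag/... keys come from the instance's tags, rds:Piops and rds:DatabaseClass from the CreateDBInstance parameters).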


Related Topics

Access Control (p. 132)

Amazon RDS API Permissions: Actions, Resources, and Conditions Reference (p. 139)

Security in Amazon RDS (p. 130)

Encrypting Amazon RDS Resources

You can encrypt your Amazon RDS instances and snapshots at rest by enabling the encryption option for your Amazon RDS DB instance. Data that is encrypted at rest includes the underlying storage for a DB instance, its automated backups, Read Replicas, and snapshots.

Amazon RDS encrypted instances use the industry standard AES-256 encryption algorithm to encrypt your data on the server that hosts your Amazon RDS instance. Once your data is encrypted, Amazon RDS handles authentication of access and decryption of your data transparently with a minimal impact on performance. You don't need to modify your database client applications to use encryption.

Amazon RDS encrypted instances provide an additional layer of data protection by securing your data from unauthorized access to the underlying storage. You can use Amazon RDS encryption to increase data protection of your applications deployed in the cloud, and to fulfill compliance requirements for data-at-rest encryption.

Amazon RDS encrypted instances are currently available for all database engines.

Amazon RDS also supports encrypting an Oracle or SQL Server DB instance with Transparent Data Encryption (TDE). TDE can be used in conjunction with encryption at rest, although using TDE and encryption at rest simultaneously might slightly affect the performance of your database. You must manage different keys for each encryption method. For more information on TDE, see Oracle Transparent Data Encryption (TDE) (p. 303), Appendix: Using AWS CloudHSM to Store Amazon RDS Oracle TDE Keys (p. 342), or SQL Server Transparent Data Encryption (p. 446).

To manage the keys used for encrypting and decrypting your Amazon RDS resources, you use the AWS Key Management Service (AWS KMS). AWS KMS combines secure, highly available hardware and software to provide a key management system scaled for the cloud. Using AWS KMS, you can create encryption keys and define the policies that control how these keys can be used. AWS KMS supports CloudTrail, so you can audit key usage to verify that keys are being used appropriately. Your AWS KMS keys can be used in combination with Amazon RDS and supported AWS services such as Amazon Simple Storage Service (Amazon S3), Amazon Elastic Block Store (Amazon EBS), and Amazon Redshift. For a list of services that support AWS KMS, go to Supported Services in the AWS Key Management Service Developer Guide.

All logs, backups, and snapshots are encrypted for an Amazon RDS encrypted instance. A Read Replica of an Amazon RDS encrypted instance is also encrypted using the same key as the master instance.

Enabling Amazon RDS Encryption for a DB Instance

To enable encryption for a new DB instance, select Yes in the Enable encryption dropdown in the Amazon RDS console. For information on creating a DB instance, see one of the following topics:

Creating a DB Instance Running the MySQL Database Engine (p. 188)

Creating a DB Instance Running the Oracle Database Engine (p. 272)

Creating a DB Instance Running the SQL Server Database Engine (p. 405)

Creating a DB Instance Running the PostgreSQL Database Engine (p. 464)

Creating an Amazon Aurora DB Cluster (p. 505)

Creating a DB Instance Running the MariaDB Database Engine (p. 579)

If you use the create-db-instance AWS CLI command to create an encrypted RDS DB instance, set the --storage-encrypted parameter to true. If you use the CreateDBInstance API action, set the StorageEncrypted parameter to true.

When you create an encrypted DB instance, you can also supply the AWS KMS key identifier for your encryption key. If you don't specify an AWS KMS key identifier, then Amazon RDS will use your default encryption key for your new DB instance. AWS KMS creates your default encryption key for Amazon RDS for your AWS account. Your AWS account has a different default encryption key for each AWS region.

Once you have created an encrypted DB instance, you cannot change the encryption key for that instance. Therefore, be sure to determine your encryption key requirements before you create your encrypted DB instance.

If you use the AWS CLI create-db-instance command to create an encrypted RDS DB instance, set the --kms-key-id parameter to the Amazon Resource Name (ARN) for the AWS KMS encryption key for the DB instance. If you use the Amazon RDS API CreateDBInstance action, set the KmsKeyId parameter to the ARN for your AWS KMS key for the DB instance.

You can use the ARN of a key from another account to encrypt an RDS DB instance. If you create a DB instance with the same AWS account that owns the AWS KMS encryption key used to encrypt that new DB instance, the AWS KMS key ID that you pass can be the AWS KMS key alias instead of the key's ARN.

Important

If Amazon RDS loses access to the encryption key for a DB instance—for example, when Amazon RDS access to a key is revoked—then the encrypted DB instance is placed into a terminal state and can only be restored from a backup. We strongly recommend that you always enable backups for encrypted DB instances to guard against the loss of encrypted data in your databases.

Availability of Amazon RDS Encrypted Instances

Amazon RDS encrypted instances are currently available for all database engines. Amazon RDS encryption is not currently available in the China (Beijing) region.

Amazon RDS encryption is available for all storage types and the following DB instance classes:

Instance Type                                   Instance Class
General Purpose (M4)—Current Generation         db.m4.large, db.m4.xlarge, db.m4.2xlarge, db.m4.4xlarge, db.m4.10xlarge
Memory Optimized (R3)—Current Generation        db.r3.large, db.r3.xlarge, db.r3.2xlarge, db.r3.4xlarge, db.r3.8xlarge
Burst Capable (T2)—Current Generation           db.t2.large
Memory Optimized—Previous Generation (CR1)      db.cr1.8xlarge
General Purpose (M3)—Previous Generation        db.m3.medium, db.m3.large, db.m3.xlarge, db.m3.2xlarge

Note

Encryption at rest is not available for SQL Server Express Edition (sqlserver-ex) DB instances because sqlserver-ex is not supported on the DB instance classes that support encryption at rest.

Managing Amazon RDS Encryption Keys

You can manage keys used for Amazon RDS encrypted instances using the AWS Key Management Service (AWS KMS) in the IAM console. If you want full control over a key, then you must create a customer-managed key. You cannot delete, revoke, or rotate default keys provisioned by AWS KMS.

You can view audit logs of every action taken with a customer-managed key by using AWS CloudTrail.

Important

If you disable the key for an encrypted DB instance, you cannot read from or write to that DB instance. When Amazon RDS encounters a DB instance encrypted by a key that Amazon RDS does not have access to, Amazon RDS puts the DB instance into a terminal state where the DB instance is no longer available and the current state of the database cannot be recovered. In order to restore the DB instance, you must re-enable access to the encryption key for Amazon RDS, and then restore the DB instance from a backup.

Limitations of Amazon RDS Encrypted Instances

The following limitations exist for Amazon RDS encrypted instances:

• You can only enable encryption for an RDS DB instance when you create it, not after the DB instance is created.

• Existing DB instances that are not encrypted cannot be modified to enable encryption.

• DB instances that are encrypted cannot be modified to disable encryption.

• You cannot have an encrypted Read Replica of an unencrypted DB instance or an unencrypted Read Replica of an encrypted DB instance.

• Encrypted Read Replicas must be encrypted with the same key as the source DB instance.

• You cannot restore an unencrypted backup or snapshot to an encrypted DB instance.


• You cannot restore an encrypted MySQL DB snapshot to an Amazon Aurora DB cluster or any MySQL DB snapshot to an encrypted Aurora DB cluster.

• Because KMS encryption keys are specific to the region that they are created in, you cannot copy an encrypted snapshot from one region to another or replicate encrypted DB instances across regions.

Using SSL to Encrypt a Connection to a DB Instance

You can use SSL from your application to encrypt a connection to a DB instance running MySQL, MariaDB, Amazon Aurora, SQL Server, Oracle, or PostgreSQL. Each DB engine has its own process for implementing SSL. To learn how to implement SSL for your DB instance, use the link following that corresponds to your DB engine:

Using SSL with a MySQL DB Instance (p. 180)

Securing Aurora Data with SSL (p. 500)

Using SSL with an Oracle DB Instance (p. 269)

Using SSL with a SQL Server DB Instance (p. 395)

Using SSL with a PostgreSQL DB Instance (p. 461)

Using SSL with a MariaDB DB Instance (p. 572)

A root certificate that works for all regions can be downloaded here. It is the trusted root entity and should work in most cases but might fail if your application does not accept certificate chains. If your application does not accept certificate chains, download the region-specific certificate from the list of intermediate certificates found later in this section.

A certificate bundle that contains both the old and new root certificates can be downloaded here.

If your application is on the Microsoft Windows platform and requires a PKCS7 file, you can download the PKCS7 certificate bundle that contains both the old and new certificates here.

Intermediate certificates

If you need an intermediate certificate for a particular region, download the certificate by selecting the region the DB instance resides in from the following list:

Asia Pacific (Tokyo)

Asia Pacific (Seoul)

Asia Pacific (Singapore)

Asia Pacific (Sydney)

EU (Frankfurt)

EU (Ireland)

South America (São Paulo)

US East (N. Virginia)


US West (N. California)

US West (Oregon)

China (Beijing)

Amazon RDS Security Groups

Security groups control the access that traffic has in and out of a DB instance. Three types of security groups are used with Amazon RDS: DB security groups, VPC security groups, and EC2 security groups.

In simple terms, a DB security group controls access to a DB instance that is not in a VPC, a VPC security group controls access to a DB instance (or other AWS instances) inside a VPC, and an EC2 security group controls access to an EC2 instance.

By default, network access is turned off to a DB instance. You can specify rules in a security group that allow access from an IP address range, port, or EC2 security group. Once ingress rules are configured, the same rules apply to all DB instances that are associated with that security group. You can specify up to 20 rules in a security group.

DB Security Groups

Each DB security group rule enables a specific source to access a DB instance that is associated with that DB security group. The source can be a range of addresses (e.g., 203.0.113.0/24), or an EC2 security group. When you specify an EC2 security group as the source, you allow incoming traffic from all EC2 instances that use that EC2 security group. Note that DB security group rules apply to inbound traffic only; outbound traffic is not currently permitted for DB instances.

You do not need to specify a destination port number when you create DB security group rules; the port number defined for the DB instance is used as the destination port number for all rules defined for the DB security group. DB security groups can be created using the Amazon RDS APIs or the Amazon RDS page of the AWS Management Console.

For more information about working with DB security groups, see Working with DB Security Groups (p. 740).

VPC Security Groups

Each VPC security group rule enables a specific source to access a DB instance in a VPC that is associated with that VPC security group. The source can be a range of addresses (e.g., 203.0.113.0/24), or another VPC security group. By specifying a VPC security group as the source, you allow incoming traffic from all instances (typically application servers) that use the source VPC security group. VPC security groups can have rules that govern both inbound and outbound traffic, though the outbound traffic rules do not apply to DB instances. Note that you must use the Amazon EC2 API or the Security Group option on the VPC Console to create VPC security groups.

DB instances deployed within a VPC can be configured to be accessible from the Internet or from EC2 instances outside the VPC. If a VPC security group specifies a port access such as TCP port 22, you would not be able to access the DB instance because the firewall for the DB instance provides access only via the IP addresses specified by the DB security groups the instance is a member of and the port defined when the DB instance was created.

You should use TCP as the protocol for any VPC security group created to control access to a DB instance. The port number for the VPC security group should be the same port number as that used to create the DB instance.


DB Security Groups vs. VPC Security Groups

The following table shows the key differences between DB security groups and VPC security groups.

DB Security Group: Controls access to DB instances outside a VPC.
VPC Security Group: Controls access to DB instances in a VPC.

DB Security Group: Uses Amazon RDS APIs or the Amazon RDS page of the AWS Management Console to create and manage the group and its rules.
VPC Security Group: Uses Amazon EC2 APIs or the Amazon VPC page of the AWS Management Console to create and manage the group and its rules.

DB Security Group: When you add a rule to a group, you do not need to specify a port number or protocol.
VPC Security Group: When you add a rule to a group, you should specify the protocol as TCP, and specify the same port number that you used to create the DB instances (or Options) you plan to add as members to the group.

DB Security Group: Groups allow access from EC2 security groups in your AWS account or other accounts.
VPC Security Group: Groups allow access from other VPC security groups in your VPC only.

Security Group Scenario

A common use of an RDS instance in a VPC is to share data with an application server running in an EC2 instance in the same VPC and that is accessed by a client application outside the VPC. For this scenario, you would do the following to create the necessary instances and security groups. You can use the RDS and VPC pages on the AWS Console or the RDS and EC2 APIs.

1. Create a VPC security group (for example, "sg-appsrv1") and define inbound rules that use as source the IP addresses of the client application. This security group allows your client application to connect to EC2 instances in a VPC that uses this security group.

2. Create an EC2 instance for the application and add the EC2 instance to the VPC security group ("sg-appsrv1") you created in the previous step. The EC2 instance in the VPC shares the VPC security group with the DB instance.

3. Create a second VPC security group (for example, "sg-dbsrv1") and create a new rule by specifying the VPC security group you created in step 1 ("sg-appsrv1") as the source.

4. Create a new DB instance and add the DB instance to the VPC security group ("sg-dbsrv1") you created in the previous step. When you create the instance, use the same port number as the one specified for the VPC security group ("sg-dbsrv1") rule you created in step 3.
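The rule that step 3 describes, and a check of a DB instance's VPC security group against the guidance above (TCP only, the DB instance's port, the application server's group as source), as an added example that is not part of the guide. The rule dicts follow the IpPermissions shape of the EC2 API; the group IDs sg-appsrv1 and sg-dbsrv1 and port 3306 are constructed sample values.

```python
"""Build and validate the VPC security group ingress rule for an RDS DB instance.

Added example, not from the guide. Rule dicts use the IpPermissions shape that
`aws ec2 describe-security-groups` returns and that
`aws ec2 authorize-security-group-ingress --ip-permissions` accepts.
Group IDs and the port used below are constructed sample values.
"""

from typing import Dict, List


def db_ingress_rule(db_port: int, app_sg_id: str) -> Dict:
    """The single rule from step 3: TCP on the DB port, sourced from the app server group."""
    return {
        "IpProtocol": "tcp",
        "FromPort": db_port,
        "ToPort": db_port,
        "IpRanges": [],
        "UserIdGroupPairs": [{"GroupId": app_sg_id}],
    }


def check_db_sg_rules(ip_permissions: List[Dict], db_port: int, app_sg_id: str) -> List[str]:
    """Compare a DB security group's ingress rules with the guide's advice.

    Returns human-readable findings; an empty list means the rules conform.
    """
    findings: List[str] = []
    app_rule_present = False
    for rule in ip_permissions:
        proto = rule.get("IpProtocol")
        lo, hi = rule.get("FromPort"), rule.get("ToPort")
        label = f"rule {proto} {lo}-{hi}"
        # The guide: the protocol must be TCP and the port must be the DB instance's port.
        if proto == "-1":
            findings.append(f"{label}: allows all protocols and ports; restrict to TCP {db_port}")
            continue
        if proto != "tcp":
            findings.append(f"{label}: protocol is not TCP")
            continue
        port_ok = lo == db_port and hi == db_port
        if not port_ok:
            findings.append(f"{label}: port range is not the DB port {db_port}")
        # Sources: the application server's group is expected. A specific address for
        # development is acceptable; the whole Internet (0.0.0.0/0) is not.
        for ip_range in rule.get("IpRanges", []):
            cidr = ip_range.get("CidrIp", "")
            if cidr == "0.0.0.0/0":
                findings.append(f"{label}: source 0.0.0.0/0 exposes the DB port to the Internet")
        for pair in rule.get("UserIdGroupPairs", []):
            if pair.get("GroupId") == app_sg_id:
                app_rule_present = app_rule_present or port_ok
            else:
                findings.append(f"{label}: source group {pair.get('GroupId')} is not {app_sg_id}")
    if not app_rule_present:
        findings.append(f"no TCP rule on port {db_port} with source group {app_sg_id}")
    return findings


# Constructed samples: the conforming rule from step 3, and a misconfigured group.
CONFORMING_RULES = [db_ingress_rule(3306, "sg-appsrv1")]
OPEN_RULES = [
    {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    {"IpProtocol": "-1", "IpRanges": [],
     "UserIdGroupPairs": [{"GroupId": "sg-appsrv1"}]},
]

if __name__ == "__main__":
    for name, rules in (("conforming", CONFORMING_RULES), ("open", OPEN_RULES)):
        print(name, check_db_sg_rules(rules, 3306, "sg-appsrv1") or ["ok"])
```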

The following diagram shows this scenario.


For more information on working with DB security groups, see Working with DB Security Groups (p. 740).

Delete DB VPC security groups

DB VPC security groups are an RDS mechanism to synchronize security information with a VPC security group. However, this synchronization is no longer required as RDS has been updated to use VPC security group information directly.

We strongly recommend that you delete any DB VPC security groups that you are currently using. If you do not delete your DB VPC security groups, you may encounter unintended behaviors with your RDS DB instances, which can be as severe as losing access to a DB instance. The unintended behaviors are a result of an action such as an update to a DB instance, an option group, and so on, which causes RDS to re-synchronize the DB VPC security group with the VPC security group. This re-synchronization can result in your security information being overwritten with incorrect and outdated security information and severely impact your access to your RDS DB instances.

How can I determine if I have a DB VPC security group?

Because DB VPC security groups have been deprecated, they do not show in the RDS Console. However, you can call the describe-db-security-groups AWS CLI command or the DescribeDBSecurityGroups API action to determine if you have any DB VPC security groups.

If you call the describe-db-security-groups CLI command with JSON specified as the output format, then you can identify DB VPC security groups by the VPC identifier on the second line of the output for the security group, as shown in the following example.

{
    "DBSecurityGroups": [
        {
            "VpcId": "vpc-abcd1234",
            "DBSecurityGroupDescription": "default:vpc-abcd1234",
            "IPRanges": [
                {
                    "Status": "authorized",
                    "CIDRIP": "xxx.xxx.xxx.xxx/n"
                },
                {
                    "Status": "authorized",
                    "CIDRIP": "xxx.xxx.xxx.xxx/n"
                }
            ],
            "OwnerId": "123456789012",
            "EC2SecurityGroups": [],
            "DBSecurityGroupName": "default:vpc-abcd1234"
        }
    ]
}

If you execute the DescribeDBSecurityGroups API action, then you can identify DB VPC security groups using the <VpcId> response element, as shown in the following example.

<DBSecurityGroup>
    <EC2SecurityGroups/>
    <DBSecurityGroupDescription>default:vpc-abcd1234</DBSecurityGroupDescription>
    <IPRanges>
        <IPRange>
            <CIDRIP>xxx.xxx.xxx.xxx/n</CIDRIP>
            <Status>authorized</Status>
        </IPRange>
        <IPRange>
            <CIDRIP>xxx.xxx.xxx.xxx/n</CIDRIP>
            <Status>authorized</Status>
        </IPRange>
    </IPRanges>
    <VpcId>vpc-abcd1234</VpcId>
    <OwnerId>123456789012</OwnerId>
    <DBSecurityGroupName>default:vpc-abcd1234</DBSecurityGroupName>
</DBSecurityGroup>

How do I delete a DB VPC security group?

Because DB VPC security groups do not show in the RDS Console, you must call the delete-db-security-group AWS CLI command or the DeleteDBSecurityGroup API action to delete a DB VPC security group.

After you delete a DB VPC security group, your DB instances in your VPC will continue to be secured by the VPC security group for that VPC. The DB VPC security group that was deleted was merely a copy of the VPC security group information.

Review your AWS CloudFormation templates

Older versions of AWS CloudFormation templates can contain instructions to create a DB VPC security group. Because DB VPC security groups are not yet fully deprecated, they can still be created. Make sure that any AWS CloudFormation templates that you use to provision a DB instance with security settings do not also create a DB VPC security group. Do not use AWS CloudFormation templates that create an RDS DBSecurityGroup with an EC2VpcId, as shown in the following example.

"DbSecurityByEC2SecurityGroup" : {
    "Type" : "AWS::RDS::DBSecurityGroup",
    "Properties" : {
        "GroupDescription" : "Ingress for Amazon EC2 security group",
        "EC2VpcId" : { "Ref" : "MyVPC" },
        "DBSecurityGroupIngress" : [ {
            "EC2SecurityGroupId" : "sg-b0ff1111",
            "EC2SecurityGroupOwnerId" : "111122223333"
        }, {
            "EC2SecurityGroupId" : "sg-ffd722222",
            "EC2SecurityGroupOwnerId" : "111122223333"
        } ]
    }
}

Instead, add security information for your RDS DB instances in a VPC using VPC security groups, as shown in the following example.

"DBInstance" : {
    "Type" : "AWS::RDS::DBInstance",
    "Properties" : {
        "DBName" : { "Ref" : "DBName" },
        "Engine" : "MySQL",
        "MultiAZ" : { "Ref" : "MultiAZDatabase" },
        "MasterUsername" : { "Ref" : "<master_username>" },
        "DBInstanceClass" : { "Ref" : "DBClass" },
        "AllocatedStorage" : { "Ref" : "DBAllocatedStorage" },
        "MasterUserPassword" : { "Ref" : "<master_password>" },
        "VPCSecurityGroups" : [ { "Fn::GetAtt" : [ "VPCSecurityGroup", "GroupId" ] } ]
    }
}
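An added example, not part of the guide, that covers both checks this section describes: it finds DB VPC security groups in the JSON output of describe-db-security-groups (by the presence of VpcId) and builds the matching delete-db-security-group commands, and it flags AWS::RDS::DBSecurityGroup resources with EC2VpcId in a CloudFormation template along with DBInstance resources that still reference them. The sample output and template are constructed; the vpc-, sg- and account IDs in them are placeholders.

```python
"""Find deprecated DB VPC security groups in CLI output and CloudFormation templates.

Added example, not from the guide. Sample data is constructed; the VPC, security
group and account IDs are placeholders, not real resources.
"""

import json
from typing import Dict, List

# Constructed sample in the shape of `aws rds describe-db-security-groups --output json`.
SAMPLE_DESCRIBE_OUTPUT: Dict = json.loads("""
{
  "DBSecurityGroups": [
    {
      "VpcId": "vpc-abcd1234",
      "DBSecurityGroupDescription": "default:vpc-abcd1234",
      "IPRanges": [{"Status": "authorized", "CIDRIP": "203.0.113.0/24"}],
      "OwnerId": "123456789012",
      "EC2SecurityGroups": [],
      "DBSecurityGroupName": "default:vpc-abcd1234"
    },
    {
      "DBSecurityGroupDescription": "classic DB security group (no VpcId)",
      "IPRanges": [],
      "OwnerId": "123456789012",
      "EC2SecurityGroups": [{"Status": "authorized", "EC2SecurityGroupId": "sg-b0ff1111"}],
      "DBSecurityGroupName": "classic-dbsg"
    }
  ]
}
""")

# Constructed sample template: a DB VPC security group plus a DBInstance that references it.
SAMPLE_TEMPLATE: Dict = {
    "Resources": {
        "DbSecurityByEC2SecurityGroup": {
            "Type": "AWS::RDS::DBSecurityGroup",
            "Properties": {
                "GroupDescription": "Ingress for Amazon EC2 security group",
                "EC2VpcId": {"Ref": "MyVPC"},
                "DBSecurityGroupIngress": [{"EC2SecurityGroupId": "sg-b0ff1111",
                                            "EC2SecurityGroupOwnerId": "111122223333"}],
            },
        },
        "DBInstance": {
            "Type": "AWS::RDS::DBInstance",
            "Properties": {
                "Engine": "MySQL",
                "DBSecurityGroups": [{"Ref": "DbSecurityByEC2SecurityGroup"}],
            },
        },
    }
}


def find_db_vpc_security_groups(describe_output: Dict) -> List[str]:
    """Names of DB security groups that carry a VpcId, i.e. DB VPC security groups."""
    return [g["DBSecurityGroupName"]
            for g in describe_output.get("DBSecurityGroups", []) if g.get("VpcId")]


def delete_commands(names: List[str]) -> List[str]:
    """CLI commands that remove the groups found; review the list before running it."""
    return [f"aws rds delete-db-security-group --db-security-group-name '{n}'" for n in names]


def find_template_db_vpc_security_groups(template: Dict) -> List[str]:
    """Logical IDs of AWS::RDS::DBSecurityGroup resources that set EC2VpcId."""
    return [lid for lid, res in template.get("Resources", {}).items()
            if res.get("Type") == "AWS::RDS::DBSecurityGroup"
            and "EC2VpcId" in res.get("Properties", {})]


def find_db_instances_referencing(template: Dict, group_ids: List[str]) -> List[str]:
    """Logical IDs of DBInstance resources whose DBSecurityGroups property refers to one
    of the flagged groups; these should use VPCSecurityGroups instead."""
    hits: List[str] = []
    for lid, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::RDS::DBInstance":
            continue
        refs = {ref.get("Ref") for ref in res.get("Properties", {}).get("DBSecurityGroups", [])
                if isinstance(ref, dict)}
        if refs & set(group_ids):
            hits.append(lid)
    return hits


if __name__ == "__main__":
    print("\n".join(delete_commands(find_db_vpc_security_groups(SAMPLE_DESCRIBE_OUTPUT))))
    flagged = find_template_db_vpc_security_groups(SAMPLE_TEMPLATE)
    print(flagged, find_db_instances_referencing(SAMPLE_TEMPLATE, flagged))
```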

Master User Account Privileges

When you create a new DB instance, the default master user that you use gets certain privileges for that DB instance. The following table shows the privileges the master user gets for each of the database engines.

Database Engine: Amazon Aurora, MySQL, MariaDB
System Privilege: SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, PROCESS, REFERENCES, INDEX, ALTER, SHOW DATABASES, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION CLIENT, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER ON *.* WITH GRANT OPTION, REPLICATION SLAVE (Only For Amazon RDS MySQL versions 5.6 and 5.7, Amazon RDS MariaDB, and Amazon Aurora)

Database Engine: PostgreSQL
System Privilege: CREATE ROLE, CREATE DB, PASSWORD VALID UNTIL INFINITY, CREATE EXTENSION, ALTER EXTENSION, DROP EXTENSION, CREATE TABLESPACE, ALTER <OBJECT> OWNER, CHECKPOINT, PG_CANCEL_BACKEND(), PG_TERMINATE_BACKEND(), SELECT PG_STAT_REPLICATION, EXECUTE PG_STAT_STATEMENTS_RESET(), OWN POSTGRES_FDW_HANDLER(), OWN POSTGRES_FDW_VALIDATOR(), OWN POSTGRES_FDW, EXECUTE PG_BUFFERCACHE_PAGES(), SELECT PG_BUFFERCACHE
Role: RDS_SUPERUSER

Database Engine: Oracle
System Privilege: ALTER DATABASE LINK, ALTER PUBLIC DATABASE LINK, DROP ANY DIRECTORY, EXEMPT ACCESS POLICY, EXEMPT IDENTITY POLICY, GRANT ANY OBJECT PRIVILEGE, RESTRICTED SESSION, EXEMPT REDACTION POLICY (Only For RDS Oracle 11.2.0.4 or later versions)
Role: AQ_ADMINISTRATOR_ROLE, AQ_USER_ROLE, CONNECT, CTXAPP, DBA, EXECUTE_CATALOG_ROLE, RECOVERY_CATALOG_OWNER, RESOURCE, SELECT_CATALOG_ROLE

Database Engine: Microsoft SQL Server
System Privilege: ALTER ANY CONNECTION, ALTER ANY LINKED SERVER, ALTER ANY LOGIN, ALTER SERVER STATE, ALTER TRACE, CONNECT SQL, CREATE ANY DATABASE, VIEW ANY DATABASE, VIEW ANY DEFINITION, VIEW SERVER STATE, ALTER ANY SERVER ROLE, ALTER ANY USER
Role: DB_OWNER (Database Level Role), PROCESSADMIN (Server Level Role), SETUPADMIN (Server Level Role), SQLAgentUserRole (Server Level Role)

Related Topics

Working with DB Security Groups (p. 740)


Virtual Private Clouds (VPCs) and Amazon RDS

There are two Amazon Elastic Compute Cloud (EC2) platforms that host Amazon RDS DB instances, EC2-VPC and EC2-Classic. Amazon Virtual Private Cloud (Amazon VPC) lets you launch AWS resources, such as Amazon Relational Database Service (Amazon RDS) DB instances, into a virtual private cloud (VPC).

Accounts that support only the EC2-VPC platform have a default VPC. All new DB instances are created in the default VPC unless you specify otherwise. If you are a new Amazon RDS customer, if you have never created a DB instance before, or if you are creating a DB instance in a region you have not used before, you are most likely on the EC2-VPC platform and have a default VPC.

Some legacy DB instances on the EC2-Classic platform are not in a VPC. The legacy EC2-Classic platform does not have a default VPC, but as is true for either platform, you can create your own VPC and specify that a DB instance be located in that VPC.

To determine which EC2 platform your account is on in a given region, see Determining Whether You Are Using the EC2-VPC or EC2-Classic Platform (p. 155).

For a list of scenarios involving Amazon RDS DB instances in a VPC and outside of a VPC, see Scenarios for Accessing a DB Instance in a VPC (p. 157) .

For a tutorial that shows you how to create a VPC that you can use with a common Amazon RDS scenario, see Tutorial: Create an Amazon VPC for Use with an Amazon RDS DB Instance (p. 67).

This documentation only discusses VPC functionality relevant to Amazon RDS DB instances. For more information about Amazon VPC, see the Amazon VPC Getting Started Guide and the Amazon VPC User Guide.

Determining Whether You Are Using the EC2-VPC or EC2-Classic Platform

Your AWS account and the region you select determine which of the two RDS platforms your DB instance is created on: EC2-Classic or EC2-VPC. The type of platform determines if you have a default VPC, and which type of security group you use to provide access to your DB instance. The legacy EC2-Classic platform is the original platform used by Amazon RDS; if you are on this platform and want to use a VPC, you must create the VPC using the Amazon VPC console or Amazon VPC API. Accounts that only support the EC2-VPC platform have a default VPC where all DB instances are created, and you must use either an EC2 or VPC security group to provide access to the DB instance.

Note

If you are a new Amazon RDS customer, if you have never created a DB instance before, or if you are creating a DB instance in a region you have not used before, in almost all cases you are on the EC2-VPC platform and have a default VPC.

You can tell which platform your AWS account in a given region is using by looking at the RDS console or EC2 console home pages. If you are a new Amazon RDS customer, if you have never created a DB instance before, or if you are creating a DB instance in a region you have not used before, you might be redirected to the first-run console page and will not see the home page following.

If Supported Platforms indicates VPC, as shown in the screenshot following, your AWS account in the current region uses the EC2-VPC platform, and uses a default VPC. The name of the default VPC is shown below the supported platform. To provide access to a DB instance created on the EC2-VPC platform, you must create a VPC security group.

If Supported Platforms indicates EC2,VPC, as shown in the screenshot following, your AWS account in the current region uses the EC2-Classic platform, and you do not have a default VPC. To provide access to a DB instance created on the EC2-Classic platform, you must create a DB security group. Note that you can create a VPC on the EC2-Classic platform, but one is not created for you by default as it is on accounts that support the EC2-VPC platform.


Related Topics

Working with an Amazon RDS DB Instance in a VPC (p. 164)

Scenarios for Accessing a DB Instance in a VPC

Amazon RDS supports the following scenarios for accessing a DB instance in a VPC:

DB Instance: In a VPC
Accessed By:
An EC2 Instance in the Same VPC (p. 157)
An EC2 Instance in a Different VPC (p. 159)
An EC2 Instance Not in a VPC (p. 160)
A Client Application Through the Internet (p. 161)

DB Instance: Not in a VPC
Accessed By:
An EC2 Instance in a VPC (p. 161)
An EC2 Instance Not in a VPC (p. 162)
A Client Application Through the Internet (p. 163)

A DB Instance in a VPC Accessed by an EC2 Instance in the Same VPC

A common use of an RDS instance in a VPC is to share data with an application server that is running in an EC2 instance in the same VPC. This is the user scenario created if you use AWS Elastic Beanstalk to create an EC2 instance and a DB instance in the same VPC.

The following diagram shows this scenario.


The simplest way to manage access between EC2 instances and DB instances in the same VPC is to do the following:

• Create a VPC security group that your DB instances will be in. This security group can be used to restrict access to the DB instances. For example, you can create a custom rule for this security group that allows TCP access using the port you assigned to the DB instance when you created it and an IP address you will use to access the DB instance for development or other purposes.

• Create a VPC security group that your EC2 instances (web servers and clients) will be in. This security group can, if needed, allow access to the EC2 instance from the Internet via the VPC's routing table. For example, you can set rules on this security group to allow TCP access to the EC2 instance over port 22.

• Create custom rules in the security group for your DB instances that allow connections from the security group you created for your EC2 instances. This would allow any member of the security group to access the DB instances.

For a tutorial that shows you how to create a VPC with both public and private subnets for this scenario, see Tutorial: Create an Amazon VPC for Use with an Amazon RDS DB Instance (p. 67).

To create a rule in a VPC security group that allows connections from another security group, do the following:

1. Sign in to the AWS Management Console and open the Amazon VPC console at https://console.aws.amazon.com/vpc.

2. In the navigation pane, choose Security Groups.

3. Select or create a security group that you want to allow access to members of another security group. In the scenario above, this would be the security group you will use for your DB instances. Choose Add Rule.

4. From Type, choose All ICMP. In the Source textbox, start typing the ID of the security group; this provides you with a list of security groups. Select the security group with members that you want to have access to the resources protected by this security group. In the scenario above, this would be the security group you will use for your EC2 instance.

5. Repeat the steps for the TCP protocol by creating a rule with All TCP as the Type and your security group in the Source textbox. If you intend to use the UDP protocol, create a rule with All UDP as the Type and your security group in the Source textbox.

6. Create a custom TCP rule that permits access via the port you used when you created your DB instance, such as port 3306 for MySQL. Enter your security group or an IP address you will use in the Source textbox.

7. Choose Save when you are done.

A DB Instance in a VPC Accessed by an EC2 Instance in a Different VPC

When your DB instance is in a different VPC from the EC2 instance you are using to access it, there are several ways to access the DB instance. If the DB instance and EC2 instance are in different VPCs but in the same region, you can use VPC peering. If the DB instance and the EC2 instance are in different regions, you must use the public IP of the DB instance to access it.

The following diagram shows this scenario.

A VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them using private IP addresses. Instances in either VPC can communicate with each other as if they are within the same network. You can create a VPC peering connection between your own VPCs, or with a VPC in another AWS account within a single region. To learn more about VPC peering, see the VPC documentation.


Use the public IP of the DB instance when you need to connect to a DB instance that is in a different VPC and region from your EC2 instance. The DB instance must allow public access, must be in a public subnet, and the subnet must have an Internet gateway. When you set the Publicly Accessible option to Yes when you create a DB instance, Amazon RDS creates a public subnet for your DB instance.

A DB Instance in a VPC Accessed by an EC2 Instance Not in a VPC

You can communicate between an Amazon RDS DB instance that is in a VPC and an EC2 instance that is not in an Amazon VPC by using ClassicLink. When you use ClassicLink, an application on the EC2 instance can connect to the DB instance by using the RDS endpoint for the DB instance. ClassicLink is available at no charge.

The following diagram shows this scenario.

Using ClassicLink, you can connect an EC2 instance to a logically isolated database where you define the IP address range and control the access control lists (ACLs) to manage network traffic. You don't have to use public IP addresses or tunneling to communicate with the DB instance in the VPC. This arrangement provides you with higher throughput and lower latency connectivity for inter-instance communications.

Note

The DB instance must be in a private subnet that is not open to the public (that is, it cannot be set to publicly accessible).

To enable ClassicLink between a DB instance in a VPC and an EC2 instance not in a VPC

1. Sign in to the AWS Management Console and open the Amazon VPC console at https://console.aws.amazon.com/vpc.

2. In the navigation pane, choose Your VPCs.

3. For VPC, choose the VPC used by the DB instance.

4. For Actions menu, choose Enable ClassicLink. In the confirmation dialog box, choose Yes, Enable.

5. On the EC2 console, select the EC2 instance you want to connect to the DB instance in the VPC.

6. For Actions menu, choose ClassicLink, and then choose Link to VPC.

7. On the Link to VPC page, choose the security group you want to use, and then choose Link to VPC.


A DB Instance in a VPC Accessed by a Client Application Through the Internet

To access a DB instance in a VPC from a client application through the internet, you configure a VPC with a single public subnet, and an Internet gateway to enable communication over the Internet.

The following diagram shows this scenario.

We recommend the following configuration:

• A VPC of size /16 (for example CIDR: 10.0.0.0/16). This size provides 65,536 private IP addresses.

• A subnet of size /24 (for example CIDR: 10.0.0.0/24). This size provides 256 private IP addresses.

• An Internet gateway which connects the VPC to the Internet and to other AWS products.

• An instance with a private IP address in the subnet range (for example: 10.0.0.6), which enables the instance to communicate with other instances in the VPC, and an Elastic IP address (for example: 198.51.100.2), which enables the instance to be reached from the Internet.

• A route table entry that enables instances in the subnet to communicate with other instances in the VPC, and a route table entry that enables instances in the subnet to communicate directly over the Internet.

For more information, see scenario 1 in the VPC documentation.

A DB Instance Not in a VPC Accessed by an EC2 Instance in a VPC

In the case where you have an EC2 instance in a VPC and an RDS DB instance not in a VPC, you can connect them over the public Internet.

The following diagram shows this scenario.


Note

ClassicLink, as described in A DB Instance in a VPC Accessed by an EC2 Instance Not in a VPC (p. 160), is not available for this scenario.

To connect your DB instance and your EC2 instance over the public Internet, do the following:

• Ensure that the EC2 instance is in a public subnet in the VPC.

• Ensure that the RDS DB instance was marked as publicly accessible.

• Note about network ACLs: a network ACL is like a firewall for your entire subnet, so all instances in that subnet are subject to network ACL rules. By default, network ACLs allow all traffic and you generally don't need to worry about them, unless you particularly want to add rules as an extra layer of security. A security group, on the other hand, is associated with individual instances, and you do need to worry about security group rules.

• Add the necessary ingress rules to the DB security group for the RDS DB instance.

An ingress rule specifies a network port and a CIDR/IP range. For example, you can add an ingress rule that allows port 3306 to connect to a MySQL RDS DB instance, and a CIDR/IP range of 203.0.113.25/32. For more information, see Authorizing Network Access to a DB Security Group from an IP Range (p. 746).

A DB Instance Not in a VPC Accessed by an EC2 Instance Not in a VPC

When neither your DB instance nor an application on an EC2 instance are in a VPC, you can access the DB instance by using its endpoint and port.

The following diagram shows this scenario.


You must create a DB security group for the instance that permits access from the port you specified when creating the instance. For example, you could use a connection string similar to this connection string used with sqlplus to access an Oracle DB instance:

PROMPT>sqlplus '<master user>@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=<endpoint>)(PORT=<port number>))(CONNECT_DATA=(SID=<database name>)))'

For more information, see the following documentation.

Database Engine: Amazon Aurora
Relevant Documentation: Connecting to an Amazon Aurora DB Cluster (p. 521)

Database Engine: MariaDB
Relevant Documentation: Connecting to a DB Instance Running the MariaDB Database Engine (p. 589)

Database Engine: Microsoft SQL Server
Relevant Documentation: Connecting to a DB Instance Running the SQL Server Database Engine (p. 415)

Database Engine: MySQL
Relevant Documentation: Connecting to a DB Instance Running the MySQL Database Engine (p. 197)

Database Engine: Oracle
Relevant Documentation: Connecting to a DB Instance Running the Oracle Database Engine (p. 280)

Database Engine: PostgreSQL
Relevant Documentation: Connecting to a DB Instance Running the PostgreSQL Database Engine (p. 471)

A DB Instance Not in a VPC Accessed by a Client Application Through the Internet

New Amazon RDS customers can only create a DB instance in a VPC. However, you might need to connect to an existing Amazon RDS DB instance that is not in a VPC from a client application through the Internet.

The following diagram shows this scenario.


In this scenario, you must ensure that the DB security group for the RDS DB instance includes the necessary ingress rules for your client application to connect. An ingress rule specifies a network port and a CIDR/IP range. For example, you can add an ingress rule that allows port 3306 to connect to a MySQL RDS DB instance from the CIDR/IP range 203.0.113.25/32. For more information, see Authorizing Network Access to a DB Security Group from an IP Range (p. 746).

Caution

If you intend to access a DB instance behind a firewall, talk with your network administrator to determine the IP addresses you should use.

Working with an Amazon RDS DB Instance in a VPC

Unless you are working with a legacy DB instance, your DB instance is in a virtual private cloud (VPC).

A virtual private cloud is a virtual network that is logically isolated from other virtual networks in the AWS cloud. Amazon Virtual Private Cloud (Amazon VPC) lets you launch AWS resources, such as an Amazon Relational Database Service (Amazon RDS) or Amazon Elastic Compute Cloud (Amazon EC2) instance, into a VPC. The VPC can either be a default VPC that comes with your account or one that you create. All VPCs are associated with your AWS account.

Your default VPC has three subnets you can use to isolate resources inside the VPC. The default VPC also has an Internet Gateway that can be used to provide access to resources inside the VPC from outside the VPC.

For a list of scenarios involving Amazon RDS DB instances in a VPC and outside of a VPC, see Scenarios for Accessing a DB Instance in a VPC (p. 157).

For a tutorial that shows you how to create a VPC that you can use with a common Amazon RDS scenario, see Tutorial: Create an Amazon VPC for Use with an Amazon RDS DB Instance (p. 67).

To learn how to work with Amazon RDS DB instances inside a VPC, see the following:

Topics

Working with a DB Instance in a VPC (p. 165)

Working with DB Subnet Groups (p. 165)

Hiding a DB Instance in a VPC from the Internet (p. 166)

Creating a DB Instance in a VPC (p. 167)

Moving a DB Instance Not in a VPC into a VPC (p. 169)


Working with a DB Instance in a VPC

Here are some tips on working with a DB instance in a VPC:

• Your VPC must have at least one subnet in at least two of the Availability Zones in the region where you want to deploy your DB instance. A subnet is a segment of a VPC's IP address range that you can specify and that lets you group instances based on your security and operational needs.

• If you want your DB instance in the VPC to be publicly accessible, you must enable the VPC attributes DNS hostnames and DNS resolution.

• Your VPC must have a DB subnet group that you create (for more information, see the next section). You create a DB subnet group by specifying the subnets you created. Amazon RDS uses that DB subnet group and your preferred Availability Zone to select a subnet and an IP address within that subnet to assign to your DB instance.

• Your VPC must have a VPC security group that allows access to the DB instance.

• The CIDR blocks in each of your subnets must be large enough to accommodate spare IP addresses for Amazon RDS to use during maintenance activities, including failover and compute scaling.

• A VPC can have an instance tenancy attribute of either default or dedicated. All default VPCs have the instance tenancy attribute set to default, and a default VPC can support any DB instance class.

If you choose to have your DB instance in a dedicated VPC where the instance tenancy attribute is set to dedicated, the DB instance class of your DB instance must be one of the approved Amazon EC2 dedicated instance types. For example, the m3.medium EC2 dedicated instance corresponds to the db.m3.medium DB instance class. For more information about the instance types that can be in a dedicated instance, go to Amazon EC2 Dedicated Instances on the EC2 pricing page. For information about instance tenancy in a VPC, go to Using EC2 Dedicated Instances in the Amazon Virtual Private Cloud User Guide.

• When an option group is assigned to a DB instance, it is linked to the supported platform the DB instance is on, either VPC or EC2-Classic (non-VPC). Furthermore, if a DB instance is in a VPC, the option group associated with the instance is linked to that VPC. This linkage means that you cannot use the option group assigned to a DB instance if you attempt to restore the instance into a different VPC or onto a different platform.

• If you restore a DB instance into a different VPC or onto a different platform, you must either assign the default option group to the instance, assign an option group that is linked to that VPC or platform, or create a new option group and assign it to the DB instance. Note that with persistent or permanent options, such as Oracle TDE, you must create a new option group that includes the persistent or permanent option when restoring a DB instance into a different VPC.

Working with DB Subnet Groups

Subnets are segments of a VPC's IP address range that you designate to group your resources based on security and operational needs. A DB subnet group is a collection of subnets (typically private) that you create in a VPC and that you then designate for your DB instances. A DB subnet group allows you to specify a particular VPC when creating DB instances using the CLI or API; if you use the console, you can just select the VPC and subnets you want to use.

Each DB subnet group should have subnets in at least two Availability Zones in a given region. If you are using SQL Server with Mirroring with a SQL Server DB instance in a VPC, you must create a DB subnet group that has three subnets in distinct Availability Zones. When creating a DB instance in a VPC, you must select a DB subnet group. Amazon RDS uses that DB subnet group and your preferred Availability Zone to select a subnet and an IP address within that subnet to associate with your DB instance. If the primary DB instance of a Multi-AZ deployment fails, Amazon RDS can promote the corresponding standby and subsequently create a new standby using an IP address of the subnet in one of the other Availability Zones.


When Amazon RDS creates a DB instance in a VPC, it assigns a network interface to your DB instance by using an IP address selected from your DB subnet group. However, we strongly recommend that you use the DNS name to connect to your DB instance because the underlying IP address can change during failover.

Note

For each DB instance that you run in a VPC, you should reserve at least one address in each subnet in the DB subnet group for use by Amazon RDS for recovery actions.

Hiding a DB Instance in a VPC from the Internet

One common Amazon RDS scenario is to have a VPC in which you have an EC2 instance with a public-facing web application and a DB instance with a database that is not publicly accessible. For example, you can create a VPC that has a public subnet and a private subnet. Amazon EC2 instances that function as web servers can be deployed in the public subnet, and the Amazon RDS DB instances are deployed in the private subnet. In such a deployment, only the web servers have access to the DB instances. For an illustration of this scenario, see A DB Instance in a VPC Accessed by an EC2 Instance in the Same VPC (p. 157).

When you launch a DB instance inside a VPC, you can designate whether the DB instance you create has a DNS that resolves to a public IP address by using the PubliclyAccessible parameter. This parameter lets you designate whether there is public access to the DB instance. Note that access to the DB instance is ultimately controlled by the security group it uses, and that public access is not permitted if the security group assigned to the DB instance does not permit it.

You can modify a DB instance to turn on or off public accessibility by modifying the PubliclyAccessible parameter. This parameter is modified just like any other DB instance parameter. For more information, see the modifying section for your DB engine.
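The two points made above, that an ingress rule should be as narrow as the 203.0.113.25/32 example and that the security group, not the PubliclyAccessible flag alone, decides whether a DB instance is reachable, can be checked together. The following is an added example, not code from this guide: it audits records shaped like the RDS DescribeDBInstances and EC2 DescribeSecurityGroups responses (the records here are constructed), and the /24 and /64 "wide range" thresholds are this example's assumption.

```python
"""Find publicly accessible RDS DB instances whose VPC security group
admits the database port from a wide address range.

Added example, not code from the AWS guide.  Works on records shaped like
the RDS DescribeDBInstances and EC2 DescribeSecurityGroups responses; the
records below are constructed so the check runs offline (replace them with
boto3 describe_db_instances / describe_security_groups output).
"""
import ipaddress

# Prefix lengths shorter than these count as "wide".  The guide's example
# rule, 203.0.113.25/32, admits a single host; the /24 and /64 thresholds
# are this example's assumption, not values from the guide.
WIDE_V4_PREFIX = 24
WIDE_V6_PREFIX = 64


def rule_opens_port(permission, port):
    """True if an IpPermission entry covers TCP `port` (or all traffic)."""
    proto = permission.get("IpProtocol")
    if proto == "-1":                      # "all traffic" rule
        return True
    if proto != "tcp":
        return False
    return permission.get("FromPort", 0) <= port <= permission.get("ToPort", 65535)


def wide_ranges(permission):
    """CIDRs in an IpPermission entry broader than the thresholds above."""
    cidrs = [r["CidrIp"] for r in permission.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in permission.get("Ipv6Ranges", [])]
    wide = []
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        limit = WIDE_V4_PREFIX if net.version == 4 else WIDE_V6_PREFIX
        if net.prefixlen < limit:
            wide.append(cidr)
    return wide


def audit(db_instances, security_groups):
    """Return (db identifier, security group id, cidr) for every wide rule
    on the database port of a publicly accessible instance."""
    by_id = {sg["GroupId"]: sg for sg in security_groups}
    findings = []
    for db in db_instances:
        # Not publicly accessible: the DNS name resolves to a private
        # address only, so there is no Internet exposure to report.
        if not db.get("PubliclyAccessible"):
            continue
        port = db["Endpoint"]["Port"]
        for ref in db.get("VpcSecurityGroups", []):
            sg = by_id.get(ref["VpcSecurityGroupId"], {})
            for perm in sg.get("IpPermissions", []):
                if rule_opens_port(perm, port):
                    for cidr in wide_ranges(perm):
                        findings.append((db["DBInstanceIdentifier"],
                                         ref["VpcSecurityGroupId"], cidr))
    return findings


# Constructed sample data (not real accounts, groups, or addresses).
SECURITY_GROUPS = [
    {"GroupId": "sg-0a1b2c3d", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-0e5f6a7b", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "203.0.113.25/32"}], "Ipv6Ranges": []},
    ]},
]
DB_INSTANCES = [
    {"DBInstanceIdentifier": "prod-mysql", "PubliclyAccessible": True,
     "Endpoint": {"Port": 3306},
     "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0a1b2c3d"}]},
    {"DBInstanceIdentifier": "app-mysql", "PubliclyAccessible": True,
     "Endpoint": {"Port": 3306},
     "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0e5f6a7b"}]},
    {"DBInstanceIdentifier": "internal-mysql", "PubliclyAccessible": False,
     "Endpoint": {"Port": 3306},
     "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0a1b2c3d"}]},
]

if __name__ == "__main__":
    for db_id, sg_id, cidr in audit(DB_INSTANCES, SECURITY_GROUPS):
        print(f"{db_id}: {sg_id} allows the database port from {cidr}")
```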

The following illustration shows the Publicly Accessible option in the Launch DB Instance Wizard.


Creating a DB Instance in a VPC

The following procedures help you create a DB instance in a VPC. If your account has a default VPC, you can begin with step 3 because the VPC and DB subnet group have already been created for you. If your AWS account does not have a default VPC, or if you do not have a default VPC in a particular region, you can create a new VPC. If you don't know if you have a default VPC, see Determining Whether You Are Using the EC2-VPC or EC2-Classic Platform (p. 155).

Note

If you want your DB instance in the VPC to be publicly accessible, you must update the DNS information for the VPC by enabling the VPC attributes DNS hostnames and DNS resolution. For information about updating the DNS information for a VPC instance, see Updating DNS Support for Your VPC.

Follow these steps to create a DB instance in a VPC.

Step 1: Create a VPC (p. 167)

Step 2: Add Subnets to the VPC (p. 167)

Step 3: Create a DB Subnet Group (p. 167)

Step 4: Create a VPC Security Group (p. 168)

Step 5: Create a DB Instance in the VPC (p. 168)

Step 1: Create a VPC

If your AWS account does not have a default VPC or if you want to create an additional VPC, follow the instructions for creating a new VPC. See Create a VPC with Private and Public Subnets (p. 68) in the Amazon RDS documentation, or see Step 1: Create a VPC in the Amazon VPC documentation.

Step 2: Add Subnets to the VPC

Once you have created a VPC, you need to create a subnet in the VPC in at least two of the Availability Zones of the region where the VPC exists. You will use these subnets when you create a DB subnet group. Note that if you have a default VPC, a subnet is automatically created for you in each Availability Zone in the region.

For instructions on how to create subnets in a VPC, see Create a VPC with Private and Public Subnets (p. 68) in the Amazon RDS documentation, or see Subnets in Your VPC in the Amazon VPC documentation.

Step 3: Create a DB Subnet Group

A DB subnet group is a collection of subnets (typically private) that you create for a VPC and that you then designate for your DB instances. A DB subnet group allows you to specify a particular VPC when you create DB instances using the CLI or API. If you use the Amazon RDS console, you can just select the VPC and subnets you want to use. Each DB subnet group must have at least one subnet in at least two Availability Zones in the region.

Note

For a DB instance to be publicly accessible, the subnets in the DB subnet group must have an Internet gateway. For more information about Internet gateways for subnets, go to Internet Gateways in the Amazon VPC documentation.

When you create a DB instance in a VPC, you must select a DB subnet group. Amazon RDS then uses that DB subnet group and your preferred Availability Zone to select a subnet and an IP address within that subnet. Amazon RDS creates and associates an Elastic Network Interface to your DB instance with that IP address. For Multi-AZ deployments, defining a subnet for two or more Availability Zones in a region allows Amazon RDS to create a new standby in another Availability Zone should the need arise. You need to do this even for Single-AZ deployments, just in case you want to convert them to Multi-AZ deployments at some point.

In this step, you create a DB subnet group and add the subnets you created for your VPC.

AWS Management Console

To create a DB subnet group

1. Open the Amazon RDS console at https://console.aws.amazon.com/rds/.

2. In the navigation pane, choose Subnet Groups.

3. Choose Create DB Subnet Group.

4. For Name, type the name of your DB subnet group.

5. For Description, type a description for your DB subnet group.

6. For VPC ID, choose the VPC that you created.

7. In the Add Subnet(s) to this Subnet Group section, click the add all the subnets link.

8. Choose Yes, Create, and then choose Close.

Your new DB subnet group appears in the DB subnet groups list on the RDS console. You can click the DB subnet group to see details, including all of the subnets associated with the group, in the details pane at the bottom of the window.
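The placement rules for a DB subnet group stated in this step and in Working with DB Subnet Groups (one VPC, at least two Availability Zones, three for SQL Server Mirroring, and spare addresses in every subnet) can be checked before the group is created. The following is an added example, not code from this guide: it takes subnet records shaped like EC2 DescribeSubnets output (constructed here), and the reserve of 2 free addresses per planned instance is this example's assumption.

```python
"""Check a proposed DB subnet group against the placement rules above.

Added example, not code from the AWS guide.  Input records follow the shape
of EC2 DescribeSubnets output; the ones below are constructed so the check
runs offline.  Rules encoded: all subnets in one VPC, subnets in at least
two Availability Zones (three for SQL Server Mirroring), and free addresses
left in every subnet for RDS failover and scaling.
"""

# Assumption of this example: an address for the instance plus one for RDS
# recovery actions, per planned DB instance, in every subnet of the group.
RESERVE_PER_INSTANCE = 2


def check_subnet_group(subnets, planned_instances=1, sql_server_mirroring=False):
    """Return the violated rules for the group ([] means it is acceptable)."""
    if not subnets:
        return ["the group has no subnets"]
    problems = []
    vpcs = sorted({s["VpcId"] for s in subnets})
    if len(vpcs) != 1:
        problems.append(f"all subnets must be in one VPC, found {vpcs}")
    zones = sorted({s["AvailabilityZone"] for s in subnets})
    needed = 3 if sql_server_mirroring else 2
    if len(zones) < needed:
        problems.append(f"need subnets in at least {needed} Availability Zones, "
                        f"found {len(zones)}")
    # A standby (or a replacement standby after failover) may land in any
    # subnet of the group, so every subnet needs headroom, not just the total.
    reserve = planned_instances * RESERVE_PER_INSTANCE
    for s in subnets:
        free = s["AvailableIpAddressCount"]
        if free < reserve:
            problems.append(f"{s['SubnetId']} has {free} free addresses, need {reserve}")
    return problems


def public_subnets(subnets):
    """Subnet IDs that auto-assign public IPs, a hint that the subnet is a
    public one, whereas a DB subnet group is typically built from private
    subnets.  (Whether a subnet is really public depends on its route table.)"""
    return [s["SubnetId"] for s in subnets if s.get("MapPublicIpOnLaunch")]


# Constructed sample subnets (not real identifiers).
SUBNETS = [
    {"SubnetId": "subnet-0aaa", "VpcId": "vpc-0abc", "AvailabilityZone": "us-west-2a",
     "CidrBlock": "10.0.1.0/24", "AvailableIpAddressCount": 240, "MapPublicIpOnLaunch": False},
    {"SubnetId": "subnet-0bbb", "VpcId": "vpc-0abc", "AvailabilityZone": "us-west-2b",
     "CidrBlock": "10.0.2.0/24", "AvailableIpAddressCount": 3, "MapPublicIpOnLaunch": False},
    {"SubnetId": "subnet-0ccc", "VpcId": "vpc-0abc", "AvailabilityZone": "us-west-2a",
     "CidrBlock": "10.0.0.0/24", "AvailableIpAddressCount": 200, "MapPublicIpOnLaunch": True},
]

if __name__ == "__main__":
    print(check_subnet_group(SUBNETS, planned_instances=2))
    print("public subnets in group:", public_subnets(SUBNETS))
```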

Step 4: Create a VPC Security Group

Before you create your DB instance, you must create a VPC security group to associate with your DB instance. For instructions on how to create a security group for your DB instance, see Create a VPC Security Group for a Private Amazon RDS DB Instance (p. 74) in the Amazon RDS documentation, or see Security Groups for Your VPC in the Amazon VPC documentation.

Step 5: Create a DB Instance in the VPC

In this step, you create a DB instance and use the VPC name, the DB subnet group, and the VPC security group you created in the previous steps.


Note

If you want your DB instance in the VPC to be publicly accessible, you must enable the VPC attributes DNS hostnames and DNS resolution. For information on updating the DNS information for a VPC instance, see Updating DNS Support for Your VPC.

For details on how to create a DB instance for your DB engine, see the topic following that discusses your DB engine. For each engine, when prompted in the Launch DB Instance Wizard, enter the VPC name, the DB subnet group, and the VPC security group you created in the previous steps.

Database Engine: Relevant Documentation

Amazon Aurora: Creating an Amazon Aurora DB Cluster (p. 505)

MariaDB: Creating a DB Instance Running the MariaDB Database Engine (p. 579)

Microsoft SQL Server: Creating a DB Instance Running the SQL Server Database Engine (p. 405)

MySQL: Creating a DB Instance Running the MySQL Database Engine (p. 188)

Oracle: Creating a DB Instance Running the Oracle Database Engine (p. 272)

PostgreSQL: Creating a DB Instance Running the PostgreSQL Database Engine (p. 464)

Moving a DB Instance Not in a VPC into a VPC

The following procedures help you move a DB instance that is not in a VPC into a VPC. For example, if you have a db.t1 DB instance that is not in a VPC, and you want to move it to a db.t2 DB instance class (which requires a VPC), you follow these steps.

Step 1: Create a VPC (p. 167)

Step 2: Add Subnets to the VPC (p. 167)

Step 3: Create a DB Subnet Group (p. 167)

Step 4: Create a VPC Security Group (p. 168)

Step 5: Create a DB snapshot of the current DB instance that you want to move into a VPC.

Note that this operation requires that your database be offline because you are restoring a snapshot of your database. You must either stop write operations to the database or apply the transaction logs after restoring the DB instance.

To create a DB snapshot, follow the instructions in Creating a DB Snapshot (p. 678).

Step 6: Restore the DB snapshot, specifying the VPC, DB subnet group, and VPC security group you want to use.

For more information about restoring from a DB snapshot, see Restoring From a DB Snapshot (p. 680).

Note

When you move a DB instance into a VPC, you cannot use a custom option group that is assigned to a DB instance that is not in a VPC. Option groups are platform-specific, and moving from a non-VPC to a VPC is a change in platform. To use a custom option group in this case, assign the default option group to the DB instance, assign to the DB instance an option group that is used by other DB instances in the VPC you are moving to, or create a new option group and assign it to the DB instance.


Limits for Amazon RDS

This topic describes the resource limits and naming constraints for Amazon RDS.

Topics

Limits in Amazon RDS (p. 170)

Naming Constraints in Amazon RDS (p. 171)

File Size Limits in Amazon RDS (p. 173)

Limits in Amazon RDS

Each AWS account has limits, per region, on the number of Amazon RDS resources that can be created.

Once a limit for a resource has been reached, additional calls to create that resource will fail with an exception.

The following table lists the resources and their limits per region.

Resource: Default Limit

Clusters: 40

Cluster parameter groups: 50

Instances: 40

Reserved instances (purchased per month): 40

Total storage for all DB instances: 100 TB

Manual snapshots: 50

Manual cluster snapshots: 50

Parameter groups: 50

Security groups: 25

Rules per security group: 20

Subnet groups: 20

Subnets per subnet group: 20

Option groups: 20

Event subscriptions: 20

Read replicas per master: 5

Naming Constraints in Amazon RDS

The following table describes naming constraints in Amazon RDS.

DB instance identifier

• Must contain from 1 to 63 alphanumeric characters or hyphens (1 to 15 for SQL Server).

• First character must be a letter.

• Cannot end with a hyphen or contain two consecutive hyphens.

• Must be unique for all DB instances per AWS account, per region.

Database name

Database name constraints differ for each database engine.

MySQL, Amazon Aurora, and MariaDB

• Must contain 1 to 64 alphanumeric characters.

• Cannot be a word reserved by the database engine.

PostgreSQL

• Must contain 1 to 63 alphanumeric characters.

• Must begin with a letter or an underscore. Subsequent characters can be letters, underscores, or digits (0-9).

• Cannot be a word reserved by the database engine.

Oracle

• Cannot be longer than 8 characters.

SQL Server

• Not applicable.

Master user name

Master user name constraints differ for each database engine.

MySQL and Amazon Aurora

• Must contain 1 to 16 alphanumeric characters.

• First character must be a letter.

• Cannot be a word reserved by the database engine.

Oracle

• Must contain 1 to 30 alphanumeric characters.

• First character must be a letter.

• Cannot be a word reserved by the database engine.

SQL Server

• Must contain 1 to 64 alphanumeric characters.

• First character must be a letter.

• Cannot be a word reserved by the database engine.

PostgreSQL

• Must contain 1 to 63 alphanumeric characters.

• First character must be a letter.

• Cannot be a word reserved by the database engine.

MariaDB

• Must contain 1 to 16 alphanumeric characters.

• Cannot be a word reserved by the database engine.

Master password

The password for the master database user can be any printable ASCII character except "/" (slash), """ (double quotation mark), or "@" (at sign). Master password constraints differ for each database engine.

MySQL, Amazon Aurora, and MariaDB

• Must contain 8 to 41 characters.

Oracle

• Must contain 8 to 30 characters.

SQL Server

• Must contain 8 to 128 characters.

PostgreSQL

• Must contain 8 to 128 characters.

DB parameter group name

• Must contain from 1 to 255 alphanumeric characters.

• First character must be a letter.

• Cannot end with a hyphen or contain two consecutive hyphens.
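A deployment script can reject bad identifiers, master user names, and master passwords before the API call fails on them. The following validator is an added example, not code from this guide: the length and character rules are the ones tabulated above, the engine keys (mysql, aurora, mariadb, postgres, oracle, sqlserver) are this example's own, and reserved-word checks take a caller-supplied set because the engines' word lists are not reproduced here.

```python
"""Pre-flight validation of RDS names against the constraints tabulated above.

Added example, not code from the AWS guide.  The length and character rules
are the ones in the table; reserved-word checks take a caller-supplied set
because the engines' word lists are not reproduced here.  The engine keys
(mysql, aurora, mariadb, postgres, oracle, sqlserver) are this example's own.
"""
import re

IDENT_MAX = {"sqlserver": 15}                         # every other engine: 63
USER_MAX = {"mysql": 16, "aurora": 16, "mariadb": 16,
            "oracle": 30, "sqlserver": 64, "postgres": 63}
PASSWORD_MAX = {"mysql": 41, "aurora": 41, "mariadb": 41,
                "oracle": 30, "sqlserver": 128, "postgres": 128}
PASSWORD_FORBIDDEN = set('/"@')
# Engines whose master user name must start with a letter; the table lists
# no such rule for MariaDB.
USER_FIRST_LETTER = {"mysql", "aurora", "oracle", "sqlserver", "postgres"}
ALNUM = re.compile(r"[A-Za-z0-9]+")


def check_instance_identifier(engine, ident):
    """Violated rules for a DB instance identifier ([] means valid).
    Uniqueness per account and region cannot be checked offline."""
    problems = []
    limit = IDENT_MAX.get(engine, 63)
    if not 1 <= len(ident) <= limit:
        problems.append(f"must contain 1 to {limit} characters")
    if not re.fullmatch(r"[A-Za-z0-9-]*", ident):
        problems.append("only alphanumeric characters and hyphens are allowed")
    if not ident[:1].isalpha():
        problems.append("first character must be a letter")
    if ident.endswith("-") or "--" in ident:
        problems.append("cannot end with a hyphen or contain two consecutive hyphens")
    return problems


def check_database_name(engine, name, reserved=frozenset()):
    """Violated rules for the initial database name ([] means valid)."""
    if engine == "sqlserver":
        return []                                      # table: not applicable
    if engine == "oracle":
        return [] if len(name) <= 8 else ["cannot be longer than 8 characters"]
    problems = []
    limit = 63 if engine == "postgres" else 64
    if not 1 <= len(name) <= limit:
        problems.append(f"must contain 1 to {limit} characters")
    if engine == "postgres":
        if not re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]*", name):
            problems.append("must begin with a letter or underscore, "
                            "followed by letters, underscores, or digits")
    elif not ALNUM.fullmatch(name):
        problems.append("only alphanumeric characters are allowed")
    if name.lower() in reserved:
        problems.append("cannot be a word reserved by the database engine")
    return problems


def check_master_username(engine, name, reserved=frozenset()):
    """Violated rules for the master user name ([] means valid)."""
    problems = []
    if not 1 <= len(name) <= USER_MAX[engine]:
        problems.append(f"must contain 1 to {USER_MAX[engine]} characters")
    if not ALNUM.fullmatch(name):
        problems.append("only alphanumeric characters are allowed")
    if engine in USER_FIRST_LETTER and not name[:1].isalpha():
        problems.append("first character must be a letter")
    if name.lower() in reserved:
        problems.append("cannot be a word reserved by the database engine")
    return problems


def check_master_password(engine, password):
    """Violated rules for the master password ([] means valid)."""
    problems = []
    if not 8 <= len(password) <= PASSWORD_MAX[engine]:
        problems.append(f"must contain 8 to {PASSWORD_MAX[engine]} characters")
    if any(not 32 <= ord(c) <= 126 for c in password):
        problems.append("only printable ASCII characters are allowed")
    if PASSWORD_FORBIDDEN & set(password):
        problems.append("must not contain a slash, double quote, or at sign")
    return problems


if __name__ == "__main__":
    # Constructed values; the reserved set is a stand-in, not an engine's list.
    print(check_instance_identifier("sqlserver", "prod-mysql-01-long"))
    print(check_master_username("postgres", "select", reserved={"select"}))
    print(check_master_password("mysql", "p@ssword1"))
```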

File Size Limits in Amazon RDS

Aurora File Size Limits in Amazon RDS

With Amazon Aurora, the table size limit is only constrained by the size of the Aurora cluster volume, which has a maximum of 64 terabytes (TB). As a result, the maximum table size for a table in an Aurora database is 64 TB.

MySQL File Size Limits in Amazon RDS

With MySQL, this file size limit constrains each table to a maximum size of 2 TB when using InnoDB file-per-table tablespaces. This limit also constrains the system tablespace to a maximum size of 2 TB.

InnoDB file-per-table tablespaces, where each table is stored in its own tablespace, are enabled by default in MySQL version 5.6.6 and later. You must enable InnoDB file-per-table tablespaces yourself for MySQL versions 5.1 and 5.5.

There are advantages and disadvantages to using InnoDB file-per-table tablespaces, depending on your application. To determine the best approach for your application, go to InnoDB File-Per-Table Mode in the MySQL documentation.

We don't recommend allowing tables to grow to 2 TB. In general, a better practice is to partition data into smaller tables, which can improve performance and recovery times.

One option that you can use for breaking a large table up into smaller tables is partitioning. Partitioning distributes portions of your large table into separate files based on rules that you specify. For example, if you store transactions by date, you can create partitioning rules that distribute older transactions into separate files using partitioning. Then periodically, you can archive the historical transaction data that doesn't need to be readily available to your application. For more information, go to https://dev.mysql.com/doc/refman/5.6/en/partitioning.html in the MySQL documentation.

To determine the file size of a table

Use the following SQL command to determine if any of your tables are too large and are candidates for partitioning.

SELECT TABLE_SCHEMA, TABLE_NAME,
    round(((DATA_LENGTH + INDEX_LENGTH) / 1024 / 1024), 2) AS "Approximate size (MB)"
FROM information_schema.TABLES
WHERE TABLE_SCHEMA NOT IN ('mysql', 'information_schema', 'performance_schema');

• To enable InnoDB file-per-table tablespaces, set the innodb_file_per_table parameter to 1 in the parameter group for the DB instance.


To disable InnoDB file-per-table tablespaces

• To disable InnoDB file-per-table tablespaces, set the innodb_file_per_table parameter to 0 in the parameter group for the DB instance.

For information on updating a parameter group, see Working with DB Parameter Groups (p. 724).

When you have enabled or disabled InnoDB file-per-table tablespaces, you can issue an ALTER TABLE command to move a table from the global tablespace to its own tablespace, or from its own tablespace to the global tablespace, as shown in the following example:

ALTER TABLE table_name ENGINE=InnoDB, ALGORITHM=COPY;


MySQL on Amazon RDS

Amazon RDS supports DB instances running several versions of MySQL. You first use the Amazon RDS management tools or interfaces to create an Amazon RDS MySQL DB instance. You can then use the Amazon RDS tools to perform management actions for the DB instance, such as reconfiguring or resizing the DB instance, authorizing connections to the DB instance, creating and restoring from backups or snapshots, creating Multi-AZ secondaries, creating Read Replicas, and monitoring the performance of the DB instance. You use standard MySQL utilities and applications to store and access the data in the DB instance.

These are the common management tasks you perform with an Amazon RDS MySQL DB instance, with links to information about each task:

• For planning information, such as MySQL versions, storage engines, security, and features supported in Amazon RDS, see MySQL on Amazon RDS Planning Information (p. 176).

• Before creating a DB instance, you should complete the steps in the Setting Up for Amazon RDS (p. 7) section of this guide.

• You can create an Amazon RDS MySQL DB instance after you have met prerequisites, such as creating security groups, DB parameter groups, or DB option groups. For information, see Creating a DB Instance Running the MySQL Database Engine (p. 188).

• After creating the security group and DB instance, you can connect to the DB instance from MySQL applications and utilities. For information, see Connecting to a DB Instance Running the MySQL Database Engine (p. 197).

• A newly created Amazon RDS DB instance has one empty database with the name you specified when you created the DB instance, and one master user account with the name and password you specified. You must use a MySQL tool or utility to log in as the master user, and then use MySQL commands and SQL statements to add all of the users and elements required for your applications to store and retrieve data in the DB instance, such as:

  • Create all user IDs and grant them the appropriate permissions. For information, go to MySQL User Account Management in the MySQL documentation.

  • Create any required databases and objects such as tables and views. For information, go to Data Definition Statements in the MySQL documentation.

  • Establish procedures for importing or exporting data. For information on some recommended procedures, see Importing and Exporting Data From a MySQL DB Instance (p. 205).

• You might need to periodically change your DB instance, such as to resize or reconfigure the DB instance. For information, see Modifying a DB Instance Running the MySQL Database Engine (p. 200).

For additional information on specific tasks, see:

Renaming a DB Instance (p. 633)

Deleting a DB Instance (p. 635)

Rebooting a DB Instance (p. 639)

Tagging Amazon RDS Resources (p. 664)

DB Instance Upgrades and Maintenance (p. 613)

Adjusting the Preferred Maintenance Window (p. 616)

• You can configure your DB instance to take automated backups, or take manual snapshots, and then restore instances from the backups or snapshots. For information, see Backing Up and Restoring (p. 673).

• You can monitor an instance through actions such as viewing the MySQL logs, CloudWatch Amazon RDS metrics, and events. For information, see Monitoring Amazon RDS (p. 766).

• You can offload read traffic from your primary MySQL DB instance by creating Read Replicas. For information, see Working with PostgreSQL, MySQL, and MariaDB Read Replicas (p. 649).

• There are several Amazon RDS features you can use with MySQL DB instances that are common across the Amazon RDS database engines. For information, see:

Working with Reserved DB Instances (p. 754)

Amazon RDS Provisioned IOPS Storage to Improve Performance (p. 125)

There are also several appendices with useful information about working with Amazon RDS MySQL DB instances:

Appendix: Common DBA Tasks for MySQL (p. 233)

Appendix: Options for MySQL Database Engine (p. 237)

Appendix: MySQL on Amazon RDS SQL Reference (p. 243)

MySQL on Amazon RDS Planning Information

Topics

MySQL on Amazon RDS Versions (p. 176)

Amazon RDS Supported Storage Engines (p. 178)

Amazon RDS and MySQL Security (p. 179)

Local Time Zone for MySQL DB Instances (p. 180)

InnoDB Cache Warming (p. 182)

MySQL Features Not Supported By Amazon RDS (p. 183)

Known Issues and Limitations (p. 183)

MySQL on Amazon RDS Versions

Amazon RDS currently supports MySQL versions 5.7, 5.6, 5.5, and 5.1. Over time, we plan to support additional MySQL versions for Amazon RDS. The number of new version releases supported in a given year will vary based on the frequency and content of the MySQL version releases and the outcome of a thorough vetting of the release by our database engineering team. However, as general guidance, we aim to support new MySQL versions within 3 to 5 months of their General Availability release.

MySQL version numbers are organized as version = X.Y.Z. In Amazon RDS terminology, X.Y denotes the major version, and Z is the minor version number. For Amazon RDS implementations, a version change is considered major if the major version number changes, for example, going from version 5.1.71 to 5.5.33. A version change is considered minor if only the minor version number changes, for example, going from version 5.5.31 to 5.5.33.


You can specify any currently supported MySQL version when creating a new DB instance. You can specify the MySQL 5.7, 5.6, 5.5, or 5.1 major versions, and any supported minor version for the specified major version. If no version is specified, Amazon RDS will default to a supported version, typically the most recent version. If a major version (for example, MySQL 5.7) is specified but a minor version is not, Amazon RDS will default to a recent release of the major version you have specified. To see a list of supported versions, as well as defaults for newly created DB instances, use the DescribeDBEngineVersions API action.

With Amazon RDS, you control when to upgrade your MySQL instance to a new version supported by Amazon RDS. You can maintain compatibility with specific MySQL versions, test new versions with your application before deploying in production, and perform version upgrades at times that best fit your schedule.

Unless you specify otherwise, your DB instance will automatically be upgraded to new MySQL minor versions as they are supported by Amazon RDS. This patching will occur during your scheduled maintenance window, and it will be announced on the Amazon RDS Community Forum in advance. To turn off automatic version upgrades, set the AutoMinorVersionUpgrade parameter to “false.”

If you opt out of automatically scheduled upgrades, you can manually upgrade to a supported minor version release by following the same procedure as you would for a major version update. For information, see DB Instance Upgrades and Maintenance (p. 613).

Amazon RDS currently supports the major version upgrades from MySQL version 5.5 to version 5.6 and MySQL version 5.6 to version 5.7. Because major version upgrades involve some compatibility risk, they do not occur automatically; you must make a request to modify the DB instance. You should thoroughly test any upgrade before upgrading your production instances. For information about upgrading a DB instance, see DB Instance Upgrades and Maintenance (p. 613).

You can test a DB instance against a new version before upgrading by creating a DB snapshot of your existing DB instance, restoring from the DB snapshot to create a new DB instance, and then initiating a version upgrade for the new DB instance. You can then experiment safely on the upgraded clone of your DB instance before deciding whether or not to upgrade your original DB instance.

The Amazon RDS deprecation policy for MySQL includes the following:

• We intend to support major MySQL version releases, including MySQL 5.5, for 3 years after they are initially supported by Amazon RDS.

• We intend to support minor MySQL version releases (for example, MySQL 5.5.46) for at least 1 year after they are initially supported by Amazon RDS.

• After a MySQL major or minor version has been “deprecated,” we expect to provide a three month grace period for you to initiate an upgrade to a supported version prior to an automatic upgrade being applied during your scheduled maintenance window.

MySQL 5.1 Deprecation

On August 24, 2016, Amazon RDS is retiring support for MySQL version 5.1. In December 2013, MySQL Community Edition 5.1 was moved to sustaining support with no new software or security fixes or updates. To provide the best experience for AWS customers, we are retiring version 5.1.

We recommend that before July 29, 2016, you upgrade any DB instances that are running MySQL version 5.1 to one of the supported MySQL versions. Amazon RDS supports MySQL versions 5.5, 5.6, and 5.7.

You might want to create a DB instance running a supported version of the MySQL database engine and test your application with that DB instance before upgrading your DB instance running MySQL version 5.1.


To create a test version of your DB instance running a newer version of MySQL

1. Take a snapshot of your MySQL 5.1 DB instance. For more information, see Creating a DB Snapshot (p. 678).

2. Restore the snapshot to a new DB instance. For more information, see Restoring From a DB Snapshot (p. 680).

3. Upgrade the new DB instance to a supported version of MySQL. For more information, see Upgrading the MySQL DB Engine (p. 622).

You can review the release notes for each supported version of MySQL at the following sites:

• MySQL 5.5 Release Notes

• MySQL 5.6 Release Notes

• MySQL 5.7 Release Notes

If you want to upgrade your DB instance to MySQL version 5.6, you must first upgrade your DB instance to MySQL version 5.5, and then upgrade the DB instance to MySQL version 5.6. If you want to upgrade your DB instance to MySQL version 5.7, you must first upgrade your DB instance to MySQL version 5.5, and then upgrade to version 5.6, and then upgrade to version 5.7.

For information and instructions on upgrading a DB instance to a new version of MySQL, see Upgrading the MySQL DB Engine (p. 622).

Amazon RDS will retire MySQL version 5.1 support according to the following schedule:

• After July 29, 2016, you will no longer be able to create DB instances that use MySQL version 5.1. Also, if you restore a DB instance from a MySQL version 5.1 snapshot, the restored DB instance will be immediately upgraded to a version 5.5 instance. We recommend that you delete database snapshots that you no longer need.

• Beginning on August 15, 2016, MySQL DB instances running version 5.1 will automatically be scheduled for an upgrade to version 5.5 during the next maintenance window.

• On August 24, 2016, any DB instance running MySQL version 5.1 will be immediately upgraded to version 5.5.

Using the memcached Option with MySQL

Most Amazon RDS DB engines support option groups that allow you to select additional features for your DB instance. DB instances on MySQL version 5.6 and later support the memcached option, a simple, key-based cache. For more information about the memcached option, see Appendix: Options for MySQL Database Engine (p. 237). For more information about working with option groups, see Working with Option Groups (p. 702).

Amazon RDS Supported Storage Engines

While MySQL supports multiple storage engines with varying capabilities, not all of them are optimized for recovery and data durability. Amazon RDS fully supports the InnoDB storage engine for MySQL DB instances. Amazon RDS features such as Point-In-Time restore and snapshot restore require a recoverable storage engine and are supported for the InnoDB storage engine only. You must be running an instance of MySQL 5.6 or later to use the InnoDB memcached interface. For more information, see MySQL memcached Support (p. 237).

The Federated Storage Engine is currently not supported by Amazon RDS for MySQL.


The MyISAM storage engine does not support reliable recovery and can result in lost or corrupt data when MySQL is restarted after a recovery, preventing Point-In-Time restore or snapshot restore from working as intended. However, if you still choose to use MyISAM with Amazon RDS, snapshots can be helpful under some conditions. For more information on MyISAM restrictions, see Automated Backups with Unsupported MySQL Storage Engines (p. 117).

If you want to convert existing MyISAM tables to InnoDB tables, you can use the alter table command (for example, alter table TABLE_NAME engine=innodb;). Bear in mind that MyISAM and InnoDB have different strengths and weaknesses, so you should fully evaluate the impact of making this switch on your applications before doing so.

Amazon RDS and MySQL Security

Security for Amazon RDS MySQL DB instances is managed at three levels:

• AWS Identity and Access Management controls who can perform Amazon RDS management actions on DB instances. When you connect to AWS using IAM credentials, your IAM account must have IAM policies that grant the permissions required to perform Amazon RDS management operations. For more information, see Authentication and Access Control for Amazon RDS (p. 131).

• When you create a DB instance, you use either a VPC security group or a DB security group to control which devices and Amazon EC2 instances can open connections to the endpoint and port of the DB instance. These connections can be made using SSL. In addition, firewall rules at your company can control whether devices running at your company can open connections to the DB instance.

• Once a connection has been opened to a MySQL DB instance, authentication of the login and permissions are applied the same way as in a stand-alone instance of MySQL. Commands such as CREATE USER, RENAME USER, GRANT, REVOKE, and SET PASSWORD work just as they do in stand-alone databases, as does directly modifying database schema tables. For information, go to MySQL User Account Management in the MySQL documentation.

When you create an Amazon RDS DB instance, the master user has the following default privileges:

• alter

• alter routine

• create

• create routine

• create temporary tables

• create user

• create view

• delete

• drop

• event

• execute

• grant option

• index

• insert

• lock tables

• process

• references

• replication client

• replication slave (MySQL 5.6 and later)

• select


• show databases

• show view

• trigger

• update

Note
Although it is possible to delete the master user on the DB instance, it is not recommended. To recreate the master user, use the ModifyDBInstance RDS API action or the modify-db-instance AWS CLI command and specify a new master user password with the appropriate parameter. If the master user does not exist in the instance, the master user will be created with the specified password.

To provide management services for each DB instance, the rdsadmin user is created when the DB instance is created. Attempting to drop, rename, change the password, or change privileges for the rdsadmin account will result in an error.

To allow management of the DB instance, the standard kill and kill_query commands have been restricted. The Amazon RDS commands rds_kill and rds_kill_query are provided to allow you to terminate user sessions or queries on DB instances.

Using SSL with a MySQL DB Instance

Amazon RDS supports SSL connections with DB instances running the MySQL database engine.

Note
Amazon Aurora is compatible with MySQL. However, you use a different SSL certificate to connect to an Amazon Aurora DB cluster. For information on connecting to Amazon Aurora using SSL, see Securing Aurora Data with SSL (p. 500).

Amazon RDS creates an SSL certificate and installs the certificate on the DB instance when Amazon RDS provisions the instance. These certificates are signed by a certificate authority. The SSL certificate includes the DB instance endpoint as the Common Name (CN) for the SSL certificate to guard against spoofing attacks. The public key (the CA certificate bundle) is stored at http://s3.amazonaws.com/rds-downloads/rds-combined-ca-bundle.pem.

To encrypt connections using the default mysql client, launch the mysql client using the --ssl-ca parameter to reference the public key, together with the --ssl-verify-server-cert parameter so that the client also checks that the certificate's CN matches the endpoint you connected to, for example:

mysql -h myinstance.c9akciq32.rds-us-east-1.amazonaws.com --ssl-ca=[full path]rds-combined-ca-bundle.pem --ssl-verify-server-cert

You can use the GRANT statement to require SSL connections for specific user accounts. For example, you can use the following statement to require SSL connections on the user account encrypted_user:

GRANT USAGE ON *.* TO 'encrypted_user'@'%' REQUIRE SSL

Note
For more information on SSL connections with MySQL, go to the MySQL documentation.
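The name check that --ssl-verify-server-cert performs, as an added Python example (not code from the guide or from Amazon RDS): a certificate that chains to the right CA but was issued for a different instance endpoint must be rejected. The certificate dictionaries and endpoint names are constructed; rds_ssl_context assumes the CA bundle above has already been downloaded to the given path.

```python
"""Check that a MySQL server certificate was issued for the RDS endpoint
we intended to reach.

Added example; not code from the Amazon RDS User Guide. It mirrors the check
the mysql client performs when --ssl-verify-server-cert is given: the server
certificate's Common Name must equal the DB instance endpoint. Certificates
are represented in the dictionary shape returned by ssl.SSLSocket.getpeercert().
All certificate contents and endpoint names below are constructed.
"""
import ssl
from typing import Any, Dict, List


def rds_ssl_context(ca_bundle_path: str) -> ssl.SSLContext:
    """Equivalent of --ssl-ca plus --ssl-verify-server-cert for Python clients.

    Assumes rds-combined-ca-bundle.pem has already been downloaded to
    ca_bundle_path. The context rejects any chain not rooted in that bundle
    and, with check_hostname on, any certificate whose name is not the host
    we connect to.
    """
    ctx = ssl.create_default_context(cafile=ca_bundle_path)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def _subject_common_names(cert: Dict[str, Any]) -> List[str]:
    """Every commonName attribute in the certificate subject."""
    names: List[str] = []
    for rdn in cert.get("subject", ()):
        for attr_type, value in rdn:
            if attr_type == "commonName":
                names.append(value)
    return names


def _dns_sans(cert: Dict[str, Any]) -> List[str]:
    """DNS entries from subjectAltName, if the certificate carries any."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def cert_matches_endpoint(cert: Dict[str, Any], endpoint: str) -> bool:
    """Return True only if the certificate names the endpoint exactly.

    Comparison is case-insensitive (DNS names are) and ignores a trailing dot.
    Wildcards are deliberately not honoured: an RDS instance certificate
    carries the full endpoint as its CN, so a wildcard or any other name means
    the peer is not the instance we asked for, even if the CA is the right one.
    When subjectAltName DNS entries exist they take precedence over the CN.
    """
    if not cert:
        # getpeercert() returns {} when the peer was not validated against
        # a CA, so an empty dictionary must fail, not pass, this check.
        return False
    wanted = endpoint.rstrip(".").lower()
    if not wanted:
        return False
    candidates = _dns_sans(cert) or _subject_common_names(cert)
    return any(name.lower() == wanted for name in candidates)


def demo() -> Dict[str, bool]:
    """Exercise the check with constructed certificates for the guide's example endpoint."""
    endpoint = "myinstance.c9akciq32.rds-us-east-1.amazonaws.com"
    expected = {"subject": ((("commonName", endpoint),),)}
    # Same CA, valid certificate, but for some other instance: must be rejected.
    other = {"subject": ((("commonName", "other.c9akciq32.rds-us-east-1.amazonaws.com"),),)}
    wildcard = {"subject": ((("commonName", "*.c9akciq32.rds-us-east-1.amazonaws.com"),),)}
    return {
        "expected_instance": cert_matches_endpoint(expected, endpoint),
        "other_instance": cert_matches_endpoint(other, endpoint),
        "wildcard": cert_matches_endpoint(wildcard, endpoint),
        "case_and_dot": cert_matches_endpoint(expected, endpoint.upper() + "."),
        "unverified_peer": cert_matches_endpoint({}, endpoint),
    }
```

Passing --ssl-ca without --ssl-verify-server-cert only proves the certificate came from the CA, not that it belongs to the instance you asked for; both checks together are what defeats the spoofing the guide mentions.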

Local Time Zone for MySQL DB Instances

By default, the time zone for an RDS MySQL DB instance is Universal Time Coordinated (UTC). You can set the time zone for your DB instance to the local time zone for your application instead.


To set the local time zone for a DB instance, set the time_zone parameter in the parameter group for your DB instance to one of the supported values listed later in this section. When you set the time_zone parameter for a parameter group, all DB instances and Read Replicas that are using that parameter group change to use the new local time zone. For information on setting parameters in a parameter group, see Working with DB Parameter Groups (p. 724).

After you set the local time zone, all new connections to the database reflect the change. If you have any open connections to your database when you change the local time zone, you won't see the local time zone update until after you close the connection and open a new connection.

You can set a different local time zone for a DB instance and one or more of its Read Replicas. To do this, use a different parameter group for the DB instance and the replica or replicas and set the time_zone parameter in each parameter group to a different local time zone.

If you are replicating across regions, then the replication master DB instance and the Read Replica use different parameter groups (parameter groups are unique to a region). To use the same local time zone for each instance, you must set the time_zone parameter in both the DB instance's and the Read Replica's parameter groups.

When you restore a DB instance from a DB snapshot, the local time zone is set to UTC. You can update the time zone to your local time zone after the restore is complete. If you restore a DB instance to a point in time, then the local time zone for the restored DB instance is the time zone setting from the parameter group of the restored DB instance.

Local time zone is supported for MySQL versions 5.5, 5.6, and 5.7 only.

You can set your local time zone to one of the following values.

Africa/Cairo
Africa/Casablanca
Africa/Harare
Africa/Monrovia
Africa/Nairobi
Africa/Tripoli
Africa/Windhoek
America/Araguaina
America/Asuncion
America/Bogota
America/Caracas
America/Chihuahua
America/Cuiaba
America/Denver
America/Fortaleza
America/Guatemala
America/Halifax
America/Manaus
America/Matamoros
America/Monterrey
America/Montevideo
America/Phoenix
America/Santiago
America/Tijuana
Asia/Amman
Asia/Ashgabat
Asia/Baghdad
Asia/Baku
Asia/Bangkok
Asia/Beirut
Asia/Calcutta
Asia/Damascus
Asia/Dhaka
Asia/Irkutsk
Asia/Jerusalem
Asia/Kabul
Asia/Karachi
Asia/Kathmandu
Asia/Krasnoyarsk
Asia/Magadan
Asia/Muscat
Asia/Novosibirsk
Asia/Riyadh
Asia/Seoul
Asia/Shanghai
Asia/Singapore
Asia/Taipei
Asia/Tehran
Asia/Tokyo
Asia/Ulaanbaatar
Asia/Vladivostok
Asia/Yakutsk
Asia/Yerevan
Atlantic/Azores
Australia/Adelaide
Australia/Brisbane
Australia/Darwin
Australia/Hobart
Australia/Perth
Australia/Sydney
Brazil/East
Canada/Newfoundland
Canada/Saskatchewan
Europe/Amsterdam
Europe/Athens
Europe/Dublin
Europe/Helsinki
Europe/Istanbul
Europe/Kaliningrad
Europe/Moscow
Europe/Paris
Europe/Prague
Europe/Sarajevo
Pacific/Auckland
Pacific/Fiji
Pacific/Guam
Pacific/Honolulu
Pacific/Samoa
US/Alaska
US/Central
US/Eastern
US/East-Indiana
US/Pacific
UTC

InnoDB Cache Warming

InnoDB cache warming can provide performance gains for your MySQL DB instance by saving the current state of the buffer pool when the DB instance is shut down, and then reloading the buffer pool from the saved information when the DB instance starts up. This bypasses the need for the buffer pool to "warm up" from normal database use and instead preloads the buffer pool with the pages for known common queries. The file that stores the saved buffer pool information only stores metadata for the pages that are in the buffer pool, and not the pages themselves. As a result, the file does not require much storage space. The file size is about 0.2 percent of the cache size. For example, for a 64 GB cache, the cache warming file size is 128 MB. For more information on InnoDB cache warming, go to Preloading the InnoDB Buffer Pool for Faster Restart in the MySQL documentation.

MySQL on Amazon RDS supports InnoDB cache warming for MySQL version 5.6 and later. To enable InnoDB cache warming, set the innodb_buffer_pool_dump_at_shutdown and innodb_buffer_pool_load_at_startup parameters to 1 in the parameter group for your DB instance.

Changing these parameter values in a parameter group will affect all MySQL DB instances that use that parameter group. To enable InnoDB cache warming for specific MySQL DB instances, you might need to create a new parameter group for those instances. For information on parameter groups, see Working with DB Parameter Groups (p. 724).

InnoDB cache warming primarily provides a performance benefit for DB instances that use standard storage. If you use PIOPS storage, you do not commonly see a significant performance benefit.

Important

If your MySQL DB instance does not shut down normally, such as during a failover, then the buffer pool state will not be saved to disk. In this case, MySQL loads whatever buffer pool file is available when the DB instance is restarted. No harm is done, but the restored buffer pool might not reflect the most recent state of the buffer pool prior to the restart. To ensure that you have a recent state of the buffer pool available to warm the InnoDB cache on startup, we recommend that you periodically dump the buffer pool "on demand." You can dump or load the buffer pool on demand if your DB instance is running MySQL version 5.6.19 or later.

You can create an event to dump the buffer pool automatically and on a regular interval. For example, the following statement creates an event named periodic_buffer_pool_dump that dumps the buffer pool every hour.


CREATE EVENT periodic_buffer_pool_dump
ON SCHEDULE EVERY 1 HOUR
DO CALL mysql.rds_innodb_buffer_pool_dump_now();

For more information on MySQL events, see Event Syntax in the MySQL documentation.

Dumping and Loading the Buffer Pool on Demand

For MySQL version 5.6.19 and later, you can save and load the InnoDB cache "on demand."

• To dump the current state of the buffer pool to disk, call the mysql.rds_innodb_buffer_pool_dump_now (p. 250) stored procedure.

• To load the saved state of the buffer pool from disk, call the mysql.rds_innodb_buffer_pool_load_now (p. 251) stored procedure.

• To cancel a load operation in progress, call the mysql.rds_innodb_buffer_pool_load_abort (p. 251) stored procedure.

MySQL Features Not Supported By Amazon RDS

Amazon RDS currently does not support the following MySQL features:

• Global Transaction IDs

• Transportable Table Space

• Authentication Plugin

• Password Strength Plugin

• Replication Filters

• Semi-synchronous Replication

In order to deliver a managed service experience, Amazon RDS does not provide shell access to DB instances, and it restricts access to certain system procedures and tables that require advanced privileges.

Amazon RDS supports access to databases on a DB instance using any standard SQL client application.

Amazon RDS does not allow direct host access to a DB instance via Telnet, Secure Shell (SSH), or Windows Remote Desktop Connection. When you create a DB instance, you are assigned to the db_owner role for all databases on that instance, and you will have all database-level permissions except for those used for backups (Amazon RDS manages backups for you).

Known Issues and Limitations

Known issues and limitations are as follows.

Inconsistent InnoDB Buffer Pool Size

For MySQL 5.7, there is currently a bug in the way that the InnoDB buffer pool size is managed. MySQL 5.7 might adjust the value of the innodb_buffer_pool_size parameter to a large value that can result in the InnoDB buffer pool growing too large and using up too much memory. This effect can cause the MySQL database engine to stop running or can prevent the MySQL database engine from starting. This issue is more common for DB instance classes that have less memory available.

To resolve this issue, set the value of the innodb_buffer_pool_size parameter to a multiple of the product of the innodb_buffer_pool_instances parameter value and the innodb_buffer_pool_chunk_size parameter value. For example, you might set the innodb_buffer_pool_size parameter value to eight times the product of the innodb_buffer_pool_instances and innodb_buffer_pool_chunk_size parameter values, as shown in the following example.

innodb_buffer_pool_chunk_size = 536870912
innodb_buffer_pool_instances = 4
innodb_buffer_pool_size = (536870912 * 4) * 8 = 17179869184

For details on this MySQL 5.7 bug, go to https://bugs.mysql.com/bug.php?id=79379 in the MySQL bug database.
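Added Python helpers (not from the guide) that make the alignment rule above explicit: they compute the size MySQL 5.7 would actually allocate for a requested innodb_buffer_pool_size, and pick the largest aligned size that stays inside a memory budget instead of letting the engine round up. The chunk size and instance count are the guide's example values; the memory budgets are constructed.

```python
"""Pick an innodb_buffer_pool_size that MySQL 5.7 accepts without enlarging it.

Added example; not code from the Amazon RDS User Guide. MySQL 5.7 sizes the
buffer pool in units of innodb_buffer_pool_chunk_size * innodb_buffer_pool_instances
and rounds a requested size up to the next unit, which is how an instance can
end up with a pool larger than its memory. These helpers expose that rounding
and choose a size that rounds down against a budget instead. The budget figures
used in demo() are constructed; chunk size and instance count are the guide's.
"""
from typing import Dict, Optional

GIB = 1024 ** 3


def pool_unit(chunk_size: int, instances: int) -> int:
    """Allocation granularity MySQL applies: chunk size times instance count."""
    if chunk_size <= 0 or instances <= 0:
        raise ValueError("chunk size and instance count must be positive")
    return chunk_size * instances


def is_aligned(pool_size: int, chunk_size: int, instances: int) -> bool:
    """True when MySQL would use pool_size as given, without rounding it up."""
    return pool_size > 0 and pool_size % pool_unit(chunk_size, instances) == 0


def effective_pool_size(requested: int, chunk_size: int, instances: int) -> int:
    """Size MySQL 5.7 actually allocates for a requested value (rounded up)."""
    unit = pool_unit(chunk_size, instances)
    return -(-requested // unit) * unit  # ceiling division in integers


def safe_pool_size(requested: int, chunk_size: int, instances: int,
                   memory_budget: int) -> Optional[int]:
    """Largest aligned size that is at most requested and at most memory_budget.

    Rounding down avoids the oversized pool the guide warns about. Returns None
    when not even one unit fits the budget, which means chunk_size or
    instances must be reduced for this DB instance class.
    """
    unit = pool_unit(chunk_size, instances)
    aligned = (min(requested, memory_budget) // unit) * unit
    return aligned or None


def demo() -> Dict[str, Optional[int]]:
    """Apply the helpers to the guide's example: 512 MiB chunks, 4 instances."""
    chunk, instances = 536870912, 4
    budget = 15 * GIB  # constructed memory budget for the pool on this class
    return {
        # The guide's 16 GiB value is exactly 8 units and is accepted as-is.
        "guide_value_aligned": int(is_aligned(17179869184, chunk, instances)),
        # Asking for 15 GiB (7.5 units) silently becomes 16 GiB.
        "requested_15gib_becomes": effective_pool_size(15 * GIB, chunk, instances),
        # Rounding down gives 14 GiB, which the budget can hold.
        "safe_15gib": safe_pool_size(15 * GIB, chunk, instances, budget),
        # A 1 GiB budget cannot hold a single 2 GiB unit: reconfigure instead.
        "small_class": safe_pool_size(1 * GIB, chunk, instances, 1 * GIB),
    }
```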

Memcached Recommended MySQL Version

We recommend that you only use the memcached interface with MySQL version 5.6.21b or later. We do so because there are a number of bug fixes related to the memcached interface that are included in the MySQL engine starting with version 5.6.21b. For more information, go to Changes in MySQL 5.6.20 (2014-07-31) and Changes in MySQL 5.6.21 (2014-09-23) in the MySQL documentation.

For more information on using memcached with MySQL on Amazon RDS, see MySQL memcached Support (p. 237).

MySQL Version 5.5.40 Asynchronous I/O Is Disabled

You might observe reduced I/O performance if you have a MySQL DB instance that was created before April 23, 2014, and then upgraded to MySQL version 5.5.40 after October 17, 2014. This reduced performance can be caused by an error that disables the innodb_use_native_aio parameter even if the corresponding DB parameter group enables the innodb_use_native_aio parameter.

To resolve this error, we recommend that you upgrade your MySQL DB instance running version 5.5.40 to version 5.5.40a, which corrects this behavior. For information on minor version upgrades, see Upgrading the MySQL DB Engine (p. 622).

For more information on MySQL asynchronous I/O, go to Asynchronous I/O on Linux in the MySQL documentation.

Index Merge Optimization Returns Wrong Results

Queries that use index merge optimization might return wrong results due to a bug in the MySQL query optimizer that was introduced in MySQL 5.5.37. When you issue a query against a table with multiple indexes, the optimizer scans ranges of rows based on the multiple indexes, but does not merge the results together correctly. For more information on the query optimizer bug, go to http://bugs.mysql.com/bug.php?id=72745 and http://bugs.mysql.com/bug.php?id=68194 in the MySQL bug database.

For example, consider a query on a table with two indexes where the search arguments reference the indexed columns.

SELECT * FROM table1
WHERE indexed_col1 = 'value1' AND indexed_col2 = 'value2';

In this case, the search engine will search both indexes. However, due to the bug, the merged results will be incorrect.

To resolve this issue, you can do one of the following:


• Set the optimizer_switch parameter to index_merge=off in the DB parameter group for your MySQL DB instance. For information on setting DB parameter group parameters, see Working with DB Parameter Groups (p. 724).

• Upgrade your MySQL DB instance to MySQL version 5.6.19a. For information on major version upgrades, see DB Instance Upgrades and Maintenance (p. 613).

• If you cannot upgrade your instance or change the optimizer_switch parameter, you can work around the bug by explicitly identifying an index for the query (MySQL's index hint syntax requires the index name in parentheses), for example:

SELECT * FROM table1
USE INDEX (covering_index)
WHERE indexed_col1 = 'value1' AND indexed_col2 = 'value2';

For more information, go to Index Merge Optimization.

Replication Fails After Upgrading to MySQL Version 5.6.21

If you have a DB instance that runs a version prior to version 5.6.4, or if the DB instance was upgraded from a version prior to version 5.6.4, you can receive the following error if you have a Read Replica that runs MySQL version 5.6.21.

mysqld got signal 11 ;

This could be because you hit a bug. It is also possible that this binary or one of the libraries it was linked against is corrupt, improperly built, or misconfigured. This error can also be caused by malfunctioning hardware.

We will try our best to scrape up some info that will hopefully help diagnose the problem, but since we have already crashed, something is definitely wrong and this may fail.

MySQL version 5.6.4 introduced a new date and time format for datetime, time, and timestamp columns that allows fractional components in date and time values. The error is caused by a mismatch in date and time formats between the master and the replica, and results in a failure when row-based logging attempts to replay an operation from the master DB instance to the replica DB instance. You might also see a number of related row-based logging messages in your MySQL error log, for example: Relay_log_info, Rows_log_event, and so on. For information on the new date and time format for MySQL, go to Upgrading from MySQL 5.5 to 5.6 in the MySQL documentation.
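An added Python triage routine (not from the guide) that splits a MySQL error log into crash blocks and flags those where signal 11 coincides with the Relay_log_info and Rows_log_event applier symbols named above, so a replica crash can be matched to this known issue rather than investigated from scratch. Apart from the "mysqld got signal 11 ;" line quoted in the guide, the log excerpt is constructed; real stack frames will differ.

```python
"""Triage MySQL error-log crash blocks for the replication failure above
(master with pre-5.6.4 date/time columns, Read Replica on 5.6.21).

Added example; not code from the Amazon RDS User Guide. Only the line
"mysqld got signal 11 ;" and the symbol names Relay_log_info and Rows_log_event
come from the guide; every other line in SAMPLE_ERROR_LOG is constructed, and
a real error log will print different stack frames.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

SIGNAL_RE = re.compile(r"mysqld got signal (\d+)")
RESTART_MARKER = "ready for connections"
# Row-based applier symbols the guide says accompany this crash.
REPLICATION_MARKERS = ("Relay_log_info", "Rows_log_event")

# Constructed error-log excerpt: one replication crash, then an unrelated one.
SAMPLE_ERROR_LOG = """\
2016-03-01 10:00:00 0 [Note] mysqld: ready for connections.
2016-03-01 10:05:12 0 [Note] Slave SQL thread initialized, starting replication
10:05:13 UTC - mysqld got signal 11 ;
This could be because you hit a bug. It is also possible that this binary
or one of the libraries it was linked against is corrupt, improperly built,
or misconfigured. This error can also be caused by malfunctioning hardware.
stack_bottom = 0 thread_stack 0x40000
mysqld(Rows_log_event::do_apply_event(Relay_log_info const*)+0x1a2)
mysqld(apply_event_and_update_pos(Log_event**, THD*, Relay_log_info*)+0x1f0)
2016-03-01 10:06:00 0 [Note] mysqld: ready for connections.
02:00:01 UTC - mysqld got signal 6 ;
stack_bottom = 0 thread_stack 0x40000
mysqld(handle_fatal_signal+0x3d5)
""".splitlines()


@dataclass
class CrashBlock:
    signal: int
    lines: List[str] = field(default_factory=list)

    def replication_markers(self) -> List[str]:
        """Replication-applier symbols present anywhere in this crash block."""
        text = "\n".join(self.lines)
        return [m for m in REPLICATION_MARKERS if m in text]

    def looks_like_row_format_mismatch(self) -> bool:
        """Signal 11 raised while the row-based applier was on the stack."""
        return self.signal == 11 and bool(self.replication_markers())


def split_crash_blocks(log_lines: List[str]) -> List[CrashBlock]:
    """Group lines into one block per 'mysqld got signal' marker.

    A block ends at the next crash marker or at the server's restart message;
    lines before the first marker belong to no crash and are skipped.
    """
    blocks: List[CrashBlock] = []
    current: Optional[CrashBlock] = None
    for line in log_lines:
        match = SIGNAL_RE.search(line)
        if match:
            current = CrashBlock(signal=int(match.group(1)))
            blocks.append(current)
        elif current is not None and RESTART_MARKER in line:
            current = None  # server came back up; the crash block is complete
        if current is not None:
            current.lines.append(line)
    return blocks


def triage(log_lines: List[str]) -> List[str]:
    """One finding per crash block, naming the guide's remediation when it applies."""
    findings = []
    for block in split_crash_blocks(log_lines):
        if block.looks_like_row_format_mismatch():
            findings.append(
                "signal %d with %s on the stack: consistent with the pre-5.6.4 "
                "date/time format mismatch; upgrade the Read Replica to 5.6.23 or "
                "later, or upgrade the master to 5.6.12 or later and run "
                "ALTER TABLE ... FORCE on the affected tables"
                % (block.signal, " and ".join(block.replication_markers()))
            )
        else:
            findings.append(
                "signal %d without replication applier frames: not this issue, "
                "investigate separately" % block.signal
            )
    return findings
```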

To resolve the error, you can do either of the following:

• Upgrade your Read Replica to MySQL version 5.6.23 or later. For information on upgrading a MySQL DB instance on Amazon RDS to version 5.6, see Upgrading Database Versions for a DB Instance (p. 621).

• Upgrade your master DB instance to MySQL version 5.6.12 or later and update the format of the affected date and time columns. For information on upgrading a MySQL DB instance on Amazon RDS to version 5.6, see Upgrading Database Versions for a DB Instance (p. 621).

To upgrade your date and time columns to the new format on your master DB instance, you must issue the ALTER TABLE <table_name> FORCE; command.

Note

Because altering a table locks the table as read-only, we recommend that you perform this update during a maintenance window.

You can run the following query to find all of the tables in your database that have columns of type datetime, time, or timestamp and create an ALTER TABLE <table_name> FORCE; command for each table.


SELECT DISTINCT CONCAT('ALTER TABLE `',
    REPLACE(is_tables.TABLE_SCHEMA, '`', '``'), '`.`',
    REPLACE(is_tables.TABLE_NAME, '`', '``'), '` FORCE;')
FROM information_schema.TABLES is_tables
INNER JOIN information_schema.COLUMNS col ON col.TABLE_SCHEMA = is_tables.TABLE_SCHEMA
    AND col.TABLE_NAME = is_tables.TABLE_NAME
LEFT OUTER JOIN information_schema.INNODB_SYS_TABLES systables ON
    SUBSTRING_INDEX(systables.NAME, '#', 1) = CONCAT(is_tables.TABLE_SCHEMA,'/',is_tables.TABLE_NAME)
LEFT OUTER JOIN information_schema.INNODB_SYS_COLUMNS syscolumns ON
    syscolumns.TABLE_ID = systables.TABLE_ID AND syscolumns.NAME = col.COLUMN_NAME
WHERE col.COLUMN_TYPE IN ('time','timestamp','datetime')
    AND is_tables.TABLE_TYPE = 'BASE TABLE'
    AND is_tables.TABLE_SCHEMA NOT IN ('mysql','information_schema','performance_schema')
    AND (is_tables.ENGINE = 'InnoDB' AND syscolumns.MTYPE = 6);

Log File Size

For MySQL version 5.6.20 and later, there is a size limit on BLOBs written to the redo log. To account for this limit, ensure that the innodb_log_file_size parameter for your MySQL DB instance is 10 times larger than the largest BLOB data size found in your tables, plus the length of other variable length fields (VARCHAR, VARBINARY, TEXT) in the same tables. For information on how to set parameter values, see Working with DB Parameter Groups (p. 724). For information on the redo log BLOB size limit, go to Changes in MySQL 5.6.20.

MySQL Parameter Exceptions for Amazon RDS DB Instances

Some MySQL parameters require special considerations when used with an Amazon RDS DB instance.

lower_case_table_names

Because Amazon RDS uses a case-sensitive file system, setting the value of the lower_case_table_names server parameter to 2 ("names stored as given but compared in lowercase") is not supported. Supported values for Amazon RDS DB instances are 0 ("names stored as given and comparisons are case-sensitive"), which is the default, or 1 ("names stored in lowercase and comparisons are not case-sensitive").

The lower_case_table_names parameter should be set as part of a custom DB parameter group before creating a DB instance. You should avoid changing the lower_case_table_names parameter for existing database instances because doing so could cause inconsistencies with point-in-time recovery backups and Read Replica DB instances.

Read Replicas should always use the same lower_case_table_names parameter value as the master DB instance.

long_query_time

You can set the long_query_time parameter to a floating point value which allows you to log slow queries to the MySQL slow query log with microsecond resolution. You can set a value such as 0.1 seconds, which would be 100 milliseconds, to help when debugging slow transactions that take less than one second.


MySQL File Size Limits

Amazon RDS instances can support files with a maximum size of 2 TB due to underlying file system constraints.

With MySQL, this file size limit constrains each table to a maximum size of 2 TB when using InnoDB file-per-table tablespaces. This limit also constrains the system tablespace to a maximum size of 2 TB.

File-per-table tablespaces, with each table in its own tablespace, are enabled by default in MySQL version 5.6.6 and later. You must enable InnoDB file-per-table tablespaces for MySQL versions 5.1 and 5.5.

There are advantages and disadvantages to using InnoDB file-per-table tablespaces, depending on your application. To determine the best approach for your application, go to InnoDB File-Per-Table Mode in the MySQL documentation.

We don't recommend allowing tables to grow to 2 TB. In general, a better practice is to partition data into smaller tables, which can improve performance and recovery times.

One option that you can use for breaking a large table up into smaller tables is partitioning. Partitioning distributes portions of your large table into separate files based on rules that you specify. For example, if you store transactions by date, you can create partitioning rules that distribute older transactions into separate files using partitioning. Then periodically, you can archive the historical transaction data that doesn't need to be readily available to your application. For more information, go to https://dev.mysql.com/doc/refman/5.6/en/partitioning.html in the MySQL documentation.

To determine the file size of a table

Use the following SQL command to determine if any of your tables are too large and are candidates for partitioning.

SELECT TABLE_SCHEMA, TABLE_NAME,
    round(((DATA_LENGTH + INDEX_LENGTH) / 1024 / 1024), 2) As "Approximate size (MB)"
FROM information_schema.TABLES
WHERE TABLE_SCHEMA NOT IN ('mysql', 'information_schema', 'performance_schema');

To enable InnoDB file-per-table tablespaces

• To enable InnoDB file-per-table tablespaces, set the innodb_file_per_table parameter to 1 in the parameter group for the DB instance.

To disable InnoDB file-per-table tablespaces

• To disable InnoDB file-per-table tablespaces, set the innodb_file_per_table parameter to 0 in the parameter group for the DB instance.

For information on updating a parameter group, see Working with DB Parameter Groups (p. 724).

When you have enabled or disabled InnoDB file-per-table tablespaces, you can issue an ALTER TABLE command to move a table from the global tablespace to its own tablespace, or from its own tablespace to the global tablespace, as shown in the following example:

ALTER TABLE table_name ENGINE=InnoDB;


Creating a DB Instance Running the MySQL Database Engine

The basic building block of Amazon RDS is the DB instance. The DB instance is where you create your MySQL databases.

Important
You must complete the tasks in the Setting Up for Amazon RDS (p. 7) section before you can create or connect to a DB instance.

AWS Management Console

To launch a MySQL DB instance

1. Sign in to the AWS Management Console and open the Amazon RDS console at https://console.aws.amazon.com/rds/.

2. In the top right corner of the AWS Management Console, select the region in which you want to create the DB instance.

3. In the navigation pane, click Instances.

4. Click Launch DB Instance to start the Launch DB Instance Wizard. The wizard opens on the Select Engine page.

5. In the Launch DB Instance Wizard window, click the Select button for the MySQL DB engine.


6. The next step asks if you are planning to use the DB instance you are creating for production. If you are, select Yes. By selecting Yes, the failover option Multi-AZ and the Provisioned IOPS storage option will be preselected in the following step. Click Next when you are finished.

7. On the Specify DB Details page, specify your DB instance information. The following table shows settings for an example DB instance. Click Next when you are finished.

For this parameter... / ...Do this:

License Model: MySQL has only one license model. Select the default, General-Public-License, to use the general license agreement for MySQL.

DB Engine Version: Select the version of MySQL that you want to work with. Note that Amazon RDS supports several versions of MySQL.

DB Instance Class: Select a DB instance class that defines the processing and memory requirements for the DB instance. For more information about all the DB instance class options, see DB Instance Class (p. 104).

Multi-AZ Deployment: Determine if you want to create a standby replica of your DB instance in another Availability Zone for failover support. For more information about multiple Availability Zones, see Regions and Availability Zones (p. 111).

Allocated Storage: Type a value to allocate storage for your database (in gigabytes). In some cases, allocating a higher amount of storage for your DB instance than the size of your database can improve I/O performance. For more information about storage allocation, see Amazon RDS Storage Types (p. 120).

Storage Type: Select the storage type you want to use. For more information about storage, see Storage for Amazon RDS (p. 120).

DB Instance Identifier: Type a name for the DB instance that is unique for your account in the region you selected. You may choose to add some intelligence to the name such as including the region and DB Engine you selected, for example mysqlinstance1.

Master Username: Type a name using alphanumeric characters that you will use as the master user name to log on to your DB instance. The default privileges granted to the master user name account include: create, drop, references, event, alter, delete, index, insert, select, update, create temporary tables, lock tables, trigger, create view, show view, alter routine, create routine, execute, create user, process, show databases, grant option.

Master Password: Type a password that contains from 8 to 16 printable ASCII characters (excluding /, ", and @) for your master user password.

Confirm Password: Re-type the Master Password for confirmation.


8. On the Configure Advanced Settings page, provide additional information that RDS needs to launch the MySQL DB instance. The table shows settings for an example DB instance. Specify your DB instance information, then click Next Step.


For this parameter... ...Do this:

VPC: Select the name of the Virtual Private Cloud (VPC) that will host your MySQL DB instance. If your DB instance will not be hosted in a VPC, select Not in VPC. For more information about VPC, see Amazon RDS and Amazon Virtual Private Cloud (VPC) (p. 114).

DB Subnet Group: This setting depends on the platform you are on. If you are a new customer to AWS, select default, which will be the default DB subnet group that was created for your account. If you are creating a DB instance on the previous EC2-Classic platform and you want your DB instance in a specific VPC, select the DB subnet group you created for that VPC. For more information about VPC, see Amazon RDS and Amazon Virtual Private Cloud (VPC) (p. 114).

Publicly Accessible: Choose Yes to give the DB instance a public IP address, meaning that it will be accessible outside the VPC (the DB instance also needs to be in a public subnet in the VPC); otherwise, choose No, so the DB instance will only be accessible from inside the VPC. For more information about hiding DB instances from public access, see Hiding a DB Instance in a VPC from the Internet (p. 166).

Availability Zone: Determine if you want to specify a particular Availability Zone. If you selected Yes for the Multi-AZ Deployment parameter on the previous page, you will not have any options here. For more information about Availability Zones, see Regions and Availability Zones (p. 111).

DB Security Groups: Select the security group you want to use with this DB instance. For more information about security groups, see Working with DB Security Groups (p. 740).

Database Name: Type a name for your database of 1 to 64 alphanumeric characters. If you do not provide a name, Amazon RDS will not create a database on the DB instance you are creating.

Database Port: Specify the port that applications and utilities will use to access the database. MySQL installations default to port 3306. The firewalls at some companies block connections to the default MySQL port. If your company firewall blocks the default port, choose another port for the new DB instance.

DB Parameter Group: Select a parameter group. Each MySQL version has a default parameter group you can use, or you can create your own parameter group. For more information about parameter groups, see Working with DB Parameter Groups (p. 724).

Option Group: Select an option group. Each MySQL version has a default option group you can use, or you can create your own option group. For more information about option groups, see Working with Option Groups (p. 702).


For this parameter... ...Do this:

Enable Encryption: Select Yes to enable encryption at rest for this DB instance. For more information, see Encrypting Amazon RDS Resources (p. 145).

Backup Retention Period: Select the number of days for Amazon RDS to automatically back up your DB instance. You can recover your database to any point in time during that retention period. For more information, see DB Instance Backups (p. 115).

Backup Window: Specify the period of time during which your DB instance is backed up. During the backup window, storage I/O may be suspended while your data is being backed up and you may experience elevated latency. This I/O suspension typically lasts for the duration of the snapshot. This period of I/O suspension is shorter for Multi-AZ DB deployments, since the backup is taken from the standby, but latency can occur during the backup process. For more information, see DB Instance Backups (p. 115).

Enable Enhanced Monitoring: Choose Yes to enable gathering metrics in real time for the operating system that your DB instance runs on. For more information, see Enhanced Monitoring (p. 769).

Granularity: Only available if Enable Enhanced Monitoring is set to Yes. Set the interval, in seconds, between when metrics are collected for your DB instance.

Auto Minor Version Upgrade: Select Yes if you want to enable your DB instance to receive minor DB Engine version upgrades automatically when they become available.

Maintenance Window: Select the weekly time range during which system maintenance can occur. For more information about the maintenance window, see Adjusting the Preferred Maintenance Window (p. 616).


In addition, Federated Storage Engine is currently not supported by Amazon RDS for MySQL.

Note

The Point-In-Time-Restore and Snapshot Restore features of Amazon RDS for MySQL require a crash recoverable storage engine, and these two features are supported only for the InnoDB storage engine. While MySQL supports multiple storage engines with varying capabilities, not all of them are optimized for crash recovery and data durability. For example, the MyISAM storage engine does not support reliable crash recovery and may result in lost or corrupt data when MySQL is restarted after a crash, preventing Point-In-Time-Restore or Snapshot restore from working as intended.

If you would like to convert existing MyISAM tables to InnoDB tables, you can use the alter table command (e.g., alter table TABLE_NAME engine=innodb;). Note that MyISAM and InnoDB have different strengths and weaknesses, so you should fully evaluate the impact of making this switch on your applications before doing so.

9. Click Launch DB Instance to create your MySQL DB instance.

10. On the final page of the wizard, click Close.

11. On the Amazon RDS console, the new DB instance appears in the list of DB instances. The DB instance will have a status of creating until the DB instance is created and ready for use. When the state changes to available, you can connect to the DB instance. Depending on the DB instance class and storage allocated, it could take several minutes for the new instance to be available.

CLI

To create a MySQL DB instance, use the AWS CLI create-db-instance command. The following parameters are required:

--db-instance-identifier
--db-instance-class
--engine


Example

The following example creates a MySQL DB instance named mydbinstance.

For Linux, OS X, or Unix:

aws rds create-db-instance \
    --db-instance-identifier mydbinstance \
    --db-instance-class db.m1.small \
    --engine MySQL \
    --allocated-storage 20 \
    --master-username masterawsuser \
    --master-user-password masteruserpassword \
    --backup-retention-period 3

For Windows:

aws rds create-db-instance ^
    --db-instance-identifier mydbinstance ^
    --db-instance-class db.m3.medium ^
    --engine MySQL ^
    --allocated-storage 20 ^
    --master-username masterawsuser ^
    --master-user-password masteruserpassword ^
    --backup-retention-period 3

This command should produce output similar to the following:

DBINSTANCE mydbinstance db.m3.medium mysql 20 sa creating 3 **** n 5.6.27
SECGROUP default active
PARAMGRP default.mysql5.6 in-sync
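As an added example (not part of the guide), the following Python script applies the master user name and password rules from the Specify DB Details table above and assembles the argument list for create-db-instance with the settings this section discusses: encryption at rest, no public IP address, a non-zero backup retention period, and a VPC security group. The flag names are the AWS CLI's; the validation policy, the redaction helper and the sample values are this example's own, and nothing here calls AWS.

```python
"""Validate create-db-instance inputs and assemble a hardened command line.

Added example, not from the Amazon RDS User Guide. It only builds the argv;
nothing here calls AWS.
"""
import shlex

# Master password rule from the Specify DB Details table:
# 8 to 16 printable ASCII characters, excluding "/", '"' and "@".
PASSWORD_MIN, PASSWORD_MAX = 8, 16
PASSWORD_FORBIDDEN = frozenset('/"@')


def validate_master_password(password: str) -> list:
    """Return the rule violations for a master user password (empty list means OK)."""
    problems = []
    if not PASSWORD_MIN <= len(password) <= PASSWORD_MAX:
        problems.append(f"length must be {PASSWORD_MIN}-{PASSWORD_MAX} characters, got {len(password)}")
    if any(not 0x20 <= ord(ch) <= 0x7E for ch in password):
        problems.append("only printable ASCII characters are allowed")
    forbidden = sorted(PASSWORD_FORBIDDEN.intersection(password))
    if forbidden:
        problems.append("forbidden characters present: " + " ".join(forbidden))
    return problems


def validate_master_username(username: str) -> list:
    """The table asks for alphanumeric characters only."""
    if username and username.isascii() and username.isalnum():
        return []
    return ["master user name must be non-empty ASCII alphanumeric"]


def build_create_db_instance(identifier: str, instance_class: str, username: str,
                             password: str, vpc_security_group_ids: tuple,
                             allocated_storage_gb: int = 20,
                             backup_retention_days: int = 3, port: int = 3306,
                             db_subnet_group: str = None) -> list:
    """Assemble argv for `aws rds create-db-instance`; raise ValueError on bad input.

    Policy choices of this example (not RDS requirements): storage encryption on,
    no public IP address, at least one VPC security group, backups retained.
    """
    problems = validate_master_username(username) + validate_master_password(password)
    if backup_retention_days < 1:
        problems.append("backup retention period 0 disables automated backups")
    if not vpc_security_group_ids:
        problems.append("at least one VPC security group is required")
    if problems:
        raise ValueError("; ".join(problems))
    argv = [
        "aws", "rds", "create-db-instance",
        "--db-instance-identifier", identifier,
        "--db-instance-class", instance_class,
        "--engine", "MySQL",
        "--allocated-storage", str(allocated_storage_gb),
        "--master-username", username,
        "--master-user-password", password,   # visible to `ps` while the CLI runs
        "--backup-retention-period", str(backup_retention_days),
        "--port", str(port),
        "--storage-encrypted",          # encryption at rest (Enable Encryption: Yes)
        "--no-publicly-accessible",     # no public IP address (Publicly Accessible: No)
        "--vpc-security-group-ids", *vpc_security_group_ids,
    ]
    if db_subnet_group:
        argv += ["--db-subnet-group-name", db_subnet_group]
    return argv


def redacted(argv: list) -> str:
    """Render argv for logs with the master password masked, as the CLI output above does."""
    out = list(argv)
    if "--master-user-password" in out:
        out[out.index("--master-user-password") + 1] = "****"
    return shlex.join(out)


if __name__ == "__main__":
    # Constructed sample values; the password and security group id are made up.
    cmd = build_create_db_instance("mydbinstance", "db.m3.medium", "masterawsuser",
                                   "Tr0ub4dor&3xyz", ("sg-0123456789abcdef0",),
                                   db_subnet_group="mydbsubnetgroup")
    print(redacted(cmd))
```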

API

To create a MySQL DB instance, use the Amazon RDS API CreateDBInstance action. The following parameters are required:

DBInstanceIdentifier = mydbinstance
DBInstanceClass = db.m3.medium
Engine = mysql


Example

The following example creates a MySQL DB instance named mydbinstance.

https://rds.us-west-2.amazonaws.com/
    ?Action=CreateDBInstance
    &AllocatedStorage=20
    &BackupRetentionPeriod=3
    &DBInstanceClass=db.m3.medium
    &DBInstanceIdentifier=mydbinstance
    &DBName=mydatabase
    &DBSecurityGroups.member.1=mysecuritygroup
    &DBSubnetGroup=mydbsubnetgroup
    &Engine=mysql
    &MasterUserPassword=<masteruserpassword>
    &MasterUsername=<masterawsuser>
    &Version=2013-09-09
    &X-Amz-Algorithm=AWS4-HMAC-SHA256
    &X-Amz-Credential=AKIADQKE4SARGYLE/20140213/us-west-2/rds/aws4_request
    &X-Amz-Date=20140213T162136Z
    &X-Amz-SignedHeaders=content-type;host;user-agent;x-amz-content-sha256;x-amz-date
    &X-Amz-Signature=8052a76dfb18469393c5f0182cdab0ebc224a9c7c5c949155376c1c250fc7ec3
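The X-Amz-* parameters in the request above are AWS Signature Version 4 applied to the query string. As an added example (not part of the guide), the following Python code signs a CreateDBInstance GET request that way and then verifies it the way a service would, so that any altered parameter fails the check. It signs only the host and x-amz-date headers (the request above also signs content-type, user-agent and x-amz-content-sha256), and the secret key and password are made-up values.

```python
"""Sign and verify an RDS Query API request with Signature Version 4.

Added example, not from the Amazon RDS User Guide. Credentials below are made up.
"""
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

ALGORITHM = "AWS4-HMAC-SHA256"
SIGNED_HEADERS = "host;x-amz-date"   # this example signs only these two headers


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret_key: str, date_stamp: str, region: str, service: str) -> bytes:
    """kSigning = HMAC(HMAC(HMAC(HMAC("AWS4" + secret, date), region), service), "aws4_request")."""
    key = ("AWS4" + secret_key).encode("utf-8")
    for part in (date_stamp, region, service, "aws4_request"):
        key = _hmac(key, part)
    return key


def canonical_query(params: dict) -> str:
    """Parameters sorted by name and RFC 3986 encoded; X-Amz-Signature is never part of it."""
    return "&".join(f"{quote(k, safe='-_.~')}={quote(str(v), safe='-_.~')}"
                    for k, v in sorted(params.items()) if k != "X-Amz-Signature")


def signature(secret_key: str, host: str, path: str, query: dict, amz_date: str,
              region: str, service: str) -> str:
    """SigV4 signature of a GET whose auth parameters are already in `query`."""
    date_stamp = amz_date[:8]
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    canonical_headers = f"host:{host}\nx-amz-date:{amz_date}\n"
    canonical_request = "\n".join([
        "GET", path, canonical_query(query), canonical_headers, SIGNED_HEADERS,
        hashlib.sha256(b"").hexdigest(),            # hash of the empty GET body
    ])
    string_to_sign = "\n".join([
        ALGORITHM, amz_date, scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest(),
    ])
    return hmac.new(signing_key(secret_key, date_stamp, region, service),
                    string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()


def sign_url(access_key: str, secret_key: str, region: str, host: str,
             params: dict, amz_date: str, service: str = "rds", path: str = "/") -> str:
    """Client side: build a signed GET URL in the shape of the CreateDBInstance example."""
    query = dict(params)
    query.update({
        "X-Amz-Algorithm": ALGORITHM,
        "X-Amz-Credential": f"{access_key}/{amz_date[:8]}/{region}/{service}/aws4_request",
        "X-Amz-Date": amz_date,
        "X-Amz-SignedHeaders": SIGNED_HEADERS,
    })
    sig = signature(secret_key, host, path, query, amz_date, region, service)
    return f"https://{host}{path}?{canonical_query(query)}&X-Amz-Signature={sig}"


def verify_url(url: str, secret_key: str) -> bool:
    """Service side: recompute the signature from the URL; any changed parameter fails."""
    parts = urlsplit(url)
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    presented = query.get("X-Amz-Signature", "")
    try:
        _, date_stamp, region, service, terminator = query["X-Amz-Credential"].split("/")
        amz_date = query["X-Amz-Date"]
    except (KeyError, ValueError):
        return False
    if (query.get("X-Amz-Algorithm") != ALGORITHM or terminator != "aws4_request"
            or not amz_date.startswith(date_stamp)
            or query.get("X-Amz-SignedHeaders") != SIGNED_HEADERS):
        return False
    # The Host header the service received must be the one the client signed.
    expected = signature(secret_key, parts.netloc, parts.path, query, amz_date, region, service)
    return hmac.compare_digest(presented, expected)


if __name__ == "__main__":
    request = {                       # the parameters of the request shown above
        "Action": "CreateDBInstance", "AllocatedStorage": 20, "BackupRetentionPeriod": 3,
        "DBInstanceClass": "db.m3.medium", "DBInstanceIdentifier": "mydbinstance",
        "Engine": "mysql", "MasterUsername": "masterawsuser",
        "MasterUserPassword": "EXAMPLE-PASSWORD", "Version": "2013-09-09",
    }
    signed = sign_url("AKIADQKE4SARGYLE", "EXAMPLE-SECRET-KEY", "us-west-2",
                      "rds.us-west-2.amazonaws.com", request, "20140213T162136Z")
    print(signed)
    print("verifies:", verify_url(signed, "EXAMPLE-SECRET-KEY"))
```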

Related Topics

Amazon RDS DB Instances (p. 103)

DB Instance Class (p. 104)

Deleting a DB Instance (p. 635)


Connecting to a DB Instance Running the MySQL Database Engine

Once Amazon RDS provisions your DB instance, you can use any standard MySQL client application or utility to connect to the instance. In the connection string, you specify the DNS address from the DB instance endpoint as the host parameter, and specify the port number from the DB instance endpoint as the port parameter.

You can use the AWS Management Console, the AWS CLI describe-db-instances command, or the Amazon RDS API DescribeDBInstances action to list the details of an Amazon RDS DB instance, including its endpoint. If an endpoint value is myinstance.123456789012.us-east-1.rds.amazonaws.com:3306, then you would specify the following values in a MySQL connection string:

• For host or host name, specify myinstance.123456789012.us-east-1.rds.amazonaws.com

• For port, specify 3306

You can connect to an Amazon RDS MySQL DB instance by using tools like the MySQL command line utility. For more information on using the MySQL utility, go to mysql - The MySQL Command Line Tool in the MySQL documentation. One GUI-based application you can use to connect is MySQL Workbench. For more information, go to the Download MySQL Workbench page.

Two common causes of connection failures to a new DB instance are:

• The DB instance was created using a security group that does not authorize connections from the device or Amazon EC2 instance where the MySQL application or utility is running. If the DB instance was created in a VPC, it must have a VPC security group that authorizes the connections. If the DB instance was created outside of a VPC, it must have a DB security group that authorizes the connections.

• The DB instance was created using the default port of 3306, and your company has firewall rules blocking connections to that port from devices in your company network. To fix this failure, recreate the instance with a different port.

You can use SSL encryption on connections to an Amazon RDS MySQL DB instance. For information, see Using SSL with a MySQL DB Instance (p. 180).

For information on connecting to an Amazon Aurora DB cluster, see Connecting to an Amazon Aurora DB Cluster (p. 521).

For information on connecting to a MariaDB DB instance, see Connecting to a DB Instance Running the MariaDB Database Engine (p. 589).

Connecting from the MySQL Utility

To connect to a DB instance using the MySQL utility, type the following command at a command prompt. For the -h parameter, substitute the DNS name for your DB instance. For the -P parameter, substitute the port for your DB instance. Enter the master user password when prompted.

mysql -h myinstance.123456789012.us-east-1.rds.amazonaws.com -P 3306 -u mymasteruser -p

You will see output similar to the following.


Welcome to the MySQL monitor. Commands end with ; or \g.

Your MySQL connection id is 350

Server version: 5.6.27-log MySQL Community Server (GPL)

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql>

Connecting with SSL

Amazon RDS creates an SSL certificate for your DB instance when the instance is created. If you enable SSL certificate verification, then the SSL certificate includes the DB instance endpoint as the Common Name (CN) for the SSL certificate to guard against spoofing attacks. To connect to your DB instance using SSL, follow these steps:

To connect to a DB instance with SSL using the MySQL utility

1. A root certificate that works for all regions can be downloaded here.

2. Type the following command at a command prompt to connect to a DB instance with SSL using the MySQL utility. For the -h parameter, substitute the DNS name for your DB instance. For the --ssl-ca parameter, substitute the SSL certificate file name as appropriate.

mysql -h myinstance.123456789012.us-east-1.rds.amazonaws.com --ssl-ca=rds-ca-2015-root.pem

3. Include the --ssl-verify-server-cert parameter so that the SSL connection verifies the DB instance endpoint against the endpoint in the SSL certificate. For example:

For Linux, OS X, or Unix:

mysql \
    -h myinstance.123456789012.us-east-1.rds.amazonaws.com \
    --ssl-ca=rds-ca-2015-root.pem \
    --ssl-verify-server-cert

For Windows:

mysql ^
    -h myinstance.123456789012.us-east-1.rds.amazonaws.com ^
    --ssl-ca=rds-ca-2015-root.pem ^
    --ssl-verify-server-cert

4. Enter the master user password when prompted.

You will see output similar to the following.

Welcome to the MySQL monitor. Commands end with ; or \g.

Your MySQL connection id is 350

Server version: 5.6.27-log MySQL Community Server (GPL)

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.


mysql>

Maximum MySQL connections

The maximum number of connections allowed to an Amazon RDS MySQL DB instance is based on the amount of memory available for the DB instance class of the DB instance. A DB instance class with more memory available will result in a larger number of connections available. For more information on DB instance classes, see DB Instance Class (p. 104).

The connection limit for a DB instance is set by default to the maximum for the DB instance class for the DB instance. You can limit the number of concurrent connections to any value up to the maximum number of connections allowed using the max_connections parameter in the parameter group for the DB instance. For more information, see Working with DB Parameter Groups (p. 724).

You can retrieve the maximum number of connections allowed for an Amazon RDS MySQL DB instance by executing the following query on your DB instance:

SELECT @@max_connections;

You can retrieve the number of active connections to an Amazon RDS MySQL DB instance by executing the following query on your DB instance:

SHOW STATUS WHERE `variable_name` = 'Threads_connected';

Related Topics

Amazon RDS DB Instances (p. 103)

Creating a DB Instance Running the MySQL Database Engine (p. 188)

Amazon RDS Security Groups (p. 149)

Deleting a DB Instance (p. 635)


Modifying a DB Instance Running the MySQL Database Engine

You can change the settings of a DB instance to accomplish tasks such as adding additional storage or changing the DB instance class. This topic guides you through modifying an Amazon RDS MySQL DB instance, and describes the settings for MySQL instances. For information about additional tasks, such as renaming, rebooting, deleting, tagging, or upgrading an Amazon RDS DB instance, see Amazon RDS DB Instance Lifecycle (p. 611). We recommend that you test any changes on a test instance before modifying a production instance so you better understand the impact of a change. This is especially important when upgrading database versions.

You can have the changes apply immediately or have them applied during the DB instance's next maintenance window. Applying changes immediately can cause an outage in some cases; for more information on the impact of the Apply Immediately option when modifying a DB instance, see Modifying a DB Instance and Using the Apply Immediately Parameter (p. 630).

AWS Management Console

To modify a MySQL DB instance

1. Sign in to the AWS Management Console and open the Amazon RDS console at https://console.aws.amazon.com/rds/.

2. In the navigation pane, click Instances.

3. Select the check box for the DB instance that you want to change, click Instance Actions and then click Modify.

4. In the Modify DB Instance dialog box, change any of the following settings that you want:

Setting: Description

Instance Specifications

DB Engine Version: In the list provided, click the version of the MySQL database engine that you want to use.

DB Instance Class: In the list provided, click the DB instance class that you want to use. For information about instance classes, see DB Instance Class (p. 104).

Multi-AZ Deployment: If you want to deploy your DB instance in multiple Availability Zones, click Yes; otherwise, click No.

Storage Type: Select the storage type you want to use. Changing from Magnetic to General Purpose (SSD) or Provisioned IOPS (SSD) will result in an outage. Also, changing from Provisioned IOPS (SSD) or General Purpose (SSD) to Magnetic will result in an outage. For more information about storage, see Storage for Amazon RDS (p. 120).

Allocated Storage: Specify how much storage, in gigabytes, to allocate for your DB instance. The minimum allowable value is 5 GB; the maximum is 6 TB. Note that you can only increase the amount of storage when modifying a DB instance; you cannot reduce the amount of storage allocated.

Settings

DB Instance Identifier: You can rename the DB instance by typing a new name. When you change the DB instance identifier, an instance reboot will occur immediately if you set Apply Immediately to true, or will occur during the next maintenance window if you set Apply Immediately to false. This value is stored as a lowercase string.

New Master Password: Type a password for your master user. The password must contain from 8 to 41 alphanumeric characters. By resetting the master password, you also reset permissions for the DB instance. For more information, see Resetting the DB Instance Owner Role Password (p. 836).

Network and Security

Security Group: Select the security group you want associated with the DB instance. For more information about security groups, see Working with DB Security Groups (p. 740).

Certificate Authority: Select the certificate you want to use.

Publicly Accessible: Choose Yes to give the DB instance a public IP address, meaning that it will be accessible outside the VPC (the DB instance also needs to be in a public subnet in the VPC); otherwise, choose No, so the DB instance will only be accessible from inside the VPC. For more information about hiding DB instances from public access, see Hiding a DB Instance in a VPC from the Internet (p. 166).

Database Options

Parameter Group: Select the parameter group you want associated with the DB instance. Changing this setting does not result in an outage. The parameter group name itself is changed immediately, but the actual parameter changes are not applied until you reboot the instance without failover. The DB instance will NOT be rebooted automatically and the parameter changes will NOT be applied during the next maintenance window. For more information about parameter groups, see Working with DB Parameter Groups (p. 724).

Option Group: Select the option group you want associated with the DB instance. For more information about option groups, see Working with Option Groups (p. 702).

Copy Tags to Snapshots: Select this option to have any DB instance tags copied to a DB snapshot when you create a snapshot.

Database Port: Specify a new port you want to use to access the database. The port value must not match any of the port values specified for options in the option group for the DB instance. Your database will restart when you change the database port regardless of whether Apply Immediately is checked.

Backup

Backup Retention Period: Specify the number of days that automatic backups will be retained. To disable automatic backups, set this value to 0.

Note

An immediate outage will occur if you change the backup retention period from 0 to a non-zero value or from a non-zero value to 0.

Backup Window: Set the time range during which automated backups of your databases will occur. Specify a start time in Universal Coordinated Time (UTC) and a duration in hours.

Enable Enhanced Monitoring: Choose Yes to enable gathering metrics in real time for the operating system that your DB instance runs on. For more information, see Enhanced Monitoring (p. 769).

Granularity: Only available if Enable Enhanced Monitoring is set to Yes. Set the interval, in seconds, between when metrics are collected for your DB instance.

Maintenance

Auto Minor Version Upgrade: If you want your DB instance to receive minor engine version upgrades automatically when they become available, click Yes. Upgrades are installed only during your scheduled maintenance window.

Maintenance Window: Set the time range during which system maintenance, including upgrades, will occur. Specify a start time in UTC and a duration in hours.

5. To apply the changes immediately, select the Apply Immediately check box. Selecting this option can cause an outage in some cases; for more information on the impact of the Apply Immediately option, see Modifying a DB Instance and Using the Apply Immediately Parameter (p. 630).

6. When all the changes are as you want them, click Continue. If instead you want to cancel any changes that you didn't apply in the previous step, click Cancel.
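As an added example (not part of the guide), the following Python function turns the impact rules stated in the Modify DB Instance table above into a pre-change review: given the current settings and a proposed modification, it returns which changes cause an outage, a reboot, a permission reset, a rejection, or new exposure. The setting keys, the sample instance state and the 6 TB = 6144 GB conversion are this example's assumptions.

```python
"""Pre-change impact review for Modify DB Instance, from the rules in the table above.

Added example, not from the Amazon RDS User Guide. The 6 TB ceiling is taken as
6144 GB here; that conversion is this example's assumption.
"""
MAGNETIC = "Magnetic"
MIN_STORAGE_GB, MAX_STORAGE_GB = 5, 6144


def review_modification(current: dict, changes: dict, apply_immediately: bool) -> list:
    """Return impact notes for `changes` against `current` settings; [] means no impact.

    Keys used: storage_type, allocated_storage_gb, db_instance_identifier,
    master_password, parameter_group, port, option_group_ports,
    backup_retention_days, publicly_accessible.
    """
    notes = []
    when = "immediately" if apply_immediately else "at the next maintenance window"

    def changed(key):
        return key in changes and changes[key] != current.get(key)

    if changed("storage_type"):
        old, new = current["storage_type"], changes["storage_type"]
        # Magnetic <-> SSD in either direction causes an outage; SSD <-> SSD does not.
        if (old == MAGNETIC) != (new == MAGNETIC):
            notes.append(f"outage: storage type change {old} -> {new}")
    if changed("allocated_storage_gb"):
        new = changes["allocated_storage_gb"]
        if new < current["allocated_storage_gb"]:
            notes.append("rejected: allocated storage cannot be reduced")
        elif not MIN_STORAGE_GB <= new <= MAX_STORAGE_GB:
            notes.append(f"rejected: allocated storage must be {MIN_STORAGE_GB}-{MAX_STORAGE_GB} GB")
    if changed("db_instance_identifier"):
        notes.append(f"reboot {when}: DB instance identifier change")
    if "master_password" in changes:
        notes.append("permissions reset: resetting the master password resets DB instance permissions")
    if changed("parameter_group"):
        notes.append("no outage: parameter changes stay pending until a reboot without failover")
    if changed("port"):
        if changes["port"] in current.get("option_group_ports", ()):
            notes.append("rejected: port collides with an option group port")
        notes.append("restart: database restarts on a port change regardless of Apply Immediately")
    if changed("backup_retention_days"):
        if (current["backup_retention_days"] == 0) != (changes["backup_retention_days"] == 0):
            notes.append("immediate outage: backup retention changed between 0 and a non-zero value")
    if changed("publicly_accessible") and changes["publicly_accessible"]:
        notes.append("exposure: instance gets a public IP address reachable from outside the VPC")
    return notes


if __name__ == "__main__":
    # Constructed current state for a hypothetical instance "mysqldb".
    current = {
        "storage_type": MAGNETIC, "allocated_storage_gb": 100,
        "db_instance_identifier": "mysqldb", "parameter_group": "default.mysql5.6",
        "port": 3306, "option_group_ports": [], "backup_retention_days": 0,
        "publicly_accessible": False,
    }
    proposal = {"storage_type": "General Purpose (SSD)", "backup_retention_days": 7, "port": 3307}
    for note in review_modification(current, proposal, apply_immediately=False):
        print(note)
```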

CLI

To modify a MySQL DB instance, use the AWS CLI command modify-db-instance.


Example

The following code modifies mysqldb by setting the backup retention period to 1 week (7 days) and disabling automatic minor version upgrades. These changes are applied during the next maintenance window.

Parameters

--db-instance-identifier — the name of the DB instance

--backup-retention-period — the number of days to retain automatic backups.

--no-auto-minor-version-upgrade — disallow automatic minor version upgrades. To allow automatic minor version upgrades, use --auto-minor-version-upgrade.

--no-apply-immediately — apply changes during the next maintenance window. To apply changes immediately, use --apply-immediately.

For Linux, OS X, or Unix:

aws rds modify-db-instance \
    --db-instance-identifier mysqldb \
    --backup-retention-period 7 \
    --no-auto-minor-version-upgrade \
    --no-apply-immediately

For Windows:

aws rds modify-db-instance ^
    --db-instance-identifier mysqldb ^
    --backup-retention-period 7 ^
    --no-auto-minor-version-upgrade ^
    --no-apply-immediately

API

To modify a MySQL DB instance, use the ModifyDBInstance action.


Example

The following code modifies mysqldb by setting the backup retention period to 1 week (7 days) and disabling automatic minor version upgrades. These changes are applied during the next maintenance window.

Parameters

DBInstanceIdentifier — the name of the DB instance

BackupRetentionPeriod — the number of days to retain automatic backups.

AutoMinorVersionUpgrade = false — disallow automatic minor version upgrades. To allow automatic minor version upgrades, set the value to true.

ApplyImmediately = false — apply changes during the next maintenance window. To apply changes immediately, set the value to true.

https://rds.us-east-1.amazonaws.com/
    ?Action=ModifyDBInstance
    &ApplyImmediately=false
    &AutoMinorVersionUpgrade=false
    &BackupRetentionPeriod=7
    &DBInstanceIdentifier=mydbinstance
    &SignatureMethod=HmacSHA256
    &SignatureVersion=4
    &Version=2013-09-09
    &X-Amz-Algorithm=AWS4-HMAC-SHA256
    &X-Amz-Credential=AKIADQKE4SARGYLE/20131016/us-east-1/rds/aws4_request
    &X-Amz-Date=20131016T233051Z
    &X-Amz-SignedHeaders=content-type;host;user-agent;x-amz-content-sha256;x-amz-date
    &X-Amz-Signature=087a8eb41cb1ab0fc9ec1575f23e73757ffc6a1e42d7d2b30b9cc0be988cff97


Importing and Exporting Data From a MySQL DB Instance

We recommend using the procedures in this section to import data into or export it from a MySQL DB instance. You can use these procedures to import data from other MySQL DB instances, MySQL instances running external to Amazon RDS, and other types of data sources. To use replication to export data to an instance of MySQL that is running external to Amazon RDS, we recommend using the procedure discussed in Using Replication to Export MySQL Data (p. 229).

Overview

We recommend the following procedures for importing data into a MySQL DB instance in the situations described:

• To import data from an existing database in a MySQL DB instance, you can create a Read Replica, and then promote the Read Replica. For more information, see Working with PostgreSQL, MySQL, and MariaDB Read Replicas (p. 649).

• To move small amounts of MySQL data, or where service interruption on the source MySQL database isn't an issue, you can use a simple procedure to copy the data directly to your Amazon RDS MySQL DB instance using a command-line utility. For more information, see Importing Data from a MySQL or MariaDB DB to an Amazon RDS MySQL or MariaDB DB Instance (p. 208).

• To move large amounts of MySQL data, or when you want to minimize service interruption for live sites or applications that use an external MySQL instance, you can back up the data, copy it to Amazon Elastic Compute Cloud (Amazon EC2), and import it into an Amazon RDS MySQL DB instance. You can then use replication to bring the two instances into sync for any data that has been added to the source system since the copy to Amazon EC2. For more information, see Importing Data to an Amazon RDS MySQL or MariaDB DB Instance with Reduced Downtime (p. 210).

• For data in sources other than an existing MySQL database, you can create flat files and import them using the mysqlimport utility. For more information, see Importing Data From Any Source to a MySQL or MariaDB DB Instance (p. 222).

• To set up replication using an existing MySQL DB instance as the replication master, see Replication with a MySQL or MariaDB Instance Running External to Amazon RDS (p. 227).

Note

The 'mysql' system database contains authentication and authorization information required to log into your DB instance and access your data. Dropping, altering, renaming, or truncating tables, data, or other contents of the 'mysql' database in your DB instance can result in error and may render the DB instance and your data inaccessible. If this occurs, the DB instance can be restored from a snapshot using the AWS CLI restore-db-instance-from-db-snapshot command, or recovered using the AWS CLI restore-db-instance-to-point-in-time command.

Importing Data Considerations

This section contains additional technical information related to loading data into MySQL. It is intended for advanced users who are familiar with the MySQL server architecture. Note that all comments related to LOAD DATA LOCAL INFILE apply to mysqlimport as well.

Binary Log

Data loads incur a performance penalty and require additional free disk space (up to 4X more) when binary logging is enabled versus loading the same data with binary logging turned off. The severity of the performance penalty and the amount of free disk space required is directly proportional to the size of the transactions used to load the data.

Transaction Size

Transaction size plays an important role in MySQL data loads. It has a major influence on resource consumption, disk space utilization, resume process, time to recover, and input format (flat files or SQL).

This section describes how transaction size affects binary logging and makes the case for disabling binary logging during large data loads. As noted earlier, binary logging is enabled and disabled by setting the Amazon RDS automated backup retention period. Non-zero values enable binary logging, and zero disables it. We also describe the impact of large transactions on InnoDB and why it's important to keep transaction sizes small.

Small Transactions

For small transactions, binary logging doubles the number of disk writes required to load the data.

Depending upon the upload rate, other database activity taking place during the load, and the capacity of your Amazon RDS DB instance, this can severely degrade performance for other database sessions and increase the time required to load the data.

The binary logs also consume disk space roughly equal to the amount of data loaded until they are backed up and removed. Fortunately, Amazon RDS minimizes this by backing up and removing binary logs on a frequent basis.

Large Transactions

Large transactions incur a 3X penalty for IOPS and disk consumption with binary logging enabled. This is due to the binary log cache spilling to disk, consuming disk space and incurring additional IO for each write. The cache cannot be written to the binlog until the transaction commits or rolls back, so it consumes disk space in proportion to the amount of data loaded. When the transaction commits, the cache must be copied to the binlog, creating a third copy of the data on disk.

Because of this, there must be at least three times as much free disk space available to load the data compared to loading with binary logging disabled. For example, 10GB of data loaded as a single transaction will consume at least 30GB disk space during the load: 10GB for the table + 10GB for the binary log cache + 10GB for the binary log itself. The cache file remains on disk until the session that created it terminates or the session fills its binary log cache again during another transaction. The binary log must remain on disk until backed up, so it may be some time before the extra 20GB is freed.

If the data was loaded using LOAD DATA LOCAL INFILE, yet another copy of the data is created if the database has to be recovered from a backup made prior to the load. During recovery, MySQL extracts the data from the binary log into a flat file and then executes LOAD DATA LOCAL INFILE, just as the original transaction, only this time the input file is local to the database server. Continuing with the example above, recovery will fail unless there is at least 40GB free disk space available.

Disable Binary Logging

Whenever possible, disable binary logging during large data loads to avoid the resource overhead and additional disk space requirements. In Amazon RDS, disabling binary logging is as simple as setting the backup retention period to zero. If you do this, it's recommended that you take a DB Snapshot of the database instance immediately before the load so that you can quickly and easily undo changes made during loading if the need arises.

After the load, set the backup retention period back to an appropriate (non-zero) value.

You cannot set the backup retention period to zero if the DB instance is a source DB instance for Read Replicas.


InnoDB

The information in this section provides a strong argument for keeping transaction sizes small when using InnoDB.

Undo

InnoDB generates undo to support features such as transaction rollback and MVCC. Undo is stored in the InnoDB system tablespace (usually ibdata1) and is retained until removed by the purge thread. The purge thread cannot advance beyond the undo of the oldest active transaction, so it is effectively blocked until that transaction commits or completes a rollback. If the database is processing other transactions during the load, their undo also accumulates in the system tablespace and cannot be removed even if they commit and no other transaction needs the undo for MVCC. In this situation, all transactions (including read-only transactions) that access any of the rows changed by any transaction (not just the load transaction) slow down as they scan through undo that could have been purged if not for the long running load transaction.

Since undo is stored in the system tablespace and since the system tablespace never shrinks in size, large data load transactions can cause the system tablespace to become quite large, consuming disk space that cannot be reclaimed without recreating the database from scratch.

Rollback

InnoDB is optimized for commits. Rolling back a large transaction can take a very, very long time. In some cases, it may be faster to perform a point-in-time recovery or restore a DB Snapshot.

Input Data Format

MySQL can accept incoming data in one of two forms: flat files and SQL. This section points out some key advantages and disadvantages of each.

Flat Files

Loading flat files with LOAD DATA LOCAL INFILE can be the fastest and least costly method of loading data as long as transactions are kept relatively small. Compared to loading the same data with SQL, flat files usually require less network traffic, lowering transmission costs, and they load much faster due to the reduced overhead in the database.

One Big Transaction

LOAD DATA LOCAL INFILE loads the entire flat file as one transaction. This isn't necessarily a bad thing.

If the size of the individual files can be kept small, this has a number of advantages:

• Resume Capability - Keeping track of which files have been loaded is easy. If a problem arises during the load, you can pick up where you left off with little effort. Some data may have to be retransmitted to Amazon RDS, but with small files, the amount retransmitted is minimal.

• Load data in parallel - If you've got IOPS and network bandwidth to spare with a single file load, loading in parallel may save time.

• Throttle the load rate - Data load impacting other processes? Throttle the load by increasing the interval between files.

Be Careful

The advantages of LOAD DATA LOCAL INFILE diminish rapidly as transaction size increases. If breaking up a large set of data into smaller ones isn't an option, SQL may be the better choice.
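The resume, parallel-load and throttle points above can be combined in one small driver. The following is an added example, not code from the RDS guide: it assumes each flat file loads into the table named by its file stem (table1.txt into table1), that the mysql client is on PATH with its password supplied through MYSQL_PWD or ~/.my.cnf rather than on the command line, and that the actual LOAD DATA call is passed in as a function (load_fn) so the manifest logic can be exercised without a server. demo() runs a constructed four-file scenario with one simulated failure and then resumes from the manifest.

```python
"""Resumable, throttled, parallel loader for per-table flat files.

Added example, not code from the RDS guide. Assumptions: every file is loaded
into the table named by its stem (table1.txt -> table1); the actual load is a
`load_fn(path)` callable, so the manifest logic can be tested without a server.
"""
import json
import os
import subprocess
import tempfile
import threading
import time
from concurrent.futures import ThreadPoolExecutor
from pathlib import Path
from typing import Callable, Iterable, List


def mysql_load_fn(host: str, user: str, database: str) -> Callable[[Path], None]:
    """Return a load function that shells out to the mysql client (assumed on PATH).
    The password comes from MYSQL_PWD or ~/.my.cnf, so it never appears in argv."""
    def load(path: Path) -> None:
        sql = (f"LOAD DATA LOCAL INFILE '{path}' INTO TABLE `{path.stem}` "
               "FIELDS TERMINATED BY ',' ENCLOSED BY '\"' LINES TERMINATED BY 0x0d0a")
        subprocess.run(["mysql", "--local-infile=1", "-h", host, "-u", user,
                        database, "-e", sql], check=True)
    return load


class ResumableLoader:
    """Loads files one transaction each, recording completed files in a JSON manifest."""

    def __init__(self, manifest: Path, load_fn: Callable[[Path], None],
                 workers: int = 1, interval: float = 0.0):
        self.manifest, self.load_fn = manifest, load_fn
        self.workers, self.interval = workers, interval
        self.done = set(json.loads(manifest.read_text())) if manifest.exists() else set()
        self._lock = threading.Lock()

    def pending(self, files: Iterable[Path]) -> List[Path]:
        """Files not yet recorded as loaded; on restart only these are (re)sent."""
        return [f for f in files if f.name not in self.done]

    def _mark_done(self, path: Path) -> None:
        self.done.add(path.name)
        tmp = self.manifest.with_suffix(".tmp")        # write-then-rename keeps the manifest
        tmp.write_text(json.dumps(sorted(self.done)))   # intact if the driver dies mid-write
        os.replace(tmp, self.manifest)

    def run(self, files: Iterable[Path]) -> List[str]:
        todo = self.pending(list(files))
        loaded: List[str] = []

        def one(path: Path) -> None:
            self.load_fn(path)                       # one file == one server-side transaction
            with self._lock:
                self._mark_done(path)
                loaded.append(path.name)

        with ThreadPoolExecutor(max_workers=self.workers) as pool:
            futures = []
            for path in todo:
                futures.append(pool.submit(one, path))
                if self.interval:
                    time.sleep(self.interval)        # throttle: space out submissions
            for fut in futures:
                fut.result()                         # re-raise the first failure; others still finish
        return sorted(loaded)


def demo() -> dict:
    """Constructed scenario: four files, a load that fails once on table3.txt,
    then a second loader that resumes from the manifest."""
    d = Path(tempfile.mkdtemp())
    files = [d / f"table{i}.txt" for i in range(1, 5)]
    for f in files:
        f.write_text('1,"a"\r\n')                    # constructed sample rows
    calls: List[str] = []

    def flaky(path: Path) -> None:
        calls.append(path.name)
        if path.name == "table3.txt" and calls.count("table3.txt") == 1:
            raise RuntimeError("simulated load failure")

    manifest = d / "manifest.json"
    first_error = None
    try:
        ResumableLoader(manifest, flaky, workers=2).run(files)
    except RuntimeError as e:
        first_error = str(e)
    after_first = [p.name for p in ResumableLoader(manifest, flaky).pending(files)]
    second = ResumableLoader(manifest, flaky, workers=2, interval=0.01).run(files)
    return {"first_error": first_error, "after_first": after_first,
            "second": second, "calls": calls}


if __name__ == "__main__":
    print(demo())
```

Each file is one transaction on the server, so a failure leaves the earlier files committed and recorded; rerunning the loader against the same manifest sends only what is still pending, which is the "little effort" resume the text describes. The write-then-rename manifest update avoids a half-written manifest if the driver itself is killed.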


SQL

SQL has one main advantage over flat files: it's easy to keep transaction sizes small. However, SQL can take significantly longer to load than flat files and it can be difficult to determine where to resume the load after a failure. For example, mysqldump files are not restartable. If a failure occurs while loading a mysqldump file, the file will require modification or replacement before the load can resume. The alternative is to restore to the point in time prior to the load and replay the file once the cause of the failure has been corrected.

Take Checkpoints Using Amazon RDS Snapshots

If you have a load that's going to take several hours or even days, loading without binary logging isn't a very attractive prospect unless you can take periodic checkpoints. This is where the Amazon RDS DB Snapshot feature comes in very handy. A DB Snapshot creates a point-in-time consistent copy of your database instance which can be used to restore the database to that point in time after a crash or other mishap.

To create a checkpoint, simply take a DB Snapshot. Any previous DB Snapshots taken for checkpoints can be removed without affecting durability or restore time.

Snapshots are fast too, so frequent checkpointing doesn't add significantly to load time.

Decreasing Load Time

Here are some additional tips to reduce load times:

• Create all secondary indexes prior to loading. This is counter-intuitive for those familiar with other databases. Adding or modifying a secondary index causes MySQL to create a new table with the index changes, copy the data from the existing table to the new table, and drop the original table.

• Load data in PK order. This is particularly helpful for InnoDB tables where load times can be reduced by 75-80% and data file size cut in half.

• Disable foreign key constraints (foreign_key_checks=0). For flat files loaded with LOAD DATA LOCAL INFILE, this is required in many cases. For any load, disabling FK checks will provide significant performance gains. Just be sure to enable the constraints and verify the data after the load.

• Load in parallel unless already near a resource limit. Use partitioned tables when appropriate.

• Use multi-value inserts when loading with SQL to minimize statement execution overhead. When using mysqldump, this is done automatically.

• Reduce InnoDB log IO (innodb_flush_log_at_trx_commit=0).

Note

Using innodb_flush_log_at_trx_commit=0 causes InnoDB to flush its logs every second instead of at each commit. This provides a significant speed advantage, but can lead to data loss during a crash. Use with caution.
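The foreign-key tip above says to re-enable the constraints and verify the data afterwards. Turning foreign_key_checks back on does not make MySQL re-validate rows that were loaded while it was off, so the verification has to be an explicit query. The following is an added example, not code from the RDS guide: it brackets a set of LOAD DATA statements with the session setting and generates one orphan-detection query per foreign key. Table and column names are constructed, and the LOAD DATA delimiters match the delimited-text dump commands used later in this topic.

```python
"""Bracket a bulk load with foreign_key_checks=0 and verify referential integrity
afterwards. Added example, not code from the RDS guide. Table/column names used in
the demo are constructed."""
from typing import List, NamedTuple, Sequence, Tuple


class ForeignKey(NamedTuple):
    child_table: str
    child_cols: Sequence[str]
    parent_table: str
    parent_cols: Sequence[str]


def _q(name: str) -> str:
    """Quote an identifier with backticks, doubling any embedded backtick."""
    return "`" + name.replace("`", "``") + "`"


def orphan_check_sql(fk: ForeignKey) -> str:
    """SELECT counting child rows whose parent row is missing; 0 means the FK holds.
    Child rows with a NULL in any FK column are skipped, as FK checks ignore them."""
    on = " AND ".join(f"c.{_q(a)} = p.{_q(b)}" for a, b in zip(fk.child_cols, fk.parent_cols))
    not_null = " AND ".join(f"c.{_q(a)} IS NOT NULL" for a in fk.child_cols)
    return (f"SELECT COUNT(*) AS orphans FROM {_q(fk.child_table)} c "
            f"LEFT JOIN {_q(fk.parent_table)} p ON {on} "
            f"WHERE {not_null} AND p.{_q(fk.parent_cols[0])} IS NULL;")


def load_script(files_to_tables: Sequence[Tuple[str, str]],
                fks: Sequence[ForeignKey]) -> List[str]:
    """Statements for one session: disable FK checks, load each file, re-enable
    the checks, then run one orphan check per foreign key."""
    stmts = ["SET SESSION foreign_key_checks = 0;"]
    for path, table in files_to_tables:
        stmts.append(f"LOAD DATA LOCAL INFILE '{path}' INTO TABLE {_q(table)} "
                     "FIELDS TERMINATED BY ',' ENCLOSED BY '\"' LINES TERMINATED BY 0x0d0a;")
    stmts.append("SET SESSION foreign_key_checks = 1;")
    stmts.extend(orphan_check_sql(fk) for fk in fks)
    return stmts


def demo() -> List[str]:
    """Constructed schema: orders.customer_id references customers.id."""
    fk = ForeignKey("orders", ["customer_id"], "customers", ["id"])
    return load_script([("customers.txt", "customers"), ("orders.txt", "orders")], [fk])


if __name__ == "__main__":
    print("\n".join(demo()))
```

Any non-zero orphan count means a row was loaded that the constraint would have rejected; fix or remove those rows before putting the instance into service, because later updates to such rows will fail the constraint at an inconvenient time.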

Importing Data from a MySQL or MariaDB DB to an Amazon RDS MySQL or MariaDB DB Instance

The simplest way to import data from an existing MySQL or MariaDB database to an Amazon RDS MySQL or MariaDB DB instance is to copy the database with mysqldump and pipe it directly into the Amazon RDS MySQL or MariaDB DB instance. The mysqldump command-line utility is commonly used to make backups and transfer data from one MySQL or MariaDB server to another. It is included with MySQL and MariaDB client software.


The following example copies the world sample database on the local host to an Amazon RDS MySQL DB instance.

For Linux, OS X, or Unix:

    sudo mysqldump -u <local_user> \
        --databases world \
        --single-transaction \
        --compress \
        --order-by-primary \
        -p<local_password> | mysql -u <RDS_user_name> \
        --port=3306 \
        --host=hostname \
        -p<RDS_password>

For Windows:

    sudo mysqldump -u <local_user> ^
        --databases world ^
        --single-transaction ^
        --compress ^
        --order-by-primary ^
        -p<local_password> | mysql -u <RDS_user_name> ^
        --port=3306 ^
        --host=hostname ^
        -p<RDS_password>

Note

Make sure there is not a space between the -p option and the entered password.

Use the --host, --user (-u), --port and -p options in the mysql command to specify the hostname, username, port, and password to connect to your Amazon RDS DB instance. The host name is the DNS name from the Amazon RDS DB instance endpoint, for example, myinstance.123456789012.us-east-1.rds.amazonaws.com. You can find the endpoint value in the instance details in the Amazon RDS Management Console.

The additional mysqldump options that were specified to help improve operation performance and data integrity work as follows:

• Sort each table's data by its primary key using the --order-by-primary parameter. Taking this approach can dramatically reduce load times.

• Compress the data before sending it to Amazon RDS using the --compress parameter. This option can reduce network bandwidth consumption.

• Ensure that all of the data is consistent with a single point in time using the --single-transaction parameter. If there are other processes changing the data while mysqldump is reading it, use this option to maintain data integrity.

• You must create any stored procedures, triggers, functions, or events manually in your Amazon RDS database. If you have any of these objects in the database that you are copying, then exclude them when you run mysqldump by including the following arguments with your mysqldump command: --routines=0 --triggers=0 --events=0.


Importing Data to an Amazon RDS MySQL or MariaDB DB Instance with Reduced Downtime

When importing data from an external MySQL or MariaDB database that supports a live application to an Amazon RDS MySQL or MariaDB DB instance, you can use the following procedure to minimize the impact on application availability. This procedure can also help if you are working with a very large database, because you can reduce the cost of the import by reducing the amount of data that is passed across the network to AWS.

In this procedure, you transfer a copy of your database data to an Amazon EC2 instance and import the data into a new Amazon RDS DB instance. You then use replication to bring the Amazon RDS DB instance up-to-date with your live external instance, before redirecting your application to the Amazon RDS DB instance. You configure MariaDB replication based on global transaction identifiers (GTIDs) if the external instance is MariaDB 10.0.2 or greater and the target instance is Amazon RDS MariaDB; otherwise, you configure replication based on binary log coordinates. We recommend GTID-based replication if your external database supports it due to its enhanced crash-safety features. For more information, go to Global Transaction ID in the MariaDB documentation.

Note

We don't recommend that you use this procedure with source MySQL databases from MySQL versions earlier than version 5.1, due to potential replication issues. For more information, go to Replication Compatibility Between MySQL Versions in the MySQL documentation.

Create a Copy of Your Existing Database

The first step in the process of migrating a large amount of data to an Amazon RDS MySQL or MariaDB DB instance with minimal downtime is to create a copy of the source data.


You can use the mysqldump utility to create a database backup in either SQL or delimited-text format. You should do a test run with each format in a nonproduction environment to see which method minimizes the amount of time that mysqldump runs.

You should also weigh mysqldump performance against the benefit offered by using the delimited-text format for loading. A backup using delimited-text format creates a tab-separated text file for each table being dumped. You can load these files in parallel using the LOAD DATA LOCAL INFILE command to reduce the amount of time required to import your database. For more information about choosing a mysqldump format and then loading the data, go to Using mysqldump For Backups in the MySQL documentation.

Before you start the backup operation, you must set the replication options on the MySQL or MariaDB database that you are copying to Amazon RDS. The replication options include enabling binary logging and setting a unique server ID. Setting these options will cause your server to start logging database transactions and prepare it to be a replication master later in this process.

Note

Your database needs to be stopped to set the replication options and be in read-only mode while the backup copy is created, so you need to schedule a maintenance window for these operations.

To Set Replication Options

1. From a command shell, stop the mysql service:

    sudo service mysqld stop

2. Edit the my.cnf file (this file is usually under /etc):

    sudo vi /etc/my.cnf

Add the log_bin and server_id options to the [mysqld] section. The log_bin option provides a file name identifier for binary log files. The server_id option provides a unique identifier for the server in master-replica relationships.


The following example shows the updated [mysqld] section of a my.cnf file:

    [mysqld]
    log-bin=mysql-bin
    server-id=1

For more information, go to Setting the Replication Master Configuration in the MySQL documentation.

3. Start the mysql service:

    sudo service mysqld start

To Create a Backup Copy of Your Existing Database

1. Create a backup of your data using the mysqldump utility, specifying either SQL or delimited-text format. You must specify --master-data=2 in order to create a backup file that can be used to start replication between servers. For more information, go to the mysqldump documentation.

To improve performance and ensure data integrity, use the --order-by-primary and --single-transaction options of mysqldump.

To avoid including the MySQL system database in the backup, do not use the --all-databases option with mysqldump. For more information, go to Creating a Dump Snapshot Using mysqldump in the MySQL documentation.

Use chmod if necessary to make sure that the directory where the backup file is being created is writeable.

• To produce SQL output, use the following command:

For Linux, OS X, or Unix:

    sudo mysqldump \
        --databases <database_name> \
        --master-data=2 \
        --single-transaction \
        --order-by-primary \
        -r backup.sql \
        -u <local_user> \
        -p<password>

For Windows:

    sudo mysqldump ^
        --databases <database_name> ^
        --master-data=2 ^
        --single-transaction ^
        --order-by-primary ^
        -r backup.sql ^
        -u <local_user> ^
        -p<password>

• To produce delimited-text output, use the following command:


For Linux, OS X, or Unix:

    sudo mysqldump \
        --tab=<target_directory> \
        --fields-terminated-by ',' \
        --fields-enclosed-by '"' \
        --lines-terminated-by 0x0d0a \
        <database_name> \
        --master-data=2 \
        --single-transaction \
        --order-by-primary \
        -p<password>

For Windows:

    sudo mysqldump ^
        --tab=<target_directory> ^
        --fields-terminated-by ',' ^
        --fields-enclosed-by '"' ^
        --lines-terminated-by 0x0d0a ^
        <database_name> ^
        --master-data=2 ^
        --single-transaction ^
        --order-by-primary ^
        -p<password>

Note

You must create any stored procedures, triggers, functions, or events manually in your Amazon RDS database. If you have any of these objects in the database that you are copying, exclude them when you run mysqldump by including the following arguments with your mysqldump command: --routines=0 --triggers=0 --events=0.

When using the delimited-text format, a CHANGE MASTER TO comment is returned when you run mysqldump. This comment contains the master log file name and position. If the external instance is not MariaDB version 10.0.2 or greater, note the values for MASTER_LOG_FILE and MASTER_LOG_POS; you need these values when setting up replication.

    -- Position to start replication or point-in-time recovery from
    --
    -- CHANGE MASTER TO MASTER_LOG_FILE='mysql-bin-changelog.000001', MASTER_LOG_POS=107;

If you are using SQL format, you can get the master log file name and position in step 4 of the procedure at Replicate Between Your External Database and New Amazon RDS DB Instance (p. 218).

If the external instance is MariaDB version 10.0.2 or greater, you can get the GTID in the next step.

2. If the external instance you are using is MariaDB version 10.0.2 or greater, you use GTID-based replication. Run SHOW MASTER STATUS on the external MariaDB instance to get the binary log file name and position, then convert them to a GTID by running BINLOG_GTID_POS on the external MariaDB instance:

    SELECT BINLOG_GTID_POS('<binary log file name>', <binary log file position>);

Note the GTID returned; you need it to configure replication.


3. Compress the copied data to reduce the amount of network resources needed to copy your data to the Amazon RDS DB instance. Take note of the size of the backup file; you need this information when determining how large an Amazon EC2 instance to create. When you are done, compress the backup file using GZIP or your preferred compression utility.

• To compress SQL output, use the following command: gzip backup.sql

• To compress delimited-text output, use the following command: tar -zcvf backup.tar.gz <target_directory>
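Steps 1 and 2 above both hand you binary log coordinates: the CHANGE MASTER TO comment that --master-data=2 writes into the dump (the same comment is read back in step 4 of To Start Replication, later in this topic), and the BINLOG_GTID_POS conversion for a MariaDB 10.0.2 or greater source. The following is an added example, not code from the RDS guide, that pulls the coordinates out of a dump header and builds the conversion query. The sample header is constructed from the comment shown in the guide; parse_dump_header reads only the first 64 KB of the file, so a multi-gigabyte backup.sql is not loaded into memory.

```python
"""Extract binary log coordinates from a mysqldump header and build the MariaDB
GTID conversion query. Added example, not code from the RDS guide."""
import re
from typing import NamedTuple, Optional

# --master-data=2 writes the statement as a comment ("-- CHANGE MASTER TO ...");
# --master-data=1 writes it as a live statement. Both forms are matched.
_CHANGE_MASTER = re.compile(
    r"^(?P<comment>--\s*)?CHANGE MASTER TO\s+MASTER_LOG_FILE='(?P<file>[^']+)',\s*"
    r"MASTER_LOG_POS=(?P<pos>\d+);",
    re.MULTILINE,
)


class BinlogCoords(NamedTuple):
    log_file: str
    log_pos: int
    commented: bool   # True when the dump was taken with --master-data=2


def parse_change_master(dump_text: str) -> Optional[BinlogCoords]:
    """Return the coordinates from the first CHANGE MASTER TO line, or None if absent."""
    m = _CHANGE_MASTER.search(dump_text)
    if not m:
        return None
    return BinlogCoords(m.group("file"), int(m.group("pos")), m.group("comment") is not None)


def parse_dump_header(path: str, max_bytes: int = 64 * 1024) -> Optional[BinlogCoords]:
    """Read only the start of a (possibly huge) backup.sql; the comment sits near the top."""
    with open(path, "r", encoding="utf-8", errors="replace") as f:
        return parse_change_master(f.read(max_bytes))


def binlog_gtid_pos_query(coords: BinlogCoords) -> str:
    """The conversion the guide runs on a MariaDB 10.0.2+ source to turn the
    coordinates into a GTID (SELECT BINLOG_GTID_POS(file, pos))."""
    if "'" in coords.log_file:
        raise ValueError("unexpected quote in binary log file name")
    return f"SELECT BINLOG_GTID_POS('{coords.log_file}', {coords.log_pos});"


# Constructed sample: the header a --master-data=2 dump produces, using the
# file name and position shown in the guide's example comment.
SAMPLE_HEADER = """-- (constructed sample header)
--
-- Position to start replication or point-in-time recovery from
--
-- CHANGE MASTER TO MASTER_LOG_FILE='mysql-bin-changelog.000001', MASTER_LOG_POS=107;

CREATE DATABASE IF NOT EXISTS `world`;
"""

if __name__ == "__main__":
    coords = parse_change_master(SAMPLE_HEADER)
    print(coords)
    print(binlog_gtid_pos_query(coords))
```

Recording the coordinates at dump time (rather than re-reading SHOW MASTER STATUS later) matters because the source keeps writing after the dump; replication must start from the position the --single-transaction snapshot was taken at, which is exactly what this comment records.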

Create an Amazon EC2 Instance and Copy the Compressed Database

Copying your compressed database backup file to an Amazon EC2 instance takes fewer network resources than doing a direct copy of uncompressed data between database instances. Once your data is in Amazon EC2, you can copy it from there directly to your Amazon RDS MySQL or MariaDB DB instance. Note that for you to save on the cost of network resources, your Amazon EC2 instance must be in the same region as your Amazon RDS DB instance. Having the Amazon EC2 instance in the same region as your Amazon RDS DB instance also reduces network latency during the import.

To Create an Amazon EC2 Instance and Copy Your Data

1. In the region where you will create your Amazon RDS instance, create an Amazon Virtual Private Cloud (Amazon VPC), a VPC security group, and a VPC subnet. Ensure that the inbound rules for your VPC security group allow the IP addresses required for your application to connect to AWS. This can be a range of IP addresses (for example, 203.0.113.0/24), or another VPC security group. You can use the Amazon VPC Console to create and manage VPCs, subnets, and security groups. For more information, go to Getting Started with Amazon VPC in the Amazon Virtual Private Cloud Getting Started Guide.

Note

Older AWS accounts can also launch instances in Amazon EC2-Classic mode. In this case, make sure that the inbound rules in the DB security group for your Amazon RDS instance allow access for your EC2-Classic instance using the Amazon EC2 private IP address. For more information, see Working with DB Security Groups (p. 740).

2. Open the Amazon EC2 Console and select the region to contain both your Amazon EC2 instance and your Amazon RDS DB instance. Launch an Amazon EC2 instance using the VPC, subnet, and security group that you created in Step 1. Ensure that you select an instance type with enough storage for your database backup file when it is uncompressed. For details on Amazon EC2 instances, go to Getting Started with Amazon EC2 Linux Instances in the Amazon Elastic Compute Cloud User Guide for Linux.

3. Edit the VPC security group and add the private IP address for your new Amazon EC2 instance. The private IP address is used when connecting to your Amazon RDS DB instance. You can find the private IP address on the Details tab of the Instance pane in the Amazon Elastic Compute Cloud. For more information on modifying a VPC security group, go to Security Groups for Your VPC in the Amazon Virtual Private Cloud User Guide.

4. Copy your compressed database backup file from your local system to your Amazon EC2 instance. Use chmod if necessary to make sure you have write permission for the target directory of the Amazon EC2 instance. You can use scp or an SSH client to copy the file. The following is an example:

    $ scp -r -i <key pair>.pem backup.sql.gz <user>@<EC2 DNS>:/<target_directory>/backup.sql.gz

Important

Be sure to copy sensitive data using a secure network transfer protocol.

5. Connect to your Amazon EC2 instance and install the latest updates and the MySQL client tools using the following commands:

    sudo yum update -y
    sudo yum install mysql-server -y

For more information, go to Connect to Your Instance in the Amazon Elastic Compute Cloud User Guide for Linux.

6. While connected to your Amazon EC2 instance, decompress your database backup file. For example:

• To decompress SQL output, use the following command: gzip backup.sql.gz -d

• To decompress delimited-text output, use the following command: tar xzvf backup.tar.gz

Create an Amazon RDS MySQL or MariaDB DB instance and Import Data from Your Amazon EC2 Instance

By creating an Amazon RDS MySQL or MariaDB DB instance in the same region as your Amazon EC2 instance, you can import the database backup file from Amazon EC2 faster than you can import it over the Internet.


To Create an Amazon RDS MySQL or MariaDB DB Instance and Import Your Data

1. Determine which DB instance class and what amount of storage space is required to support the expected workload for this Amazon RDS DB instance. This process should include deciding what is sufficient space and processing capacity for your data load procedures, and also what is required to handle the production workload. You can estimate this based on the size and resources of the source MySQL or MariaDB database. For more information, see DB Instance Class (p. 104).

2. Determine if Amazon RDS provisioned input/output operations per second (IOPS) is required to support the workloads. Provisioned IOPS storage delivers fast throughput for online transaction processing (OLTP) workloads, which are I/O intensive. For more information, see Amazon RDS Provisioned IOPS Storage to Improve Performance (p. 125).

3. Open the Amazon RDS Console. In the upper-right corner, select the region that contains your Amazon EC2 instance.

4. Choose Launch a DB Instance, and then go through the steps to select options for your DB instance:

a. On the Select Engine page, choose MySQL or MariaDB, as appropriate.

b. On the Do you plan to use this database for production purposes? page, choose No to skip configuring Multi-AZ deployment and provisioned IOPS storage.

c. In the Instance Specifications section of the Specify DB Details page, specify the DB instance class and allocated storage size that you have determined are appropriate. Choose No for Multi-AZ Deployment. Specify whether or not to use Provisioned IOPS as you determined in Step 2. For DB Engine Version, choose the version that is compatible with your source MySQL instance, as follows:

• If your source instance is MySQL 5.1.x, the Amazon RDS DB instance must be MySQL 5.5.x.

• If your source instance is MySQL 5.5.x, the Amazon RDS DB instance must be MySQL 5.5.x or greater.

• If your source instance is MySQL 5.6.x, the Amazon RDS DB instance must be MySQL 5.6.x or MariaDB.

• If your source instance is MySQL 5.7.x, the Amazon RDS DB instance must be MySQL 5.7.x, 5.6.x, or MariaDB.


• If your source instance is MariaDB 5.1, 5.2, or 5.3, the Amazon RDS DB instance must be MySQL 5.1.x.

• If your source instance is MariaDB 5.5 or greater, the Amazon RDS DB instance must be MariaDB.

Important

If your source MySQL instance runs a version prior to version 5.6.4, or if the source MySQL instance was upgraded from a version prior to version 5.6.4, then you must create an Amazon RDS MySQL DB instance running version 5.6.23 or later.

Accept the default values for all other boxes in this section.

In the Settings section, specify the requested database and user information. Choose Next when you are done.

d. In the Network & Security section of the Configure Advanced Settings page, select the same VPC and VPC security group as for your Amazon EC2 instance. This approach ensures that your Amazon EC2 instance and your Amazon RDS instance are visible to each other over the network. Set Publicly Accessible to Yes. Your DB instance must be publicly accessible to set up replication with your source database as described later in this topic. Accept the default values for all other boxes in this section.

In the Database Options section, specify a database name. Accept the default values for all other boxes in this section.

In the Backup section, set the backup retention period to 0. Accept the default values for all other boxes in this section.

In the Maintenance section, accept the default values for all of the boxes. Choose Launch Instance when you are done.

Do not configure multiple Availability Zones, backup retention, or Read Replicas until after you have imported the database backup. When that import is done, you can set Multi-AZ and backup retention the way you want them for the production instance. For a detailed walkthrough of creating an Amazon RDS MySQL DB instance, see Creating a DB Instance Running the MySQL Database Engine (p. 188). For a detailed walkthrough of creating an Amazon RDS MariaDB DB instance, see Creating a DB Instance Running the MariaDB Database Engine (p. 579).

5. Review the default configuration options for the Amazon RDS DB instance. In the left navigation pane of the Amazon RDS Management Console, choose Parameter Groups, and then choose the magnifying glass icon next to the default.mysqlx.x or default.mariadbx.x parameter group. If this parameter group does not have the configuration options that you want, find a different one that does, or create a new parameter group. For more information on creating a parameter group, see Working with DB Parameter Groups (p. 724). If you decide to use a different parameter group than the default, associate it with your Amazon RDS DB instance. For more information, see Modifying a DB Instance Running the MySQL Database Engine (p. 200) or Modifying a DB Instance Running the MariaDB Database Engine (p. 592).

6. Connect to the new Amazon RDS DB instance as the master user, and create the users required to support the administrators, applications, and services that need to access the instance. The host name for the Amazon RDS DB instance is the Endpoint value for this instance without including the port number, for example mysampledb.claxc2oy9ak1.us-west-2.rds.amazonaws.com. You can find the endpoint value in the instance details in the Amazon RDS Management Console.

7. Connect to your Amazon EC2 instance. For more information, go to Connect to Your Instance in the Amazon Elastic Compute Cloud User Guide for Linux.

8. Connect to your Amazon RDS DB instance as a remote host from your Amazon EC2 instance using the mysql command. The following is an example:

    mysql -h <host_name> -P 3306 -u <db_master_user> -p

The host name is the DNS name from the Amazon RDS DB instance endpoint.


9. At the mysql prompt, run the source command and pass it the name of your database dump file to load the data into the Amazon RDS DB instance.

• For SQL format, use the following command:

    mysql> source backup.sql;

• For delimited-text format, first create the database (if it isn't the default database you created when setting up the Amazon RDS DB instance):

    mysql> create database <database_name>;
    mysql> use <database_name>;

Then create the tables:

    mysql> source <table1>.sql
    mysql> source <table2>.sql
    etc…

Then import the data:

    mysql> LOAD DATA LOCAL INFILE 'table1.txt' INTO TABLE table1 FIELDS TERMINATED BY ',' ENCLOSED BY '"' LINES TERMINATED BY 0x0d0a;
    mysql> LOAD DATA LOCAL INFILE 'table2.txt' INTO TABLE table2 FIELDS TERMINATED BY ',' ENCLOSED BY '"' LINES TERMINATED BY 0x0d0a;
    etc…

To improve performance, you can perform these operations in parallel from multiple connections so that all of your tables get created and then loaded at the same time.

Note

If you used any data-formatting options with mysqldump when you initially dumped the table, you must use the same options with mysqlimport or LOAD DATA LOCAL INFILE to ensure proper interpretation of the data file contents.

10. Run a simple SELECT query against one or two of the tables in the imported database to verify that the import was successful.

11. This procedure no longer requires the Amazon EC2 instance. If you no longer need the Amazon EC2 instance that you imported your data from, then you can terminate it.

Replicate Between Your External Database and New Amazon RDS DB Instance

Because your source database was likely updated during the time that it took to copy and transfer the data to the Amazon RDS MySQL or MariaDB DB instance, you can use replication to bring the copied database up-to-date with the source database.


Note

The permissions required to start replication on an Amazon RDS DB instance are restricted and not available to your Amazon RDS master user. Because of this, you must use either the Amazon RDS mysql.rds_set_external_master (p. 244) command or the mysql.rds_set_external_master_gtid (p. 608) command to configure replication, and the mysql.rds_start_replication (p. 246) command to start replication between your live database and your Amazon RDS database.

To Start Replication

Earlier, you enabled binary logging and set a unique server ID for your source database. Now you can set up your Amazon RDS DB instance as a replica with your live database as the replication master.

1. In the Amazon RDS Management Console, add the IP address of the server that hosts the source database to the VPC security group for the Amazon RDS DB instance. For more information on modifying a VPC security group, go to Security Groups for Your VPC in the Amazon Virtual Private Cloud User Guide.

You might also need to configure your local network to permit connections from the IP address of your Amazon RDS DB instance, so that it can communicate with your source instance. To find the IP address of the Amazon RDS DB instance, use the host command:

    host <RDS_MySQL_DB_host_name>

The host name is the DNS name from the Amazon RDS DB instance endpoint, for example myinstance.123456789012.us-east-1.rds.amazonaws.com. You can find the endpoint value in the instance details in the Amazon RDS Management Console.

2. Using the client of your choice, connect to the source instance and create a user to be used for replication. This account is used solely for replication and must be restricted to your domain to improve security. The following is an example:


CREATE USER 'repl_user'@'mydomain.com' IDENTIFIED BY '<password>';

3. For the source instance, grant REPLICATION CLIENT and REPLICATION SLAVE privileges to your replication user. For example, to grant the REPLICATION CLIENT and REPLICATION SLAVE privileges on all databases for the 'repl_user' user for your domain, issue the following command:

GRANT REPLICATION CLIENT, REPLICATION SLAVE ON *.* TO 'repl_user'@'mydomain.com' IDENTIFIED BY '<password>';

4. If you used SQL format to create your backup file and the external instance is not MariaDB 10.0.2 or greater, look at the contents of that file:

cat backup.sql

The file includes a CHANGE MASTER TO comment that contains the master log file name and position. This comment is included in the backup file when you use the --master-data option with mysqldump. Note the values for MASTER_LOG_FILE and MASTER_LOG_POS.

--
-- Position to start replication or point-in-time recovery from
--
-- CHANGE MASTER TO MASTER_LOG_FILE='mysql-bin-changelog.000001', MASTER_LOG_POS=107;

If you used delimited text format to create your backup file and the external instance is not MariaDB 10.0.2 or greater, you should already have binary log coordinates from step 1 of the procedure at To Create a Backup Copy of Your Existing Database (p. 212).

If the external instance is MariaDB 10.0.2 or greater, you should already have the GTID from which to start replication from step 2 of the procedure at To Create a Backup Copy of Your Existing Database (p. 212).

5. Make the Amazon RDS DB instance the replica. If the external instance is not MariaDB 10.0.2 or greater, connect to the Amazon RDS DB instance as the master user and identify the source database as the replication master by using the mysql.rds_set_external_master (p. 244) command. Use the master log file name and master log position that you determined in the previous step if you have a SQL format backup file, or that you determined when creating the backup files if you used delimited-text format. The following is an example:

CALL mysql.rds_set_external_master ('mymasterserver.mydomain.com', 3306,
    'repl_user', '<password>', 'mysql-bin-changelog.000001', 107, 0);

If the external instance is MariaDB 10.0.2 or greater, connect to the Amazon RDS DB instance as the master user and identify the source database as the replication master by using the mysql.rds_set_external_master_gtid (p. 608) command. Use the GTID that you determined in step 2 of the procedure at To Create a Backup Copy of Your Existing Database (p. 212). The following is an example:

CALL mysql.rds_set_external_master_gtid ('Sourcedb.some.com', 3306, 'ReplicationUser', 'SomePassW0rd', '0-123-456', 0);


6. On the Amazon RDS DB instance, issue the mysql.rds_start_replication (p. 246) command to start replication:

CALL mysql.rds_start_replication;

7. On the Amazon RDS DB instance, run the SHOW SLAVE STATUS command to determine when the replica is up-to-date with the replication master. The results of the SHOW SLAVE STATUS command include the Seconds_Behind_Master field. When the Seconds_Behind_Master field returns 0, then the replica is up-to-date with the master.

8. After the Amazon RDS DB instance is up-to-date, enable automated backups so you can restore that database if needed. You can enable or modify automated backups for your Amazon RDS DB instance using the Amazon RDS Management Console. For more information, see Working With Automated Backups (p. 674).

Redirect Your Live Application to Your Amazon RDS Instance

Once the Amazon RDS MySQL or MariaDB DB instance is up-to-date with the replication master, you can now update your live application to use the Amazon RDS instance.

To Redirect Your Live Application to Your Amazon RDS MySQL or MariaDB DB Instance and Stop Replication

1. Add the IP address of the server that hosts the application to the VPC security group for the Amazon RDS DB instance. For more information on modifying a VPC security group, go to Security Groups for Your VPC in the Amazon Virtual Private Cloud User Guide.

2. Verify that the Seconds_Behind_Master field in the SHOW SLAVE STATUS command results is 0, which indicates that the replica is up-to-date with the replication master:


SHOW SLAVE STATUS;

3. Stop replication for the Amazon RDS instance using the mysql.rds_stop_replication (p. 247) command:

CALL mysql.rds_stop_replication;

4. Update your application to use the Amazon RDS DB instance. This update typically involves changing the connection settings to identify the host name and port of the Amazon RDS DB instance, the user account and password to connect with, and the database to use.

5. Run the mysql.rds_reset_external_master (p. 246) command on your Amazon RDS DB instance to reset the replication configuration so this instance is no longer identified as a replica:

CALL mysql.rds_reset_external_master;

6. Enable additional Amazon RDS features such as Multi-AZ support and Read Replicas. For more information, see High Availability (Multi-AZ) (p. 112) and Working with PostgreSQL, MySQL, and MariaDB Read Replicas (p. 649).
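The two checks that decide the cutover in the procedures above, reading the binlog coordinates out of a --master-data dump and treating the replica as caught up only when Seconds_Behind_Master is exactly 0, can be scripted. The following Python example is added here and is not part of the AWS guide; the backup-file header and the SHOW SLAVE STATUS\G output it parses are constructed samples, and the parameter tuple it builds assumes a DB-API client that quotes bind parameters client-side (an assumption, not something the guide specifies).

```python
import re

# Constructed sample of the header mysqldump --master-data writes at the top of backup.sql.
SAMPLE_BACKUP_HEADER = """\
-- MySQL dump 10.13
--
-- Position to start replication or point-in-time recovery from
--
-- CHANGE MASTER TO MASTER_LOG_FILE='mysql-bin-changelog.000001', MASTER_LOG_POS=107;
--
"""

# Constructed sample of SHOW SLAVE STATUS\G output on the RDS replica, trimmed to the
# fields used below.
SAMPLE_SLAVE_STATUS = """\
*************************** 1. row ***************************
               Slave_IO_State: Waiting for master to send event
                  Master_Host: mymasterserver.mydomain.com
                  Master_Port: 3306
             Slave_IO_Running: Yes
            Slave_SQL_Running: Yes
        Seconds_Behind_Master: 0
"""

CHANGE_MASTER_RE = re.compile(
    r"CHANGE MASTER TO\s+MASTER_LOG_FILE='([^']+)',\s*MASTER_LOG_POS=(\d+)")
# Binlog file names look like <basename>.<six digits>; reject anything else before it
# reaches a CALL statement.
BINLOG_FILE_RE = re.compile(r"^[A-Za-z0-9_.-]+\.\d{6}$")


def parse_master_coordinates(backup_sql: str) -> tuple:
    """Return (MASTER_LOG_FILE, MASTER_LOG_POS) from the CHANGE MASTER TO comment."""
    match = CHANGE_MASTER_RE.search(backup_sql)
    if match is None:
        raise ValueError("no CHANGE MASTER TO comment: was mysqldump run with --master-data?")
    log_file, log_pos = match.group(1), int(match.group(2))
    if not BINLOG_FILE_RE.match(log_file):
        raise ValueError(f"unexpected binlog file name: {log_file!r}")
    return log_file, log_pos


def set_external_master_params(host, port, user, password, log_file, log_pos, ssl=0):
    """Parameter tuple for the seven arguments of mysql.rds_set_external_master.

    Intended as the bind parameters of
    CALL mysql.rds_set_external_master(%s, %s, %s, %s, %s, %s, %s) through a DB-API client
    (assumption: the client quotes parameters client-side), so the password is never
    spliced into SQL text by hand.
    """
    if not 0 < int(port) < 65536:
        raise ValueError(f"port out of range: {port}")
    if ssl not in (0, 1):
        raise ValueError("ssl_encryption must be 0 or 1")
    return (host, int(port), user, password, log_file, int(log_pos), ssl)


def parse_show_slave_status(text: str) -> dict:
    r"""Turn SHOW SLAVE STATUS\G output into a {field: value} dict."""
    status = {}
    for line in text.splitlines():
        if line.startswith("*") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        status[key.strip()] = value.strip()
    return status


def replica_caught_up(text: str) -> bool:
    """True only when both replication threads run and Seconds_Behind_Master is exactly 0.

    Seconds_Behind_Master is NULL when the SQL thread is not applying events; that must
    not be mistaken for zero lag before the application is redirected.
    """
    status = parse_show_slave_status(text)
    if status.get("Slave_IO_Running") != "Yes" or status.get("Slave_SQL_Running") != "Yes":
        return False
    lag = status.get("Seconds_Behind_Master", "NULL")
    if lag == "NULL":
        return False
    return int(lag) == 0


if __name__ == "__main__":
    log_file, log_pos = parse_master_coordinates(SAMPLE_BACKUP_HEADER)
    print(set_external_master_params("mymasterserver.mydomain.com", 3306, "repl_user",
                                     "<password>", log_file, log_pos))
    print("caught up:", replica_caught_up(SAMPLE_SLAVE_STATUS))
```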

Importing Data From Any Source to a MySQL or MariaDB DB Instance

If you have more than 1GB of data to load, or if your data is coming from somewhere other than a MySQL or MariaDB database, we recommend creating flat files and loading them with mysqlimport. mysqlimport is another command line utility bundled with the MySQL and MariaDB client software whose purpose is to load flat files into MySQL or MariaDB. For information about mysqlimport, go to mysqlimport - A Data Import Program in the MySQL documentation.

We also recommend creating DB Snapshots of the target Amazon RDS DB instance before and after the data load. Amazon RDS DB Snapshots are complete backups of your DB instance that can be used to restore your DB instance to a known state. When you initiate a DB Snapshot, I/O operations to your database instance are momentarily suspended while your database is backed up.

Creating a DB Snapshot immediately before the load allows you to restore the database to its state prior to the load, should the need arise. A DB Snapshot taken immediately after the load protects you from having to load the data again in case of a mishap and can also be used to seed new database instances.

The following list shows the steps to take. Each step is discussed in more detail below.

1. Create flat files containing the data to be loaded.

2. Stop any applications accessing the target DB instance.

3. Create a DB Snapshot.

4. Consider disabling Amazon RDS automated backups.

5. Load the data using mysqlimport.

6. Enable automated backups again.

Step 1: Create Flat Files Containing the Data to be Loaded

Use a common format, such as CSV (Comma-Separated Values), to store the data to be loaded. Each table must have its own file; data for multiple tables cannot be combined in the same file. Give each file the same name as the table it corresponds to. The file extension can be anything you like. For example, if the table name is "sales", the file name could be "sales.csv" or "sales.txt", but not "sales_01.csv".

Whenever possible, order the data by the primary key of the table being loaded. This drastically improves load times and minimizes disk storage requirements.

The speed and efficiency of this procedure is dependent upon keeping the size of the files small. If the uncompressed size of any individual file is larger than 1GB, split it into multiple files and load each one separately.

On Unix-like systems (including Linux), use the 'split' command. For example, the following command splits the sales.csv file into multiple files of less than 1GB, splitting only at line breaks (-C 1024m). The new files will be named sales.part_00, sales.part_01, etc.

split -C 1024m -d sales.csv sales.part_

Similar utilities are available on other operating systems.

Step 2: Stop Any Applications Accessing the Target DB Instance

Before starting a large load, stop all application activity accessing the target DB instance that you will be loading to (particularly if other sessions will be modifying the tables being loaded or tables they reference).

This will reduce the risk of constraint violations occurring during the load, improve load performance, and make it possible to restore the database instance to the point just prior to the load without losing changes made by processes not involved in the load.

Of course, this may not be possible or practical. If you are unable to stop applications from accessing the DB instance prior to the load, take steps to ensure the availability and integrity of your data. The specific steps required vary greatly depending upon specific use cases and site requirements.

Step 3: Create a DB Snapshot

If you will be loading data into a new DB instance that contains no data, you may skip this step. Otherwise, creating a DB Snapshot of your DB instance will allow you to restore the database instance to the point just prior to the load, if it becomes necessary. As previously mentioned, when you initiate a DB Snapshot, I/O operations to your database instance are suspended for a few minutes while the database is backed up.

In the example below, we use the AWS CLI create-db-snapshot command to create a DB Snapshot of our AcmeRDS instance and give the DB Snapshot the identifier "preload".

For Linux, OS X, or Unix:

aws rds create-db-snapshot \
    --db-instance-identifier AcmeRDS \
    --db-snapshot-identifier preload

For Windows:

aws rds create-db-snapshot ^
    --db-instance-identifier AcmeRDS ^
    --db-snapshot-identifier preload


You can also use the restore from DB Snapshot functionality in order to create test database instances for dry runs or to "undo" changes made during the load.

It is important to keep in mind that restoring a database from a DB Snapshot creates a new DB instance which, like all DB instances, has a unique identifier and endpoint. If you need to restore the database instance without changing the endpoint, you must first delete the DB instance so that the endpoint can be reused.

For example, to create a DB instance for dry runs or other testing, you would give the DB instance its own identifier. In the example, "AcmeRDS-2" is the identifier and we would connect to the database instance using the endpoint associated with AcmeRDS-2.

For Linux, OS X, or Unix:

aws rds restore-db-instance-from-db-snapshot \
    --db-instance-identifier AcmeRDS-2 \
    --db-snapshot-identifier preload

For Windows:

aws rds restore-db-instance-from-db-snapshot ^
    --db-instance-identifier AcmeRDS-2 ^
    --db-snapshot-identifier preload

To reuse the existing endpoint, we must first delete the database instance and then give the restored database the same identifier:

For Linux, OS X, or Unix:

aws rds delete-db-instance \
    --db-instance-identifier AcmeRDS \
    --final-db-snapshot-identifier AcmeRDS-Final

aws rds restore-db-instance-from-db-snapshot \
    --db-instance-identifier AcmeRDS \
    --db-snapshot-identifier preload

For Windows:

aws rds delete-db-instance ^
    --db-instance-identifier AcmeRDS ^
    --final-db-snapshot-identifier AcmeRDS-Final

aws rds restore-db-instance-from-db-snapshot ^
    --db-instance-identifier AcmeRDS ^
    --db-snapshot-identifier preload

Note that the example takes a final DB Snapshot of the database instance before deleting it. This is optional, but recommended.

Step 4: Consider Disabling Amazon RDS Automated Backups

Warning: DO NOT DISABLE AUTOMATED BACKUPS IF YOU NEED TO RETAIN THE ABILITY TO PERFORM POINT-IN-TIME RECOVERY. Disabling automated backups erases all existing backups, so point-in-time recovery will not be possible after automated backups have been disabled. Disabling automated backups is a performance optimization and is not required for data loads. Note that DB Snapshots are not affected by disabling automated backups. All existing DB Snapshots are still available for restore.

Disabling automated backups will reduce load time by about 25% and reduce the amount of storage space required during the load. If you will be loading data into a new DB instance that contains no data, disabling backups is an easy way to speed up the load and avoid using the additional storage needed for backups. However, if you will be loading into a DB instance that already contains data, you must weigh the benefits of disabling backups against the impact of losing the ability to perform point-in-time recovery.

DB instances have automated backups enabled by default (with a one day retention period). In order to disable automated backups, you must set the backup retention period to zero. After the load, you can re-enable backups by setting the backup retention period to a non-zero value. In order to enable or disable backups, Amazon RDS must shut the DB instance down and restart it in order to turn MySQL or MariaDB logging on or off.

Use the AWS CLI modify-db-instance command to set the backup retention to zero and apply the change immediately. Setting the retention period to zero requires a DB instance restart, so wait until the restart has completed before proceeding.

For Linux, OS X, or Unix:

aws rds modify-db-instance \
    --db-instance-identifier AcmeRDS \
    --apply-immediately \
    --backup-retention-period 0

For Windows:

aws rds modify-db-instance ^
    --db-instance-identifier AcmeRDS ^
    --apply-immediately ^
    --backup-retention-period 0

You can check the status of your DB instance with the AWS CLI describe-db-instances command. The example displays the status of the AcmeRDS database instance and includes the --headers option to show column headings.

For Linux, OS X, or Unix:

aws rds describe-db-instances \
    --db-instance-identifier AcmeRDS \
    --headers

For Windows:

aws rds describe-db-instances ^
    --db-instance-identifier AcmeRDS ^
    --headers

When the Status column shows that the database is available, you're ready to proceed.


Step 5: Load the Data

Use the mysqlimport utility to load the flat files into Amazon RDS. In the example we tell mysqlimport to load all of the files named "sales" with an extension starting with "part_". This is a convenient way to load all of the files created in the "split" example. Use the --compress option to minimize network traffic. The --fields-terminated-by=',' option is used for CSV files and the --local option specifies that the incoming data is located on the client. Without the --local option, the Amazon RDS DB instance will look for the data on the database host, so always specify the --local option.

For Linux, OS X, or Unix:

mysqlimport --local \
    --compress \
    --user=username \
    --password \
    --host=hostname \
    --fields-terminated-by=',' Acme sales.part_*

For Windows:

mysqlimport --local ^
    --compress ^
    --user=username ^
    --password ^
    --host=hostname ^
    --fields-terminated-by=',' Acme sales.part_*

For very large data loads, take additional DB Snapshots periodically between loading files and note which files have been loaded. If a problem occurs, you can easily resume from the point of the last DB Snapshot, avoiding lengthy reloads.

Step 6: Enable Amazon RDS Automated Backups

Once the load is finished, re-enable Amazon RDS automated backups by setting the backup retention period back to its pre-load value. As noted earlier, Amazon RDS will restart the DB instance, so be prepared for a brief outage.

In the example, we use the AWS CLI modify-db-instance command to enable automated backups for the AcmeRDS DB instance and set the retention period to 1 day.

For Linux, OS X, or Unix:

aws rds modify-db-instance \
    --db-instance-identifier AcmeRDS \
    --backup-retention-period 1 \
    --apply-immediately

For Windows:

aws rds modify-db-instance ^
    --db-instance-identifier AcmeRDS ^
    --backup-retention-period 1 ^
    --apply-immediately
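The flat-file rules from Step 1 and Step 5 of this procedure (one table per file, the table name taken from the file name, parts under 1GB split only at line breaks, --local on every load) can be enforced before mysqlimport ever runs. The following Python example is added here and is not part of the AWS guide; it writes a constructed sales.csv to a temporary directory, splits it the way split -C does, and builds the mysqlimport argument list. The "everything after the first dot is the extension" rule is mysqlimport's own naming behaviour; the 40-byte cap in the demo is a constructed value standing in for the page's 1GB limit.

```python
import os
import shutil
import tempfile

ONE_GIB = 1024 * 1024 * 1024  # per-file limit the procedure sets for mysqlimport loads

# Constructed sample rows for a `sales` table (id, sale_date, amount).
SAMPLE_ROWS = [f"{i},2016-01-{i:02d},19.99\n".encode() for i in range(1, 11)]


def table_name_for_file(path: str) -> str:
    """Table mysqlimport loads a file into: the base name up to its first '.'.

    sales.csv, sales.txt and sales.part_00 all map to `sales`; sales_01.csv maps to `sales_01`.
    """
    return os.path.basename(path).split(".", 1)[0]


def check_flat_files(paths, expected_tables, max_bytes=ONE_GIB) -> list:
    """Return the problems that would make a load wrong or slow (empty list means ready)."""
    problems = []
    for path in paths:
        table = table_name_for_file(path)
        if table not in expected_tables:
            problems.append(f"{path}: would load into unexpected table {table!r}")
        if os.path.getsize(path) > max_bytes:
            problems.append(f"{path}: larger than {max_bytes} bytes, split it first")
    return problems


def split_at_line_breaks(path: str, max_bytes: int, prefix: str = None) -> list:
    """Equivalent of `split -C <max_bytes> -d sales.csv sales.part_`.

    Every part holds whole lines only and is at most max_bytes, except that a single
    line longer than max_bytes becomes its own part rather than being cut.
    """
    prefix = prefix or table_name_for_file(path) + ".part_"
    parts, buf, size = [], [], 0

    def flush():
        nonlocal buf, size
        if not buf:
            return
        out = os.path.join(os.path.dirname(path), f"{prefix}{len(parts):02d}")
        with open(out, "wb") as fh:
            fh.write(b"".join(buf))
        parts.append(out)
        buf, size = [], 0

    with open(path, "rb") as fh:
        for line in fh:
            if size + len(line) > max_bytes:
                flush()
            buf.append(line)
            size += len(line)
    flush()
    return parts


def mysqlimport_argv(host: str, user: str, database: str, paths) -> list:
    """Argument vector for the page's mysqlimport invocation (no shell, so file names are
    passed verbatim). --local is mandatory on RDS because the server cannot read client
    files; a bare --password makes the client prompt instead of exposing the value in `ps`.
    """
    return ["mysqlimport", "--local", "--compress", f"--user={user}", "--password",
            f"--host={host}", "--fields-terminated-by=,", database] + sorted(paths)


def run_demo(max_bytes: int = 40) -> dict:
    """Write the constructed sales.csv to a temp dir, split it, and validate the parts."""
    tmp = tempfile.mkdtemp()
    try:
        src = os.path.join(tmp, "sales.csv")
        with open(src, "wb") as fh:
            fh.write(b"".join(SAMPLE_ROWS))
        parts = split_at_line_breaks(src, max_bytes)
        joined = b""
        for part in parts:
            with open(part, "rb") as fh:
                joined += fh.read()
        stray = os.path.join(tmp, "sales_01.csv")  # the misnamed file the page warns about
        with open(stray, "wb") as fh:
            fh.write(SAMPLE_ROWS[0])
        return {
            "parts": len(parts),
            "max_part_size": max(os.path.getsize(p) for p in parts),
            "lossless": joined == b"".join(SAMPLE_ROWS),
            "tables": sorted({table_name_for_file(p) for p in parts}),
            "problems": check_flat_files(parts, {"sales"}),
            "stray_problems": check_flat_files([stray], {"sales"}),
            "argv": mysqlimport_argv("hostname", "username", "Acme", parts),
        }
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```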


Replication with a MySQL or MariaDB Instance Running External to Amazon RDS

You can set up replication between an Amazon RDS MySQL or MariaDB DB instance and a MySQL or MariaDB instance that is external to Amazon RDS. Use the procedure in this topic to configure replication in all cases except when the external instance is MariaDB version 10.0.2 or greater and the Amazon RDS instance is MariaDB. In that case, use the procedure at Configuring GTID-Based Replication into an Amazon RDS MariaDB DB instance (p. 597) to set up GTID-based replication.

Be sure to follow these guidelines when you set up an external replication master and a replica on Amazon RDS:

• Monitor failover events for the Amazon RDS DB instance that is your replica. If a failover occurs, then the DB instance that is your replica might be recreated on a new host with a different network address. For information on how to monitor failover events, see Using Amazon RDS Event Notification (p. 781).

• Maintain the binlogs on your master instance until you have verified that they have been applied to the replica. This maintenance ensures that you can restore your master instance in the event of a failure.

• Turn on automated backups on your Amazon RDS DB instance. Turning on automated backups ensures that you can restore your replica to a particular point in time if you need to re-synchronize your master and replica. For information on backups and point-in-time restore, see Backing Up and Restoring (p. 673).

Note

The permissions required to start replication on an Amazon RDS DB instance are restricted and not available to your Amazon RDS master user. Because of this, you must use the Amazon RDS mysql.rds_set_external_master (p. 244) and mysql.rds_start_replication (p. 246) commands to set up replication between your live database and your Amazon RDS database.

Start replication between an external master instance and a DB instance on Amazon RDS

1. Make the source MySQL or MariaDB instance read-only:

mysql> FLUSH TABLES WITH READ LOCK;
mysql> SET GLOBAL read_only = ON;

2. Run the SHOW MASTER STATUS command on the source MySQL or MariaDB instance to determine the binlog location. You will receive output similar to the following example:

File                        Position
------------------------------------
mysql-bin-changelog.000031  107
------------------------------------

3. Copy the database from the external instance to the Amazon RDS DB instance using mysqldump. For very large databases, you might want to use the procedure in Importing Data to an Amazon RDS MySQL or MariaDB DB Instance with Reduced Downtime (p. 210).

For Linux, OS X, or Unix:

mysqldump --databases <database_name> \
    --single-transaction \
    --compress \
    --order-by-primary \
    -u <local_user> \
    -p<local_password> | mysql \
    --host=hostname \
    --port=3306 \
    -u <RDS_user_name> \
    -p<RDS_password>

For Windows:

mysqldump --databases <database_name> ^
    --single-transaction ^
    --compress ^
    --order-by-primary ^
    -u <local_user> ^
    -p<local_password> | mysql ^
    --host=hostname ^
    --port=3306 ^
    -u <RDS_user_name> ^
    -p<RDS_password>

Note

Make sure there is not a space between the -p option and the entered password.

Use the --host, --user (-u), --port and -p options in the mysql command to specify the hostname, username, port, and password to connect to your Amazon RDS DB instance. The host name is the DNS name from the Amazon RDS DB instance endpoint, for example, myinstance.123456789012.us-east-1.rds.amazonaws.com. You can find the endpoint value in the instance details in the Amazon RDS Management Console.

4. Make the source MySQL or MariaDB instance writeable again:

mysql> SET GLOBAL read_only = OFF;
mysql> UNLOCK TABLES;

For more information on making backups for use with replication, go to Backing Up a Master or Slave by Making It Read Only in the MySQL documentation.

5. In the Amazon RDS Management Console, add the IP address of the server that hosts the external database to the VPC security group for the Amazon RDS DB instance. For more information on modifying a VPC security group, go to Security Groups for Your VPC in the Amazon Virtual Private Cloud User Guide.

You might also need to configure your local network to permit connections from the IP address of your Amazon RDS DB instance, so that it can communicate with your external MySQL or MariaDB instance. To find the IP address of the Amazon RDS DB instance, use the host command:

host <RDS_MySQL_DB_host_name>

The host name is the DNS name from the Amazon RDS DB instance endpoint.

6. Using the client of your choice, connect to the external instance and create a user that will be used for replication. This account is used solely for replication and must be restricted to your domain to improve security. The following is an example:


CREATE USER 'repl_user'@'mydomain.com' IDENTIFIED BY '<password>';

7. For the external instance, grant REPLICATION CLIENT and REPLICATION SLAVE privileges to your replication user. For example, to grant the REPLICATION CLIENT and REPLICATION SLAVE privileges on all databases for the 'repl_user' user for your domain, issue the following command:

GRANT REPLICATION CLIENT, REPLICATION SLAVE ON *.* TO 'repl_user'@'mydomain.com' IDENTIFIED BY '<password>';

8. Make the Amazon RDS DB instance the replica. Connect to the Amazon RDS DB instance as the master user and identify the external MySQL or MariaDB database as the replication master by using the mysql.rds_set_external_master (p. 244) command. Use the master log file name and master log position that you determined in Step 2. The following is an example:

CALL mysql.rds_set_external_master ('mymasterserver.mydomain.com', 3306,
    'repl_user', '<password>', 'mysql-bin-changelog.000031', 107, 0);

9. On the Amazon RDS DB instance, issue the mysql.rds_start_replication (p. 246) command to start replication:

CALL mysql.rds_start_replication;

Using Replication to Export MySQL Data

You can use replication to export data from a MySQL 5.6 or later DB instance to a MySQL instance running external to Amazon RDS. The MySQL instance external to Amazon RDS can be running either on-premises in your data center, or on an Amazon EC2 instance. The MySQL DB instance must be running version 5.6.13 or later. The MySQL instance external to Amazon RDS must be running the same version as the Amazon RDS instance, or a later version.

Replication to an instance of MySQL running external to Amazon RDS is only supported during the time it takes to export a database from a MySQL DB instance. The replication should be terminated when the data has been exported and applications can start accessing the external instance.

The following list shows the steps to take. Each step is discussed in more detail in later sections.

1. Prepare an instance of MySQL running external to Amazon RDS.

2. Configure the MySQL DB instance to be the replication source.

3. Use mysqldump to transfer the database from the Amazon RDS instance to the instance external to Amazon RDS.

4. Start replication to the instance running external to Amazon RDS.

5. After the export completes, stop replication.

Prepare an Instance of MySQL External to Amazon RDS

Install an instance of MySQL external to Amazon RDS.

Connect to the instance as the master user, and create the users required to support the administrators, applications, and services that access the instance.


Follow the directions in the MySQL documentation to prepare the instance of MySQL running external to Amazon RDS as a replica. For more information, go to Setting the Replication Slave Configuration.

Configure an egress rule for the external instance to operate as a Read Replica during the export. The egress rule will allow the MySQL Read Replica to connect to the MySQL DB instance during replication. Specify an egress rule that allows TCP connections to the port and IP address of the source Amazon RDS MySQL DB instance.

If the Read Replica is running in an Amazon EC2 instance in an Amazon VPC, specify the egress rules in a VPC security group. If the Read Replica is running in an Amazon EC2 instance that is not in a VPC, specify the egress rule in an Amazon EC2 security group. If the Read Replica is installed on-premises, specify the egress rule in a firewall.

If the Read Replica is running in a VPC, configure VPC ACL rules in addition to the security group egress rule. For more information about Amazon VPC network ACLs, go to Network ACLs.

• ACL ingress rule: allow TCP traffic to ports 1024-65535 from the IP address of the source MySQL DB instance.

• ACL egress rule: allow outbound TCP traffic to the port and IP address of the source MySQL DB instance.

Prepare the Replication Source

Prepare the MySQL DB instance as the replication source.

Ensure your client computer has enough disk space available to save the binary logs while setting up replication.

Create a replication account by following the directions in Creating a User For Replication.

Configure ingress rules on the system running the replication source MySQL DB instance that will allow the external MySQL Read Replica to connect during replication. Specify an ingress rule that allows TCP connections to the port used by the Amazon RDS instance from the IP address of the MySQL Read Replica running external to Amazon RDS.

If the Amazon RDS instance is running in a VPC, specify the ingress rules in a VPC security group. If the Amazon RDS instance is not running in a VPC, specify the ingress rules in a database security group.

If the Amazon RDS instance is running in a VPC, configure VPC ACL rules in addition to the security group ingress rule. For more information about Amazon VPC network ACLs, go to Network ACLs.

• ACL ingress rule: allow TCP connections to the port used by the Amazon RDS instance from the IP address of the external MySQL Read Replica.

• ACL egress rule: allow TCP connections from ports 1024-65535 to the IP address of the external MySQL Read Replica.

Ensure that the backup retention period is set long enough that no binary logs are purged during the export. If any of the logs are purged before the export is complete, you must restart replication from the beginning. For more information about setting the backup retention period, see Working With Automated Backups (p. 674).

Use the mysql.rds_set_configuration stored procedure to set the binary log retention period long enough that the binary logs are not purged during the export. For more information, see Accessing MySQL Binary Logs (p. 817).


To further ensure that the binary logs of the source instance are not purged, create an Amazon RDS Read Replica from the source instance. For more information, see Creating a Read Replica (p. 653). After the Amazon RDS Read Replica has been created, call the mysql.rds_stop_replication stored procedure to stop the replication process. The source instance will no longer purge its binary log files, so they will be available for the replication process.

Copy the Database

Run the MySQL SHOW SLAVE STATUS statement against the MySQL instance running external to Amazon RDS, and note the master_host, master_port, master_log_file, and exec_master_log_pos values.

Use the mysqldump utility to create a snapshot, which copies the data from Amazon RDS to your local client computer. Then run another utility to load the data into the MySQL instance running external to RDS. Ensure your client computer has enough space to hold the mysqldump files from the databases to be replicated. This process can take several hours for very large databases. Follow the directions in Creating a Dump Snapshot Using mysqldump.

The following example shows how to run mysqldump on a client, and then pipe the dump into the mysql client utility, which loads the data into the external MySQL instance.

For Linux, OS X, or Unix:

mysqldump -h <RDS_instance_endpoint> \
    -u <user> \
    -p<password> \
    --port=3306 \
    --single-transaction \
    --routines \
    --triggers \
    --databases database database2 \
    --compress \
    --compact | mysql \
    -h <MySQL_host> \
    -u <master_user> \
    -p<password> \
    --port 3306

For Windows:

mysqldump -h <RDS_instance_endpoint> ^
    -u <user> ^
    -p<password> ^
    --port=3306 ^
    --single-transaction ^
    --routines ^
    --triggers ^
    --databases database database2 ^
    --compress ^
    --compact | mysql ^
    -h <MySQL_host> ^
    -u <master_user> ^
    -p<password> ^
    --port 3306

The following example shows how to run mysqldump on a client and write the dump to a file.

For Linux, OS X, or Unix:

mysqldump -h <RDS_instance_endpoint> \
    -u <user> \
    -p<password> \
    --port=3306 \
    --single-transaction \
    --routines \
    --triggers \
    --databases database database2 > path/rds-dump.sql

For Windows:

mysqldump -h <RDS_instance_endpoint> ^
    -u <user> ^
    -p<password> ^
    --port=3306 ^
    --single-transaction ^
    --routines ^
    --triggers ^
    --databases database database2 > path\rds-dump.sql

Complete the Export

After you have loaded the mysqldump files to create the databases on the MySQL instance running external to Amazon RDS, start replication from the source MySQL DB instance to export all source changes that have occurred after you stopped replication from the Amazon RDS Read Replica.

Use the MySQL CHANGE MASTER statement to configure the external MySQL instance. Specify the ID and password of the user granted REPLICATION SLAVE permissions. Specify the master_host, master_port, master_log_file, and exec_master_log_pos values you got from the MySQL SHOW SLAVE STATUS statement you ran on the RDS Read Replica. For more information, go to Setting the Master Configuration on the Slave.

Use the MySQL START SLAVE command to initiate replication from the source MySQL DB instance to the MySQL replica.

Run the MySQL

SHOW SLAVE STATUS

command on the Amazon RDS instance to verify that it is operating as a Read Replica. For more information about interpreting the results, go to SHOW SLAVE STATUS

Syntax .

After replication on the MySQL instance has caught up with the Amazon RDS source, use the MySQL

STOP SLAVE

command to terminate replication from the source MySQL DB instance.

On the Amazon RDS Read Replica, call the mysql.rds_start_replication

stored procedure. This will allow Amazon RDS to start purging the binary log files from the source MySQL DB instance.
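The hand-off from SHOW SLAVE STATUS on the Read Replica to CHANGE MASTER on the external instance is where the values are easiest to mix up. The following Python is an added example, not code from this guide or from AWS: it parses a constructed sample of SHOW SLAVE STATUS\G output (the host name, user, log file name and positions are placeholders), checks that both replication threads are stopped and that the replica has applied everything it read, and only then builds the CHANGE MASTER statement. The helper names are my own; the field names are the ones the MySQL client prints.

```python
import re

# Constructed sample of `SHOW SLAVE STATUS\G` output from a stopped Read Replica.
# Host, user, log file name and positions are placeholders, not real values.
SAMPLE_SLAVE_STATUS = """\
*************************** 1. row ***************************
               Slave_IO_State:
                  Master_Host: source-instance.abcdefghijkl.us-west-2.rds.amazonaws.com
                  Master_User: repl_user
                  Master_Port: 3306
              Master_Log_File: mysql-bin-changelog.000042
          Read_Master_Log_Pos: 120
        Relay_Master_Log_File: mysql-bin-changelog.000042
             Slave_IO_Running: No
            Slave_SQL_Running: No
          Exec_Master_Log_Pos: 120
"""

_FIELD_RE = re.compile(r"^\s*([A-Za-z_]+):\s?(.*)$")


def parse_slave_status(text):
    """Turn the `key: value` lines of \\G output into a dict of strings."""
    fields = {}
    for line in text.splitlines():
        m = _FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def replica_is_stopped_and_applied(fields):
    """True only if both threads are stopped and the SQL thread has executed every
    event the I/O thread read, so Exec_Master_Log_Pos is a safe restart point."""
    stopped = (fields.get("Slave_IO_Running") == "No"
               and fields.get("Slave_SQL_Running") == "No")
    applied = (fields.get("Master_Log_File") == fields.get("Relay_Master_Log_File")
               and fields.get("Read_Master_Log_Pos") == fields.get("Exec_Master_Log_Pos"))
    return stopped and applied


def _sql_string(value):
    """Quote a value as a MySQL string literal (embedded single quotes doubled)."""
    return "'" + str(value).replace("'", "''") + "'"


def build_change_master(fields, repl_user, repl_password):
    """Build the CHANGE MASTER statement to run on the external MySQL instance."""
    if not replica_is_stopped_and_applied(fields):
        raise ValueError("stop the Read Replica and let it apply its relay log first")
    port = int(fields["Master_Port"])
    position = int(fields["Exec_Master_Log_Pos"])
    return (
        "CHANGE MASTER TO"
        f" MASTER_HOST={_sql_string(fields['Master_Host'])},"
        f" MASTER_PORT={port},"
        f" MASTER_USER={_sql_string(repl_user)},"
        f" MASTER_PASSWORD={_sql_string(repl_password)},"
        f" MASTER_LOG_FILE={_sql_string(fields['Master_Log_File'])},"
        f" MASTER_LOG_POS={position};"
    )


if __name__ == "__main__":
    status = parse_slave_status(SAMPLE_SLAVE_STATUS)
    # Supply the real replication password from a secret store, not a literal.
    print(build_change_master(status, "repl_user", "REPLACE_WITH_REPLICATION_PASSWORD"))
```

The applied-position check matters because Master_Log_File/Read_Master_Log_Pos describe what the I/O thread fetched, while Relay_Master_Log_File/Exec_Master_Log_Pos describe what was actually executed; once the replica is stopped and caught up the two pairs agree, and the statement uses the executed position.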


Appendix: Common DBA Tasks for MySQL

This section describes the Amazon RDS-specific implementations of some common DBA tasks for DB instances running the MySQL database engine. In order to deliver a managed service experience, Amazon RDS does not provide shell access to DB instances, and it restricts access to certain system procedures and tables that require advanced privileges.

For information about working with MySQL log files on Amazon RDS, see MySQL Database Log Files (p. 814).

Topics

Killing a Session or Query (p. 233)

Skipping the Current Replication Error (p. 233)

Working with InnoDB Tablespaces to Improve Crash Recovery Times (p. 234)

Managing the Global Status History (p. 235)

Killing a Session or Query

You can terminate user sessions or queries on DB instances by using the rds_kill and rds_kill_query commands. First connect to your MySQL database instance, then issue the appropriate command as shown following. For more information, see Connecting to a DB Instance Running the MySQL Database Engine (p. 197).

CALL mysql.rds_kill(thread-ID)

CALL mysql.rds_kill_query(thread-ID)

For example, to kill the session that is running on thread 99, you would type the following:

CALL mysql.rds_kill(99);

To kill the query that is running on thread 99, you would type the following:

CALL mysql.rds_kill_query(99);

Skipping the Current Replication Error

Amazon RDS provides a mechanism for you to skip an error on your Read Replicas if the error is causing your Read Replica to hang and the error doesn't affect the integrity of your data. First connect to your MySQL database instance, then issue the appropriate commands as shown following. For more information, see Connecting to a DB Instance Running the MySQL Database Engine (p. 197).

Note

You should first verify that the error can be safely skipped. In a MySQL utility, connect to the Read Replica and run the following MySQL command:

SHOW SLAVE STATUS\G

For information about the values returned, go to SHOW SLAVE STATUS Syntax in the MySQL documentation.

To skip the error, you can issue the following command:


CALL mysql.rds_skip_repl_error;

This command has no effect if you run it on the source DB instance, or on a Read Replica that has not encountered a replication error.

For more information, such as the versions of MySQL that support mysql.rds_skip_repl_error, see mysql.rds_skip_repl_error (p. 248).

Important

If you attempt to call mysql.rds_skip_repl_error and encounter the following error: ERROR 1305 (42000): PROCEDURE mysql.rds_skip_repl_error does not exist, then upgrade your MySQL DB instance to the latest minor version or one of the minimum minor versions listed in mysql.rds_skip_repl_error (p. 248).

Working with InnoDB Tablespaces to Improve Crash Recovery Times

Every table in MySQL consists of a table definition, data, and indexes. The MySQL storage engine InnoDB stores table data and indexes in a tablespace. InnoDB creates a global shared tablespace that contains a data dictionary and other relevant metadata, and it can contain table data and indexes. InnoDB can also create separate tablespaces for each table and partition. These separate tablespaces are stored in files with a .ibd extension and the header of each tablespace contains a number that uniquely identifies it.

Amazon RDS provides a parameter in a MySQL parameter group called innodb_file_per_table. This parameter controls whether InnoDB adds new table data and indexes to the shared tablespace (by setting the parameter value to 0) or to individual tablespaces (by setting the parameter value to 1). Amazon RDS sets the default value for the innodb_file_per_table parameter to 1, which allows you to drop individual InnoDB tables and reclaim storage used by those tables for the DB instance. In most use cases, setting the innodb_file_per_table parameter to 1 is the recommended setting.

You should set the innodb_file_per_table parameter to 0 when you have a large number of tables, such as over 1000 tables when you use standard (magnetic) or general purpose SSD storage or over 10,000 tables when you use Provisioned IOPS storage. When you set this parameter to 0, individual tablespaces are not created and this can improve the time it takes for database crash recovery.

MySQL processes each metadata file, which includes tablespaces, during the crash recovery cycle. The time it takes MySQL to process the metadata information in the shared tablespace is negligible compared to the time it takes to process thousands of tablespace files when there are multiple tablespaces. Because the tablespace number is stored within the header of each file, the aggregate time to read all the tablespace files can take up to several hours. For example, a million InnoDB tablespaces on standard storage can take from five to eight hours to process during a crash recovery cycle. In some cases, InnoDB can determine that it needs additional cleanup after a crash recovery cycle so it will begin another crash recovery cycle, which will extend the recovery time. Keep in mind that a crash recovery cycle also entails rolling-back transactions, fixing broken pages, and other operations in addition to the processing of tablespace information.

Since the innodb_file_per_table parameter resides in a parameter group, you can change the parameter value by editing the parameter group used by your DB instance without having to reboot the DB instance. After the setting is changed, for example, from 1 (create individual tables) to 0 (use shared tablespace), new InnoDB tables will be added to the shared tablespace while existing tables continue to have individual tablespaces. To move an InnoDB table to the shared tablespace, you must use the ALTER TABLE command.


Migrating Multiple Tablespaces to the Shared Tablespace

You can move an InnoDB table's metadata from its own tablespace to the shared tablespace, which will rebuild the table metadata according to the innodb_file_per_table parameter setting. First connect to your MySQL database instance, then issue the appropriate commands as shown following. For more information, see Connecting to a DB Instance Running the MySQL Database Engine (p. 197).

ALTER TABLE table_name ENGINE = InnoDB, ALGORITHM=COPY;

For example, the following query returns an ALTER TABLE statement for every InnoDB table.

SELECT CONCAT('ALTER TABLE `',
              REPLACE(TABLE_SCHEMA, '`', '``'), '`.`',
              REPLACE(TABLE_NAME, '`', '``'), '` ENGINE=InnoDB, ALGORITHM=COPY;')
  FROM INFORMATION_SCHEMA.TABLES
 WHERE TABLE_TYPE = 'BASE TABLE'
   AND ENGINE = 'InnoDB' AND TABLE_SCHEMA <> 'mysql';

Rebuilding a MySQL table to move the table's metadata to the shared tablespace requires additional storage space temporarily to rebuild the table, so the DB instance must have storage space available.

During rebuilding, the table is locked and inaccessible to queries. For small tables or tables not frequently accessed, this may not be an issue; for large tables or tables frequently accessed in a heavily concurrent environment, you can rebuild tables on a Read Replica.

You can create a Read Replica and migrate table metadata to the shared tablespace on the Read Replica.

While the ALTER TABLE statement blocks access on the Read Replica, the source DB instance is not affected. The source DB instance will continue to generate its binary logs while the Read Replica lags during the table rebuilding process. Because the rebuilding requires additional storage space and the replay log file can become large, you should create a Read Replica with storage allocated that is larger than the source DB instance.

The following steps should be followed to create a Read Replica and rebuild InnoDB tables to use the shared tablespace:

1. Ensure that backup retention is enabled on the source DB instance so that binary logging is enabled.

2. Use the AWS Console or AWS CLI to create a Read Replica for the source DB instance. Since the creation of a Read Replica involves many of the same processes as crash recovery, the creation process may take some time if there are a large number of InnoDB tablespaces. Allocate more storage space on the Read Replica than is currently used on the source DB instance.

3. When the Read Replica has been created, create a parameter group with the parameter settings read_only = 0 and innodb_file_per_table = 0, and then associate the parameter group with the Read Replica.

4. Issue ALTER TABLE <name> ENGINE = InnoDB against all tables you want migrated on the replica.

5. When all of your ALTER TABLE statements have completed on the Read Replica, verify that the Read Replica is connected to the source DB instance and that the two instances are in sync.

6. When ready, use the AWS Console or AWS CLI to promote the Read Replica to be the master instance. Make sure that the parameter group used for the new master has the innodb_file_per_table parameter set to 0. Change the name of the new master, and point any applications to the new master instance.

Managing the Global Status History

MySQL maintains many status variables that provide information about its operation. Their values can help you detect locking or memory issues on a DB instance. The values of these status variables are cumulative since the last time the DB instance was started. You can reset most status variables to 0 by using the FLUSH STATUS command.

To allow for monitoring of these values over time, Amazon RDS provides a set of procedures that snapshot the values of these status variables over time and write them to a table, along with any changes since the last snapshot. This infrastructure, called Global Status History (GoSH), is installed on all MySQL DB instances starting with versions 5.1.62 and 5.5.23. GoSH is disabled by default.

To enable GoSH, you first enable the event scheduler from a DB parameter group by setting the parameter event_scheduler to ON. For information about creating and modifying a DB parameter group, see Working with DB Parameter Groups (p. 724).

You can then use the procedures in the following table to enable and configure GoSH. First connect to your MySQL database instance, then issue the appropriate commands as shown following. For more information, see Connecting to a DB Instance Running the MySQL Database Engine (p. 197). For each procedure, type the following:

CALL procedure-name;

Where procedure-name is one of the procedures in the table.

Procedure                            Description
rds_enable_gsh_collector             Enables GoSH to take default snapshots at intervals specified by rds_set_gsh_collector.
rds_set_gsh_collector                Specifies the interval, in minutes, between snapshots. Default value is 5.
rds_disable_gsh_collector            Disables snapshots.
rds_collect_global_status_history    Takes a snapshot on demand.
rds_enable_gsh_rotation              Enables rotation of the contents of the mysql.global_status_history table to mysql.global_status_history_old at intervals specified by rds_set_gsh_rotation.
rds_set_gsh_rotation                 Specifies the interval, in days, between table rotations. Default value is 7.
rds_disable_gsh_rotation             Disables table rotation.
rds_rotate_global_status_history     Rotates the contents of the mysql.global_status_history table to mysql.global_status_history_old on demand.

When GoSH is running, you can query the tables that it writes to. For example, to query the hit ratio of the InnoDB buffer pool, you would issue the following query:

select a.collection_end, a.collection_start,
       ((a.variable_delta - b.variable_delta) / a.variable_delta) * 100 as "HitRatio"
  from rds_global_status_history as a
  join rds_global_status_history as b
    on a.collection_end = b.collection_end
 where a.variable_name = 'Innodb_buffer_pool_read_requests'
   and b.variable_name = 'Innodb_buffer_pool_reads';
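The hit-ratio query divides one interval's delta by another, which breaks down on an idle interval (a zero request delta) and after the cumulative counters go backwards, for example following a FLUSH STATUS between two snapshots. The following Python is an added example, not part of this guide: it computes the same ratio over constructed rows shaped like the columns the query reads (collection_start, collection_end, variable_name, variable_delta), leaves out intervals whose request delta is not positive, and flags intervals below a threshold. The row shape, the threshold and the function names are assumptions; the variable names are those in the query above.

```python
# Constructed sample rows shaped like the columns the hit-ratio query reads:
# (collection_start, collection_end, variable_name, variable_delta).
SAMPLE_ROWS = [
    ("2016-05-01 10:00:00", "2016-05-01 10:05:00", "Innodb_buffer_pool_read_requests", 100000),
    ("2016-05-01 10:00:00", "2016-05-01 10:05:00", "Innodb_buffer_pool_reads", 500),
    ("2016-05-01 10:05:00", "2016-05-01 10:10:00", "Innodb_buffer_pool_read_requests", 80000),
    ("2016-05-01 10:05:00", "2016-05-01 10:10:00", "Innodb_buffer_pool_reads", 20000),
    # Idle interval: no requests at all, so no ratio can be computed.
    ("2016-05-01 10:10:00", "2016-05-01 10:15:00", "Innodb_buffer_pool_read_requests", 0),
    ("2016-05-01 10:10:00", "2016-05-01 10:15:00", "Innodb_buffer_pool_reads", 0),
    # Negative deltas: the cumulative counters went backwards (for example after
    # FLUSH STATUS), so this interval cannot be interpreted either.
    ("2016-05-01 10:15:00", "2016-05-01 10:20:00", "Innodb_buffer_pool_read_requests", -5000),
    ("2016-05-01 10:15:00", "2016-05-01 10:20:00", "Innodb_buffer_pool_reads", -100),
]

REQUESTS = "Innodb_buffer_pool_read_requests"
READS = "Innodb_buffer_pool_reads"


def deltas_by_interval(rows):
    """Group variable_delta values by collection_end, like the self-join in the query."""
    intervals = {}
    for start, end, name, delta in rows:
        intervals.setdefault(end, {"collection_start": start})[name] = delta
    return intervals


def buffer_pool_hit_ratios(rows):
    """Return {collection_end: hit ratio in percent} for every usable interval.

    Mirrors ((requests - reads) / requests) * 100 from the query, but skips
    intervals where the request delta is zero or negative, or a reads delta is
    negative, instead of dividing by them."""
    ratios = {}
    for end, values in deltas_by_interval(rows).items():
        requests = values.get(REQUESTS)
        reads = values.get(READS)
        if requests is None or reads is None or requests <= 0 or reads < 0:
            continue
        ratios[end] = (requests - reads) * 100.0 / requests
    return ratios


def low_hit_ratio_intervals(rows, threshold=90.0):
    """collection_end values whose hit ratio fell below `threshold` percent."""
    return sorted(end for end, ratio in buffer_pool_hit_ratios(rows).items()
                  if ratio < threshold)


if __name__ == "__main__":
    for end, ratio in sorted(buffer_pool_hit_ratios(SAMPLE_ROWS).items()):
        print(f"{end}  hit ratio {ratio:6.2f}%")
    print("below threshold:", low_hit_ratio_intervals(SAMPLE_ROWS))
```

Real input comes from the same SELECT over the collector's table; the point of doing the arithmetic client-side is that the skipped intervals show up as gaps rather than as NULL or nonsensical negative ratios.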


Appendix: Options for MySQL Database Engine

This appendix describes options, or additional features, that are available for Amazon RDS instances running the MySQL DB engine. To enable these options, you can add them to a custom option group, and then associate the option group with your DB instance. For more information about working with option groups, see Working with Option Groups (p. 702).

Amazon RDS supports the following options for MySQL:

Option ID             Engine Versions
MEMCACHED             MySQL 5.6 and later
MARIADB_AUDIT_PLUGIN  MySQL 5.6.29 and later; MySQL 5.7.11 and later

MySQL memcached Support

Amazon RDS supports using the memcached interface to InnoDB tables that was introduced in MySQL 5.6. The memcached API enables applications to use InnoDB tables in a manner similar to NoSQL key-value data stores.

Important
We recommend that you only use the memcached interface with MySQL version 5.6.21b or later. This is because there are a number of bug fixes related to the memcached interface which are included in the MySQL engine starting with version 5.6.21b. For more information, go to Changes in MySQL 5.6.20 (2014-07-31) and Changes in MySQL 5.6.21 (2014-09-23) in the MySQL documentation.

memcached is a simple, key-based cache. Applications use memcached to insert, manipulate, and retrieve key-value data pairs from the cache. MySQL 5.6 introduced a plugin that implements a daemon service that exposes data from InnoDB tables through the memcached protocol. For more information about the MySQL memcached plugin, go to InnoDB Integration with memcached.

You enable memcached support for an Amazon RDS MySQL 5.6 or later instance by:

1. Determining the security group to use for controlling access to the memcached interface. If the set of applications already using the SQL interface are the same set that will access the memcached interface, you can use the existing VPC or DB security group used by the SQL interface. If a different set of applications will access the memcached interface, define a new VPC or DB security group. For more information about managing security groups, see Amazon RDS Security Groups (p. 149).

2. Creating a custom DB option group, selecting MySQL as the engine type and a 5.6 or later version. For more information about creating an option group, see Creating an Option Group (p. 703).

3. Adding the MEMCACHED option to the option group. Specify the port that the memcached interface will use, and the security group to use in controlling access to the interface. For more information about adding options, see Adding an Option to an Option Group (p. 707).

4. Modifying the option settings to configure the memcached parameters, if necessary. For more information about how to modify option settings, see Modifying an Option Setting (p. 715).

5. Applying the option group to an instance. Amazon RDS enables memcached support for that instance when the option group is applied:

   • You enable memcached support for a new instance by specifying the custom option group when you launch the instance. For more information about launching a MySQL instance, see Creating a DB Instance Running the MySQL Database Engine (p. 188).

   • You enable memcached support for an existing instance by specifying the custom option group when you modify the instance. For more information about modifying a MySQL instance, see Modifying a DB Instance Running the MySQL Database Engine (p. 200).

6. Specifying which columns in your MySQL tables can be accessed through the memcached interface. The memcached plug-in creates a catalog table named containers in a dedicated database named innodb_memcache. You insert a row into the containers table to map an InnoDB table for access through memcached. You specify a column in the InnoDB table that is used to store the memcached key values, and one or more columns that are used to store the data values associated with the key. You also specify a name that a memcached application uses to refer to that set of columns. For details on inserting rows in the containers table, go to Internals of the InnoDB memcached Plugin. For an example of mapping an InnoDB table and accessing it through memcached, go to Specifying the Table and Column Mappings for an InnoDB + memcached Application.

7. If the applications accessing the memcached interface are on different computers or EC2 instances than the applications using the SQL interface, add the connection information for those computers to the VPC or DB security group associated with the MySQL instance. For more information about managing security groups, see Amazon RDS Security Groups (p. 149).

You turn off memcached support for an instance by modifying the instance and specifying the default option group for your MySQL version. For more information about modifying a MySQL instance, see Modifying a DB Instance Running the MySQL Database Engine (p. 200).

MySQL memcached Security Considerations

The memcached protocol does not support user authentication. For more information about MySQL memcached security considerations, go to memcached Deployment and Using memcached as a MySQL Caching Layer.

You can take the following actions to help increase the security of the memcached interface:

• Specify a different port than the default of 11211 when adding the MEMCACHED option to the option group.

• Ensure that you associate the memcached interface with either a VPC or DB security group that limits access to known, trusted client addresses or EC2 instances. For more information about managing security groups, see Amazon RDS Security Groups (p. 149).
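Because the protocol has no authentication of its own, the security group is the only access control in front of the memcached port, so it is worth checking rather than assuming. The following Python is an added example, not code from this guide or from AWS: it inspects a constructed dict shaped like one security group in the EC2 DescribeSecurityGroups response (the group IDs and CIDR blocks are placeholders), lists which sources can reach the memcached port, and reports the two conditions the bullets above describe, the default port being in use and the port being open beyond known client addresses. The function names and the "broad range" bound are my own.

```python
import ipaddress

MEMCACHED_DEFAULT_PORT = 11211
ANYWHERE = ("0.0.0.0/0", "::/0")
# Anything wider than a /16 (IPv4) is treated as "broad" here; choose your own bound.
BROAD_RANGE_ADDRESSES = 2 ** 16

# Constructed sample shaped like one entry of the EC2 DescribeSecurityGroups
# response. The group IDs and CIDR blocks are placeholders.
SAMPLE_SG = {
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "10.0.1.0/24"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 11212, "ToPort": 11212,
         "IpRanges": [{"CidrIp": "10.0.2.0/24"}, {"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-0fedcba9876543210"}]},
    ],
}


def rule_covers_port(rule, port):
    """True if an inbound rule admits TCP traffic to `port` (protocol -1 means all)."""
    proto = rule.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def memcached_sources(sg, port):
    """Return (cidr_blocks, source_group_ids) that may reach `port`."""
    cidrs, groups = [], []
    for rule in sg.get("IpPermissions", []):
        if not rule_covers_port(rule, port):
            continue
        cidrs.extend(r["CidrIp"] for r in rule.get("IpRanges", []))
        cidrs.extend(r["CidrIpv6"] for r in rule.get("Ipv6Ranges", []))
        groups.extend(g["GroupId"] for g in rule.get("UserIdGroupPairs", []))
    return cidrs, groups


def memcached_findings(sg, port):
    """Human-readable findings for the memcached port on this security group."""
    findings = []
    if port == MEMCACHED_DEFAULT_PORT:
        findings.append(f"memcached is on the default port {MEMCACHED_DEFAULT_PORT}")
    cidrs, _groups = memcached_sources(sg, port)
    for cidr in cidrs:
        if cidr in ANYWHERE:
            findings.append(f"port {port} is open to the world via {cidr}")
        elif ipaddress.ip_network(cidr, strict=False).num_addresses > BROAD_RANGE_ADDRESSES:
            findings.append(f"port {port} is open to a broad range {cidr}")
    return findings


if __name__ == "__main__":
    # With boto3 the real input would be
    # ec2.describe_security_groups(GroupIds=[...])["SecurityGroups"][0].
    print(memcached_sources(SAMPLE_SG, 11212))
    for finding in memcached_findings(SAMPLE_SG, 11212):
        print("finding:", finding)
```

Source security groups (UserIdGroupPairs) are listed but not flagged, since a rule that admits another security group is the shape the second bullet recommends for EC2 clients; the CIDR checks are what catch an interface that was opened wider than its known clients.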

MySQL memcached Connection Information

To access the memcached interface, an application must specify both the DNS name of the Amazon RDS instance and the memcached port number. For example, if an instance has a DNS name of my-cache-instance.cg034hpkmmjt.region.rds.amazonaws.com and the memcached interface is using port 11212, the connection information specified in PHP would be:

<?php
$cache = new Memcache;
$cache->connect('my-cache-instance.cg034hpkmmjt.region.rds.amazonaws.com', 11212);
?>

To find the DNS name and memcached port of an Amazon RDS MySQL instance

1. Sign in to the AWS Management Console and open the Amazon RDS console at https://console.aws.amazon.com/rds/.

2. In the top right corner of the AWS Management Console, select the region that contains the DB instance.

3. In the navigation pane, click Instances.

4. Select the arrow to the left of the name of the DB instance running the MySQL database engine. In the description display, note the value of the endpoint field. The DNS name is the part of the endpoint up to the colon (:). Ignore the colon and the port number after it; that port is not used to access the memcached interface.

5. Note the name listed in the Option Group(s) field.

6. In the navigation pane, click Option Groups.

7. Select the arrow to the left of the name of the option group used by the MySQL DB instance. In the description display, note the value of the port setting in the MEMCACHED option.

MySQL memcached Option Settings

Amazon RDS exposes the MySQL memcached parameters as option settings in the Amazon RDS MEMCACHED option.

MySQL memcached Parameters

DAEMON_MEMCACHED_R_BATCH_SIZE - an integer that specifies how many memcached read operations (get) to perform before doing a COMMIT to start a new transaction. The allowed values are 1 to 4294967295, the default is 1. The option does not take effect until the instance is restarted.

DAEMON_MEMCACHED_W_BATCH_SIZE - an integer that specifies how many memcached write operations, such as add, set, or incr, to perform before doing a COMMIT to start a new transaction. The allowed values are 1 to 4294967295, the default is 1. The option does not take effect until the instance is restarted.

INNODB_API_BK_COMMIT_INTERVAL - an integer that specifies how often to auto-commit idle connections that use the InnoDB memcached interface. The allowed values are 1 to 1073741824, the default is 5. The option takes effect immediately, without requiring that you restart the instance.

INNODB_API_DISABLE_ROWLOCK - a Boolean that disables (1 (true)) or enables (0 (false)) the use of row locks when using the InnoDB memcached interface. The default is 0 (false). The option does not take effect until the instance is restarted.

INNODB_API_ENABLE_MDL - a Boolean that when set to 0 (false) locks the table used by the InnoDB memcached plugin, so that it cannot be dropped or altered by DDL through the SQL interface. The default is 0 (false). The option does not take effect until the instance is restarted.

INNODB_API_TRX_LEVEL - an integer that specifies the transaction isolation level for queries processed by the memcached interface. The allowed values are 0 to 3. The default is 0. The option does not take effect until the instance is restarted.

Amazon RDS configures these MySQL memcached parameters; they cannot be modified: DAEMON_MEMCACHED_LIB_NAME, DAEMON_MEMCACHED_LIB_PATH, and INNODB_API_ENABLE_BINLOG.

The parameters that MySQL administrators set by using daemon_memcached_options are available as individual MEMCACHED option settings in Amazon RDS.

MySQL daemon_memcached_options Parameters

BINDING_PROTOCOL - a string that specifies the binding protocol to use. The allowed values are auto, ascii, or binary. The default is auto, which means the server automatically negotiates the protocol with the client. The option does not take effect until the instance is restarted.

BACKLOG_QUEUE_LIMIT - an integer that specifies how many network connections can be waiting to be processed by memcached. Increasing this limit may reduce errors received by a client that is not able to connect to the memcached instance, but does not improve the performance of the server. The allowed values are 1 to 2048, the default is 1024. The option does not take effect until the instance is restarted.


CAS_DISABLED - a Boolean that enables (1 (true)) or disables (0 (false)) the use of compare and swap (CAS), which reduces the per-item size by 8 bytes. The default is 0 (false). The option does not take effect until the instance is restarted.

CHUNK_SIZE - an integer that specifies the minimum chunk size, in bytes, to allocate for the smallest item's key, value, and flags. The allowed values are 1 to 48. The default is 48 and you can significantly improve memory efficiency with a lower value. The option does not take effect until the instance is restarted.

CHUNCK_SIZE_GROWTH_FACTOR - a float that controls the size of new chunks. The size of a new chunk is the size of the previous chunk times CHUNCK_SIZE_GROWTH_FACTOR. The allowed values are 1 to 2, the default is 1.25. The option does not take effect until the instance is restarted.

ERROR_ON_MEMORY_EXHAUSTED - a Boolean that, when set to 1 (true), specifies that memcached returns an error rather than evicting items when there is no more memory to store items. If set to 0 (false), memcached evicts items if there is no more memory. The default is 0 (false). The option does not take effect until the instance is restarted.

MAX_SIMULTANEOUS_CONNECTIONS - an integer that specifies the maximum number of concurrent connections. Setting this value to anything under 10 prevents MySQL from starting. The allowed values are 10 to 1024, the default is 1024. The option does not take effect until the instance is restarted.

VERBOSITY - a string that specifies the level of information logged in the MySQL error log by the memcached service. The default is v. The option does not take effect until the instance is restarted. The allowed values are:

v - Logs errors and warnings while executing the main event loop.

vv - In addition to the information logged by v, also logs each client command and the response.

vvv - In addition to the information logged by vv, also logs internal state transitions.

Amazon RDS configures these MySQL DAEMON_MEMCACHED_OPTIONS parameters; they cannot be modified: DAEMON_PROCESS, LARGE_MEMORY_PAGES, MAXIMUM_CORE_FILE_LIMIT, MAX_ITEM_SIZE, LOCK_DOWN_PAGE_MEMORY, MASK, IDFILE, REQUESTS_PER_EVENT, SOCKET, and USER.

MariaDB Audit Plugin Support

Amazon RDS supports using the MariaDB Audit Plugin on MySQL database instances. The MariaDB Audit Plugin records database activity such as users logging on to the database, queries run against the database, and more. The record of database activity is stored in a log file.

Audit Plugin Option Settings

Amazon RDS supports the following settings for the MariaDB Audit Plugin option.

Option Setting: SERVER_AUDIT_FILE_PATH
Valid Values: /rdsdbdata/log/audit/
Default Value: /rdsdbdata/log/audit/
Description: The location of the log file. The log file contains the record of the activity specified in SERVER_AUDIT_EVENTS. For more information, see Viewing and Listing Database Log Files (p. 805) and MySQL Database Log Files (p. 814).

Option Setting: SERVER_AUDIT_FILE_SIZE
Valid Values: 1–1000000000
Default Value: None
Description: The size in bytes that, when reached, causes the file to rotate. For more information, see Log File Size (p. 816).

Option Setting: SERVER_AUDIT_FILE_ROTATION
Valid Values: 0–100
Default Value: None
Description: The number of log rotations to save. For more information, see Log File Size (p. 816) and Downloading a Database Log File (p. 808).

Option Setting: SERVER_AUDIT_EVENTS
Valid Values: CONNECT, QUERY, TABLE
Default Value: CONNECT, QUERY
Description: The types of activity to record in the log. Installing the MariaDB Audit Plugin is itself logged.
  CONNECT: Log successful and unsuccessful connections to the database, and disconnections from the database.
  QUERY: Log the text of all queries run against the database.
  TABLE: Log tables affected by queries when the queries are run against the database.

Option Setting: SERVER_AUDIT_INCL_USERS
Valid Values: Multiple comma-separated values
Default Value: None
Description: Include only activity from the specified users. By default, activity is recorded for all users. If a user is specified in both SERVER_AUDIT_EXCL_USERS and SERVER_AUDIT_INCL_USERS, then activity is recorded for the user.

Option Setting: SERVER_AUDIT_EXCL_USERS
Valid Values: Multiple comma-separated values
Default Value: None
Description: Exclude activity from the specified users. By default, activity is recorded for all users. If a user is specified in both SERVER_AUDIT_EXCL_USERS and SERVER_AUDIT_INCL_USERS, then activity is recorded for the user. The rdsadmin user queries the database every second to check the health of the database. Depending on your other settings, this activity can possibly cause the size of your log file to grow very large, very quickly. If you don't need to record this activity, add the rdsadmin user to the SERVER_AUDIT_EXCL_USERS list.

Option Setting: SERVER_AUDIT_LOGGING
Valid Values: ON
Default Value: ON
Description: Logging is active. The only valid value is ON. Amazon RDS does not support deactivating logging. If you want to deactivate logging, remove the MariaDB Audit Plugin. For more information, see Removing the MariaDB Audit Plugin (p. 242).

Adding the MariaDB Audit Plugin

The general process for adding the MariaDB Audit Plugin to a DB instance is the following:

• Create a new option group, or copy or modify an existing option group

• Add the option to the option group

• Associate the option group with the DB instance

After you add the MariaDB Audit Plugin, you don't need to restart your DB instance. As soon as the option group is active, auditing begins immediately.


To add the MariaDB Audit Plugin

1. Determine the option group you want to use. You can create a new option group or use an existing option group. If you want to use an existing option group, skip to the next step. Otherwise, create a custom DB option group. Choose mysql for Engine, and choose 5.6, 5.7, or later for Major Engine Version. For more information, see Creating an Option Group (p. 703).

2. Add the MARIADB_AUDIT_PLUGIN option to the option group, and configure the option settings. For more information about adding options, see Adding an Option to an Option Group (p. 707). For more information about each setting, see Audit Plugin Option Settings (p. 240).

3. Apply the option group to a new or existing DB instance.

   • For a new DB instance, you apply the option group when you launch the instance. For more information, see Creating a DB Instance Running the MySQL Database Engine (p. 188).

   • For an existing DB instance, you apply the option group by modifying the instance and attaching the new option group. For more information, see Modifying a DB Instance Running the MySQL Database Engine (p. 200).

Viewing and Downloading the MariaDB Audit Plugin Log

After you enable the MariaDB Audit Plugin, you access the results in the log files the same way you access any other text-based log files. The audit log files are located at /rdsdbdata/log/audit/. For information about viewing the log file in the console, see Viewing and Listing Database Log Files (p. 805). For information about downloading the log file, see Downloading a Database Log File (p. 808).
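Once the log is downloaded, the CONNECT and QUERY records are plain text you can work through. The following Python is an added example, not code from this guide or from AWS. The guide does not reproduce the log format, so the layout used here (timestamp, serverhost, username, host, connectionid, queryid, operation, database, object, retcode, comma separated, with the query text quoted) is taken from the MariaDB Audit Plugin's own documentation and is an assumption; the log lines are constructed, with placeholder hosts, users and queries. The code drops the rdsadmin health-check rows client-side, which is what SERVER_AUDIT_EXCL_USERS does on the server, and then counts failed connections per client address.

```python
from collections import Counter

# Constructed sample in the MariaDB Audit Plugin file format; hosts, users and
# query text are placeholders. The QUERY object contains commas, which is why
# the parser must not split on every comma.
SAMPLE_AUDIT_LOG = """\
20160501 10:00:00,ip-10-0-0-1,rdsadmin,localhost,5,0,CONNECT,,,0
20160501 10:00:00,ip-10-0-0-1,rdsadmin,localhost,5,1,QUERY,,'SELECT 1',0
20160501 10:00:01,ip-10-0-0-1,rdsadmin,localhost,5,0,DISCONNECT,,,0
20160501 10:00:05,ip-10-0-0-1,appuser,10.0.1.5,12,0,CONNECT,appdb,,0
20160501 10:00:06,ip-10-0-0-1,appuser,10.0.1.5,12,7,QUERY,appdb,'SELECT id, name FROM customers WHERE id = 42',0
20160501 10:00:09,ip-10-0-0-1,appuser,10.0.1.5,12,0,DISCONNECT,appdb,,0
20160501 10:01:00,ip-10-0-0-1,admin,203.0.113.7,13,0,FAILED_CONNECT,,,1045
20160501 10:01:02,ip-10-0-0-1,admin,203.0.113.7,14,0,FAILED_CONNECT,,,1045
20160501 10:01:04,ip-10-0-0-1,root,203.0.113.7,15,0,FAILED_CONNECT,,,1045
"""

FIELDS = ("timestamp", "serverhost", "username", "host", "connectionid",
          "queryid", "operation", "database", "object", "retcode")


def parse_audit_line(line):
    """Split one log line into a dict.

    The first eight fields never contain commas; the object field (query text)
    can, so it is taken as everything between the eighth comma and the final
    comma before retcode."""
    head = line.rstrip("\n").split(",", 8)
    if len(head) != 9:
        raise ValueError(f"malformed audit line: {line!r}")
    obj, retcode = head[8].rsplit(",", 1)
    if len(obj) >= 2 and obj[0] == obj[-1] == "'":
        obj = obj[1:-1]
    event = dict(zip(FIELDS, head[:8] + [obj, retcode]))
    event["retcode"] = int(event["retcode"])
    return event


def parse_audit_log(text, exclude_users=()):
    """Parse all lines, dropping users the way SERVER_AUDIT_EXCL_USERS would."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = parse_audit_line(line)
        if event["username"] in exclude_users:
            continue
        events.append(event)
    return events


def is_failed_connect(event):
    """FAILED_CONNECT records, plus any CONNECT that carries a non-zero error code."""
    return event["operation"] == "FAILED_CONNECT" or (
        event["operation"] == "CONNECT" and event["retcode"] != 0)


def failed_connects_by_host(events):
    """Count failed connection attempts per client host."""
    return Counter(e["host"] for e in events if is_failed_connect(e))


def hosts_over_threshold(events, threshold=3):
    """Client hosts with at least `threshold` failed connections."""
    return sorted(h for h, n in failed_connects_by_host(events).items() if n >= threshold)


if __name__ == "__main__":
    events = parse_audit_log(SAMPLE_AUDIT_LOG, exclude_users=("rdsadmin",))
    print(len(events), "events after excluding rdsadmin")
    print(dict(failed_connects_by_host(events)))
    print("hosts over threshold:", hosts_over_threshold(events))
```

The same split-then-rsplit approach is needed for any consumer of this log, since a QUERY record's text can contain commas and quotes; splitting on every comma silently corrupts the retcode column.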

Modifying MariaDB Audit Plugin Settings

After you enable the MariaDB Audit Plugin, you can modify the settings. For more information about how to modify option settings, see Modifying an Option Setting (p. 715). For more information about each setting, see Audit Plugin Option Settings (p. 240).

Removing the MariaDB Audit Plugin

Amazon RDS doesn't support turning off logging in the MariaDB Audit Plugin. However, you can remove the plugin from a DB instance. After you remove the MariaDB Audit Plugin, you need to restart your DB instance to stop auditing.

To remove the MariaDB Audit Plugin from a DB instance, do one of the following:

• Remove the MariaDB Audit Plugin option from the option group it belongs to. This change affects all DB instances that use the option group. For more information, see Removing an Option from an Option Group (p. 720).

• Modify the DB instance and specify a different option group that doesn't include the plugin. This change affects a single DB instance. You can specify the default (empty) option group, or a different custom option group. For more information, see Modifying a DB Instance Running the MySQL Database Engine (p. 200).


Appendix: MySQL on Amazon RDS SQL Reference

This appendix describes system stored procedures that are available for Amazon RDS instances running the MySQL DB engine.

Overview

The following system stored procedures are supported for Amazon RDS DB instances running MySQL.

Replication

mysql.rds_set_external_master (p. 244)

mysql.rds_reset_external_master (p. 246)

mysql.rds_start_replication (p. 246)

mysql.rds_stop_replication (p. 247)

mysql.rds_skip_repl_error (p. 248)

mysql.rds_next_master_log (p. 248)

InnoDB cache warming

mysql.rds_innodb_buffer_pool_dump_now (p. 250)

mysql.rds_innodb_buffer_pool_load_now (p. 251)

mysql.rds_innodb_buffer_pool_load_abort (p. 251)

Managing additional configuration (for example, binlog file retention)

mysql.rds_set_configuration (p. 252)

mysql.rds_show_configuration (p. 253)

Terminating a session or query

mysql.rds_kill (p. 253)

mysql.rds_kill_query (p. 254)

Logging

mysql.rds_rotate_general_log (p. 255)

mysql.rds_rotate_slow_log (p. 255)

Managing the global status history

mysql.rds_enable_gsh_collector (p. 256)

mysql.rds_set_gsh_collector (p. 256)

mysql.rds_disable_gsh_collector (p. 257)

mysql.rds_collect_global_status_history (p. 257)

mysql.rds_enable_gsh_rotation (p. 258)

mysql.rds_set_gsh_rotation (p. 258)


mysql.rds_disable_gsh_rotation (p. 259)

mysql.rds_rotate_global_status_history (p. 259)

SQL Reference Conventions

This section explains the conventions that are used to describe the syntax of the system stored procedures and tables described in the SQL reference section.

Character    Description

UPPERCASE    Words in uppercase are keywords.

[ ]          Square brackets indicate optional arguments.

{ }          Braces indicate that you are required to choose one of the arguments inside the braces.

|            Pipes separate arguments that you can choose.

italics      Words in italics indicate placeholders. You must insert the appropriate value in place of the word in italics.

...          An ellipsis indicates that you can repeat the preceding element.

'            Words in single quotes indicate that you must type the quotes.

mysql.rds_set_external_master

Configures a MySQL DB instance to be a Read Replica of an instance of MySQL running external to Amazon RDS.

Syntax

CALL mysql.rds_set_external_master (
    host_name
  , host_port
  , replication_user_name
  , replication_user_password
  , mysql_binary_log_file_name
  , mysql_binary_log_file_location
  , ssl_encryption
);

Parameters

host_name

The host name or IP address of the MySQL instance running external to Amazon RDS that will become the replication master.

host_port

The port used by the MySQL instance running external to Amazon RDS to be configured as the replication master. If your network configuration includes SSH port replication that converts the port number, specify the port number that is exposed by SSH.


replication_user_name

The ID of a user with REPLICATION SLAVE permissions in the MySQL DB instance to be configured as the Read Replica.

replication_user_password

The password of the user ID specified in replication_user_name.

mysql_binary_log_file_name

The name of the binary log on the replication master that contains the replication information.

mysql_binary_log_file_location

The location in the mysql_binary_log_file_name binary log at which replication will start reading the replication information.

ssl_encryption

This option is not currently implemented. The default is 0.

Usage Notes

The mysql.rds_set_external_master procedure must be run by the master user. It must be run on the MySQL DB instance to be configured as the Read Replica of a MySQL instance running external to Amazon RDS. Before running mysql.rds_set_external_master, you must have configured the instance of MySQL running external to Amazon RDS as a replication master. For more information, see Importing and Exporting Data From a MySQL DB Instance (p. 205).

Warning

Do not use mysql.rds_set_external_master to manage replication between two Amazon RDS DB instances. Use it only when replicating with an instance of MySQL running external to RDS. For information about managing replication between Amazon RDS DB instances, see Working with PostgreSQL, MySQL, and MariaDB Read Replicas (p. 649).

After calling mysql.rds_set_external_master to configure an Amazon RDS DB instance as a Read Replica, you can call mysql.rds_start_replication (p. 246) on the replica to start the replication process. You can call mysql.rds_reset_external_master (p. 246) to remove the Read Replica configuration.

When mysql.rds_set_external_master is called, Amazon RDS records the time, user, and an action of "set master" in the mysql.rds_history and mysql.rds_replication_status tables.

The mysql.rds_set_external_master procedure is available in these versions of Amazon RDS MySQL:

• MySQL 5.5 version 5.5.33 and later

• MySQL 5.6 version 5.6.13 and later

• MySQL 5.7 version 5.7.10 and later

Examples

When run on a MySQL DB instance, the following example configures the DB instance to be a Read Replica of an instance of MySQL running external to Amazon RDS.

call mysql.rds_set_external_master('Sourcedb.some.com',3306,'ReplicationUser','SomePassW0rd','mysql-bin-changelog.0777',120,0);

Related Topics

mysql.rds_reset_external_master (p. 246)

mysql.rds_start_replication (p. 246)


mysql.rds_stop_replication (p. 247)

mysql.rds_reset_external_master

Reconfigures a MySQL DB instance to no longer be a Read Replica of an instance of MySQL running external to Amazon RDS.

Syntax

CALL mysql.rds_reset_external_master;

Usage Notes

The mysql.rds_reset_external_master procedure must be run by the master user. It must be run on the MySQL DB instance to be removed as a Read Replica of a MySQL instance running external to Amazon RDS.

Warning

Do not use mysql.rds_reset_external_master to manage replication between two Amazon RDS DB instances. Use it only when replicating with an instance of MySQL running external to Amazon RDS. For information about managing replication between Amazon RDS DB instances, see Working with PostgreSQL, MySQL, and MariaDB Read Replicas (p. 649).

For more information about using replication to import data from an instance of MySQL running external to Amazon RDS, see Importing and Exporting Data From a MySQL DB Instance (p. 205).

The mysql.rds_reset_external_master procedure is available in these versions of Amazon RDS MySQL:

• MySQL 5.5 version 5.5.33 and later

• MySQL 5.6 version 5.6.13 and later

• MySQL 5.7 version 5.7.10 and later

Related Topics

mysql.rds_set_external_master (p. 244)

mysql.rds_start_replication (p. 246)

mysql.rds_stop_replication (p. 247)

mysql.rds_start_replication

Initiates replication from a MySQL DB instance.

Syntax

CALL mysql.rds_start_replication;

Usage Notes

The mysql.rds_start_replication procedure must be run by the master user.


If you are configuring replication to import data from an instance of MySQL running external to Amazon RDS, you call mysql.rds_start_replication on the replica to start the replication process after you have called mysql.rds_set_external_master (p. 244) to build the replication configuration. For more information, see Importing and Exporting Data From a MySQL DB Instance (p. 205).

If you are configuring replication to export data to an instance of MySQL external to Amazon RDS, you call mysql.rds_start_replication and mysql.rds_stop_replication on the replica to control some replication actions, such as purging binary logs. For more information, see Using Replication to Export MySQL Data (p. 229).

You can also call mysql.rds_start_replication on the replica to restart any replication process that you previously stopped by calling mysql.rds_stop_replication (p. 247). For more information, see Working with PostgreSQL, MySQL, and MariaDB Read Replicas (p. 649).

The mysql.rds_start_replication procedure is available in these versions of Amazon RDS MySQL:

• MySQL 5.5 version 5.5.33 and later

• MySQL 5.6 version 5.6.13 and later

• MySQL 5.7 version 5.7.10 and later

Related Topics

mysql.rds_set_external_master (p. 244)

mysql.rds_reset_external_master (p. 246)

mysql.rds_stop_replication (p. 247)

mysql.rds_stop_replication

Terminates replication from a MySQL DB instance.

Syntax

CALL mysql.rds_stop_replication;

Usage Notes

The mysql.rds_stop_replication procedure must be run by the master user.

If you are configuring replication to import data from an instance of MySQL running external to Amazon RDS, you call mysql.rds_stop_replication on the replica to stop the replication process after the import has completed. For more information, see Importing and Exporting Data From a MySQL DB Instance (p. 205).

If you are configuring replication to export data to an instance of MySQL external to Amazon RDS, you call mysql.rds_start_replication and mysql.rds_stop_replication on the replica to control some replication actions, such as purging binary logs. For more information, see Using Replication to Export MySQL Data (p. 229).

You can also use mysql.rds_stop_replication to stop replication between two Amazon RDS DB instances. You typically stop replication to perform a long running operation on the replica, such as creating a large index on the replica. You can restart any replication process that you stopped by calling mysql.rds_start_replication (p. 246) on the replica. For more information, see Working with PostgreSQL, MySQL, and MariaDB Read Replicas (p. 649).


The mysql.rds_stop_replication procedure is available in these versions of Amazon RDS MySQL:

• MySQL 5.5 version 5.5.33 and later

• MySQL 5.6 version 5.6.13 and later

• MySQL 5.7 version 5.7.10 and later

Related Topics

mysql.rds_set_external_master (p. 244)

mysql.rds_reset_external_master (p. 246)

mysql.rds_start_replication (p. 246)

mysql.rds_skip_repl_error

Skips and deletes a replication error on a MySQL DB instance.

Syntax

CALL mysql.rds_skip_repl_error;

Usage Notes

The mysql.rds_skip_repl_error procedure must be run by the master user.

Run the MySQL show slave status\G command to determine if there are errors. If a replication error is not critical, you can elect to use mysql.rds_skip_repl_error to skip the error. If there are multiple errors, mysql.rds_skip_repl_error deletes the first error, then warns that others are present. You can then use show slave status\G to determine the correct course of action for the next error. For information about the values returned, go to SHOW SLAVE STATUS Syntax in the MySQL documentation.

For more information about addressing replication errors with Amazon RDS, see Troubleshooting a MySQL or MariaDB Read Replica Problem (p. 661).

The mysql.rds_skip_repl_error procedure is available in these versions of Amazon RDS MySQL:

• MySQL 5.1 version 5.1.62 and later

• MySQL 5.5 version 5.5.23 and later

• MySQL 5.6 version 5.6.12 and later

• MySQL 5.7 version 5.7.10 and later

Important

If you attempt to call mysql.rds_skip_repl_error and encounter the following error: ERROR 1305 (42000): PROCEDURE mysql.rds_skip_repl_error does not exist, then upgrade your MySQL DB instance to the latest minor version or one of the minimum minor versions listed in this topic.

mysql.rds_next_master_log

Changes the replication master log position to the start of the next binary log on the master. Use this procedure only if you are receiving replication I/O error 1236 on a Read Replica.


Syntax

CALL mysql.rds_next_master_log(curr_master_log);

Parameters

curr_master_log

The index of the current master log file. For example, if the current file is named mysql-bin-changelog.012345, then the index is 12345. To determine the current master log file name, run the SHOW SLAVE STATUS command and view the Master_Log_File field.

Usage Notes

The mysql.rds_next_master_log procedure must be run by the master user.

Warning

Call mysql.rds_next_master_log only if replication fails after a failover of a Multi-AZ DB instance that is the replication source, and the Last_IO_Errno field of SHOW SLAVE STATUS reports I/O error 1236.

Calling mysql.rds_next_master_log may result in data loss in the Read Replica if transactions in the source instance were not written to the binary log on disk before the failover event occurred. You can reduce the chance of this happening by configuring the source instance parameters sync_binlog = 1 and innodb_support_xa = 1, although this may reduce performance. For more information, see Working with PostgreSQL, MySQL, and MariaDB Read Replicas (p. 649).

The mysql.rds_next_master_log procedure is available in these versions of Amazon RDS MySQL:

• MySQL 5.1 version 5.1.71 and later

• MySQL 5.5 version 5.5.33 and later

• MySQL 5.6 version 5.6.13 and later

• MySQL 5.7 version 5.7.10 and later

Examples

Assume replication fails on an Amazon RDS Read Replica. Running SHOW SLAVE STATUS\G on the replica returns the following result:

*************************** 1. row ***************************

Slave_IO_State:

Master_Host: myhost.XXXXXXXXXXXXXXX.rr-rrrr-1.rds.amazonaws.com

Master_User: MasterUser

Master_Port: 3306

Connect_Retry: 10

Master_Log_File: mysql-bin-changelog.012345

Read_Master_Log_Pos: 1219393

Relay_Log_File: relaylog.012340

Relay_Log_Pos: 30223388

Relay_Master_Log_File: mysql-bin-changelog.012345

Slave_IO_Running: No

Slave_SQL_Running: Yes


Replicate_Do_DB:

Replicate_Ignore_DB:

Replicate_Do_Table:

Replicate_Ignore_Table:

Replicate_Wild_Do_Table:

Replicate_Wild_Ignore_Table:

Last_Errno: 0

Last_Error:

Skip_Counter: 0

Exec_Master_Log_Pos: 30223232

Relay_Log_Space: 5248928866

Until_Condition: None

Until_Log_File:

Until_Log_Pos: 0

Master_SSL_Allowed: No

Master_SSL_CA_File:

Master_SSL_CA_Path:

Master_SSL_Cert:

Master_SSL_Cipher:

Master_SSL_Key:

Seconds_Behind_Master: NULL

Master_SSL_Verify_Server_Cert: No

Last_IO_Errno: 1236

Last_IO_Error: Got fatal error 1236 from master when reading data from binary log: 'Client requested master to start replication from impossible position; the first event 'mysql-bin-changelog.013406' at 1219393, the last event read from '/rdsdbdata/log/binlog/mysql-bin-changelog.012345' at 4, the last byte read from '/rdsdbdata/log/binlog/mysql-bin-changelog.012345' at 4.'

Last_SQL_Errno: 0

Last_SQL_Error:

Replicate_Ignore_Server_Ids:

Master_Server_Id: 67285976

The Last_IO_Errno field shows that the instance is receiving I/O error 1236. The Master_Log_File field shows that the file name is mysql-bin-changelog.012345, which means that the log file index is 12345. To resolve the error, you can call mysql.rds_next_master_log with the following parameter:

CALL mysql.rds_next_master_log(12345);
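The triage that the example above walks through by hand can be scripted so that the decision is repeatable and auditable. The following Python is an added example, not part of this guide or of Amazon RDS. It parses SHOW SLAVE STATUS\G output (the sample is a constructed, trimmed copy of the result shown above) into fields, extracts the log file index from Master_Log_File, and proposes the mysql.rds_next_master_log call only when Slave_IO_Running is No and Last_IO_Errno is 1236. Any other error is deliberately left for an operator to inspect, because advancing the master log position for the wrong reason can lose data on the replica. The script only produces the statement; running it against the replica remains a manual step.

```python
"""Triage SHOW SLAVE STATUS output for the I/O error 1236 case."""
import re
from typing import Dict, Optional

# Constructed sample: a trimmed copy of the SHOW SLAVE STATUS\G output for
# a failed Read Replica. Field values follow the example in the guide.
SAMPLE_STATUS = """\
*************************** 1. row ***************************
               Slave_IO_State:
                  Master_Host: myhost.XXXXXXXXXXXXXXX.rr-rrrr-1.rds.amazonaws.com
                  Master_User: MasterUser
                  Master_Port: 3306
              Master_Log_File: mysql-bin-changelog.012345
          Read_Master_Log_Pos: 1219393
             Slave_IO_Running: No
            Slave_SQL_Running: Yes
                   Last_Errno: 0
                   Last_Error:
                Last_IO_Errno: 1236
                Last_IO_Error: Got fatal error 1236 from master when reading data from binary log: 'Client requested master to start replication from impossible position'
               Last_SQL_Errno: 0
               Last_SQL_Error:
"""


def parse_slave_status(text: str) -> Dict[str, str]:
    """Parse the "Name: value" lines of \\G output into a dict.

    The row banner (a line of asterisks) is skipped. Only the first colon on a
    line separates name from value, so error messages containing colons stay
    intact. A blank value is kept as "" so callers can tell "present but
    empty" from "absent".
    """
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        if ":" not in line or line.lstrip().startswith("*"):
            continue
        name, _, value = line.partition(":")
        fields[name.strip()] = value.strip()
    return fields


def binlog_index(file_name: str) -> Optional[int]:
    """Return the numeric index of a binary log name.

    mysql-bin-changelog.012345 -> 12345. Returns None when the name has no
    numeric suffix, so the caller never fabricates an index.
    """
    match = re.fullmatch(r".+\.(\d+)", file_name)
    return int(match.group(1)) if match else None


def recommend_action(status: Dict[str, str]) -> Optional[str]:
    """Return the CALL statement an operator should review, or None.

    Only the case the guide documents is automated: the I/O thread has stopped
    and Last_IO_Errno is 1236. Everything else is left to a human, since
    skipping or advancing blindly can lose transactions on the replica.
    """
    if status.get("Slave_IO_Running") == "Yes":
        return None  # the I/O thread is healthy; nothing to fix
    if status.get("Last_IO_Errno") != "1236":
        return None  # a different failure; needs investigation, not this call
    idx = binlog_index(status.get("Master_Log_File", ""))
    if idx is None:
        return None  # cannot determine the current log index safely
    return f"CALL mysql.rds_next_master_log({idx});"


if __name__ == "__main__":
    print(recommend_action(parse_slave_status(SAMPLE_STATUS)))
```

Feed the function the full output of SHOW SLAVE STATUS\G captured from the replica; the parser tolerates the extra fields that a real result contains, and the recommendation is printed for review rather than executed.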

mysql.rds_innodb_buffer_pool_dump_now

Dumps the current state of the buffer pool to disk. For more information, see InnoDB Cache Warming (p. 182).

Syntax

CALL mysql.rds_innodb_buffer_pool_dump_now();

Usage Notes

The mysql.rds_innodb_buffer_pool_dump_now procedure must be run by the master user.


The mysql.rds_innodb_buffer_pool_dump_now procedure is available in these versions of Amazon RDS MySQL:

• MySQL 5.6 version 5.6.19 and later

• MySQL 5.7 version 5.7.10 and later

Related Topics

mysql.rds_innodb_buffer_pool_load_now (p. 251)

mysql.rds_innodb_buffer_pool_load_abort (p. 251)

mysql.rds_innodb_buffer_pool_load_now

Loads the saved state of the buffer pool from disk. For more information, see InnoDB Cache Warming (p. 182).

Syntax

CALL mysql.rds_innodb_buffer_pool_load_now();

Usage Notes

The mysql.rds_innodb_buffer_pool_load_now procedure must be run by the master user.

The mysql.rds_innodb_buffer_pool_load_now procedure is available in these versions of Amazon RDS MySQL:

• MySQL 5.6 version 5.6.19 and later

• MySQL 5.7 version 5.7.10 and later

Related Topics

mysql.rds_innodb_buffer_pool_dump_now (p. 250)

mysql.rds_innodb_buffer_pool_load_abort (p. 251)

mysql.rds_innodb_buffer_pool_load_abort

Cancels a load of the saved buffer pool state while in progress. For more information, see InnoDB Cache Warming (p. 182).

Syntax

CALL mysql.rds_innodb_buffer_pool_load_abort();

Usage Notes

The mysql.rds_innodb_buffer_pool_load_abort procedure must be run by the master user.


The mysql.rds_innodb_buffer_pool_load_abort procedure is available in these versions of Amazon RDS MySQL:

• MySQL 5.6 version 5.6.19 and later

• MySQL 5.7 version 5.7.10 and later

Related Topics

mysql.rds_innodb_buffer_pool_dump_now (p. 250)

mysql.rds_innodb_buffer_pool_load_now (p. 251)

mysql.rds_set_configuration

Specifies the number of hours to retain binary logs.

Syntax

CALL mysql.rds_set_configuration(name,value);

Parameters

name

The name of the configuration parameter to set.

value

The value of the configuration parameter.

Usage Notes

The mysql.rds_set_configuration procedure currently supports only the binlog retention hours configuration parameter. The binlog retention hours parameter is used to specify the number of hours to retain binary log files. Amazon RDS normally purges a binary log as soon as possible, but the binary log might still be required for replication with a MySQL database external to Amazon RDS.

To specify the number of hours for Amazon RDS to retain binary logs on a DB instance, use the mysql.rds_set_configuration stored procedure and specify a period with enough time for replication to occur, as shown in the following example.

call mysql.rds_set_configuration('binlog retention hours', 24);

After you set the retention period, monitor storage usage for the DB instance to ensure that the retained binary logs don't take up too much storage.

The mysql.rds_set_configuration procedure is available in these versions of Amazon RDS MySQL:

• MySQL 5.6

• MySQL 5.7

Related Topics

mysql.rds_show_configuration (p. 253)


mysql.rds_show_configuration

Displays the number of hours binary logs will be retained.

Syntax

CALL mysql.rds_show_configuration;

Usage Notes

To verify the number of hours Amazon RDS will retain binary logs, use the mysql.rds_show_configuration stored procedure.

The mysql.rds_show_configuration procedure is available in these versions of Amazon RDS MySQL:

• MySQL 5.6

• MySQL 5.7

Related Topics

mysql.rds_set_configuration (p. 252)

Examples

The following example displays the retention period:

call mysql.rds_show_configuration;

name                    value  description
binlog retention hours  24     binlog retention hours specifies the duration in hours before binary logs are automatically deleted.

mysql.rds_kill

Terminates a connection to the MySQL server.

Syntax

CALL mysql.rds_kill(processID);

Parameters

processID

The identity of the connection thread that will be terminated.


Usage Notes

Each connection to the MySQL server runs in a separate thread. To terminate a connection, use the mysql.rds_kill procedure and pass in the thread ID of that connection. To obtain the thread ID, use the MySQL SHOW PROCESSLIST command.

The mysql.rds_kill procedure is available in these versions of Amazon RDS MySQL:

• MySQL 5.5

• MySQL 5.6

• MySQL 5.7

Related Topics

mysql.rds_kill_query (p. 254)

Examples

The following example terminates a connection with a thread ID of 4243:

call mysql.rds_kill(4243);

mysql.rds_kill_query

Terminates a query running against the MySQL server.

Syntax

CALL mysql.rds_kill_query(queryID);

Parameters

queryID

The identity of the query that will be terminated.

Usage Notes

To terminate a query running against the MySQL server, use the mysql.rds_kill_query procedure and pass in the ID of that query. To obtain the query ID, use the MySQL INFORMATION_SCHEMA PROCESSLIST command. The connection to the MySQL server will be retained.

The mysql.rds_kill_query procedure is available in these versions of Amazon RDS MySQL:

• MySQL 5.5

• MySQL 5.6

• MySQL 5.7


Related Topics

mysql.rds_kill (p. 253)

Examples

The following example terminates a query with a thread ID of 230040:

call mysql.rds_kill_query(230040);
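Both mysql.rds_kill and mysql.rds_kill_query take a thread ID from PROCESSLIST, so the operational work is deciding which threads qualify and keeping the ones that must never be touched out of reach of automation. The following Python is an added example, not part of this guide or of Amazon RDS. It filters rows already fetched from INFORMATION_SCHEMA.PROCESSLIST (the standard ID, USER, HOST, DB, COMMAND, TIME, STATE and INFO columns; the rows below are constructed sample data) for statements that have run longer than a threshold, skips the caller's own thread, idle connections, the rdsadmin service account and the Binlog Dump threads that feed Read Replicas, and emits one CALL mysql.rds_kill_query(...) per match for review. The protected-account list, the threshold and the sample rows are assumptions made for the example; the script does not connect to a database.

```python
"""Select runaway queries from an INFORMATION_SCHEMA.PROCESSLIST snapshot."""
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class ProcessRow:
    """One row of INFORMATION_SCHEMA.PROCESSLIST (standard MySQL columns)."""
    id: int
    user: str
    host: str
    db: Optional[str]
    command: str         # "Query", "Sleep", "Binlog Dump", ...
    time: int            # seconds the thread has been in its current state
    state: str
    info: Optional[str]  # statement text; None when the thread is idle


# Constructed sample rows for the example; not captured from a real instance.
SAMPLE_ROWS: List[ProcessRow] = [
    ProcessRow(7, "rdsadmin", "localhost", None, "Sleep", 3, "", None),
    ProcessRow(4243, "app", "10.0.1.25:50312", "shop", "Query", 1800, "Sending data",
               "SELECT * FROM orders o JOIN order_items i ON i.order_id = o.id"),
    ProcessRow(4250, "app", "10.0.1.26:50340", "shop", "Sleep", 600, "", None),
    ProcessRow(4301, "replica", "10.0.2.9:41000", None, "Binlog Dump", 86400,
               "Master has sent all binlog to slave; waiting for more updates", None),
    ProcessRow(4310, "admin", "10.0.9.1:40001", "shop", "Query", 5, "executing",
               "SELECT * FROM INFORMATION_SCHEMA.PROCESSLIST"),
    ProcessRow(4402, "report", "10.0.1.30:50011", "shop", "Query", 905, "Sending data",
               "SELECT COUNT(*) FROM events"),
]

# Accounts and thread types that automation must never terminate (assumed
# policy for this example): rdsadmin is the RDS service account, and Binlog
# Dump threads are the replication feeds to Read Replicas.
PROTECTED_USERS = frozenset({"rdsadmin"})
PROTECTED_COMMANDS = frozenset({"Binlog Dump", "Binlog Dump GTID"})


def runaway_queries(rows: Iterable[ProcessRow], max_seconds: int, own_id: int) -> List[ProcessRow]:
    """Return the rows whose statement has run longer than max_seconds.

    Idle connections ("Sleep") are not queries and are left alone, as are the
    caller's own thread (own_id), protected accounts and replication threads.
    The result is ordered longest-running first.
    """
    selected: List[ProcessRow] = []
    for row in rows:
        if row.id == own_id or row.user in PROTECTED_USERS or row.command in PROTECTED_COMMANDS:
            continue
        if row.command != "Query" or row.info is None:
            continue  # not an executing statement
        if row.time > max_seconds:
            selected.append(row)
    return sorted(selected, key=lambda r: r.time, reverse=True)


def kill_query_statements(rows: Iterable[ProcessRow]) -> List[str]:
    """Build one CALL per selected thread; rds_kill_query keeps the connection open."""
    return [f"CALL mysql.rds_kill_query({row.id});" for row in rows]


if __name__ == "__main__":
    victims = runaway_queries(SAMPLE_ROWS, max_seconds=900, own_id=4310)
    for statement in kill_query_statements(victims):
        print(statement)
```

Swap kill_query_statements for a mysql.rds_kill builder only when the whole connection should go; for a stuck statement on an otherwise healthy session, rds_kill_query is the less disruptive choice the guide describes.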

mysql.rds_rotate_general_log

Rotates the mysql.general_log table to a backup table. For more information, see MySQL Database Log Files (p. 814).

Syntax

CALL mysql.rds_rotate_general_log;

Usage Notes

You can rotate the mysql.general_log table to a backup table by calling the mysql.rds_rotate_general_log procedure. When log tables are rotated, the current log table is copied to a backup log table and the entries in the current log table are removed. If a backup log table already exists, then it is deleted before the current log table is copied to the backup. You can query the backup log table if needed. The backup log table for the mysql.general_log table is named mysql.general_log_backup.

The mysql.rds_rotate_general_log procedure is available in these versions of Amazon RDS MySQL:

• MySQL 5.5

• MySQL 5.6

• MySQL 5.7

Related Topics

mysql.rds_rotate_slow_log (p. 255)

mysql.rds_rotate_slow_log

Rotates the mysql.slow_log table to a backup table. For more information, see MySQL Database Log Files (p. 814).

Syntax

CALL mysql.rds_rotate_slow_log;


Usage Notes

You can rotate the mysql.slow_log table to a backup table by calling the mysql.rds_rotate_slow_log procedure. When log tables are rotated, the current log table is copied to a backup log table and the entries in the current log table are removed. If a backup log table already exists, then it is deleted before the current log table is copied to the backup. You can query the backup log table if needed. The backup log table for the mysql.slow_log table is named mysql.slow_log_backup.

The mysql.rds_rotate_slow_log procedure is available in these versions of Amazon RDS MySQL:

• MySQL 5.5

• MySQL 5.6

• MySQL 5.7

Related Topics

mysql.rds_rotate_general_log (p. 255)

mysql.rds_enable_gsh_collector

Enables the Global Status History (GoSH) to take default snapshots at intervals specified by rds_set_gsh_collector. For more information, see Managing the Global Status History (p. 235).

Syntax

CALL mysql.rds_enable_gsh_collector;

Related Topics

mysql.rds_set_gsh_collector (p. 256)

mysql.rds_disable_gsh_collector (p. 257)

mysql.rds_collect_global_status_history (p. 257)

mysql.rds_enable_gsh_rotation (p. 258)

mysql.rds_set_gsh_rotation (p. 258)

mysql.rds_disable_gsh_rotation (p. 259)

mysql.rds_rotate_global_status_history (p. 259)

mysql.rds_set_gsh_collector

Specifies the interval, in minutes, between snapshots taken by the Global Status History (GoSH). Default value is 5. For more information, see Managing the Global Status History (p. 235).

Syntax

CALL mysql.rds_set_gsh_collector(intervalPeriod);


Parameters

intervalPeriod

The interval, in minutes, between snapshots. Default value is 5.

Related Topics

mysql.rds_enable_gsh_collector (p. 256)

mysql.rds_disable_gsh_collector (p. 257)

mysql.rds_collect_global_status_history (p. 257)

mysql.rds_enable_gsh_rotation (p. 258)

mysql.rds_set_gsh_rotation (p. 258)

mysql.rds_disable_gsh_rotation (p. 259)

mysql.rds_rotate_global_status_history (p. 259)

mysql.rds_disable_gsh_collector

Disables snapshots taken by the Global Status History (GoSH). For more information, see Managing the Global Status History (p. 235).

Syntax

CALL mysql.rds_disable_gsh_collector;

Related Topics

mysql.rds_enable_gsh_collector (p. 256)

mysql.rds_set_gsh_collector (p. 256)

mysql.rds_collect_global_status_history (p. 257)

mysql.rds_enable_gsh_rotation (p. 258)

mysql.rds_set_gsh_rotation (p. 258)

mysql.rds_disable_gsh_rotation (p. 259)

mysql.rds_rotate_global_status_history (p. 259)

mysql.rds_collect_global_status_history

Takes a snapshot on demand for the Global Status History (GoSH). For more information, see Managing the Global Status History (p. 235).

Syntax

CALL mysql.rds_collect_global_status_history;

Related Topics

mysql.rds_enable_gsh_collector (p. 256)


mysql.rds_set_gsh_collector (p. 256)

mysql.rds_disable_gsh_collector (p. 257)

mysql.rds_enable_gsh_rotation (p. 258)

mysql.rds_set_gsh_rotation (p. 258)

mysql.rds_disable_gsh_rotation (p. 259)

mysql.rds_rotate_global_status_history (p. 259)

mysql.rds_enable_gsh_rotation

Enables rotation of the contents of the mysql.global_status_history table to mysql.global_status_history_old at intervals specified by rds_set_gsh_rotation. For more information, see Managing the Global Status History (p. 235).

Syntax

CALL mysql.rds_enable_gsh_rotation;

Related Topics

mysql.rds_enable_gsh_collector (p. 256)

mysql.rds_set_gsh_collector (p. 256)

mysql.rds_disable_gsh_collector (p. 257)

mysql.rds_collect_global_status_history (p. 257)

mysql.rds_set_gsh_rotation (p. 258)

mysql.rds_disable_gsh_rotation (p. 259)

mysql.rds_rotate_global_status_history (p. 259)

mysql.rds_set_gsh_rotation

Specifies the interval, in days, between rotations of the mysql.global_status_history table. Default value is 7. For more information, see Managing the Global Status History (p. 235).

Syntax

CALL mysql.rds_set_gsh_rotation(intervalPeriod);

Parameters

intervalPeriod

The interval, in days, between table rotations. Default value is 7.

Related Topics

mysql.rds_enable_gsh_collector (p. 256)

mysql.rds_set_gsh_collector (p. 256)

mysql.rds_disable_gsh_collector (p. 257)


mysql.rds_collect_global_status_history (p. 257)

mysql.rds_enable_gsh_rotation (p. 258)

mysql.rds_disable_gsh_rotation (p. 259)

mysql.rds_rotate_global_status_history (p. 259)

mysql.rds_disable_gsh_rotation

Disables rotation of the mysql.global_status_history table. For more information, see Managing the Global Status History (p. 235).

Syntax

CALL mysql.rds_disable_gsh_rotation;

Related Topics

mysql.rds_enable_gsh_collector (p. 256)

mysql.rds_set_gsh_collector (p. 256)

mysql.rds_disable_gsh_collector (p. 257)

mysql.rds_collect_global_status_history (p. 257)

mysql.rds_enable_gsh_rotation (p. 258)

mysql.rds_set_gsh_rotation (p. 258)

mysql.rds_rotate_global_status_history (p. 259)

mysql.rds_rotate_global_status_history

Rotates the contents of the mysql.global_status_history table to mysql.global_status_history_old on demand. For more information, see Managing the Global Status History (p. 235).

Syntax

CALL mysql.rds_rotate_global_status_history;

Related Topics

mysql.rds_enable_gsh_collector (p. 256)

mysql.rds_set_gsh_collector (p. 256)

mysql.rds_disable_gsh_collector (p. 257)

mysql.rds_collect_global_status_history (p. 257)

mysql.rds_enable_gsh_rotation (p. 258)

mysql.rds_set_gsh_rotation (p. 258)

mysql.rds_disable_gsh_rotation (p. 259)


Oracle on Amazon RDS

Amazon RDS supports DB instances running one of several editions of Oracle Database. You can create DB instances and DB snapshots, point-in-time restores and automated or manual backups. DB instances running Oracle can be used inside a VPC. You can also enable various options to add additional features to your Oracle DB instance. Amazon RDS currently supports Multi-AZ deployments for Oracle as a high-availability, failover solution. For more information about the supported Oracle versions, see Appendix: Oracle Database Engine Release Notes (p. 360).

In order to deliver a managed service experience, Amazon RDS does not provide shell access to DB instances, and it restricts access to certain system procedures and tables that require advanced privileges.

Amazon RDS supports access to databases on a DB instance using any standard SQL client application such as Oracle SQL Plus. Amazon RDS does not allow direct host access to a DB instance via Telnet or Secure Shell (SSH).

When you create a DB instance, the master account that you use to create the instance gets DBA user privileges (with some limitations). Use this account for any administrative tasks such as creating additional user accounts in the database. The SYS user, SYSTEM user, and other administrative accounts are locked and cannot be used.

These are the common management tasks you perform with an Amazon RDS Oracle DB instance, with links to information about each task:

• For planning information, such as Oracle versions, storage engines, security, and features supported in Amazon RDS, see Planning Your Amazon RDS Oracle DB Instance (p. 261).

• Before creating a DB instance, you should complete the steps in the Setting Up for Amazon RDS (p. 7) section of this guide.

• If you are creating a DB instance for production purposes, you should understand how instance classes, storage, and Provisioned IOPS work in Amazon RDS. For more information about DB instance classes, see DB Instance Class (p. 104). For more information about Amazon RDS storage, see Amazon RDS Storage Types (p. 120). For more information about Provisioned IOPS, see Amazon RDS Provisioned IOPS Storage to Improve Performance (p. 125).

• A production DB instance should also use Multi-AZ deployments. All Multi-AZ deployments provide increased availability, data durability, and fault tolerance for DB instances. For more information about Multi-AZ deployments, see High Availability (Multi-AZ) (p. 112).

• There are prerequisites you must complete before you create your DB instance. For example, DB instances are created by default with a firewall that prevents access to it. You therefore must create a security group with the correct IP addresses and network configuration you will use to access the DB instance. The security group you need to create will depend on what EC2 platform your DB instance is on, and whether you will be accessing your DB instance from an EC2 instance. For more information about the two EC2 platforms supported by Amazon RDS, EC2-VPC and EC2-Classic, see Determining Whether You Are Using the EC2-VPC or EC2-Classic Platform (p. 155). In general, if your DB instance is on the EC2-Classic platform, you will need to create a DB security group; if your DB instance is on the EC2-VPC platform, you will need to create a VPC security group. For more information about security groups, see Amazon RDS Security Groups (p. 149) or the Setting Up for Amazon RDS (p. 7) section of this guide.

• If your AWS account has a default VPC (a default virtual private cloud), then your DB instance will automatically be created inside the default VPC. If your account does not have a default VPC and you want the DB instance to be inside a VPC, you must create the VPC and subnet groups before you create the DB instance. For more information about determining if your account has a default VPC, see Determining Whether You Are Using the EC2-VPC or EC2-Classic Platform (p. 155). For more information about using VPCs with Amazon RDS, see Virtual Private Clouds (VPCs) and Amazon RDS (p. 155).

• If your DB instance is going to require specific database parameters or options, you should create the parameter or option groups before you create the DB instance. For more information on parameter groups, see Working with DB Parameter Groups (p. 724). For more information on options for Oracle, see Appendix: Options for Oracle Database Engine (p. 295).

• After creating a security group and associating it with a DB instance, you can connect to the DB instance using any standard SQL client application such as Oracle SQL*Plus. For more information on connecting to a DB instance, see Connecting to a DB Instance Running the Oracle Database Engine (p. 280).

• You can configure your DB instance to take automated backups, or take manual snapshots, and then restore instances from the backups or snapshots. For information, see Backing Up and Restoring (p. 673).

• You can monitor an instance through actions such as viewing the Oracle logs, CloudWatch Amazon RDS metrics, and events. For information, see Monitoring Amazon RDS (p. 766).

There are also several appendices with useful information about working with Oracle DB instances:

• For information on common DBA tasks for Oracle on Amazon RDS, see Appendix: Common DBA Tasks for Oracle (p. 314).

• For information on the options that you can use with Oracle on Amazon RDS, see Appendix: Options for Oracle Database Engine (p. 295).

Planning Your Amazon RDS Oracle DB Instance

Amazon RDS supports DB instances running several editions of Oracle Database. This section shows how you can work with Oracle on Amazon RDS. You should also be aware of the limits for Oracle DB instances.

For information about importing Oracle data into a DB instance, see Importing Data Into Oracle on Amazon RDS (p. 288).

Topics

DB Instances Class Restrictions for Oracle Databases (p. 262)

Oracle Database Engine Options (p. 262)

Security (p. 269)

Using SSL with an Oracle DB Instance (p. 269)

Oracle Version Management (p. 270)

Licensing (p. 270)

Using OEM, APEX, TDE, and other options (p. 271)

DB Instances Class Restrictions for Oracle Databases

Some instance classes do not work well with Oracle databases because the system resources allocated to the DB instance do not meet the recommended configuration for an Oracle database. For example, the db.t1.micro DB instance class has limited resources and is recommended for testing only. If you choose to use a "micro" DB instance class with Oracle, you should use a db.t2.micro DB instance class.

The "micro" DB instance classes only support certain versions. The following versions are supported:

• The db.t1.micro DB instance class only supports Oracle versions 11.2.0.2, 11.2.0.3, and 12.1.0.1.

• The db.t2.micro DB instance class is recommended for use with Oracle versions 11.2.0.4 and 12.1.0.2.

Oracle Database Engine Options

The following list shows a subset of the key Oracle database engine features that are currently supported by Amazon RDS. The availability of an Oracle feature depends on the edition of Oracle that you choose. For example, OEM optional packs such as the Database Diagnostic Pack and the Database Tuning Pack are only available with Oracle Enterprise Edition.

Oracle 12c with Amazon RDS

Amazon RDS supports Oracle version 12c, such as Oracle version 12.1.0.2.v2. Oracle version 12.1.0.2.v2 is the latest supported version and includes Oracle Enterprise Edition and Oracle Standard Edition Two.

Oracle version 12c brings over 500 new features and updates from the previous version. This section covers the features and changes important to using Oracle 12c on Amazon RDS. For a complete list of the changes, see the Oracle 12c documentation.

Oracle 12c includes sixteen new parameters that impact your Amazon RDS DB instance, as well as eighteen new system privileges, several no longer supported packages, and several new option group settings. The following sections provide more information on these changes.

Amazon RDS Parameter Changes for Oracle 12c

Oracle 12c includes sixteen new parameters in addition to several parameters with new ranges and new default values.

The following table shows the new Amazon RDS parameters for Oracle 12c (Name, Values, Modifiable, Description):

connection_brokers
  Values: CONNECTION_BROKERS = broker_description[,...]
  Modifiable: N
  Specifies connection broker types, the number of connection brokers of each type, and the maximum number of connections per broker.

db_big_table_cache_percent_target
  Values: 0-90
  Modifiable: Y
  Specifies the cache section target size for automatic big table caching, as a percentage of the buffer cache.

db_index_compression_inheritance
  Values: TABLESPACE, TABLE, ALL, NONE
  Modifiable: Y
  Displays the options that are set for table or tablespace level compression inheritance.

heat_map
  Values: ON, OFF
  Modifiable: Y
  Enables the database to track read and write access of all segments, as well as modification of database blocks, due to DMLs and DDLs.

inmemory_clause_default
  Values: INMEMORY, NO INMEMORY
  Modifiable: Y
  INMEMORY_CLAUSE_DEFAULT enables you to specify a default In-Memory Column Store (IM column store) clause for new tables and materialized views.

inmemory_clause_default_memcompress
  Values: NO MEMCOMPRESS, MEMCOMPRESS FOR DML, MEMCOMPRESS FOR QUERY, MEMCOMPRESS FOR QUERY LOW, MEMCOMPRESS FOR QUERY HIGH, MEMCOMPRESS FOR CAPACITY, MEMCOMPRESS FOR CAPACITY LOW, MEMCOMPRESS FOR CAPACITY HIGH
  Modifiable: Y
  See INMEMORY_CLAUSE_DEFAULT.

inmemory_clause_default_priority
  Values: PRIORITY LOW, PRIORITY MEDIUM, PRIORITY HIGH, PRIORITY CRITICAL, PRIORITY NONE
  Modifiable: Y
  See INMEMORY_CLAUSE_DEFAULT.

inmemory_force
  Values: DEFAULT, OFF
  Modifiable: Y
  INMEMORY_FORCE allows you to specify whether tables and materialized views that are specified as INMEMORY are populated into the In-Memory Column Store (IM column store) or not.

inmemory_max_populate_servers
  Values: Null
  Modifiable: N
  INMEMORY_MAX_POPULATE_SERVERS specifies the maximum number of background populate servers to use for In-Memory Column Store (IM column store) population, so that these servers do not overload the rest of the system.

inmemory_query
  Values: ENABLE (default), DISABLE
  Modifiable: Y
  INMEMORY_QUERY is used to enable or disable in-memory queries for the entire database at the session or system level.

inmemory_size
  Values: 0, 104857600-274877906944
  Modifiable: Y
  INMEMORY_SIZE sets the size of the In-Memory Column Store (IM column store) on a database instance.

inmemory_trickle_repopulate_servers_percent
  Values: 0 to 50
  Modifiable: Y
  INMEMORY_TRICKLE_REPOPULATE_SERVERS_PERCENT limits the maximum number of background populate servers used for In-Memory Column Store (IM column store) repopulation, as trickle repopulation is designed to use only a small percentage of the populate servers.

max_string_size
  Values: STANDARD (default), EXTENDED
  Modifiable: N
  Controls the maximum size of VARCHAR2, NVARCHAR2, and RAW.

optimizer_adaptive_features
  Values: TRUE (default), FALSE
  Modifiable: Y
  Enables or disables all of the adaptive optimizer features.

optimizer_adaptive_reporting_only
  Values: TRUE, FALSE (default)
  Modifiable: Y
  Controls reporting-only mode for adaptive optimizations.

pdb_file_name_convert
  Modifiable: N
  Maps names of existing files to new file names.

pga_aggregate_limit
  Values: 1-max of memory
  Modifiable: Y
  Specifies a limit on the aggregate PGA memory consumed by the instance.

processor_group_name
  Modifiable: N
  Instructs the database instance to run itself within the specified operating system processor group.

spatial_vector_acceleration
  Values: TRUE, FALSE
  Modifiable: N
  Enables or disables the spatial vector acceleration, part of the Spatial option.

temp_undo_enabled
  Values: TRUE, FALSE (default)
  Modifiable: Y
  Determines whether transactions within a particular session can have a temporary undo log.

threaded_execution
  Values: TRUE, FALSE
  Modifiable: N
  Enables the multithreaded Oracle model, but prevents OS authentication.

unified_audit_sga_queue_size
  Values: 1 MB - 30 MB
  Modifiable: Y
  Specifies the size of the SGA queue for unified auditing.

use_dedicated_broker
  Values: TRUE, FALSE
  Modifiable: N
  Determines how dedicated servers are spawned.

Several parameters have new value ranges for Oracle 12c on Amazon RDS. Because ALTER SYSTEM is not available to the master user on Amazon RDS (see Security (p. 269)), these parameters, including the audit_trail setting, are changed through the DB parameter group rather than from a SQL session. The following table shows the old and new value ranges:

audit_trail
  12c Range: os | db [, extended] | xml [, extended]
  11g Range: os | db [, extended] | xml [, extended] | true | false

compatible
  12c Range: Starts with 11.0.0
  11g Range: Starts with 10.0.0

db_securefile
  12c Range: PERMITTED | PREFERRED | ALWAYS | IGNORE | FORCE
  11g Range: PERMITTED | ALWAYS | IGNORE | FORCE

db_writer_processes
  12c Range: 1-100
  11g Range: 1-36

optimizer_features_enable
  12c Range: 8.0.0 to 12.1.0.1
  11g Range: 8.0.0 to 11.2.0.1

parallel_degree_policy
  12c Range: MANUAL, LIMITED, AUTO, ADAPTIVE
  11g Range: MANUAL, LIMITED, AUTO

parallel_min_servers
  12c Range: 0 to parallel_max_servers
  11g Range: CPU_COUNT * PARALLEL_THREADS_PER_CPU * 2 to parallel_max_servers

One parameter has a new default value for Oracle 12c on Amazon RDS. The following table shows the new default value:

job_queue_processes
  Oracle 12c Default Value: 50
  Oracle 11g Default Value: 1000

Amazon RDS System Privileges for Oracle 12c

Several new system privileges have been granted to the system account for Oracle 12c. These new system privileges include:

• ALTER ANY CUBE BUILD PROCESS

• ALTER ANY MEASURE FOLDER

• ALTER ANY SQL TRANSLATION PROFILE

• CREATE ANY SQL TRANSLATION PROFILE

• CREATE SQL TRANSLATION PROFILE

• DROP ANY SQL TRANSLATION PROFILE

• EM EXPRESS CONNECT

• EXEMPT DDL REDACTION POLICY

• EXEMPT DML REDACTION POLICY

• EXEMPT REDACTION POLICY

• LOGMINING

• REDEFINE ANY TABLE

• SELECT ANY CUBE BUILD PROCESS

• SELECT ANY MEASURE FOLDER

• USE ANY SQL TRANSLATION PROFILE

Amazon RDS Options for Oracle 12c

Several Oracle options changed between Oracle 11g and Oracle 12c, though most of the options remain the same between the two versions. The Oracle 12c changes include:

• Oracle Enterprise Manager Express (EM Express) replaced Oracle Enterprise Manager DB Control. For more information see Oracle Database 12c: EM Database Express.

• The option XMLDB is installed by default in Oracle 12c. It is no longer an option that you need to install.

• The Oracle APEX Listener has been renamed to Oracle REST Data Services (ORDS). ORDS is installed on a separate EC2 instance just as the APEX Listener was in version 11g. The process for installing ORDS is not the same as when installing the APEX Listener. For instructions on installing ORDS, see Oracle APEX on Amazon RDS Oracle 12c (p. 299).

• APEX and APEX Dev no longer have a dependency on XMLDB since XMLDB is installed by default.

Amazon RDS PL/SQL Packages for Oracle 12c

Oracle 12c includes a number of new built-in PL/SQL packages. The packages included with Amazon RDS Oracle 12c include the following:

• CTX_ANL: The CTX_ANL package is used with AUTO_LEXER and provides procedures for adding and dropping a custom dictionary from the lexer.

• DBMS_APP_CONT: The DBMS_APP_CONT package provides an interface to determine if the in-flight transaction on a now unavailable session committed or not, and if the last call on that session completed or not.

• DBMS_AUTO_REPORT: The DBMS_AUTO_REPORT package provides an interface to view SQL Monitoring and Real-time Automatic Database Diagnostic Monitor (ADDM) data that has been captured into the Automatic Workload Repository (AWR).

• DBMS_GOLDENGATE_AUTH: The DBMS_GOLDENGATE_AUTH package provides subprograms for granting privileges to and revoking privileges from GoldenGate administrators.

• DBMS_HEAT_MAP: The DBMS_HEAT_MAP package provides an interface to externalize heat maps at various levels of storage including block, extent, segment, object and tablespace.

• DBMS_ILM: The DBMS_ILM package provides an interface for implementing Information Lifecycle Management (ILM) strategies using Automatic Data Optimization (ADO) policies.

• DBMS_ILM_ADMIN: The DBMS_ILM_ADMIN package provides an interface to customize Automatic Data Optimization (ADO) policy execution.

• DBMS_PART: The DBMS_PART package provides an interface for maintenance and management operations on partitioned objects.

• DBMS_PRIVILEGE_CAPTURE: The DBMS_PRIVILEGE_CAPTURE package provides an interface to database privilege analysis.

• DBMS_QOPATCH: The DBMS_QOPATCH package provides an interface to view the installed database patches.

• DBMS_REDACT: The DBMS_REDACT package provides an interface to Oracle Data Redaction, which enables you to mask (redact) data that is returned from queries issued by low-privileged users or an application.

• DBMS_SPD: The DBMS_SPD package provides subprograms for managing SQL plan directives (SPD).

• DBMS_SQL_TRANSLATOR: The DBMS_SQL_TRANSLATOR package provides an interface for creating, configuring, and using SQL translation profiles.

• DBMS_SQL_MONITOR: The DBMS_SQL_MONITOR package provides information about real-time SQL Monitoring and real-time Database Operation Monitoring.

• DBMS_SYNC_REFRESH: The DBMS_SYNC_REFRESH package provides an interface to perform a synchronous refresh of materialized views.

• DBMS_TSDP_MANAGE: The DBMS_TSDP_MANAGE package provides an interface to import and manage sensitive columns and sensitive column types in the database, and is used in conjunction with the DBMS_TSDP_PROTECT package with regard to transparent sensitive data protection (TSDP) policies. DBMS_TSDP_MANAGE is available with the Enterprise Edition only.

• DBMS_TSDP_PROTECT: The DBMS_TSDP_PROTECT package provides an interface to configure transparent sensitive data protection (TSDP) policies in conjunction with the DBMS_TSDP_MANAGE package. DBMS_TSDP_PROTECT is available with the Enterprise Edition only.

• DBMS_XDB_CONFIG: The DBMS_XDB_CONFIG package provides an interface for configuring Oracle XML DB and its repository.

• DBMS_XDB_CONSTANTS: The DBMS_XDB_CONSTANTS package provides an interface to commonly used constants. Users should use constants instead of dynamic strings to avoid typographical errors.

• DBMS_XDB_REPOS: The DBMS_XDB_REPOS package provides an interface to operate on the Oracle XML DB Repository.

• DBMS_XMLSCHEMA_ANNOTATE: The DBMS_XMLSCHEMA_ANNOTATE package provides an interface to manage and configure the structured storage model, mainly through the use of pre-registration schema annotations.

• DBMS_XMLSTORAGE_MANAGE: The DBMS_XMLSTORAGE_MANAGE package provides an interface to manage and modify XML storage after schema registration has been completed.

• DBMS_XSTREAM_ADM: The DBMS_XSTREAM_ADM package provides interfaces for streaming database changes between an Oracle database and other systems. XStream enables applications to stream out or stream in database changes.

• DBMS_XSTREAM_AUTH: The DBMS_XSTREAM_AUTH package provides subprograms for granting privileges to and revoking privileges from XStream administrators.

• UTL_CALL_STACK: The UTL_CALL_STACK package provides an interface to provide information about currently executing subprograms.

The following features are not supported for Oracle 12c on Amazon RDS:

• Real Application Clusters (RAC)


• Data Guard / Active Data Guard

• Cloud Control (called Oracle Enterprise Manager Grid Control in previous Oracle versions)

• Automated Storage Management

• Database Vault

• Java Support

• Locator

• Oracle Label Security

• Spatial

Several Oracle 11g PL/SQL packages are not supported in Oracle 12c. These packages include:

• DBMS_AUTO_TASK_IMMEDIATE

• DBMS_CDC_PUBLISH

• DBMS_CDC_SUBSCRIBE

• DBMS_EXPFIL

• DBMS_OBFUSCATION_TOOLKIT

• DBMS_RLMGR

• SDO_NET_MEM

Oracle 11g with Amazon RDS

The following list shows the Oracle 11g features supported by Amazon RDS; for a complete list of features supported by each Oracle 11g edition, go to Oracle Database 11g Editions.

• Total Recall

• Flashback Table, Query and Transaction Query

• Virtual Private Database

• Fine-Grained Auditing

• Comprehensive support for Microsoft .NET, OLE DB, and ODBC

• Automatic Memory Management

• Automatic Undo Management

• Advanced Compression

• Partitioning

• Star Query Optimization

• Summary Management - Materialized View Query Rewrite

• Oracle Data Redaction (version 11.2.0.4 or later)

• Distributed Queries/Transactions

• Text

• Materialized Views

• Import/Export and sqlldr Support

• Oracle Enterprise Manager Database Control

• Oracle XML DB (without the XML DB Protocol Server)

• Oracle Application Express

• Automatic Workload Repository (AWR) for Enterprise Edition. For more information, see Working with Automatic Workload Repository (AWR) (p. 324)

• Datapump (network only)

• Native network encryption (part of the Oracle Advanced Security feature)


• Transparent data encryption (Oracle TDE, part of the Oracle Advanced Security feature)
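The following SQL is an added example, not part of the original guide. It combines two of the features listed above, Oracle Data Redaction (the DBMS_REDACT package described in the Oracle 12c package list) and Fine-Grained Auditing (DBMS_FGA), on a single sensitive column: card numbers are masked for every session except the schema owner, and every read of the column is recorded. It assumes a schema APP_OWNER already exists; the table, policy names and the sample row are constructed for illustration. Both features require an edition that includes them, and Data Redaction requires version 11.2.0.4 or later.

```sql
-- Added example, not from the original guide. Run as the master user.
-- Schema APP_OWNER, table CUSTOMERS, the policy names and the sample row
-- are constructed for this example.

CREATE TABLE app_owner.customers (
  customer_id NUMBER        PRIMARY KEY,
  full_name   VARCHAR2(100),
  card_number VARCHAR2(16)          -- 16 digits, stored without separators
);

-- Constructed sample data (a test card number, not a real account).
INSERT INTO app_owner.customers VALUES (1, 'Test Customer', '4111111111111111');
COMMIT;

-- 1. Data Redaction: mask positions 1-12 of CARD_NUMBER with '*' and keep the
--    last four digits, for every session except the schema owner.
--    function_parameters is 'input format,output format,mask char,start,end';
--    each V marks a character that may be masked (16 of them, matching the column).
--    Sessions holding EXEMPT REDACTION POLICY bypass the policy regardless of
--    the expression.
BEGIN
  DBMS_REDACT.ADD_POLICY(
    object_schema       => 'APP_OWNER',
    object_name         => 'CUSTOMERS',
    policy_name         => 'redact_card_number',
    column_name         => 'CARD_NUMBER',
    function_type       => DBMS_REDACT.PARTIAL,
    function_parameters => 'VVVVVVVVVVVVVVVV,VVVVVVVVVVVVVVVV,*,1,12',
    expression          => q'[SYS_CONTEXT('USERENV','SESSION_USER') <> 'APP_OWNER']'
  );
END;
/

-- 2. Fine-Grained Auditing: record every SELECT that references CARD_NUMBER,
--    including the statement text and bind values (DB + EXTENDED trail).
BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema   => 'APP_OWNER',
    object_name     => 'CUSTOMERS',
    policy_name     => 'audit_card_number_reads',
    audit_column    => 'CARD_NUMBER',
    statement_types => 'SELECT',
    audit_trail     => DBMS_FGA.DB + DBMS_FGA.EXTENDED
  );
END;
/

-- 3. Verify that both policies exist and are enabled.
SELECT object_name, policy_name, enable
  FROM redaction_policies
 WHERE object_owner = 'APP_OWNER';

SELECT object_name, policy_name, enabled, audit_trail
  FROM dba_audit_policies
 WHERE object_schema = 'APP_OWNER';

-- 4. What a non-exempt session sees for the sample row: ************1111
SELECT customer_id, card_number FROM app_owner.customers;

-- 5. The audit record that read left behind (who, when, which SQL).
SELECT db_user, timestamp, policy_name, sql_text
  FROM dba_fga_audit_trail
 WHERE object_schema = 'APP_OWNER' AND object_name = 'CUSTOMERS'
 ORDER BY timestamp DESC;
```

Keep the two policies together: redaction changes what a query returns, not whether it ran, so the audit trail is what tells you that a lower-privilege account tried to read the column. On 12c with pure unified auditing enabled, fine-grained audit records are written to UNIFIED_AUDIT_TRAIL rather than DBA_FGA_AUDIT_TRAIL.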

Oracle database engine features that are not currently supported include the following:

• Real Application Clusters (RAC)

• Real Application Testing

• Data Guard / Active Data Guard

• Oracle Enterprise Manager Grid Control

• Automated Storage Management

• Database Vault

• Streams

• Java Support

• Locator

• Oracle Label Security

• Spatial

• Oracle XML DB Protocol Server

• Network access utilities such as utl_http, utl_tcp, utl_smtp, and utl_mail, are not supported at this time.

Security

The Oracle database engine uses role-based security. A role is a collection of privileges that can be granted to or revoked from a user. A predefined role, named DBA, normally allows all administrative privileges on an Oracle database engine. The following privileges are not available for the DBA role on an Amazon RDS DB instance using the Oracle engine:

• Alter database

• Alter system

• Create any directory

• Drop any directory

• Grant any privilege

• Grant any role

When you create a DB instance, the master account that you use to create the instance gets DBA user privileges (with some limitations). Use this account for administrative tasks such as creating additional database user accounts, and give applications and individual users their own accounts with only the privileges they need rather than sharing the master credentials. The SYS user, SYSTEM user, and other administrative accounts are locked and cannot be used.
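The following SQL is an added example, not part of the original guide. Run as the master user, it first checks that the privileges listed above are indeed absent from the DBA role on the instance and that the Oracle-supplied administrative accounts are locked, then provisions an application account with least privilege instead of handing out DBA. The names app_owner, app_svc and app_rw_role, the placeholder passwords, and the USERS tablespace are assumptions for illustration.

```sql
-- Added example, not from the original guide. Run as the RDS master user.
-- Names app_owner, app_svc, app_rw_role and the placeholder passwords are
-- hypothetical; replace the passwords before use.

-- 1. Of the privileges the guide lists as unavailable, which does the DBA
--    role actually carry here? On an Amazon RDS instance this should return
--    no rows.
SELECT privilege
  FROM role_sys_privs
 WHERE role = 'DBA'
   AND privilege IN ('ALTER DATABASE', 'ALTER SYSTEM',
                     'CREATE ANY DIRECTORY', 'DROP ANY DIRECTORY',
                     'GRANT ANY PRIVILEGE', 'GRANT ANY ROLE');

-- 2. The privileges effective in the current (master user) session.
SELECT privilege FROM session_privs ORDER BY privilege;

-- 3. Confirm that the Oracle-supplied administrative accounts are locked.
SELECT username, account_status
  FROM dba_users
 WHERE username IN ('SYS', 'SYSTEM');

-- 4. Least privilege for the application: a schema owner nobody logs in as,
--    a role that will carry the object privileges, and a login account that
--    gets only CREATE SESSION plus that role. No DBA grant anywhere.
CREATE USER app_owner IDENTIFIED BY "Replace-Owner-Password-1"
  DEFAULT TABLESPACE users QUOTA UNLIMITED ON users
  ACCOUNT LOCK;

CREATE ROLE app_rw_role;

CREATE USER app_svc IDENTIFIED BY "Replace-Service-Password-1"
  DEFAULT TABLESPACE users QUOTA 0 ON users;   -- the login owns no data
GRANT CREATE SESSION TO app_svc;
GRANT app_rw_role TO app_svc;

-- Grant object privileges to the role, never to the login, as objects are
-- created, for example:
--   GRANT SELECT, INSERT, UPDATE ON app_owner.orders TO app_rw_role;

-- 5. Review: the service account should hold CREATE SESSION and nothing else
--    at the system level, and the role should hold no system privileges.
SELECT grantee, privilege
  FROM dba_sys_privs
 WHERE grantee IN ('APP_SVC', 'APP_RW_ROLE')
 ORDER BY grantee, privilege;

SELECT grantee, granted_role
  FROM dba_role_privs
 WHERE grantee = 'APP_SVC';
```

Because GRANT ANY ROLE is not available, the master user can only grant roles it created itself (it holds them with ADMIN OPTION as creator) or that were granted to it with ADMIN OPTION, which is one more reason to keep application roles under the master user's control rather than relying on Oracle-supplied roles.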

Amazon RDS Oracle supports SSL/TLS encrypted connections as well as the Oracle Native Network Encryption (NNE) option to encrypt connections between your application and your Oracle DB instance. For more information about using SSL with Oracle on Amazon RDS, see Using SSL with an Oracle DB Instance (p. 269). For more information about the Oracle Native Network Encryption option, see Oracle Native Network Encryption (p. 302).

Using SSL with an Oracle DB Instance

Secure Sockets Layer (SSL) is an industry standard protocol used for securing network connections between client and server. After SSL version 3.0, the name was changed to Transport Layer Security (TLS), but it is still often referred to as SSL and we refer to the protocol as SSL. Amazon RDS supports SSL encryption for Oracle DB instances. Using SSL, you can encrypt a connection between your application client and your Oracle DB instance. SSL support is available in all AWS regions for Oracle.


You enable SSL encryption for an Oracle DB instance by adding the Oracle SSL option to the option group associated with the DB instance. Amazon RDS uses a second port, as required by Oracle, for SSL connections, which allows both clear text and SSL-encrypted communication to occur at the same time between a DB instance and an Oracle client. For example, you can use the clear text port to communicate with other resources inside a VPC while using the SSL port to communicate with resources outside the VPC. Note that enabling the option does not close the clear text port: if you want to force encryption in transit for a set of clients, allow only the SSL port for them in the security group and configure those clients to connect to the SSL port.

For information about enabling the Oracle SSL option and configuring an Oracle client to use SSL, see Oracle SSL (p. 308).

Note

You cannot use both SSL and Oracle native network encryption (NNE) on the same instance. If you use SSL encryption, you must disable any other connection encryption.

Oracle Version Management

DB Engine Version Management is a feature of Amazon RDS that enables you to control when and how the database engine software running your DB instances is patched and upgraded. This feature gives you the flexibility to maintain compatibility with database engine patch versions, test new patch versions to ensure they work effectively with your application before deploying in production, and perform version upgrades on your own terms and timelines.

Note

Amazon RDS periodically aggregates official Oracle database patches using an Amazon RDS-specific DB Engine version. To see a list of which Oracle patches are contained in an Amazon RDS Oracle-specific engine version, go to Appendix: Oracle Database Engine Release Notes (p. 360).

Taking advantage of the DB Engine Version Management feature of Amazon RDS is easily accomplished using the ModifyDBInstance API call or the modify-db-instance AWS CLI command. Your DB instances are upgraded to minor patches by default (you can override this setting).

Licensing

There are two types of licensing options available for using Amazon RDS for Oracle.

Bring Your Own License (BYOL)

In this licensing model, you can use your existing Oracle Database licenses to run Oracle deployments on Amazon RDS. To run a DB instance under the BYOL model, you must have the appropriate Oracle Database license (with Software Update License and Support) for the DB instance class and Oracle Database edition you wish to run. You must also follow Oracle's policies for licensing Oracle Database software in the cloud computing environment. For more information on Oracle's licensing policy for Amazon EC2, go to Licensing Oracle Software in the Cloud Computing Environment.

License Included

In the License Included service model, you do not need separately purchased Oracle licenses; AWS holds the license for the Oracle Database software.

Oracle Licensing and Amazon RDS

Amazon RDS currently supports the following Oracle Database Editions under each of the licensing models below:

• BYOL: Standard Edition Two (SE2), Standard Edition One (SE1), Standard Edition (SE) and Enterprise Edition (EE)

To run a DB instance under the BYOL model, you must have the appropriate Oracle Database license (with Software Update License & Support) for the DB instance class and Oracle Database edition you wish to run. You must follow Oracle's policies for licensing Oracle Database software in the cloud computing environment. DB instances reside in the Amazon EC2 environment, and Oracle's licensing policy for Amazon EC2 is located in Licensing Oracle Software in the Cloud Computing Environment.

Under this model, you will continue to use your active Oracle support account and contact Oracle directly for Oracle Database specific service requests. If you have an active AWS Premium Support account, you can contact AWS Premium Support for Amazon RDS specific issues. Amazon Web Services and Oracle have a multi-vendor support process for cases which require assistance from both organizations.

• License Included: Standard Edition One (SE1)

In the "License Included" service model, you do not need separately purchased Oracle licenses; the Oracle Database software has been licensed by AWS.

In this model, if you have an active AWS Premium Support account, you should contact AWS Premium Support for both Amazon RDS and Oracle Database specific service requests.

Using OEM, APEX, TDE, and other options

Most Amazon RDS DB engines support option groups that allow you to select additional features for your DB instance. Oracle DB instances support several options, including OEM, TDE, APEX, and Native Network Encryption. For a complete list of supported Oracle options, see Appendix: Options for Oracle Database Engine (p. 295). For more information about working with option groups, see Working with Option Groups (p. 702).

Creating a DB Instance Running the Oracle Database Engine

The basic building block of Amazon RDS is the DB instance. This is the environment in which you run your Oracle databases.

Important

You must complete the tasks in the Setting Up for Amazon RDS (p. 7) section before you can create or connect to a DB instance.

AWS Management Console

To launch an Oracle DB instance

1. Sign in to the AWS Management Console and open the Amazon RDS console at https://console.aws.amazon.com/rds/.

2. In the top right corner of the AWS Management Console, select the region in which you want to create the DB instance.

3. In the navigation pane, click DB Instances.

4. Click Launch DB Instance to start the Launch DB Instance Wizard.

The wizard opens on the Select Engine page. The Oracle editions available will vary by region.


5. In the Select Engine window, click the Select button for the Oracle DB engine you want to use.

6. The next step asks if you are planning to use the DB instance you are creating for production. If you are, select Yes. By selecting Yes, the failover option Multi-AZ and the Provisioned IOPS storage option will be preselected in the following step. Click Next Step when you are finished.

7. On the Specify DB Details page, specify your DB instance information. The following table shows the parameters you need to set to create a DB instance. Click Next when you are finished.

License Model: Select the license option you want to use. Some regions support additional licensing options for Oracle.

DB Engine Version: Select the Oracle version you want to use.

DB Instance Class: Select the DB instance class you want to use. For more information about all the DB instance class options, see DB Instance Class (p. 104).

Multi-AZ Deployment: Determine if you want to create a standby replica of your DB instance in another Availability Zone for failover support. This feature is available for Oracle and MySQL DB instances. For more information about multiple Availability Zones, see Regions and Availability Zones (p. 111).

Allocated Storage: Type the amount of storage to allocate for your database (in gigabytes). In some cases, allocating a higher amount of storage for your DB instance than the size of your database can improve I/O performance. For more information about storage allocation, see Amazon RDS Storage Types (p. 120).

Storage Type: Select the storage type you want to use. For more information about storage, see Storage for Amazon RDS (p. 120).

DB Instance Identifier: Type a name for the DB instance that is unique for your account in the region you selected. You may choose to add some intelligence to the name such as including the region and DB engine you selected, for example oracleinstance1.

Master User Name: Type a name that you will use as the master user name to log on to your DB instance with all database privileges. This user account is used to log into the DB instance and is granted DBA privileges.

Master User Password and Confirm Password: Type a password that contains from 8 to 30 printable ASCII characters (excluding /, ", and @) for your master user password. Retype the password in the Confirm Password text box.


8. On the Configure Advanced Settings page, you provide additional information that RDS needs to launch the Oracle DB instance. The following table shows the additional parameters you provide for a DB instance. Specify your DB instance information, then click Launch DB Instance.

For this parameter...

VPC

...Do this:

This setting depends on the platform you are on. If you are a new customer to AWS, select the default VPC. If you are creating a DB instance on the previous E2-Classic platform, select

Not in VPC

. For more information about VPC, see

Amazon RDS and Amazon Virtual Private Cloud

(VPC) (p. 114)

.

API Version 2014-10-31

274

Amazon Relational Database Service User Guide

AWS Management Console

For this parameter...

DB Subnet Group

Publicly Accessible

Availability Zone

VPC Security Group

Database Name

Database Port

Parameter Group

Option Group

Enable Encryption

Character Set Name

Backup Retention Period

Backup Window

...Do this:

This setting depends on the platform you are on. If you are a new customer to AWS, select default, which will be the default DB subnet group that was created for your account. If you are creating a DB instance on the previous EC2-Classic platform and you want your DB instance in a specific VPC, select the DB subnet group you created for that VPC. For more information about VPC, see Amazon RDS and Amazon Virtual Private Cloud (VPC) (p. 114).

Select Yes to give the DB instance a public IP address, meaning that it will be accessible outside the VPC (the DB instance also needs to be in a public subnet in the VPC); otherwise, select No, so the DB instance will only be accessible from inside the VPC. For more information about hiding DB instances from public access, see Hiding a DB Instance in a VPC from the Internet (p. 166).

Use the default of No Preference unless you need to specify a particular Availability Zone.

If you are a new customer to AWS, select the default VPC.

If you have created your own VPC security group, select the VPC security group you previously created.

Type a name for your database that begins with a letter and contains up to 8 alphanumeric characters. If you do not provide a name, Amazon RDS will not create a database on the DB instance you are creating.

Specify the port you want to access the database through. Oracle installations default to port 1521.

Select a parameter group. You can choose the default parameter group or you can create a parameter group and select that parameter group. For more information about parameter groups, see Working with DB Parameter Groups (p. 724).

Select an option group. You can choose the default option group or you can create an option group and select that option group. For more information about option groups, see Working with Option Groups (p. 702).

Select Yes to enable encryption at rest for this DB instance. For more information, see Encrypting Amazon RDS Resources (p. 145).

Select a character set for your DB instance. The default value of AL32UTF8 is for the Unicode 5.0 UTF-8 Universal character set. Note that you cannot change the character set after the DB instance is created.

Set the number of days you want automatic backups of your database to be retained. For any non-trivial instance, you should set this value to 1 or greater.

Unless you have a specific time at which you want your database backed up, use the default of No Preference.


Auto Minor Version Upgrade
Select Yes to enable your DB instance to receive minor DB engine version upgrades automatically when they become available.

Maintenance Window
Select the 30 minute window in which pending modifications to your DB instance are applied. If the time period doesn't matter, select No Preference.


9. On the final page of the wizard, click Close.

10. On the RDS console, the new DB instance appears in the list of DB instances. The DB instance will have a status of creating until the DB instance is created and ready for use. When the state changes to available, you can connect to the DB instance. Depending on the DB instance class and storage allocated, it could take several minutes for the new instance to be available.

CLI

To create an Oracle DB instance, use the AWS CLI create-db-instance command. Include the following required parameters:

• --db-instance-identifier
• --engine


Example

The following command will launch the example DB instance.

For Linux, OS X, or Unix:

aws rds create-db-instance \
    --db-instance-identifier mydbinstance \
    --allocated-storage 20 \
    --db-instance-class db.m1.small \
    --engine oracle-se1 \
    --master-username masterawsuser \
    --master-user-password masteruserpassword \
    --backup-retention-period 3

For Windows:

aws rds create-db-instance ^
    --db-instance-identifier mydbinstance ^
    --allocated-storage 20 ^
    --db-instance-class db.m1.small ^
    --engine oracle-se1 ^
    --master-username masterawsuser ^
    --master-user-password masteruserpassword ^
    --backup-retention-period 3

This command should produce output similar to the following:

DBINSTANCE mydbinstance db.m1.small oracle-se1 20 sa creating 3 **** n 11.2.0.3.v1
SECGROUP default active
PARAMGRP default.oracle-se1-11.2 in-sync
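As an added example that is not part of this guide and not AWS code, the following Python script checks a planned set of instance settings against the constraints the console settings table states for this engine (database name, master password length, backup retention, Publicly Accessible and encryption at rest) and only then builds the argument list for create-db-instance. The settings dictionary layout and the sample values are constructed for the example; the paired --publicly-accessible/--no-publicly-accessible and --storage-encrypted/--no-storage-encrypted flags and --db-name/--port are the AWS CLI's own.

```python
import re

# Constraints stated in the console settings table earlier in this section.
DB_NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9]{0,7}$")  # begins with a letter, up to 8 alphanumerics
PASSWORD_RE = re.compile(r"^[A-Za-z0-9]{8,30}$")         # 8 to 30 alphanumeric characters
ORACLE_DEFAULT_PORT = 1521

REQUIRED = ("db_instance_identifier", "engine", "db_instance_class",
            "allocated_storage", "master_username", "master_user_password")

# Constructed sample settings: the guide's CLI example plus the hardening choices.
SAMPLE_SETTINGS = {
    "db_instance_identifier": "mydbinstance",
    "engine": "oracle-se1",
    "db_instance_class": "db.m1.small",
    "allocated_storage": 20,
    "master_username": "masterawsuser",
    "master_user_password": "masteruserpassword",
    "backup_retention_period": 3,
    "db_name": "ORCL",
    "port": 1521,
    "publicly_accessible": False,
    "storage_encrypted": True,
}


def check_settings(s):
    """Return (errors, findings). Errors are values the service rejects under the
    constraints stated in this section; findings are choices the section advises
    against for any non-trivial instance."""
    errors, findings = [], []
    for key in REQUIRED:
        if not s.get(key):
            errors.append(f"{key} is required")
    db_name = s.get("db_name")
    if db_name is not None and not DB_NAME_RE.match(db_name):
        errors.append("db_name must begin with a letter and contain at most 8 alphanumeric characters")
    pw = s.get("master_user_password") or ""
    if pw and not PASSWORD_RE.match(pw):
        errors.append("master_user_password must be 8 to 30 alphanumeric characters")
    port = int(s.get("port") or ORACLE_DEFAULT_PORT)
    if not 1 <= port <= 65535:
        errors.append(f"port {port} is not a valid TCP port")
    if int(s.get("backup_retention_period") or 0) < 1:
        findings.append("automatic backups are disabled (backup_retention_period below 1)")
    if s.get("publicly_accessible"):
        findings.append("Publicly Accessible = Yes: the instance gets a public IP and is reachable from outside the VPC")
    if not s.get("storage_encrypted"):
        findings.append("Enable Encryption = No: data at rest is not encrypted")
    return errors, findings


def build_create_argv(s):
    """Build the argv for `aws rds create-db-instance` from settings that passed
    check_settings. A list (rather than a shell string) avoids quoting problems;
    boolean settings map to the CLI's paired --x / --no-x flags."""
    errors, _ = check_settings(s)
    if errors:
        raise ValueError("; ".join(errors))
    argv = ["aws", "rds", "create-db-instance",
            "--db-instance-identifier", s["db_instance_identifier"],
            "--engine", s["engine"],
            "--db-instance-class", s["db_instance_class"],
            "--allocated-storage", str(s["allocated_storage"]),
            "--master-username", s["master_username"],
            "--master-user-password", s["master_user_password"],
            "--backup-retention-period", str(s.get("backup_retention_period") or 1)]
    if s.get("db_name"):
        argv += ["--db-name", s["db_name"]]
    if s.get("port"):
        argv += ["--port", str(s["port"])]
    argv.append("--publicly-accessible" if s.get("publicly_accessible") else "--no-publicly-accessible")
    argv.append("--storage-encrypted" if s.get("storage_encrypted") else "--no-storage-encrypted")
    return argv


if __name__ == "__main__":
    errs, finds = check_settings(SAMPLE_SETTINGS)
    print("errors:", errs, "findings:", finds)
    print(" ".join(build_create_argv(SAMPLE_SETTINGS)))
```

Findings do not block the command, because a throwaway test instance may legitimately skip backups; errors do, since the service would reject the request anyway.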

API

To create an Oracle DB instance, use the CreateDBInstance action. Include the following parameters:

• DBInstanceIdentifier = mydbinstance
• Engine = oracle-se1
• DBInstanceClass = db.m1.small
• AllocatedStorage = 20
• BackupRetentionPeriod = 3
• MasterUsername = masterawsuser
• MasterUserPassword = masteruserpassword


Example

https://rds.amazonaws.com/
    ?Action=CreateDBInstance
    &AllocatedStorage=20
    &BackupRetentionPeriod=3
    &DBInstanceClass=db.m1.small
    &DBInstanceIdentifier=mydbinstance
    &DBName=mydatabase
    &DBSecurityGroups.member.1=mysecuritygroup
    &DBSubnetGroup=mydbsubnetgroup
    &Engine=oracle-se1
    &MasterUserPassword=<masteruserpassword>
    &MasterUsername=<masterawsuser>
    &SignatureMethod=HmacSHA256
    &SignatureVersion=4
    &Version=2013-09-09
    &X-Amz-Algorithm=AWS4-HMAC-SHA256
    &X-Amz-Credential=AKIADQKE4SARGYLE/20140202/us-west-2/rds/aws4_request
    &X-Amz-Date=20140202T190545Z
    &X-Amz-SignedHeaders=content-type;host;user-agent;x-amz-content-sha256;x-amz-date
    &X-Amz-Signature=60e907d8d43fdc978941c1566f7b3c5054e0328622a871fb59b61782ee1f30d8

Related Topics

Amazon RDS DB Instances (p. 103)

Amazon RDS Security Groups (p. 149)

DB Instance Class (p. 104)

Deleting a DB Instance (p. 635)


Connecting to a DB Instance Running the Oracle Database Engine

Once Amazon RDS provisions your DB instance, you can use any standard SQL client application to connect to the instance. In this example, you connect to a DB instance running the Oracle database engine using the Oracle command line tools. For more information on using Oracle, go to the Oracle website .

Note

This example uses the Oracle sqlplus command line utility. This utility is part of the Oracle software distribution. To download a stand-alone version of this utility, go to the SQL*Plus User's Guide and Reference.

Console


To connect to an Oracle DB instance with information from the RDS console

1. Open the RDS console, then select Instances in the left column to display a list of your DB instances.

2. In the row for your Oracle DB instance, select the arrow to display the summary information for the instance.

3. The Endpoint field contains part of the connection information for your DB instance. The Endpoint field has two parts separated by a colon (:). The part before the colon is the DNS name for the instance; the part following the colon is the port.


To connect to a DB Instance using sqlplus

You can use a utility like sqlplus to connect to an Amazon RDS DB instance running Oracle.

To connect to an Oracle DB instance using sqlplus

• Type the following command on one line at a command prompt to connect to a DB instance using the sqlplus utility. Substitute the DNS name for your DB instance, then include the port and the Oracle SID. The SID value is the name of the instance's database that you specified when you created the DB instance, not the name of the DB instance. When using sqlplus from a Windows command line, do not use the single quotes.

sqlplus '<username>@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=<dns name of db instance>)(PORT=<listener port>))(CONNECT_DATA=(SID=<database name>)))'


You will see output similar to the following.

SQL*Plus: Release 11.1.0.7.0 - Production on Wed May 25 15:13:59 2011
SQL>

Note

The shorter format connection string (Easy connect or EZCONNECT), such as

PROMPT>sqlplus USER/<password>@<dns name of db instance>:1521/DATABASE_IDENTIFIER

may encounter a maximum character limit and should not be used to connect.
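The following Python helper is an added example, not from this guide: it takes the Endpoint value as the console shows it (host:port) plus the SID and produces the full connect descriptor the bullet above recommends instead of the EZCONNECT form, refusing a malformed endpoint rather than silently emitting a wrong HOST or PORT. The endpoint, SID and user name are constructed sample values. Building the sqlplus argument list in code also means the descriptor's parentheses need no shell quoting.

```python
import re

# Constructed sample values in the shape the console Endpoint field uses.
SAMPLE_ENDPOINT = "oracledb.mydnsnameexample.rds.amazonaws.com:1521"
SAMPLE_SID = "ORCL"        # the database name given at creation, not the DB instance identifier
SAMPLE_USER = "appuser"

HOST_RE = re.compile(r"^[A-Za-z0-9.-]+$")            # characters valid in a DNS name
SID_RE = re.compile(r"^[A-Za-z][A-Za-z0-9]{0,7}$")   # database name rule: letter first, up to 8 alphanumerics


def split_endpoint(endpoint):
    """Split the Endpoint field into (host, port). The split is on the last colon,
    and both halves are validated so a garbled value raises instead of connecting
    somewhere unintended."""
    host, sep, port = endpoint.rpartition(":")
    if not sep or not host or not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError(f"endpoint must look like host:port, got {endpoint!r}")
    if not HOST_RE.match(host):
        raise ValueError(f"host contains characters not valid in a DNS name: {host!r}")
    return host, int(port)


def connect_descriptor(endpoint, sid):
    """Return the (DESCRIPTION=...) connect descriptor for the endpoint and SID."""
    host, port = split_endpoint(endpoint)
    if not SID_RE.match(sid):
        raise ValueError(f"SID must be the database name (letter plus up to 7 alphanumerics), got {sid!r}")
    return (f"(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST={host})(PORT={port}))"
            f"(CONNECT_DATA=(SID={sid})))")


def sqlplus_argv(user, endpoint, sid):
    """argv for sqlplus. Passed as a list to subprocess (no shell), the descriptor
    needs none of the single quotes the interactive command requires, and sqlplus
    prompts for the password instead of it being typed on the command line."""
    return ["sqlplus", f"{user}@{connect_descriptor(endpoint, sid)}"]


if __name__ == "__main__":
    print(" ".join(sqlplus_argv(SAMPLE_USER, SAMPLE_ENDPOINT, SAMPLE_SID)))
```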

CLI

To connect to a DB Instance using the AWS CLI

• Find the DNS name for your DB instance using the AWS CLI describe-db-instances command below, or use the Amazon RDS console to find the necessary connection information.

aws rds describe-db-instances --headers

You will see output similar to the following:

DBINSTANCE DBInstanceId Created Class Engine Storage Master Username Status Endpoint Address Port AZ Backup Retention Multi-AZ Version Read Replica Source ID License
DBINSTANCE oracledb 2011-05-14T01:11:01.727Z db.m1.small oracle-ee 20 mydbusr available oracledb.mydnsnameexample.rds.amazonaws.com 1521 us-east-1a 1 n 11.2.0.2.v3 bring-your-own-license

Related Topics

Amazon RDS DB Instances (p. 103)

Creating a DB Instance Running the MySQL Database Engine (p. 188)

Amazon RDS Security Groups (p. 149)

Deleting a DB Instance (p. 635)


Modifying a DB Instance Running the Oracle Database Engine

You can change the settings of a DB instance to accomplish tasks such as adding additional storage or changing the DB instance class. This topic guides you through modifying an Amazon RDS Oracle DB instance, and describes the settings for Oracle instances. For information about additional tasks, such as renaming, rebooting, deleting, tagging, or upgrading an Amazon RDS DB instance, see Amazon RDS DB Instance Lifecycle (p. 611).

Before you upgrade your production DB instances to a new Oracle Database version, we recommend you test the upgrade process on a test instance to verify its duration and to validate your applications.

We do not recommend upgrading micro DB instances because they have limited CPU resources and the upgrade process may take hours to complete. An alternative to upgrading micro DB instances with small storage (10-20 GB) would be to copy your data using Data Pump, where we also recommend testing before migrating your production instances.

You can have the changes apply immediately or have them applied during the DB instance's next maintenance window. Applying changes immediately can cause an outage in some cases; for more information on the impact of the Apply Immediately option when modifying a DB instance, see Modifying a DB Instance and Using the Apply Immediately Parameter (p. 630).

AWS Management Console

To modify an Oracle DB instance

1. Sign in to the AWS Management Console and open the Amazon RDS console at https://console.aws.amazon.com/rds/.

2. In the navigation pane, click DB Instances.

3. Select the check box for the DB instance that you want to change, and then click Modify.

4. In the Modify DB Instance dialog box, change any of the following settings that you want:

Instance Specifications

DB Engine Version
In the list provided, click the version of the Oracle database engine that you want to use. Before you upgrade your production database instances, we recommend you test the upgrade process on a test instance to verify its duration and to validate your applications. We do not recommend upgrading micro DB instances because they have limited CPU resources and the upgrade process may take hours to complete. An alternative to upgrading micro DB instances with small storage (10-20 GB) would be to copy your data using Data Pump, where we also recommend testing before migrating your production instances.

DB Instance Class
In the list provided, click the DB instance class that you want to use. For information about instance classes, see DB Instance Class (p. 104).

Multi-AZ Deployment
If you want to deploy your DB instance in multiple Availability Zones, click Yes; otherwise, click No.

Storage Type
Select the storage type you want to use. Changing from Magnetic to General Purpose (SSD) or Provisioned IOPS (SSD) will result in an outage. Also, changing from Provisioned IOPS (SSD) or General Purpose (SSD) to Magnetic will result in an outage. For more information about storage, see Storage for Amazon RDS (p. 120).

Allocated Storage
Specify how much storage, in gigabytes, will be initially allocated for your DB instance. The minimum allowable value is 10 GB; the maximum is 6 TB.

Settings

DB Instance Identifier
You can rename the DB instance by typing a new name. When you change the DB instance identifier, an instance reboot will occur immediately if you set Apply Immediately to true, or will occur during the next maintenance window if you set Apply Immediately to false. This value is stored as a lowercase string.

New Master Password
Type a password for your master user. The password must contain from 8 to 30 alphanumeric characters.

Network and Security

Security Group
Select the security group you want associated with the DB instance. For more information about security groups, see Working with DB Security Groups (p. 740).

Certificate Authority
Select the certificate you want to use.

Publicly Accessible
Choose Yes to give the DB instance a public IP address, meaning that it will be accessible outside the VPC (the DB instance also needs to be in a public subnet in the VPC); otherwise, choose No, so the DB instance will only be accessible from inside the VPC. For more information about hiding DB instances from public access, see Hiding a DB Instance in a VPC from the Internet (p. 166).

Database Options

Parameter Group
Select the parameter group you want associated with the DB instance. Changing this setting does not result in an outage. The parameter group name itself is changed immediately, but the actual parameter changes are not applied until you reboot the instance without failover. The DB instance will NOT be rebooted automatically and the parameter changes will NOT be applied during the next maintenance window. For more information about parameter groups, see Working with DB Parameter Groups (p. 724).

Option Group
Select the option group you want associated with the DB instance. For more information about option groups, see Working with Option Groups (p. 702).

Copy Tags to Snapshots
Select this option to have any DB instance tags copied to a DB snapshot when you create a snapshot.


Database Port
Specify a new port you want to use to access the database. The port value must not match any of the port values specified for options in the option group for the DB instance. Your database will restart when you change the database port regardless of whether Apply Immediately is checked.

Backup

Backup Retention Period
Specify the number of days that automatic backups will be retained. To disable automatic backups, set this value to 0.

Note
An immediate outage will occur if you change the backup retention period from 0 to a non-zero value or from a non-zero value to 0.

Backup Window
Set the time range during which automated backups of your databases will occur. Specify a start time in Universal Coordinated Time (UTC) and a duration in hours.

Auto Minor Version Upgrade
If you want your DB instance to receive minor engine version upgrades automatically when they become available, click Yes. Upgrades are installed only during your scheduled maintenance window.

Maintenance Window
Set the time range during which system maintenance, including upgrades, will occur. Specify a start time in UTC and a duration in hours.

5. To apply the changes immediately, select the Apply Immediately check box. Selecting this option can cause an outage in some cases; for more information on the impact of the Apply Immediately option, see Modifying a DB Instance and Using the Apply Immediately Parameter (p. 630).

6. When all the changes are as you want them, click Yes, Modify. If instead you want to cancel any changes that you didn't apply in the previous step, click Cancel.
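As an added example (not part of this guide and not AWS code), the Python function below turns the outage and reboot rules stated in the settings table above into a pre-change check: given the current values, the planned changes and the Apply Immediately choice, it reports what the service would reject (a port that collides with an option group port, a master password outside 8 to 30 alphanumerics), what interrupts service as soon as the request is made (a port change, switching automatic backups on or off), and what waits for the maintenance window or a manual reboot. The dictionary keys and the sample values are constructed for the example.

```python
import re

PASSWORD_RE = re.compile(r"^[A-Za-z0-9]{8,30}$")   # "from 8 to 30 alphanumeric characters"

# Constructed sample: the instance as it is now, and the changes an operator plans.
CURRENT = {
    "db_instance_identifier": "mydbinstance",
    "port": 1521,
    "storage_type": "Magnetic",
    "backup_retention_period": 0,
    "parameter_group": "default.oracle-se1-11.2",
}
PLANNED = {
    "port": 1522,
    "storage_type": "General Purpose (SSD)",
    "backup_retention_period": 7,
    "parameter_group": "custom-oracle-params",
}


def assess_change(current, desired, apply_immediately, option_group_ports=()):
    """Classify a planned modification using the rules in the settings table.
    errors   - values the service rejects
    outage   - changes that interrupt service as soon as the request is made
    deferred - changes whose effect waits for the maintenance window or a manual reboot"""
    errors, outage, deferred = [], [], []
    when = "now" if apply_immediately else "at the next maintenance window"

    def changed(key):
        return key in desired and desired[key] != current.get(key)

    if changed("port"):
        if desired["port"] in set(option_group_ports):
            errors.append(f"port {desired['port']} is already used by an option in the option group")
        else:
            outage.append("port change: the database restarts regardless of Apply Immediately")
    if changed("backup_retention_period"):
        old, new = current.get("backup_retention_period", 0), desired["backup_retention_period"]
        if (old == 0) != (new == 0):       # 0 -> non-zero or non-zero -> 0
            outage.append(f"backup retention {old} -> {new}: immediate outage")
    if changed("storage_type"):
        old, new = current.get("storage_type"), desired["storage_type"]
        if (old == "Magnetic") != (new == "Magnetic"):   # Magnetic <-> either SSD type
            (outage if apply_immediately else deferred).append(f"storage type {old} -> {new}: outage {when}")
    if changed("db_instance_identifier"):
        new = desired["db_instance_identifier"].lower()    # stored as a lowercase string
        (outage if apply_immediately else deferred).append(f"rename to {new}: reboot {when}")
    if changed("parameter_group"):
        deferred.append("parameter group: the name changes at once, the parameters apply only after "
                        "a manual reboot without failover, not at the maintenance window")
    if "master_user_password" in desired and not PASSWORD_RE.match(desired["master_user_password"]):
        errors.append("new master password must be 8 to 30 alphanumeric characters")
    return {"errors": errors, "outage": outage, "deferred": deferred}


if __name__ == "__main__":
    for key, items in assess_change(CURRENT, PLANNED, apply_immediately=False).items():
        print(key, items)
```

Run the check with the same Apply Immediately value you intend to submit; the storage type and rename rows move between the outage and deferred lists depending on it, while the port and backup retention rows do not.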

CLI

To modify an Oracle DB instance, use the AWS CLI command modify-db-instance.


Example

The following code modifies mysqldb by setting the backup retention period to 1 week (7 days) and disabling automatic minor version upgrades. These changes are applied during the next maintenance window.

Parameters

• --db-instance-identifier: the name of the DB instance
• --backup-retention-period: the number of days to retain automatic backups.
• --no-auto-minor-version-upgrade: disallow automatic minor version upgrades. To allow automatic minor version upgrades, use --auto-minor-version-upgrade.
• --no-apply-immediately: apply changes during the next maintenance window. To apply changes immediately, use --apply-immediately.

For Linux, OS X, or Unix:

aws rds modify-db-instance \
    --db-instance-identifier mysqldb \
    --backup-retention-period 7 \
    --no-auto-minor-version-upgrade \
    --no-apply-immediately

For Windows:

aws rds modify-db-instance ^
    --db-instance-identifier mysqldb ^
    --backup-retention-period 7 ^
    --no-auto-minor-version-upgrade ^
    --no-apply-immediately

API

To modify an Oracle DB instance, use the ModifyDBInstance action.


Example

The following code modifies mysqldb by setting the backup retention period to 1 week (7 days) and disabling automatic minor version upgrades. These changes are applied during the next maintenance window.

Parameters

• DBInstanceIdentifier: the name of the DB instance
• BackupRetentionPeriod: the number of days to retain automatic backups.
• AutoMinorVersionUpgrade = false: disallow automatic minor version upgrades. To allow automatic minor version upgrades, set the value to true.
• ApplyImmediately = false: apply changes during the next maintenance window. To apply changes immediately, set the value to true.

https://rds.us-east-1.amazonaws.com/
    ?Action=ModifyDBInstance
    &ApplyImmediately=false
    &AutoMinorVersionUpgrade=false
    &BackupRetentionPeriod=7
    &DBInstanceIdentifier=mydbinstance
    &SignatureMethod=HmacSHA256
    &SignatureVersion=4
    &Version=2013-09-09
    &X-Amz-Algorithm=AWS4-HMAC-SHA256
    &X-Amz-Credential=AKIADQKE4SARGYLE/20131016/us-east-1/rds/aws4_request
    &X-Amz-Date=20131016T233051Z
    &X-Amz-SignedHeaders=content-type;host;user-agent;x-amz-content-sha256;x-amz-date
    &X-Amz-Signature=087a8eb41cb1ab0fc9ec1575f23e73757ffc6a1e42d7d2b30b9cc0be988cff97


Importing Data Into Oracle on Amazon RDS

How you import data into an Amazon RDS DB instance depends on the amount of data you have and the number and variety of database objects in your database. For example, you can use Oracle SQL Developer to import a simple, 20 MB database; you would use Oracle Data Pump to import complex databases or databases that are several hundred megabytes or several terabytes in size.

Before you use any of these migration techniques, we recommend the best practice of taking a backup of your database. You can back up your Amazon RDS instances by creating snapshots. Later, you can restore the database from the snapshots using the Restore from DB Snapshot or Restore to Point In Time options on the RDS tab of the AWS Management Console. You can also use the AWS CLI commands restore-db-instance-from-db-snapshot or restore-db-instance-to-point-in-time. These and other best practices are addressed in this section.

Oracle SQL Developer

For small databases, you can use Oracle SQL Developer, a graphical Java tool distributed without cost by Oracle. You can install this tool on your desktop computer (Windows, Linux, or Mac) or on one of your servers. Oracle SQL Developer provides options for migrating data between two Oracle databases, or for migrating data from other databases, such as MySQL, to Oracle. Oracle SQL Developer is best suited for migrating small databases. We recommend that you read the Oracle SQL Developer product documentation before you begin migrating your data.

After you install SQL Developer, you can use it to connect to your source and target databases. Use the Database Copy command on the Tools menu to copy your data to your Amazon RDS instance.

To download Oracle SQL Developer, go to http://www.oracle.com/technetwork/developer-tools/sql-developer.

Oracle also has documentation on how to migrate from other databases, including MySQL and SQL Server. To learn more, go to http://www.oracle.com/technetwork/database/migration.

Oracle Data Pump

Oracle Data Pump is a long-term replacement for the Oracle Export/Import utilities and is the preferred way to move large amounts of data from an Oracle installation to an Amazon RDS DB instance. You can use Oracle Data Pump for several scenarios:

• Import data from an Amazon EC2 instance with an Oracle database to an Oracle DB instance

• Import data from a database on an Oracle DB instance to another Oracle DB instance

• Import data from a database on an Oracle DB instance in a VPC to another Oracle DB instance with or without a VPC

• Import data from a local Oracle database to an Amazon RDS DB instance

The following process uses Oracle Data Pump and the DBMS_FILE_TRANSFER package. The process connects to an Oracle instance and exports data using Oracle Data Pump. It then uses the DBMS_FILE_TRANSFER.PUT_FILE method to copy the dump file from the Oracle instance to the DATA_PUMP_DIR on the target DB instance that is connected via a database link. The final step imports the data from the copied dump file into the RDS instance.

The process has the following requirements:

• You must have execute privileges on the DBMS_FILE_TRANSFER package

• The target DB instance must be version 11.2.0.2.v6 or later


• You must have write privileges to the DATA_PUMP_DIR directory on the source DB instance

• You must ensure that you have enough storage space to store the dump file on the source instance and the target DB instance

Note

This process imports a dump file into the DATA_PUMP_DIR directory, a preconfigured directory on all Oracle DB instances. This directory is located on the same storage volume as your data files. When you import the dump file, the existing Oracle data files will use more space, so you should make sure that your DB instance can accommodate that additional use of space as well.

Note that the imported dump file is not automatically deleted or purged from the DATA_PUMP_DIR directory. Use UTL_FILE.FREMOVE to remove the imported dump file.

The import process using Oracle Data Pump and the DBMS_FILE_TRANSFER package has the following steps:

• Step 1: Grant privileges to user on source database
• Step 2: Use DBMS_DATAPUMP to create a dump file
• Step 3: Create a database link to the target DB instance
• Step 4: Use DBMS_FILE_TRANSFER to copy the exported dump file to the Amazon RDS instance
• Step 5: Create the necessary tablespace on the target instance
• Step 6: Import the dump file into a database on the Amazon RDS instance
• Step 7: Clean up

Step 1: Grant privileges to user on source database

Use SQL*Plus or Oracle SQL Developer to connect to the Oracle instance that contains the data to be imported. If necessary, create a user account and grant the necessary permissions.

The following commands create a new user and grant the necessary permissions:

SQL> create user USER1 identified by test123;
SQL> grant create session, create table to USER1;
SQL> alter user USER1 quota 100M on users;
SQL> grant read, write on directory data_pump_dir to USER1;
SQL> grant execute on dbms_datapump to USER1;

You can use your own table, or you can create one to test the process. The following commands create a sample table for importing into a DB instance:

SQL> create table USER1.tab1 tablespace users as select 'USER1_'||object_name str_col, sysdate dt_col from all_objects;

Step 2: Use DBMS_DATAPUMP to create a dump file

Use SQL*Plus or Oracle SQL Developer to connect to the Oracle instance and use the Oracle Data Pump utility to create a dump file. The following script creates a dump file named tab1.dmp in the DATA_PUMP_DIR directory.

DECLARE
  hdnl NUMBER;
BEGIN
  hdnl := DBMS_DATAPUMP.open( operation => 'EXPORT', job_mode => 'SCHEMA', job_name=>null);
  DBMS_DATAPUMP.ADD_FILE( handle => hdnl, filename => 'tab1.dmp', directory => 'DATA_PUMP_DIR', filetype => dbms_datapump.ku$_file_type_dump_file);
  DBMS_DATAPUMP.add_file( handle => hdnl, filename => 'exp.log', directory => 'DATA_PUMP_DIR', filetype => dbms_datapump.ku$_file_type_log_file);
  DBMS_DATAPUMP.METADATA_FILTER(hdnl,'SCHEMA_EXPR','IN (''USER1'')');
  DBMS_DATAPUMP.start_job(hdnl);
END;
/

Step 3: Create a database link to the target DB instance

Next, create a database link between your source instance and your target DB instance. Note that your local Oracle instance must have network connectivity to the DB instance in order to create a database link and to transfer your export file.

Note

If you are creating a database link between two DB instances inside a VPC, the two DB instances must be either in the same VPC, be in VPCs that have an established VPC peering connection, or you must create an EC2 or VPC security group that both DB instances are a member of.

The following command creates a database link named to_rds to another user at the target DB instance database:

create database link to_rds connect to USER2 identified by user2pwd
using '(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=<dns or ip address of remote db>)(PORT=<listener port>))(CONNECT_DATA=(SID=<remoteSID>)))';

Step 4: Use DBMS_FILE_TRANSFER to copy the exported dump file to an Amazon RDS DB instance

Next, use DBMS_FILE_TRANSFER to copy the dump file from the source database instance to the target DB instance. The following script copies a dump file named tab1.dmp from the source instance to a target database link named to_rds (created in the previous step):

BEGIN
  DBMS_FILE_TRANSFER.PUT_FILE(
    source_directory_object      => 'DATA_PUMP_DIR',
    source_file_name             => 'tab1.dmp',
    destination_directory_object => 'DATA_PUMP_DIR',
    destination_file_name        => 'tab1_copied.dmp',
    destination_database         => 'to_rds'
  );
END;
/

Step 5: Create the Necessary Tablespace on the Target Instance

You must create the tablespace before you can import the data. See the topic Creating and Resizing Tablespaces and Data Files (p. 321) for more information about creating tablespaces.


Step 6: Use Data Pump to import the data file on the DB instance

Use Oracle Data Pump to import the schema in the DB instance. The first line of the listing shows the format for the data import statement, and the second line shows importing a data file called tab1_copied.dmp. Note that additional options such as REMAP_TABLESPACE might be required.

impdp <username>@<TNS_ENTRY> DUMPFILE=user1copied.dmp DIRECTORY=DATA_PUMP_DIR full=y
impdp <username>@<TNS_ENTRY> DUMPFILE=tab1_copied.dmp DIRECTORY=DATA_PUMP_DIR full=y

You can verify the data import by viewing the table on the DB instance.

SQL> select count(*) from user1.tab1;

Step 7: Clean up

After the data has been imported, you can delete the files you no longer want to keep. You can list the files in the DATA_PUMP_DIR using the following command:

select * from table(RDSADMIN.RDS_FILE_UTIL.LISTDIR('DATA_PUMP_DIR')) order by mtime;

Note

RDSADMIN.RDS_FILE_UTIL.LISTDIR is only available for version 11.2.0.3.v1 and later.

The following command can be used to delete files in the DATA_PUMP_DIR that you no longer require:

exec utl_file.fremove('DATA_PUMP_DIR','[file name]');

For example, the following command deletes the file named "test_dbms_lob.txt":

exec utl_file.fremove('DATA_PUMP_DIR','test_dbms_lob.txt');
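The following Python function is an added example, not from this guide: because the Note earlier in this section says imported dump files are never purged automatically and sit on the same volume as the data files, it takes rows as returned by the LISTDIR query (the four-column filename/type/filesize/mtime layout used here is an assumption, and the rows are constructed), selects leftover Data Pump dump and log files older than a cutoff, reports the space they hold, and emits the matching UTL_FILE.FREMOVE calls. File names that could not be safely quoted into the call are reported instead of being emitted.

```python
import re
from datetime import datetime, timedelta

# Constructed rows in the assumed LISTDIR column order: (filename, type, filesize, mtime).
SAMPLE_LISTING = [
    ("datapump/",       "directory", 4096,     datetime(2016, 3, 1, 9, 0)),
    ("tab1_copied.dmp", "file",      52428800, datetime(2016, 3, 1, 9, 5)),
    ("exp.log",         "file",      1204,     datetime(2016, 3, 1, 9, 6)),
    ("bad'name.dmp",    "file",      10,       datetime(2016, 2, 1, 0, 0)),
    ("import.log",      "file",      2048,     datetime(2016, 3, 10, 14, 0)),
    ("keep_me.dmp",     "file",      1024,     datetime(2016, 3, 10, 15, 0)),
]
SAMPLE_NOW = datetime(2016, 3, 11, 0, 0)   # constructed "current time" for the sample

# Only plain file names are emitted into PL/SQL; anything else (quotes, path
# separators, control characters) is reported rather than interpolated.
SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]+$")
PURGEABLE = (".dmp", ".log")


def leftover_files(listing, now, min_age=timedelta(days=1)):
    """Return (to_remove, skipped, bytes_to_free): Data Pump files older than
    min_age, file names that were not safe to quote, and the space the removable
    files occupy on the data volume."""
    to_remove, skipped, total = [], [], 0
    for name, ftype, size, mtime in listing:
        if ftype != "file" or not name.lower().endswith(PURGEABLE):
            continue
        if now - mtime < min_age:       # recent files may belong to a job still running
            continue
        if not SAFE_NAME.match(name):
            skipped.append(name)
            continue
        to_remove.append(name)
        total += size
    return to_remove, skipped, total


def fremove_statements(names, directory="DATA_PUMP_DIR"):
    """One exec utl_file.fremove(...) line per file, as in the Step 7 command."""
    return [f"exec utl_file.fremove('{directory}','{name}');" for name in names]


if __name__ == "__main__":
    remove, skipped, freed = leftover_files(SAMPLE_LISTING, SAMPLE_NOW)
    print("\n".join(fremove_statements(remove)))
    print(f"-- frees {freed} bytes; not handled: {skipped}")
```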

Oracle Export/Import Utilities

The Oracle Export/Import utilities are best suited for migrations where the data size is small and data types such as binary float and double are not required. The import process creates the schema objects so you do not need to run a script to create them beforehand, making this process well suited for databases with small tables. The following example demonstrates how these utilities can be used to export and import specific tables.

Export the tables from the source database using the command below. Substitute username/password as appropriate.

exp <username>/<password>@<source TNS entry> FILE=exp_file.dmp TABLES=(tab1,tab2,tab3) LOG=exp_file.log


The export process creates a binary dump file that contains both the schema and data for the specified tables. Now this schema and data can be imported into a target database using the command:

imp <username>/<password>@<target TNS entry> FROMUSER=cust_schema TOUSER=cust_schema \
    TABLES=(tab1,tab2,tab3) FILE=exp_file.dmp LOG=imp_file.log

There are other variations of the Export and Import commands that might be better suited to your needs. See Oracle's documentation for full details.

Oracle SQL*Loader

Oracle SQL*Loader is well suited for large databases that have a limited number of objects in them. Since the process involved in exporting from a source database and loading to a target database is very specific to the schema, the following example creates the sample schema objects, exports from a source, and then loads it into a target database.

1. Create a sample source table using the command below.

create table customer_0 tablespace users as select rownum id, o.* from all_objects o, all_objects x where rownum <= 1000000;

2. On the target Amazon RDS instance, create a destination table that will be used to load the data.

create table customer_1 tablespace users as select 0 as id, owner, object_name, created from all_objects where 1=2;

3. The data will be exported from the source database to a flat file with delimiters. This example uses SQL*Plus for this purpose. For your data, you will likely need to generate a script that does the export for all the objects in the database.

alter session set nls_date_format = 'YYYY/MM/DD HH24:MI:SS';
set linesize 800 HEADING OFF FEEDBACK OFF array 5000 pagesize 0
spool customer_0.out
SET MARKUP HTML PREFORMAT ON
SET COLSEP ','
SELECT id, owner, object_name, created FROM customer_0;
spool off

4. You need to create a control file to describe the data. Again, depending on your data, you will need to build a script that does this step.

cat << EOF > sqlldr_1.ctl
load data
infile customer_0.out
into table customer_1
APPEND
fields terminated by "," optionally enclosed by '"'
(
  id POSITION(01:10) INTEGER EXTERNAL,
  owner POSITION(12:41) CHAR,
  object_name POSITION(43:72) CHAR,
  created POSITION(74:92) date "YYYY/MM/DD HH24:MI:SS"
)
EOF


If needed, copy the files generated by the preceding code to a staging area, such as an Amazon EC2 instance.

5. Finally, import the data using SQL*Loader with the appropriate username and password for the target database.

sqlldr <username>/<password>@<target TNS entry> control=sqlldr_1.ctl BINDSIZE=10485760 READSIZE=10485760 ROWS=1000
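Step 4 above says that for your own data you will need a script that builds the control file; the Python below is an added example of such a script, not from this guide. It derives the POSITION ranges from a list of column widths (one delimiter character between columns, as the COLSEP export produces), which reproduces the guide's sqlldr_1.ctl for the four sample columns, and it rejects table or column names that are not plain Oracle identifiers so that nothing unexpected is written into the file SQL*Loader parses. The column list is a constructed assumption.

```python
import re

IDENT = re.compile(r"^[A-Za-z][A-Za-z0-9_$#]{0,29}$")     # plain Oracle identifier, no quoting needed
LOAD_MODES = ("APPEND", "INSERT", "REPLACE", "TRUNCATE")  # SQL*Loader table load methods

# Constructed column spec: (name, width in characters, SQL*Loader datatype).
# The widths reproduce the POSITION ranges in the guide's sqlldr_1.ctl.
COLUMNS = [
    ("id", 10, "INTEGER EXTERNAL"),
    ("owner", 30, "CHAR"),
    ("object_name", 30, "CHAR"),
    ("created", 19, 'date "YYYY/MM/DD HH24:MI:SS"'),
]


def position_ranges(columns, gap=1):
    """1-based (name, start, end) for each column; successive columns are
    separated by `gap` delimiter characters in the spooled file."""
    ranges, start = [], 1
    for name, width, _ in columns:
        if width < 1:
            raise ValueError(f"column {name!r} must be at least 1 character wide")
        end = start + width - 1
        ranges.append((name, start, end))
        start = end + gap + 1
    return ranges


def control_file(columns, infile, table, mode="APPEND", colsep=","):
    """Render the control file text. Table and column names must match IDENT,
    so only plain identifiers, never arbitrary text, reach the file."""
    if not IDENT.match(table):
        raise ValueError(f"not a plain table name: {table!r}")
    for name, _, _ in columns:
        if not IDENT.match(name):
            raise ValueError(f"not a plain column name: {name!r}")
    if mode not in LOAD_MODES:
        raise ValueError(f"mode must be one of {LOAD_MODES}")
    if not re.fullmatch(r"[A-Za-z0-9._/-]+", infile):
        raise ValueError(f"unexpected characters in infile name: {infile!r}")
    fields = ",\n".join(
        f"  {name} POSITION({start:02d}:{end:02d}) {dtype}"
        for (name, start, end), (_, _, dtype) in zip(position_ranges(columns), columns))
    return (
        "load data\n"
        f"infile {infile}\n"
        f"into table {table}\n"
        f"{mode}\n"
        f"fields terminated by \"{colsep}\" optionally enclosed by '\"'\n"
        f"(\n{fields}\n)\n"
    )


if __name__ == "__main__":
    print(control_file(COLUMNS, "customer_0.out", "customer_1"), end="")
```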

Oracle Materialized Views

You can also make use of Oracle materialized view replication to migrate large datasets efficiently.

Replication allows you to keep the target tables in sync with the source on an ongoing basis, so the actual cutover to Amazon RDS can be done later, if needed. The replication is set up using a database link from the Amazon RDS instance to the source database.

One requirement for materialized views is to allow access from the target database to the source database.

In the following example, access rules were enabled on the source database to allow the Amazon RDS target database to connect to the source over SQLNet.

1. Create a user account on both source and Amazon RDS target instances that can authenticate with the same password.

create user dblink_user identified by password default tablespace users temporary tablespace temp;
grant create session to dblink_user;
grant select any table to dblink_user;
grant select any dictionary to dblink_user;

2. Create a database link from the Amazon RDS target instance to the source instance using the newly created dblink_user.

create database link remote_site
connect to dblink_user identified by password
using '(description=(address=(protocol=tcp)(host=<myhost>)(port=<listener port>))(connect_data=(sid=<sourcedb sid>)))';

3. Test the link:

select * from v$instance@remote_site;

4. Create a sample table with primary key and materialized view log on the source instance.

create table customer_0 tablespace users as select rownum id, o.* from all_objects o, all_objects x where rownum <= 1000000;
alter table customer_0 add constraint pk_customer_0 primary key (id) using index;
create materialized view log on customer_0;

5. On the target Amazon RDS instance, create a materialized view.

CREATE MATERIALIZED VIEW customer_0 BUILD IMMEDIATE REFRESH FAST AS
SELECT * FROM customer_0@remote_site;
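The guide stops at the initial build; the script below is an added example (not from the guide) showing how the target is kept in sync until cutover and how to verify it against the source before switching over. It runs on the Amazon RDS target as the master user and assumes the remote_site link, the customer_0 table and its materialized view log from the steps above; the job name REFRESH_CUSTOMER_0 is a hypothetical choice.

```sql
-- Added example (not from the guide): ongoing fast refresh and pre-cutover checks
-- for the customer_0 materialized view. Run on the Amazon RDS target as the master user.
-- Assumes the remote_site database link and the customer_0 materialized view log
-- created in the steps above; REFRESH_CUSTOMER_0 is a hypothetical job name.

-- 1. Apply the changes recorded in the source's materialized view log (fast refresh).
--    method 'F' = fast; use 'C' to force a complete refresh if the log was ever purged.
BEGIN
  DBMS_MVIEW.REFRESH(list => 'CUSTOMER_0', method => 'F');
END;
/

-- 2. Keep the target in sync automatically until cutover: hourly fast refresh job.
BEGIN
  DBMS_SCHEDULER.CREATE_JOB(
    job_name        => 'REFRESH_CUSTOMER_0',
    job_type        => 'PLSQL_BLOCK',
    job_action      => 'BEGIN DBMS_MVIEW.REFRESH(''CUSTOMER_0'', ''F''); END;',
    start_date      => SYSTIMESTAMP,
    repeat_interval => 'FREQ=HOURLY',
    enabled         => TRUE,
    comments        => 'Fast refresh of customer_0 from remote_site until cutover');
END;
/

-- 3. Confirm the view refreshes incrementally (FAST) and is not reported as stale.
SELECT mview_name, refresh_method, last_refresh_type, last_refresh_date, staleness
FROM   user_mviews
WHERE  mview_name = 'CUSTOMER_0';

-- 4. Pre-cutover reconciliation: row counts must match across the link, and the
--    source log should be empty right after a refresh; rows in it are pending changes.
SELECT (SELECT COUNT(*) FROM customer_0@remote_site) AS source_rows,
       (SELECT COUNT(*) FROM customer_0)             AS target_rows
FROM   dual;

SELECT COUNT(*) AS pending_changes FROM mlog$_customer_0@remote_site;

-- 5. At cutover: stop the job and take one final fast refresh, after which the
--    Amazon RDS copy is authoritative and the link can be dropped.
BEGIN
  DBMS_SCHEDULER.DROP_JOB(job_name => 'REFRESH_CUSTOMER_0');
  DBMS_MVIEW.REFRESH(list => 'CUSTOMER_0', method => 'F');
END;
/
```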


Appendix: Options for Oracle Database Engine

This appendix describes options, or additional features, that are available for Amazon RDS instances running the Oracle database engine. To enable these options, you can add them to an option group, and then associate the option group with your DB instance. Note that some options are permanent and persistent; permanent means that an option cannot be removed from an option group, and persistent means that once an option group with this option is assigned to a DB instance, the option group cannot be removed from the DB instance. For more information about working with options, see Option Groups Overview (p. 702).

The following options are currently supported for Oracle:

Oracle 11g Enterprise Manager (OEM) Database Control and Oracle 12c OEM Database Express (p. 295)

Oracle XML DB (p. 296)

Oracle Application Express (APEX) (p. 296)

Oracle Native Network Encryption (p. 302)

Oracle Transparent Data Encryption (TDE) (p. 303) (a feature of the Oracle Advanced Security option available in Oracle Enterprise Edition)

Oracle Statspack (p. 305)

Oracle Time Zone (p. 307)

Oracle SSL (p. 308)

Note

Some of these options may require additional memory in order to run on your DB instance. For example, Oracle Enterprise Manager Database Control uses about 300 MB of RAM; if you enable this option for a small DB instance, you might encounter performance problems due to memory constraints.

Before you enable these options, please consider whether your DB instance has enough available memory. You can adjust the Oracle parameters so that the database requires less RAM; alternatively, you can scale up to a larger DB instance.

Oracle 11g Enterprise Manager (OEM) Database Control and Oracle 12c OEM Database Express

Oracle Enterprise Manager (OEM) Database Control for Oracle version 11g and Oracle Enterprise Manager (OEM) Database Express for Oracle version 12c are similar tools that have a web-based interface for Oracle database administration. Note that neither tool can be run on DB instances that use the db.t2.micro, db.t2.small, db.t1.micro or db.m1.small instance classes.

The default port number for OEM Database Control is 1158; the default port number for OEM Database Express is 5500. You can either accept the port number or choose a different one when you enable the option for your DB instance. You can then go to your web browser and begin using the OEM tool for your Oracle version.

The following example shows how to access either OEM Database Control or OEM Database Express from your web browser. Suppose that the endpoint for your Amazon RDS instance is mydb.f9rbfa893tft.us-east-1.rds.amazonaws.com, and that you specified port 1158. The URL to access OEM Database Control would be: https://mydb.f9rbfa893tft.us-east-1.rds.amazonaws.com:1158/em


In this example, the OEM Database Control login window appears, prompting you for a username and password. Enter the master username and master password for your DB instance. You are now ready to manage your Oracle databases.

Oracle XML DB

Oracle XML DB adds native XML support to your DB instance. It is pre-installed on version 12c and later, and is available as an option in versions prior to version 12c. With the Amazon RDS XMLDB option, DB instances running the Oracle engine can store and retrieve structured or unstructured XML, in addition to relational data.

After you apply the XMLDB option to your DB instance, you have full access to the Oracle XML DB repository; no post-installation tasks are required.

Note

The Amazon RDS XMLDB option does not provide support for the Oracle XML DB Protocol Server.

Oracle Application Express (APEX)

Oracle Application Express (APEX) is a development and runtime environment for web-based applications.

Using APEX, developers can build applications entirely within the web browser, and customers can run these applications without installing any additional software.

The following versions are supported:

Amazon RDS Oracle DB version   Oracle Option Version
Oracle 11g                     Oracle APEX version 4.1.1
                               Oracle APEX Listener 1.1.4
Oracle 12c                     Oracle APEX version 4.2.6
                               Oracle Rest Data Services (ORDS) (the APEX listener)

Topics

Oracle APEX on Amazon RDS Oracle 11g (p. 297)

Oracle APEX on Amazon RDS Oracle 12c (p. 299)

Oracle APEX consists of two main components:

• A repository that stores the metadata for APEX applications and components. The repository consists of tables, indexes, and other objects that are installed in your Amazon RDS DB instance.

• A listener that manages HTTP communications with APEX clients. The listener accepts incoming connections from web browsers and forwards them to the Amazon RDS instance for processing, and then sends results from the repository back to the browsers. The APEX Listener was renamed Oracle Rest Data Services (ORDS) in Oracle 12c.

When you add the APEX option for your Oracle DB instance, Amazon RDS installs the APEX repository only. You must install the listener on a separate host — an Amazon EC2 instance, an on-premises server at your company, or your desktop computer.


The following sections explain how to configure the Oracle APEX repository and listener for use with Amazon RDS.

Oracle APEX on Amazon RDS Oracle 11g

The setup of Oracle APEX for Oracle 11g DB instances requires that you install the XMLDB option as well as the APEX and APEX_DEV options on the repository.

Repository Configuration for Oracle 11g

To configure the APEX repository for Oracle 11g

1. Create a new Amazon RDS instance running the Oracle engine, or choose an existing instance. The version number for the Oracle engine must be 11.2.0.2.v4 or newer.

2. Create a new option group, or select an existing option group. Apply the following options to this option group:

• XMLDB

• APEX

• APEX_DEV

(If you only want to deploy the APEX runtime environment, you can remove the APEX_DEV option at a later time. This option must be present during this configuration procedure, however.)

3. Apply the option group to your DB instance. Amazon RDS will install the repository components in your DB instance; this process takes a few minutes to complete.

4. After the option group is successfully applied, you will need to change the password for the APEX_PUBLIC_USER database account and unlock it. You can do this using the Oracle SQL*Plus command line utility: connect to your DB instance as the master user and issue the following commands:

alter user APEX_PUBLIC_USER identified by newpass;
alter user APEX_PUBLIC_USER account unlock;

Replace newpass with a password of your choice.

Listener Configuration for Oracle 11g

You are now ready to configure a listener for use with Oracle APEX. You can use either of these products for this purpose:

• Oracle Application Express Listener

• Oracle HTTP Server and mod_plsql

Note

Amazon RDS does not support the Oracle XML DB HTTP server with the embedded PL/SQL gateway; you cannot use this as an APEX listener. This restriction is in line with Oracle's recommendation against using the embedded PL/SQL gateway for applications that run on the Internet.

The listener must be installed on a separate host, such as an Amazon EC2 instance or a server that you own. You also must have the following prerequisite software installed on the separate host acting as the listener:


• Java Runtime Environment (JRE) — Oracle APEX Listener is a Java application.

• Oracle Net Services, to enable the APEX listener to connect to your Amazon RDS instance.

• SQL*Plus, to perform administrative tasks from the command line.

The following procedure shows how to configure the Oracle Application Express Listener product. We will assume that the name of your APEX host is myapexhost.example.com, and that this host is running Linux.

To configure an APEX listener for Oracle 11g

1. Log in to myapexhost.example.com as root.

2. We recommend that you create a nonprivileged OS user to own the APEX listener installation. The following command will create a new user named apexuser:

useradd -d /home/apexuser apexuser

Now assign a password to apexuser:

passwd apexuser

3. Log in to myapexhost.example.com as apexuser, and download the APEX and APEX Listener installation files from Oracle:

• http://www.oracle.com/technetwork/developer-tools/apex/downloads/index.html

• http://www.oracle.com/technetwork/developer-tools/apex-listener/downloads/index.html

4. Unzip the APEX file:

unzip apex_4.1.1.zip

5. Create a new directory and unzip the APEX Listener file into it:

mkdir /home/apexuser/apexlistener
cd /home/apexuser/apexlistener
unzip ../apex_listener.1.1.4.zip

6. While you are still in the apexlistener directory, run the APEX Listener program:

java -Dapex.home=./apex -Dapex.images=/home/apexuser/apex/images -Dapex.erase -jar ./apex.war

The program will prompt you for the following:

• The APEX Listener Administrator username — the default is adminlistener

• A password for the APEX Listener Administrator.

• The APEX Listener Manager username — the default is managerlistener

• A password for the APEX Listener Administrator.

The program will print a URL that you will need in order to complete the configuration:

INFO: Please complete configuration at: http://localhost:8080/apex/listener
Configure
Database is not yet configured

Leave the APEX Listener running. It needs to continue running in order for you to use Oracle Application Express. (When you have finished this configuration procedure, you can run the listener in the background.)

7. From your web browser, go to the URL provided by the APEX Listener program. The Oracle Application Express Listener administration window appears. Enter the following information:

Username — APEX_PUBLIC_USER

Password — the password for APEX_PUBLIC_USER. (This is the password that you specified earlier, when you configured the APEX repository.)

Connection Type — Basic

Hostname — the endpoint of your Amazon RDS instance, such as mydb.f9rbfa893tft.us-east-1.rds.amazonaws.com

Port — 1521

SID — the name of the database on your Amazon RDS instance, such as mydb

Click the Apply button. The APEX administration window appears.

8. You will need to set a password for the APEX admin user. To do this, use SQL*Plus to connect to your DB instance as the master user and issue the following commands:

grant APEX_ADMINISTRATOR_ROLE to master;
@/home/apexuser/apex/apxchpwd.sql

Replace master with your master user name. Enter a new admin password when the apxchpwd.sql script prompts you.

9. Return to the APEX administration window in your browser and click Administration. Next, click Application Express Internal Administration. You will be prompted for APEX internal administration credentials. Enter the following information:

Username — admin

Password — the password you set using the apxchpwd.sql script.

Click Login. You will be required to set a new password for the admin user.

Oracle Application Express is now ready for use.

Oracle APEX on Amazon RDS Oracle 12c

The process for installing the repository for Oracle 12c is the same as for Oracle 11g, except that you no longer have to install the XMLDB option (it is installed by default in Oracle 12c). Note that the APEX Listener was renamed Oracle Rest Data Services (ORDS).

Repository Configuration for Oracle 12c

To configure the APEX repository for Oracle 12c

1. Create a new Amazon RDS instance running the Oracle 12c DB engine, or choose an existing Oracle 12c DB instance.


2. Create a new option group, or select an existing option group. Apply the following options to this option group:

• APEX

• APEX_DEV

(If you only want to deploy the APEX runtime environment, you can remove the APEX_DEV option at a later time. This option must be present during this configuration procedure, however.)

3. Apply the option group to your DB instance. Amazon RDS will install the repository components in your DB instance; this process takes a few minutes to complete.

4. After the option group is successfully applied, you will need to change the password for the APEX_PUBLIC_USER database account and unlock it. You can do this using the Oracle SQL*Plus command line utility: connect to your DB instance as the master user and issue the following commands:

alter user APEX_PUBLIC_USER identified by newpass;
alter user APEX_PUBLIC_USER account unlock;

Replace newpass with a password of your choice.

Listener Configuration for Oracle 12c

For Oracle 12c, the Oracle Application Express Listener (APEX Listener) was renamed Oracle Rest Data Services (ORDS). The listener must be installed on a separate host, such as an Amazon EC2 instance or a server that you own.

Amazon RDS does not support the Oracle XML DB HTTP server with the embedded PL/SQL gateway; you cannot use this as an APEX Listener. This restriction is in line with Oracle's recommendation against using the embedded PL/SQL gateway for applications that run on the Internet.

You must have the following prerequisite software installed on the separate host acting as the listener:

• Java Runtime Environment (JRE)

• Oracle Net Services, to enable the APEX Listener to connect to your Amazon RDS instance.

• SQL*Plus, to perform administrative tasks from the command line.

The following procedure shows how to configure Oracle Rest Data Services (ORDS). We will assume that the name of your APEX host is myapexhost.example.com, and that this host is running Linux.

To install Oracle Rest Data Services (ORDS) (the APEX listener) for Oracle 12c

1. Log in to myapexhost.example.com as root.

2. We recommend that you create a nonprivileged OS user to own the APEX listener installation. The following command will create a new user named apexuser:

useradd -d /home/apexuser apexuser

Now assign a password to apexuser:

passwd apexuser


3. Log in to myapexhost.example.com as apexuser, and download the APEX and ORDS installation files from Oracle:

• http://www.oracle.com/technetwork/developer-tools/apex/downloads/index.html

• http://www.oracle.com/technetwork/developer-tools/apex-listener/downloads/index.html

4. Unzip the APEX file:

unzip apex_4.2.6.zip

5. Create a new directory and unzip the ORDS file into it:

mkdir /home/apexuser/ORDS
cd /home/apexuser/ORDS
unzip ../ords.3.0.0.65.09.31.zip

6. While you are still in the ORDS directory, run the APEX Listener setup program:

java -jar ords.war setup

The program will prompt you for the following information. The default value is in brackets:

• Enter the name of the database server [localhost]:

• Enter the database listen port [1521]:

• Enter 1 to specify the database service name, or 2 to specify the database SID [1]:

• Enter the database SID [xe]:

• Enter the database user name [APEX_PUBLIC_USER]:

• Enter the database password:

7. You will need to set a password for the APEX admin user. To do this, use SQL*Plus to connect to your DB instance as the master user and issue the following commands:

grant APEX_ADMINISTRATOR_ROLE to master;
@/home/apexuser/apex/apxchpwd.sql

Replace master with your master user name. Enter a new admin password when the apxchpwd.sql script prompts you.

8. Start the APEX Listener:

java -jar ords.war

The first time you start the APEX Listener, you will be prompted to provide the location of the APEX static resources. This images folder is located under the installation directory for APEX, at /apex/images.

9. Return to the APEX administration window in your browser and click Administration. Next, click Application Express Internal Administration. You will be prompted for APEX internal administration credentials. Enter the following information:

Username — admin

Password — the password you set using the apxchpwd.sql script.

Click Login. You will be required to set a new password for the admin user.

Oracle Application Express (APEX) is now ready for use.

Oracle Native Network Encryption

Amazon RDS supports Oracle native network encryption (NNE), a feature available only on Oracle Enterprise Edition. With native network encryption, you can encrypt data as it moves to and from a DB instance.

To use Oracle native network encryption with a DB instance, you add the NATIVE_NETWORK_ENCRYPTION option to an option group and associate that option group with the DB instance. You should first determine if the DB instance is associated with an option group that has the NATIVE_NETWORK_ENCRYPTION option. To view the option group that a DB instance is associated with, you can use the RDS console, the describe-db-instances AWS CLI command, or the API action DescribeDBInstances. Amazon RDS supports Oracle native network encryption for any DB instance class larger than db.t1.micro.

A detailed discussion of Oracle native network encryption is beyond the scope of this guide, but you should understand the strengths and weaknesses of each algorithm and key before you decide on a solution for your deployment. Note that non-default TDE encryption algorithms only work with Oracle version 11.2.0.2.v7 and later. For information about the algorithms and keys that are available through Oracle native network encryption, see Configuring Network Data Encryption in the Oracle documentation.

For more information about AWS security, see the AWS Security Center.

The process for using Oracle native network encryption with Amazon RDS is as follows:

1. If the DB instance is not associated with an option group that has the network encryption option (NATIVE_NETWORK_ENCRYPTION), you must either modify an existing option group to add the NATIVE_NETWORK_ENCRYPTION option or create a new option group and add the NATIVE_NETWORK_ENCRYPTION option to it. For information about creating or modifying an option group, see Working with Option Groups (p. 702). For information about adding an option to an option group, see Adding an Option to an Option Group (p. 707).

2. Specify the NATIVE_NETWORK_ENCRYPTION option settings for the option group. For information about modifying option settings, see Modifying an Option Setting (p. 715).

These settings include:

• SQLNET.ENCRYPTION_SERVER – Specifies the encryption behavior when a client, or a server acting as a client, connects to the DB instance. Allowable values are Accepted, Rejected, Requested (the default), and Required. Requested indicates that the DB instance does not require traffic from the client to be encrypted.

• SQLNET.CRYPTO_CHECKSUM_SERVER – Specifies the data integrity behavior when a client, or a server acting as a client, connects to the DB instance. Allowable values are Accepted, Rejected, Requested (the default), and Required. Requested indicates that the DB instance does not require the client to perform a checksum.

• SQLNET.ENCRYPTION_TYPES_SERVER – Specifies a list of encryption algorithms used by the DB instance. The DB instance will use each algorithm, in order, to attempt to decrypt the client input until an algorithm succeeds or until the end of the list is reached. Amazon RDS uses the following default list from Oracle. You can change the order or limit the algorithms that the DB instance will accept.

a. RC4_256: RSA RC4 (256-bit key size)
b. AES256: AES (256-bit key size)
c. AES192: AES (192-bit key size)
d. 3DES168: 3-key Triple-DES (112-bit effective key size)
e. RC4_128: RSA RC4 (128-bit key size)
f. AES128: AES (128-bit key size)
g. 3DES112: 2-key Triple-DES (80-bit effective key size)
h. RC4_56: RSA RC4 (56-bit key size)
i. DES: Standard DES (56-bit key size)
j. RC4_40: RSA RC4 (40-bit key size)
k. DES40: DES40 (40-bit key size)

• SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER – Specifies the checksum algorithm. The default is sha-1, but md5 is also supported.

3. List the options in the option group to ensure that you have added the NATIVE_NETWORK_ENCRYPTION option and specified the correct settings. You can view the options in an option group using the RDS console, the CLI command describe-option-group-options, or the Amazon RDS API action DescribeOptionGroupOptions.

4. Associate the DB instance with the option group that has the NATIVE_NETWORK_ENCRYPTION option. For information about associating a DB instance with an option group, see Modifying a DB Instance Running the Oracle Database Engine (p. 283).

With Oracle native network encryption, you can also specify network encryption on the client side. On the client (the computer used to connect to the DB instance), you can use the sqlnet.ora file to specify the following client settings: SQLNET.CRYPTO_CHECKSUM_CLIENT, SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT, SQLNET.ENCRYPTION_CLIENT, and SQLNET.ENCRYPTION_TYPES_CLIENT. For information, see Configuring Network Data Encryption and Integrity for Oracle Servers and Clients in the Oracle documentation.

Sometimes, the DB instance will reject a connection request from an application, for example, if there is a mismatch between the encryption algorithms on the client and on the server.

To test Oracle native network encryption, add the following lines to the sqlnet.ora file on the client:

DIAG_ADR_ENABLED=off

TRACE_DIRECTORY_CLIENT=/tmp

TRACE_FILE_CLIENT=nettrace

TRACE_LEVEL_CLIENT=16

These lines generate a trace file on the client called /tmp/nettrace* when the connection is attempted.

The trace file contains information on the connection. For more information about connection-related issues when you are using Oracle Native Network Encryption, see About Negotiating Encryption and Integrity in the Oracle documentation.
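Because a server left at the default Requested still accepts a clear-text session from a client that does not ask for encryption, the option settings alone do not prove that a given connection is protected. The following query is an added check, not part of the guide; run it over the connection you want to test, and it assumes the connecting user can read V$SESSION_CONNECT_INFO (for example the master user).

```sql
-- Added example (not from the guide): confirm that THIS session negotiated
-- encryption and integrity with the DB instance after NATIVE_NETWORK_ENCRYPTION
-- was applied. Assumes the user can read V$SESSION_CONNECT_INFO.

-- 1. Negotiated services for the current session. With encryption active there is a
--    line naming the encryption adapter (for example AES256); with integrity active,
--    a line naming the checksum adapter (for example SHA1).
SELECT network_service_banner
FROM   v$session_connect_info
WHERE  sid = SYS_CONTEXT('USERENV', 'SID')
AND   (UPPER(network_service_banner) LIKE '%ENCRYPTION%'
   OR  UPPER(network_service_banner) LIKE '%CHECKSUM%');

-- 2. The same check reduced to a verdict. Only the "... service adapter" lines
--    indicate that an algorithm was negotiated; the generic "encryption service" and
--    "crypto-checksumming service" lines can be listed even for a clear-text session,
--    so they are excluded by requiring the word ADAPTER (and excluding the
--    protocol adapter line, which every session has).
SELECT CASE
         WHEN SUM(CASE WHEN UPPER(network_service_banner) LIKE '%ENCRYPTION%' THEN 1 ELSE 0 END) > 0
          AND SUM(CASE WHEN UPPER(network_service_banner) LIKE '%CHECKSUM%'   THEN 1 ELSE 0 END) > 0
         THEN 'ENCRYPTED AND INTEGRITY-CHECKED'
         WHEN SUM(CASE WHEN UPPER(network_service_banner) LIKE '%ENCRYPTION%' THEN 1 ELSE 0 END) > 0
         THEN 'ENCRYPTED ONLY'
         ELSE 'NOT PROTECTED'
       END AS session_protection
FROM   v$session_connect_info
WHERE  sid = SYS_CONTEXT('USERENV', 'SID')
AND    UPPER(network_service_banner) LIKE '%ADAPTER%'
AND    UPPER(network_service_banner) NOT LIKE '%PROTOCOL ADAPTER%';

-- 3. If the verdict is NOT PROTECTED for clients you do not control, the server-side
--    mitigation is in the option settings listed above: set SQLNET.ENCRYPTION_SERVER
--    and SQLNET.CRYPTO_CHECKSUM_SERVER to Required, and limit
--    SQLNET.ENCRYPTION_TYPES_SERVER to the AES entries of the default list
--    (AES256, AES192, AES128) so that RC4, DES and DES40 can no longer be negotiated.
```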

Oracle Transparent Data Encryption (TDE)

Amazon RDS supports Oracle Transparent Data Encryption (TDE), a feature of the Oracle Advanced Security option available in Oracle Enterprise Edition. This feature automatically encrypts data before it is written to storage and automatically decrypts data when the data is read from storage.

Note

The TDE option is a permanent option that cannot be removed from an option group, and that option group cannot be removed from a DB instance once it is associated with a DB instance.

You cannot disable TDE from a DB instance once that instance is associated with an option group with the Oracle TDE option.

Oracle Transparent Data Encryption is used in scenarios where you need to encrypt sensitive data in case data files and backups are obtained by a third party or when you need to address security-related regulatory compliance issues.

A detailed explanation of Oracle Transparent Data Encryption is beyond the scope of this guide. For information about using Oracle Transparent Data Encryption, see Securing Stored Data Using Transparent Data Encryption. For more information about Oracle Advanced Security, see Oracle Advanced Security in the Oracle documentation. For more information on AWS security, see the AWS Security Center.

Oracle Transparent Data Encryption supports two encryption modes: TDE tablespace encryption and TDE column encryption. TDE tablespace encryption is used to encrypt entire application tables. TDE column encryption is used to encrypt individual data elements that contain sensitive data. You can also apply a hybrid encryption solution that uses both TDE tablespace and column encryption.

Note

Amazon RDS manages the Oracle Wallet and TDE master key for the DB instance. You do not need to set the encryption key using the command ALTER SYSTEM set encryption key.

For information about TDE best practices, see Oracle Advanced Security Transparent Data Encryption Best Practices.

Once the option is enabled, you can check the status of the Oracle Wallet by using the following command:

SELECT * FROM v$encryption_wallet;

To create an encrypted tablespace, use the following command:

CREATE TABLESPACE encrypt_ts ENCRYPTION DEFAULT STORAGE (ENCRYPT);

To specify the encryption algorithm (for versions 11.2.0.2.v7 or later), use the following command:

CREATE TABLESPACE encrypt_ts ENCRYPTION USING 'AES256' DEFAULT STORAGE (ENCRYPT);

Note that the previous commands for encrypting a tablespace are the same as the commands you would use with an Oracle installation not on Amazon RDS, and the ALTER TABLE syntax to encrypt a column is also the same as the commands you would use for an Oracle installation not on Amazon RDS.
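The following SQL*Plus script is an added example (not from the guide) that puts the commands above to work on a sensitive table and then verifies, from the data dictionary, what is actually encrypted and with which algorithm. It runs on the DB instance as the master user after the TDE option is applied, and assumes the encrypt_ts tablespace created above plus a hypothetical table HR.EMPLOYEES with an SSN column and primary-key index HR.EMPLOYEES_PK.

```sql
-- Added example (not from the guide): applying and verifying TDE on Amazon RDS Oracle.
-- Run on the DB instance as the master user after the TDE option is applied.
-- Assumes the encrypt_ts tablespace from the commands above; HR.EMPLOYEES, its SSN
-- column and the index HR.EMPLOYEES_PK are hypothetical names.

-- 1. The wallet is created and managed by Amazon RDS; its STATUS must be OPEN
--    before any encrypted tablespace or column can be written.
SELECT wrl_type, status FROM v$encryption_wallet;

-- 2. Tablespace encryption: move the sensitive table into the encrypted tablespace.
--    Everything stored in encrypt_ts is encrypted with the algorithm chosen when the
--    tablespace was created (AES256 in the example above).
ALTER TABLE hr.employees MOVE TABLESPACE encrypt_ts;
-- A MOVE leaves the table's indexes unusable; rebuild them into the same tablespace.
ALTER INDEX hr.employees_pk REBUILD TABLESPACE encrypt_ts;

-- 3. Column encryption: encrypt one sensitive column in place. This is the same
--    ALTER TABLE syntax as on an Oracle installation not on Amazon RDS.
ALTER TABLE hr.employees MODIFY (ssn ENCRYPT USING 'AES256');

-- 4. Verify encrypted tablespaces and their algorithm.
SELECT t.name AS tablespace_name, e.encryptionalg, e.encryptedts
FROM   v$encrypted_tablespaces e
JOIN   v$tablespace t ON t.ts# = e.ts#;

-- 5. Verify encrypted columns and their algorithm.
SELECT owner, table_name, column_name, encryption_alg, salt
FROM   dba_encrypted_columns
ORDER  BY owner, table_name, column_name;

-- 6. Find tables of the schema that still live in unencrypted tablespaces, so that
--    nothing sensitive was missed by the MOVE.
SELECT s.owner, s.segment_name, s.tablespace_name
FROM   dba_segments   s
JOIN   dba_tablespaces ts ON ts.tablespace_name = s.tablespace_name
WHERE  s.owner = 'HR'
AND    s.segment_type = 'TABLE'
AND    ts.encrypted = 'NO';
```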

You should determine if your DB instance is associated with an option group that has the TDE option.

To view the option group that a DB instance is associated with, you can use the RDS console, the describe-db-instances CLI command, or the API action DescribeDBInstances.

To comply with several security standards, Amazon RDS is working to implement automatic periodic master key rotation.

The process for using Oracle Transparent Data Encryption (TDE) with Amazon RDS is as follows:

1. If the DB instance is not associated with an option group that has the TDE option enabled, you must either create an option group and add the TDE option or modify the associated option group to add the TDE option. For information about creating or modifying an option group, see Working with Option Groups (p. 702). For information about adding an option to an option group, see Adding an Option to an Option Group (p. 707).

2. Associate the DB instance with the option group with the TDE option. For information about associating a DB instance with an option group, see Modifying a DB Instance Running the Oracle Database Engine (p. 283).

If you no longer want to use the TDE option with a DB instance, you must decrypt all your data on the DB instance, copy the data to a new DB instance that is not associated with an option group with TDE enabled, and then delete the original instance. You can rename the new instance to be the same name as the previous DB instance if you prefer.


Using TDE with Data Pump

You can use Oracle Data Pump to import or export encrypted dump files. Amazon RDS supports the password encryption mode (ENCRYPTION_MODE=PASSWORD) for Oracle Data Pump. Amazon RDS does not support transparent encryption mode (ENCRYPTION_MODE=TRANSPARENT) for Oracle Data Pump. For more information about using Oracle Data Pump with Amazon RDS, see Oracle Data Pump (p. 288).

Oracle Statspack

The Oracle Statspack option (STATSPACK) installs and enables the Oracle Statspack performance statistics feature. Oracle Statspack is a collection of SQL, PL/SQL, and SQL*Plus scripts that collect, store, and display performance data. For information about using Oracle Statspack, see Oracle Statspack in the Oracle documentation.

Note

Oracle Statspack is no longer supported by Oracle and has been replaced by the more advanced Automatic Workload Repository (AWR). AWR is available only for Oracle Enterprise Edition customers who have purchased the Diagnostics Pack. Oracle Statspack can be used with any Oracle DB engine on Amazon RDS.

The following steps show you how to work with Oracle Statspack on Amazon RDS:

1. Add the Statspack option to an option group and then associate that option group with your DB instance.

Amazon RDS installs the Statspack scripts on the DB instance and then sets up the PERFSTAT user account, the account you use to run the Statspack scripts. If you have installed Statspack, skip this step.

If you have an existing DB instance that has the PERFSTAT account already created and you want to use Oracle Statspack with it, you must drop the PERFSTAT account before adding the Statspack option to the option group associated with your DB instance. If you attempt to add the Statspack option to an option group associated with a DB instance that already has the PERFSTAT account created, you will get an error and the RDS event RDS-Event-0058 will be generated.

You can drop the PERFSTAT account by running the following command:

DROP USER perfstat CASCADE;

2. After Amazon RDS has installed Statspack on your DB instance, you must log in to the DB instance using your master user name and master password. You must then reset the PERFSTAT password from the randomly generated value Amazon RDS created when Statspack was installed. After you have reset the PERFSTAT password, you can log in using the PERFSTAT user account and run the Statspack scripts.

Use the following command to reset the password:

ALTER USER perfstat IDENTIFIED BY <new_password> ACCOUNT UNLOCK;

3. After you have logged on using the PERFSTAT account, you can either manually create a Statspack snapshot or create a job that will take a Statspack snapshot after a given time interval. For example, the following job creates a Statspack snapshot every hour:

variable jn number;
execute dbms_job.submit(:jn, 'statspack.snap;', sysdate, 'trunc(SYSDATE+1/24,''HH24'')');
commit;

4. Once you have created at least two Statspack snapshots, you can view them using the following query:

select snap_id, snap_time from stats$snapshot order by 1;

5. To create a Statspack report, you choose two snapshots to analyze and run the following Amazon RDS command:

exec RDSADMIN.RDS_RUN_SPREPORT(<begin snap>,<end snap>);

For example, the following Amazon RDS command would create a report based on the interval between Statspack snapshots 1 and 7:

exec RDSADMIN.RDS_RUN_SPREPORT(1,7);

The file name of the Statspack report that is generated includes the numbers of the two Statspack snapshots used. For example, a report file created using Statspack snapshots 1 and 7 would be named ORCL_spreport_1_7.lst. You can download the Statspack report by selecting the report in the Log section of the RDS console and clicking Download, or you can use the trace file procedures explained in Working with Oracle Trace Files (p. 819).

If an error occurs when producing the report, an error file is created using the same naming conventions but with an extension of .err. For example, if an error occurred while creating a report using Statspack snapshots 1 and 7, the report file would be named ORCL_spreport_1_7.err. You can download the error report by selecting the report in the Log section of the RDS console and clicking Download, or use the trace file procedures explained in Working with Oracle Trace Files (p. 819).

Oracle Statspack does some basic checking before running the report, so you could also see error messages displayed at the command prompt. For example, if you attempt to generate a report based on an invalid range, such as a beginning snapshot ID that is larger than the ending snapshot ID, the error message is displayed at the command prompt and no error file is created.

exec RDSADMIN.RDS_RUN_SPREPORT(2,1);
*
ERROR at line 1:
ORA-20000: Invalid snapshot IDs. Find valid ones in perfstat.stats$snapshot.

If you use an invalid number for one of the Statspack snapshots, the error message is also displayed at the command prompt. For example, if you have 20 Statspack snapshots but request a report using snapshots 1 and 50, the command prompt displays an error.

exec RDSADMIN.RDS_RUN_SPREPORT(1,50);
*
ERROR at line 1:
ORA-20000: Could not find both snapshot IDs

For more information about how to use Oracle Statspack, including information on adjusting the amount of data captured by adjusting the snapshot level, go to the Oracle Statspack documentation page.

To remove Oracle Statspack snapshots in a range of snapshot IDs, use the following command:

execute statspack.purge(<begin snap>, <end snap>);
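The following PL/SQL block is an added example and is not part of this guide. It combines steps 4 and 5 above: it selects the snapshot pair that brackets the last two hours (the window length is an assumed value), applies the same precondition that RDSADMIN.RDS_RUN_SPREPORT enforces so that a bad pair fails with a readable message instead of ORA-20000, and then generates the report. It assumes the connected user can read perfstat.stats$snapshot and execute RDSADMIN.RDS_RUN_SPREPORT.

```sql
-- Added example, not from the AWS guide. Run in SQL*Plus as a user that can
-- read PERFSTAT.STATS$SNAPSHOT and execute RDSADMIN.RDS_RUN_SPREPORT.
SET SERVEROUTPUT ON

DECLARE
  c_hours  CONSTANT NUMBER := 2;   -- assumed reporting window, in hours
  v_begin  NUMBER;
  v_end    NUMBER;
BEGIN
  -- Newest snapshot overall, and the oldest one taken inside the window
  SELECT MAX(snap_id) INTO v_end FROM perfstat.stats$snapshot;

  SELECT MIN(snap_id) INTO v_begin
    FROM perfstat.stats$snapshot
   WHERE snap_time >= SYSDATE - c_hours / 24;

  -- RDS_RUN_SPREPORT raises ORA-20000 when an ID is missing or the pair is
  -- inverted (begin >= end). Check the same conditions first so the failure
  -- explains what was actually found.
  IF v_begin IS NULL OR v_end IS NULL OR v_begin >= v_end THEN
    RAISE_APPLICATION_ERROR(-20001,
      'Need two distinct snapshots within the last ' || c_hours || ' hours; found begin='
      || NVL(TO_CHAR(v_begin), 'none') || ' end=' || NVL(TO_CHAR(v_end), 'none'));
  END IF;

  -- The report lands in the Log section of the RDS console under this name
  DBMS_OUTPUT.PUT_LINE('Generating ORCL_spreport_' || v_begin || '_' || v_end || '.lst');
  RDSADMIN.RDS_RUN_SPREPORT(v_begin, v_end);
END;
/
```

If fewer than two snapshots fall inside the window (for example right after enabling the hourly job), the block stops before calling the RDS procedure, so no .err file is written and nothing has to be cleaned up.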

Oracle Time Zone

The Timezone option lets you change the system time zone used by Oracle databases in a DB instance.

You might need to change the time zone for a DB instance if you need time compatibility with an on-premises environment or a legacy application. This option changes the time zone at the host level and impacts all date columns and values, including SYSDATE and SYSTIMESTAMP. The option can only be applied once to a DB instance. Take a DB snapshot of your DB instance before applying this option so that you can recover the instance if the time zone is set incorrectly.

Note

Applying the Timezone option to option groups used by existing DB instances could cause problems with tables that use the system date to add dates or times, so analyze your data to determine what impact a time zone change will have. We strongly urge you to test setting this option on a test DB instance before setting it on your production instances.

The Timezone option is a permanent and persistent option: it cannot be removed from an option group once it is added, and the option group cannot be disassociated from a DB instance. The option can be applied immediately by selecting Apply Immediately, or at the next maintenance window.

There are three ways to add the Timezone option to an option group: the Amazon RDS console, the add-option-to-option-group AWS CLI command, or the ModifyOptionGroup API action.


The following example uses the AWS CLI command add-option-to-option-group to add the Timezone option and the TIME_ZONE option setting to an option group called myoptiongroup. The time zone is set to Europe/Paris.

For Linux, OS X, or Unix:

aws rds add-option-to-option-group \
    --option-group-name "myoptiongroup" \
    --options "OptionName=Timezone,OptionSettings=[{Name=TIME_ZONE,Value=Europe/Paris}]" \
    --apply-immediately

For Windows:

aws rds add-option-to-option-group ^
    --option-group-name "myoptiongroup" ^
    --options "OptionName=Timezone,OptionSettings=[{Name=TIME_ZONE,Value=Europe/Paris}]" ^
    --apply-immediately

The Timezone option differs from the rdsadmin_util.alter_db_time_zone command. The rdsadmin_util.alter_db_time_zone command only changes the time zone for certain data types, while the Timezone option changes the time zone at the host level and impacts all date columns and values such as SYSDATE.

The following values can be used for the TIME_ZONE option setting:

Africa/Cairo, Africa/Casablanca, Africa/Harare, Africa/Lagos, Africa/Monrovia, Africa/Nairobi, Africa/Tripoli, Africa/Windhoek, America/Araguaina, America/Asuncion, America/Bogota, America/Caracas, America/Chihuahua, America/Cuiaba, America/Denver, America/Fortaleza, America/Guatemala, America/Halifax, America/Manaus, America/Matamoros, America/Monterrey, America/Montevideo, America/Phoenix, America/Santiago, America/Tijuana, Asia/Amman, Asia/Ashgabat, Asia/Baghdad, Asia/Baku, Asia/Bangkok, Asia/Beirut, Asia/Calcutta, Asia/Damascus, Asia/Dhaka, Asia/Irkutsk, Asia/Jerusalem, Asia/Kabul, Asia/Karachi, Asia/Kathmandu, Asia/Krasnoyarsk, Asia/Magadan, Asia/Muscat, Asia/Novosibirsk, Asia/Riyadh, Asia/Seoul, Asia/Shanghai, Asia/Singapore, Asia/Taipei, Asia/Tehran, Asia/Tokyo, Asia/Ulaanbaatar, Asia/Vladivostok, Asia/Yakutsk, Asia/Yerevan, Atlantic/Azores, Australia/Adelaide, Australia/Brisbane, Australia/Darwin, Australia/Hobart, Australia/Perth, Australia/Sydney, Brazil/East, Canada/Newfoundland, Canada/Saskatchewan, Etc/GMT-3, Europe/Amsterdam, Europe/Athens, Europe/Dublin, Europe/Helsinki, Europe/Istanbul, Europe/Kaliningrad, Europe/Moscow, Europe/Paris, Europe/Prague, Europe/Sarajevo, Pacific/Auckland, Pacific/Fiji, Pacific/Guam, Pacific/Honolulu, Pacific/Samoa, US/Alaska, US/Central, US/Eastern, US/East-Indiana, US/Pacific, UTC.

Oracle SSL

You enable SSL encryption for an Oracle DB instance by adding the Oracle SSL option to the option group associated with the DB instance. You specify the port you want to communicate over using SSL, and you must configure the Oracle client as shown in the following section.

Amazon RDS uses a second port, as required by Oracle, for SSL connections. This allows both clear text and SSL-encrypted communication to occur at the same time between a DB instance and an Oracle client. For example, you can use the clear text port to communicate with other resources inside a VPC while using the SSL port to communicate with resources outside the VPC.


Topics

Configuring an Oracle Client to Use SSL with an Oracle DB Instance (p. 309)

Connecting to an Oracle DB Instance Using SSL (p. 310)

Setting Up an SSL Connection Over JDBC (p. 311)

Enforcing a DN Match with an SSL Connection (p. 312)

You can use SSL encryption with the following Oracle database versions and editions:

• 11.2.0.2.v* (all versions) - Enterprise Edition

• 11.2.0.3.v* (all versions) - Enterprise Edition

• 11.2.0.4.v* (all versions) - Enterprise Edition

• 11.2.0.4.v6 and later - Standard Edition, Standard Edition One, Enterprise Edition

• 12.1.0.1.v* (all versions) - all editions

• 12.1.0.2.v* (all versions) - all editions, including Standard Edition Two

Note

You cannot use both SSL and Oracle native network encryption (NNE) on the same instance.

If you use SSL encryption, you must disable any other connection encryption.

Configuring an Oracle Client to Use SSL with an Oracle DB Instance

You must configure the Oracle client before connecting to an Oracle DB instance that uses the Oracle SSL option.

To configure an Oracle client to use SSL to connect to an Oracle DB instance

1. Set the ORACLE_HOME system variable to the location of your dbhome_1 directory by running the following command:

   prompt> export ORACLE_HOME=/home/user/app/user/product/12.1.0/dbhome_1

2. Append $ORACLE_HOME/lib to the LD_LIBRARY_PATH system variable.

   prompt> export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$ORACLE_HOME/lib

3. Create a directory for the Oracle wallet at $ORACLE_HOME/ssl_wallet.

   prompt> mkdir $ORACLE_HOME/ssl_wallet

4. Download the RDS CA certificate file from https://s3.amazonaws.com/rds-downloads/rds-ca-2015-root.pem and then put the file in the ssl_wallet directory.


5. In the $ORACLE_HOME/network/admin directory, modify or create the tnsnames.ora file and include the following entry:

   <database name> =
     (DESCRIPTION =
       (ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCPS)(HOST = <endpoint>)(PORT = <ssl port number>)))
       (CONNECT_DATA = (SID = <database name>))
       (SECURITY = (SSL_SERVER_CERT_DN = "C=US,ST=Washington,L=Seattle,O=Amazon.com,OU=RDS,CN=<endpoint>"))
     )

6. In the same directory, modify or create the sqlnet.ora file and include the following parameters:

   WALLET_LOCATION = (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = $ORACLE_HOME/ssl_wallet)))
   SSL_CLIENT_AUTHENTICATION = FALSE
   SSL_VERSION = 1.0
   SSL_CIPHER_SUITES = (SSL_RSA_WITH_AES_256_CBC_SHA)
   SSL_SERVER_DN_MATCH = ON

   SSL_SERVER_DN_MATCH = ON is what makes the client reject a server whose certificate DN does not match the SSL_SERVER_CERT_DN given in tnsnames.ora; without it the handshake succeeds against any certificate the wallet trusts. SSL_VERSION = 1.0 selects TLS 1.0, the version this guide's SSL option uses; TLS 1.0 is deprecated today, so use a newer version wherever both the client and the DB instance support one.

7. Run the following commands to create the Oracle wallet:

   prompt> orapki wallet create -wallet $ORACLE_HOME/ssl_wallet -auto_login_only
   prompt> orapki wallet add -wallet $ORACLE_HOME/ssl_wallet -trusted_cert -cert $ORACLE_HOME/ssl_wallet/rds-ca-2015-root.pem -auto_login_only

Connecting to an Oracle DB Instance Using SSL

After you configure the Oracle client to use SSL as described preceding, you can connect to the Oracle DB instance with the SSL option. For example, to connect to the DB instance using sqlplus, use the following command:

sqlplus '<mydbuser>@(DESCRIPTION = (ADDRESS = (PROTOCOL = TCPS)(HOST = <endpoint>)(PORT = <ssl port number>))(CONNECT_DATA = (SID = <database name>)))'

You can also connect to the Oracle DB instance without using SSL. For example, the following command connects to the DB instance through the clear text port without SSL encryption:

sqlplus '<mydbuser>@(DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = <endpoint>)(PORT = <port number>))(CONNECT_DATA = (SID = <database name>)))'

If you want to close Transmission Control Protocol (TCP) port access, create a security group with no IP address ingresses and add it to the instance. This closes connections over the clear text TCP port while still allowing connections over the SSL port from IP addresses within the range permitted by the SSL option's security group.
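Because the clear text and SSL ports are both open by default, a connect string is only a request, not proof. The following queries are an added example and are not part of this guide; run them inside the sqlplus session you just opened to confirm which port the session actually came in on and which network services were negotiated for it. They use only the standard SYS_CONTEXT attributes and the V$SESSION_CONNECT_INFO view, which the RDS master user can read.

```sql
-- Added example, not from the AWS guide. Run in the session under test.

-- 1. Which protocol carried this session? Expect tcps on the SSL port;
--    tcp means the session arrived on the clear-text port.
SELECT SYS_CONTEXT('USERENV', 'NETWORK_PROTOCOL') AS protocol,
       SYS_CONTEXT('USERENV', 'IP_ADDRESS')       AS client_ip,
       SYS_CONTEXT('USERENV', 'SID')              AS sid
  FROM dual;

-- 2. Which network services were negotiated for this session?
--    With native network encryption (NNE) the banner lists encryption and
--    crypto-checksumming adapters; the guide says NNE and the SSL option are
--    mutually exclusive, so on an SSL-option instance those rows tell you
--    that NNE, not SSL, is what is protecting the session.
SELECT network_service_banner
  FROM v$session_connect_info
 WHERE sid = SYS_CONTEXT('USERENV', 'SID');

-- 3. Sessions from outside the VPC that should be on TCPS: list every
--    connected user session with its client address so the ones on the
--    clear-text port can be traced back to the client that opened them.
SELECT sid, serial#, username, osuser, machine, program
  FROM v$session
 WHERE type = 'USER'
 ORDER BY username, sid;
```

Query 1 is the one to script into a connection smoke test: if PROTOCOL is not tcps when the SSL port was requested, the client resolved a different alias or sqlnet.ora was not picked up from $ORACLE_HOME/network/admin.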

Setting Up an SSL Connection Over JDBC

To use an SSL connection over JDBC, you must create a keystore, trust the Amazon RDS root CA certificate, and use the code snippet specified below.

To create the keystore in JKS format, use the following command. For more information about creating the keystore, see the Oracle documentation.

keytool -keystore clientkeystore -genkey -alias client

Next, follow these steps to trust the Amazon RDS root CA certificate:

1. Download the Amazon RDS root CA certificate from https://s3.amazonaws.com/rds-downloads/rds-ca-2015-root.pem.

2. Convert the certificate to DER format using the following command:

   openssl x509 -outform der -in rds-ca-2015-root.pem -out rds-ca-2015-root.der

3. Import the certificate into the keystore using the following command:

   keytool -import -alias rds-root -keystore clientkeystore -file rds-ca-2015-root.der

The following code snippet shows how to set up the SSL connection using JDBC:

import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Properties;

public class OracleSslConnectionTest {

    private static final String DB_SERVER_NAME = "<dns-name-provided-by-amazon-rds>";
    private static final int SSL_PORT = <ssl-option-port-configured-in-option-group>;
    private static final String DB_SID = "<oracle-sid>";
    private static final String DB_USER = "<user name>";
    private static final String DB_PASSWORD = "<password>";
    // This key store has only the prod root ca: https://s3.amazonaws.com/rds-downloads/rds-ca-2015-root.pem
    private static final String KEY_STORE_FILE_PATH = "<file-path-to-keystore>";
    private static final String KEY_STORE_PASS = "<keystore-password>";

    public static void main(String[] args) throws SQLException {
        final Properties properties = new Properties();
        final String connectionString = String.format(
            "jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST=%s)(PORT=%d))(CONNECT_DATA=(SID=%s)))",
            DB_SERVER_NAME, SSL_PORT, DB_SID);
        properties.put("user", DB_USER);
        properties.put("password", DB_PASSWORD);
        properties.put("oracle.jdbc.J2EE13Compliant", "true");
        // Trust store holding the RDS root CA imported with keytool above
        properties.put("javax.net.ssl.trustStore", KEY_STORE_FILE_PATH);
        properties.put("javax.net.ssl.trustStoreType", "JKS");
        properties.put("javax.net.ssl.trustStorePassword", KEY_STORE_PASS);
        // If getConnection returns without an exception, the SSL handshake
        // passed; try-with-resources closes the connection afterwards.
        try (Connection connection = DriverManager.getConnection(connectionString, properties)) {
            System.out.println("SSL connection established");
        }
    }
}

Enforcing a DN Match with an SSL Connection

The Oracle parameter SSL_SERVER_DN_MATCH can be used to enforce that the distinguished name (DN) for the database server matches its service name. If you enforce the match verification, SSL ensures that the certificate is from the server. If you do not enforce it, SSL performs the check but allows the connection regardless of whether there is a match, which lets a server potentially fake its identity.

To enforce DN matching, add the DN match property and use the connection string specified below.

Add the following connection property in the JDBC code for the Oracle DB instance on which you want to enforce DN matching:

properties.put("oracle.net.ssl_server_dn_match", "TRUE");

Use the following connection string to enforce DN matching when using SSL:

final String connectionString = String.format(
    "jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST=%s)(PORT=%d))"
    + "(CONNECT_DATA=(SID=%s))"
    + "(SECURITY=(SSL_SERVER_CERT_DN=\"C=US,ST=Washington,L=Seattle,O=Amazon.com,OU=RDS,CN=%s\")))",
    DB_SERVER_NAME, SSL_PORT, DB_SID, DB_SERVER_NAME);

Appendix: Common DBA Tasks for Oracle

This section describes the Amazon RDS-specific implementations of some common DBA tasks for DB instances running the Oracle database engine. In order to deliver a managed service experience, Amazon RDS does not provide shell access to DB instances, and restricts access to certain system procedures and tables that require advanced privileges.

For information about working with Oracle log files on Amazon RDS, see Oracle Database Log Files (p. 819).

Tasks

System

Enabling and disabling Restricted Session (p. 315)

Flushing the Shared Pool (p. 315)

Flushing the Buffer Cache (p. 315)

Disconnecting a Session (for version 11.2.0.3.v1 and later) (p. 316)

Killing a Session (p. 316)

Renaming the Global Name (for version 11.2.0.3.v1 and later) (p. 316)

Granting Privileges to Non-Master Users (p. 317)

Modifying DBMS_SCHEDULER Jobs (p. 317)

Logs

Switching Online Log files (p. 317)

Adding, Dropping and Resizing Online Redo Logs (p. 318)

Setting Force Logging (for version 11.2.0.3.v1 and later) (p. 320)

Retaining Archived Redo Logs (for version 11.2.0.2.v7 and later) (p. 321)

Setting Supplemental Logging (for version 11.2.0.3.v1 and later) (p. 321)

Databases

Creating and Resizing Tablespaces and Data Files (p. 321)

Setting Default Tablespace (p. 322)

Setting Default Temporary Tablespace (p. 322)

Checkpointing the Database (p. 322)

Setting Distributed Recovery (for version 11.2.0.3.v1 and later) (p. 322)

Granting SELECT or EXECUTE privileges to SYS Objects (for version 11.2.0.3.v1 and later) (p. 323)

Setting the Database Time Zone (p. 323)

Working with Automatic Workload Repository (AWR) (p. 324)

Adjusting Database Links for Use with DB Instances in a VPC (p. 324)


Creating New Directories in the Main Data Storage Space (for version 11.2.0.4.v1 and later) (p. 324)

Listing and Reading Files in a DB Instance Directory (for version 11.2.0.3.v1 and later) (p. 325)

Enabling and disabling Restricted Session

Oracle Method
alter system enable restricted session;
Amazon RDS Method
exec rdsadmin.rdsadmin_util.restricted_session(true);

Oracle Method
alter system disable restricted session;
Amazon RDS Method
exec rdsadmin.rdsadmin_util.restricted_session(false);

The following example shows how to enable and disable restricted sessions.

select logins from v$instance;

LOGINS
-------
ALLOWED

exec rdsadmin.rdsadmin_util.restricted_session(true);
select logins from v$instance;

LOGINS
----------
RESTRICTED

exec rdsadmin.rdsadmin_util.restricted_session(false);
select logins from v$instance;

LOGINS
-------
ALLOWED

Flushing the Shared Pool

Oracle Method
alter system flush shared_pool;
Amazon RDS Method
exec rdsadmin.rdsadmin_util.flush_shared_pool;

Flushing the Buffer Cache

Oracle Method
alter system flush buffer_cache;
Amazon RDS Method
exec rdsadmin.rdsadmin_util.flush_buffer_cache;


Disconnecting a Session (for version 11.2.0.3.v1 and later)

The following Amazon RDS method disconnects a session by ending its dedicated server process. Note that the database must be open to use this method. For more information about disconnecting a session, see the Oracle documentation.

You must specify both the SID and serial number of the session. To obtain these values, query the V$SESSION view. For example, the following query shows all sessions for the user AWSUSER:

SELECT SID, SERIAL#, STATUS
FROM V$SESSION
WHERE USERNAME = 'AWSUSER';

Oracle Method
alter system disconnect session;
Amazon RDS Method
exec rdsadmin.rdsadmin_util.disconnect(sid number, serial number, method varchar default 'IMMEDIATE');

Killing a Session

Oracle Method
alter system kill session 'sid, serial#' IMMEDIATE;
Amazon RDS Method
exec rdsadmin.rdsadmin_util.kill(sid, serial#);

For use with version 11.2.0.3.v1 or higher:

exec rdsadmin.rdsadmin_util.kill(sid number, serial number, method varchar default null);

If you are using version 11.2.0.3.v1 or higher, you can specify either IMMEDIATE or PROCESS as a value for the method parameter. Specifying PROCESS as the method value enables you to kill the processes associated with a session. You should only do this if killing the session using IMMEDIATE as the method value was unsuccessful.

Renaming the Global Name (for version 11.2.0.3.v1 and later)

The following Amazon RDS method changes the global name of the database. Note that the database must be open for the name change to take effect. For more information about changing the global name of a database, see the Oracle documentation.

Oracle Method
alter database rename global_name to <new global name>;
Amazon RDS Method
exec rdsadmin.rdsadmin_util.rename_global_name(p_new_global_name in varchar2);


Granting Privileges to Non-Master Users

The following example creates a non-master user named user1 and grants it the CREATE SESSION privilege and the SELECT privilege on a table named sh.sales:

CREATE USER user1 IDENTIFIED BY password;

GRANT CREATE SESSION TO user1;

GRANT SELECT ON sh.sales TO user1;

You can grant explicit object privileges for objects in the SYS schema using the SELECT_CATALOG_ROLE and the EXECUTE_CATALOG_ROLE roles. The SELECT_CATALOG_ROLE role allows users SELECT privileges on data dictionary views and the EXECUTE_CATALOG_ROLE role allows users EXECUTE privileges for packages and procedures in the data dictionary.

The following example grants the SELECT_CATALOG_ROLE role to a user named user1:

GRANT SELECT_CATALOG_ROLE TO user1;

The following example grants the EXECUTE_CATALOG_ROLE role to a user named user1:

GRANT EXECUTE_CATALOG_ROLE TO user1;

To view the permissions that the SELECT_CATALOG_ROLE and the EXECUTE_CATALOG_ROLE roles allow, use the following query:

SELECT * FROM ROLE_TAB_PRIVS

WHERE ROLE IN ('SELECT_CATALOG_ROLE','EXECUTE_CATALOG_ROLE')

ORDER BY ROLE, TABLE_NAME ASC;

Modifying DBMS_SCHEDULER Jobs

You can modify the default DBMS_SCHEDULER jobs and windows by following the Oracle documentation, but you need to prepend the SYS schema name to the WINDOW_NAME. For example, with a local Oracle database you could do the following:

execute dbms_scheduler.set_attribute('MONDAY_WINDOW','RESOURCE_PLAN','');

For an Amazon RDS DB instance, you would include the SYS schema name:

execute dbms_scheduler.set_attribute('SYS.MONDAY_WINDOW','RESOURCE_PLAN','');

Switching Online Log files

You can use the following Amazon RDS method to switch log files.

Oracle Method

alter system switch logfile;

Amazon RDS Method

exec rdsadmin.rdsadmin_util.switch_logfile;


Adding, Dropping and Resizing Online Redo Logs

A newly created Amazon RDS instance using the Oracle database engine has four 128 MB online redo logs. Note that in cases where you want to add more logs, the same restrictions apply to naming physical files as they do for naming online redo logs.

Use the following procedures to add or drop redo logs:

exec rdsadmin.rdsadmin_util.add_logfile(size bytes);
exec rdsadmin.rdsadmin_util.drop_logfile(group#);

If you are using version 11.2.0.3.v1 or later, you can specify the size modifier as well. For example, the following command adds a 100 MB log file:

exec rdsadmin.rdsadmin_util.add_logfile('100M');

Example

The following example shows how you can use the Amazon RDS-provided procedures to resize your online redo logs from their default size to 512M.

# Start with four 128m logs.

SQL>select GROUP#, BYTES, STATUS from v$log;

GROUP# BYTES STATUS

---------- ---------- ----------------

1 134217728 INACTIVE

2 134217728 CURRENT

3 134217728 INACTIVE

4 134217728 INACTIVE

4 rows selected.

# Add four new logs that are each 512m.

SQL>exec rdsadmin.rdsadmin_util.add_logfile(536870912);

PL/SQL procedure successfully completed.

SQL>exec rdsadmin.rdsadmin_util.add_logfile(536870912);

PL/SQL procedure successfully completed.

SQL>exec rdsadmin.rdsadmin_util.add_logfile(536870912);

PL/SQL procedure successfully completed.

SQL>exec rdsadmin.rdsadmin_util.add_logfile(536870912);

PL/SQL procedure successfully completed.

# Now query v$log to show that there are 8 logs:

SQL>select GROUP#, BYTES, STATUS from v$log;

GROUP# BYTES STATUS


---------- ---------- ----------------

1 134217728 INACTIVE

2 134217728 CURRENT

3 134217728 INACTIVE

4 134217728 INACTIVE

5 536870912 UNUSED

6 536870912 UNUSED

7 536870912 UNUSED

8 536870912 UNUSED

8 rows selected.

# Now, drop each INACTIVE log using the group#.

SQL>exec rdsadmin.rdsadmin_util.drop_logfile(1);

PL/SQL procedure successfully completed.

SQL>exec rdsadmin.rdsadmin_util.drop_logfile(3);

PL/SQL procedure successfully completed.

SQL>exec rdsadmin.rdsadmin_util.drop_logfile(4);

PL/SQL procedure successfully completed.

#

SQL>select GROUP#, BYTES, STATUS from v$log;

GROUP# BYTES STATUS

---------- ---------- ----------------

2 134217728 CURRENT

5 536870912 UNUSED

6 536870912 UNUSED

7 536870912 UNUSED

8 536870912 UNUSED

5 rows selected.

# Switch logs so that group 2 is no longer current:

SQL>exec rdsadmin.rdsadmin_util.switch_logfile;

PL/SQL procedure successfully completed.

#

SQL>select GROUP#, BYTES, STATUS from v$log;

GROUP# BYTES STATUS

---------- ---------- ----------------

2 134217728 ACTIVE

5 536870912 CURRENT

6 536870912 UNUSED

7 536870912 UNUSED

8 536870912 UNUSED

5 rows selected.


# Issue a checkpoint to clear log 2

SQL>exec rdsadmin.rdsadmin_util.checkpoint;

PL/SQL procedure successfully completed.

#

SQL>select GROUP#, BYTES, STATUS from v$log;

GROUP# BYTES STATUS

---------- ---------- ----------------

2 134217728 INACTIVE

5 536870912 CURRENT

6 536870912 UNUSED

7 536870912 UNUSED

8 536870912 UNUSED

5 rows selected.

# Checkpointing clears log group 2 so that its status is now INACTIVE allowing

us to drop the final log group 2:

SQL>exec rdsadmin.rdsadmin_util.drop_logfile(2);

PL/SQL procedure successfully completed.

# Now, there are four 512m logs. Oracle using Oracle Managed Files (OMF) will automatically remove the old logfiles from the file system.

SQL>select GROUP#, BYTES, STATUS from v$log;

GROUP# BYTES STATUS

---------- ---------- ----------------

5 536870912 CURRENT

6 536870912 UNUSED

7 536870912 UNUSED

8 536870912 UNUSED

4 rows selected.

Setting Force Logging (for version 11.2.0.3.v1 and later)

The following Amazon RDS method puts the database in or removes the database from FORCE LOGGING mode. In FORCE LOGGING mode, Oracle logs all changes to the database except changes in temporary tablespaces and temporary segments. For more information about forcing logging, see the Oracle documentation .

Oracle Method
alter database [no] force logging;
Amazon RDS Method
exec rdsadmin.rdsadmin_util.force_logging(p_enable in boolean := true);


Retaining Archived Redo Logs (for version 11.2.0.2.v7 and later)

You can retain archived redo logs on your DB instance for use with products like Oracle LogMiner (DBMS_LOGMNR). Once you have retained the redo logs, you can use LogMiner to analyze the logs as explained in the Oracle documentation. Note that you need to ensure that the DB instance has enough allocated storage to store the retained logs.

Use the Amazon RDS method rdsadmin.rdsadmin_util.set_configuration to retain archived redo logs. The following example shows how to retain 24 hours of redo logs:

exec rdsadmin.rdsadmin_util.set_configuration('archivelog retention hours',24);

If you need to determine how much space your DB instance has used in the last X hours, you can run the following query, replacing X with the number of hours:

select sum(blocks * block_size) bytes from v$archived_log
where first_time >= sysdate - X/24 and dest_id = 1;

Setting Supplemental Logging (for version 11.2.0.3.v1 and later)

The following Amazon RDS method enables supplemental logging, including minimal supplemental logging. Oracle Database does not enable supplemental logging by default. Supplemental logging ensures that LogMiner and products that use LogMiner technology will have sufficient information to support chained rows and various storage arrangements such as cluster tables. For more information on supplemental logging, see the Oracle documentation.

Oracle Method
alter database [add|drop] supplemental log data;
Amazon RDS Method
exec rdsadmin.rdsadmin_util.alter_supplemental_logging(p_action in varchar2, p_type in varchar2 default NULL);

Oracle Method
alter database add supplemental log data (PRIMARY KEY) columns;
Amazon RDS Method
exec rdsadmin.rdsadmin_util.alter_supplemental_logging('ADD','PRIMARY KEY');

Oracle Method
alter database add supplemental log data (ALL) columns;
Amazon RDS Method
exec rdsadmin.rdsadmin_util.alter_supplemental_logging('ADD','ALL');

Oracle Method
alter database add supplemental log data (UNIQUE) columns;
Amazon RDS Method
exec rdsadmin.rdsadmin_util.alter_supplemental_logging('ADD','UNIQUE');

Creating and Resizing Tablespaces and Data Files

Amazon RDS only supports Oracle Managed Files (OMF) for data files, log files and control files. When creating data files and log files you cannot specify physical file names.

The following example creates a tablespace: create tablespace users2;


The following example creates temporary tablespace: create temporary tablespace temp01;

Because the Oracle ALTER DATABASE system privilege is not available on Amazon RDS, you must use ALTER TABLESPACE to resize a tablespace. The following example resizes a bigfile tablespace named users2 to 200 MB:

alter tablespace users2 resize 200M;

For smallfile tablespaces, you need to add an additional datafile, as in the following example:

ALTER TABLESPACE users2 ADD DATAFILE SIZE 100000M AUTOEXTEND ON NEXT 250m MAXSIZE UNLIMITED;

Setting Default Tablespace

Oracle Method

alter database default tablespace users2;

Amazon RDS Method

exec rdsadmin.rdsadmin_util.alter_default_tablespace('users2');

Setting Default Temporary Tablespace

Oracle Method
alter database default temporary tablespace temp2;
Amazon RDS Method
exec rdsadmin.rdsadmin_util.alter_default_temp_tablespace('temp2');

Checkpointing the Database

Oracle Method

alter system checkpoint;

Amazon RDS Method

exec rdsadmin.rdsadmin_util.checkpoint;

Setting Distributed Recovery (for version 11.2.0.3.v1 and later)

Oracle Method
alter system enable distributed recovery;
alter system disable distributed recovery;
Amazon RDS Method
exec rdsadmin.rdsadmin_util.enable_distr_recovery;
exec rdsadmin.rdsadmin_util.disable_distr_recovery;


Granting SELECT or EXECUTE privileges to SYS Objects (for version 11.2.0.3.v1 and later)

Generally, you can use grant select_catalog_role or grant execute_catalog_role to grant privileges. If you need to grant privileges to a single object instead of using a role that may contain many objects, you can use the grant_sys_object Amazon RDS method. The following procedure transfers existing privileges such as SELECT and EXECUTE via a role to another account. Note that it only grants privileges that the master account already has via a role or direct grant.

Oracle Method

grant select on V_$SESSION to myuser;

Amazon RDS Method

exec rdsadmin.rdsadmin_util.grant_sys_object('V_$SESSION','MYUSER');

In order to be able to grant privileges on an object, your account must have those privileges granted to it directly with the grant option or via a role granted using WITH ADMIN OPTION. In the most common case, you may want to grant SELECT on a DBA view that has been granted to the SELECT_CATALOG_ROLE role. If that role isn't already directly granted to your user using WITH ADMIN OPTION, then you won't be able to transfer the privilege. If you have the DBA privilege, then you can grant the role directly to another user.

For example, an initial grant for SELECT_CATALOG_ROLE and EXECUTE_CATALOG_ROLE could be:

GRANT SELECT_CATALOG_ROLE TO user1 WITH ADMIN OPTION;

GRANT EXECUTE_CATALOG_ROLE TO user1 WITH ADMIN OPTION;

In the previous example, since "WITH ADMIN OPTION," was used when granting "user1" access, "user1" will be able to grant access to SYS objects that have been granted to SELECT_CATALOG_ROLE.

Note that objects already granted to PUBLIC do not need to be re-granted, but if you use the grant_sys_object procedure to re-grant access the procedure will not fail. Note too that object names must be spelled exactly as they appear in DBA_OBJECTS (Most SYS objects are defined in UPPERCASE, so we recommend you try that first).
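The following script is an added example and is not part of this guide. It ties together the Granting Privileges to Non-Master Users section and this one: it creates a read-only application account, grants it only what it needs through the paths this guide supports (plain GRANT for a schema table, rdsadmin_util.grant_sys_object for a single SYS view rather than the whole SELECT_CATALOG_ROLE), and then audits what the account actually holds, including anything it could pass on to other users. It assumes a schema SH with a table SALES, a USERS tablespace, and that you run it as the master user, which holds SELECT_CATALOG_ROLE and so can grant single SYS objects.

```sql
-- Added example, not from the AWS guide. Run as the master user.
-- Assumptions: schema SH with table SALES exists; tablespace USERS exists.

CREATE USER app_reader IDENTIFIED BY "<strong-password>"
  DEFAULT TABLESPACE users
  QUOTA 0 ON users;                 -- read-only account: no space to create objects

GRANT CREATE SESSION TO app_reader;
GRANT SELECT ON sh.sales TO app_reader;

-- One SYS view instead of the whole SELECT_CATALOG_ROLE (RDS method)
EXEC rdsadmin.rdsadmin_util.grant_sys_object('V_$SESSION', 'APP_READER');

-- What APP_READER actually holds: system privileges, object privileges and
-- roles, each with the flag that would let it re-grant the item.
SELECT CAST('SYSPRIV' AS VARCHAR2(8)) AS kind, privilege AS detail, admin_option AS regrantable
  FROM dba_sys_privs
 WHERE grantee = 'APP_READER'
UNION ALL
SELECT 'OBJPRIV', owner || '.' || table_name || ' ' || privilege, grantable
  FROM dba_tab_privs
 WHERE grantee = 'APP_READER'
UNION ALL
SELECT 'ROLE', granted_role, admin_option
  FROM dba_role_privs
 WHERE grantee = 'APP_READER'
 ORDER BY 1, 2;

-- Anything the account could hand to someone else. For an application
-- account this should return no rows; a row here means a grant was made
-- WITH ADMIN OPTION or WITH GRANT OPTION by mistake.
SELECT grantee, 'ROLE ' || granted_role AS regrantable_item
  FROM dba_role_privs
 WHERE admin_option = 'YES' AND grantee = 'APP_READER'
UNION ALL
SELECT grantee, 'OBJECT ' || owner || '.' || table_name
  FROM dba_tab_privs
 WHERE grantable = 'YES' AND grantee = 'APP_READER'
UNION ALL
SELECT grantee, 'SYSPRIV ' || privilege
  FROM dba_sys_privs
 WHERE admin_option = 'YES' AND grantee = 'APP_READER';
```

Expected result of the first audit query is exactly three rows: SYSPRIV CREATE SESSION, OBJPRIV SH.SALES SELECT, and OBJPRIV SYS.V_$SESSION SELECT, all with the re-grant flag NO; the second query returns nothing. Re-run the two queries whenever the account is touched, since grants accumulate silently.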

Setting the Database Time Zone

You can alter the time zone of a database in two ways: by using the rdsadmin_util.alter_db_time_zone command or by setting the Oracle Time Zone (p. 307) option.

The rdsadmin_util.alter_db_time_zone command changes the time zone for only certain data types and does not change SYSDATE; it must be used with versions 11.2.0.2.v4 or later. The Timezone option changes the time zone at the host level and impacts all date columns and values such as SYSDATE.

Oracle Method
alter database set time_zone = '+3:00';
Amazon RDS Method
exec rdsadmin.rdsadmin_util.alter_db_time_zone('+3:00');

After you alter the time zone, you must reboot the DB instance for the change to take effect.

There are additional restrictions on setting time zones listed in the Oracle documentation .
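The following queries are an added example and are not part of this guide. They make the distinction drawn here and in the Oracle Time Zone option section visible: run them before and after a change to see which clock moved. SYSDATE and SYSTIMESTAMP follow the host time zone (the Timezone option), DBTIMEZONE follows rdsadmin_util.alter_db_time_zone, and SESSIONTIMEZONE is whatever the connecting client asked for. The second query is the pre-check for the Oracle restriction referenced above: the database time zone cannot be changed while any TIMESTAMP WITH LOCAL TIME ZONE column holds data.

```sql
-- Added example, not from the AWS guide. Run before and after the change.

-- 1. The three clocks side by side. After the Timezone option is applied,
--    host_sysdate and host_systimestamp shift; after alter_db_time_zone and
--    the required reboot, only db_time_zone changes.
SELECT TO_CHAR(SYSDATE, 'YYYY-MM-DD HH24:MI:SS') AS host_sysdate,
       SYSTIMESTAMP                                AS host_systimestamp,
       DBTIMEZONE                                  AS db_time_zone,
       SESSIONTIMEZONE                             AS session_time_zone,
       CURRENT_TIMESTAMP                           AS session_now
  FROM dual;

-- 2. Oracle rejects a database time zone change while any TIMESTAMP WITH
--    LOCAL TIME ZONE column contains data (those values are stored normalised
--    to DBTIMEZONE). Find such columns before calling alter_db_time_zone; each
--    listed table must be empty or converted first.
SELECT owner, table_name, column_name, data_type
  FROM dba_tab_columns
 WHERE data_type LIKE 'TIMESTAMP(%) WITH LOCAL TIME ZONE'
 ORDER BY owner, table_name, column_name;
```

Keep the output of query 1 from before the change with the DB snapshot you take; if the Timezone option turns out to be wrong, the two outputs show exactly how far stored SYSDATE-derived values have drifted.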


Working with Automatic Workload Repository (AWR)

If you use Oracle Enterprise Edition and want to use Automatic Workload Repository (AWR), you can enable AWR by changing the CONTROL_MANAGEMENT_PACK_ACCESS parameter.

Oracle AWR includes several report generation scripts, such as awrrpt.sql, that are installed on the host server. Since you do not have access to host directories, you can download the scripts from Oracle or generate them using Oracle Enterprise Manager (OEM).

Adjusting Database Links for Use with DB Instances in a VPC

To use Oracle database links with DB instances inside a VPC, the two instances must be either in the same VPC or you must create an EC2 or VPC security group that both DB instances are a member of.

For example, when using Oracle Data Pump and Oracle DBLinks to move data between DB instances, the instances must be members of the same VPC or EC2 security group or they must be in the same VPC. For more information about using database links with Oracle Data Pump, see Oracle Data Pump (p. 288).

Creating New Directories in the Main Data Storage Space (for version 11.2.0.4.v1 and later)

A DB instance comes with a set of directories; you can create additional directories using the following Amazon RDS method. The create_directory() method lets you create up to 10,000 directories, all located in your main data storage space. The following example uses the method to create a directory named "MY_DIR".

Oracle Method

create directory MY_DIR as '/my/os/pathname';

Amazon RDS Method

exec rdsadmin.rdsadmin_util.create_directory('MY_DIR');

You can list the directories by querying the DBA_DIRECTORIES view. Note that the system chose the actual host pathname automatically:

select * from DBA_DIRECTORIES where directory_name='MY_DIR';
select directory_path from DBA_DIRECTORIES where directory_name='MY_DIR';

DIRECTORY_PATH
----------------------------------------
/rdsdbdata/userdirs/01

The master user name for the DB instance has read and write privileges in the new directory, and can grant access to other users. Note that "execute" privileges are not available for directories on a DB instance. Directories are created in your main data storage space and will consume space and I/O bandwidth.

You can drop a directory that you created by using the Oracle drop directory command. Dropping a directory does not remove its contents; because the create_directory() method can reuse pathnames, files in dropped directories could appear in a newly created directory. Before you drop a directory, you should use UTL_FILE.FREMOVE to remove files from the directory.

Listing and Reading Files in a DB Instance Directory (for version 11.2.0.3.v1 and later)

You can use the RDSADMIN.RDS_FILE_UTIL.LISTDIR() Amazon RDS method to list the files in any DB instance directory (from DBA_DIRECTORIES) that you have access to:

select * from table(RDSADMIN.RDS_FILE_UTIL.LISTDIR('DATA_PUMP_DIR'));

If you find a text file that you want to read, you can use the RDSADMIN.RDS_FILE_UTIL.READ_TEXT_FILE() Amazon RDS method. The following example reads the filename.log file in the DATA_PUMP_DIR directory:

select * from table(RDSADMIN.RDS_FILE_UTIL.READ_TEXT_FILE('DATA_PUMP_DIR','filename.log'));


Appendix: Using Oracle GoldenGate with Amazon RDS

Oracle GoldenGate is used to collect, replicate, and manage transactional data between databases. It is a log-based change data capture (CDC) and replication software package used with Oracle databases for online transaction processing (OLTP) systems. GoldenGate creates trail files that contain the most recent changed data from the source database and then pushes these files to the target database. You can use Oracle GoldenGate with Amazon RDS for Active-Active database replication, zero-downtime migration and upgrades, disaster recovery, data protection, and in-region and cross-region replication.

Topics

Setting Up an Oracle GoldenGate Hub on EC2 (p. 329)

Setting Up a Source Database for Use with GoldenGate on Amazon RDS (p. 331)

Setting Up a Target Database for Use with GoldenGate on Amazon RDS (p. 335)

Working with Oracle GoldenGate's Extract and Replicat Utilities (p. 337)

Troubleshooting Issues When Using Oracle GoldenGate with Amazon RDS (p. 340)

The following are important points to know when working with Oracle GoldenGate on Amazon RDS:

• Oracle GoldenGate with Amazon RDS is available under the “Bring-your-own-license” model in all AWS regions. You are responsible for the setup and management of GoldenGate on Amazon RDS.

• You can use GoldenGate on Amazon RDS with Oracle Database Standard Edition One (SE1), Standard Edition (SE), and Enterprise Edition (EE).

• The Oracle database version must be version 11.2.0.3, 11.2.0.4, 12.1.0.1, or 12.1.0.2 and you must use Oracle GoldenGate version 11.2.1.

• Amazon RDS supports migration and replication across Oracle databases using Oracle GoldenGate. We neither support nor prevent customers from migrating or replicating across heterogeneous databases.

• You can use GoldenGate on Amazon RDS Oracle DB instances that use Oracle Transparent Data Encryption (TDE). Since trail files save data unencrypted by default, you should encrypt the pipeline between the source instance, the GoldenGate hub, and the target instance using sqlnet.ora encryption. For more information on sqlnet.ora encryption, see the Oracle documentation.

• Oracle GoldenGate DDL is not currently supported.

The Oracle GoldenGate architecture for use with Amazon RDS consists of three decoupled modules. The source database can be either an on-premises Oracle database, an Oracle database on an EC2 instance, or an Oracle database on an Amazon RDS DB instance. Next, the GoldenGate hub, which moves transaction information from the source database to the target database, can be either an EC2 instance with Oracle Database 11.2.0.3 or 11.2.0.4 and with GoldenGate 11.2.1 installed, or an on-premises Oracle installation. You can have more than one EC2 hub, and we recommend that you use two hubs if you are using GoldenGate for cross-region replication. Finally, the target database can be either on an Amazon RDS DB instance, on an EC2 instance, or on an on-premises location.

Oracle GoldenGate on Amazon RDS supports the following common scenarios:

Scenario 1: An on-premises Oracle source database and an on-premises Oracle GoldenGate hub that provides data to a target Amazon RDS DB instance


Scenario 2: An on-premises Oracle database that acts as the source database, connected to an Amazon EC2 instance hub that provides data to a target Amazon RDS DB instance

Scenario 3: An Oracle database on an Amazon RDS DB instance that acts as the source database, connected to an Amazon EC2 instance hub that provides data to a target Amazon RDS DB instance


Scenario 4: An Oracle database on an Amazon EC2 instance that acts as the source database, connected to an Amazon EC2 instance hub that provides data to a target Amazon RDS DB instance

Scenario 5: An Oracle database on an Amazon RDS DB instance connected to an Amazon EC2 instance hub in the same region, connected to an Amazon EC2 instance hub in a different region that provides data to the target Amazon RDS DB instance in the same region as the second EC2 instance hub.


Note

Any issues that impact running Oracle GoldenGate on an on-premises environment will also impact running GoldenGate on AWS. We strongly recommend that you monitor the GoldenGate hub to ensure that Extract and Replicat are resumed if a failover occurs. Since the GoldenGate hub is run on an Amazon EC2 instance, Amazon RDS does not manage the GoldenGate hub and cannot ensure that it is running.

You can use GoldenGate using Amazon RDS to upgrade to major versions of Oracle. For example, you can use GoldenGate using Amazon RDS to upgrade from an Oracle version 8 on-premises database to an Oracle database running version 11.2.0.3 or 11.2.0.4 on an Amazon RDS DB instance.

To set up Oracle GoldenGate using Amazon RDS, you configure the hub on the EC2 instance, and then configure the source and target databases. The following steps show how to set up GoldenGate for use with Amazon RDS. Each step is explained in detail in the following sections:

Setting Up an Oracle GoldenGate Hub on EC2 (p. 329)

Setting Up a Source Database for Use with GoldenGate on Amazon RDS (p. 331)

Setting Up a Target Database for Use with GoldenGate on Amazon RDS (p. 335)

Working with Oracle GoldenGate's Extract and Replicat Utilities (p. 337)

Setting Up an Oracle GoldenGate Hub on EC2

There are several steps to creating an Oracle GoldenGate hub on an Amazon EC2 instance. First, you create an EC2 instance with a full installation of Oracle DBMS 11g version 11.2.0.3 or 11.2.0.4. The EC2 instance must also have Oracle GoldenGate 11.2.1 software installed, and you must have Oracle patch 13328193 installed. For more information about installing GoldenGate, see the Oracle documentation.

Since the EC2 instance that is serving as the GoldenGate hub stores and processes the transaction information from the source database into trail files, you must have enough allocated storage to store the trail files. You must also ensure that the EC2 instance has enough processing power to manage the amount of data being processed and enough memory to store the transaction information before it is written to the trail file.


The following tasks set up a GoldenGate hub on an Amazon EC2 instance; each task is explained in detail in this section. The tasks include:

• Add an alias to the tnsnames.ora file

• Create the GoldenGate subdirectories

• Update the GLOBALS parameter file

• Configure the mgr.prm file and start the manager

Add the following entry to the tnsnames.ora file to create an alias. For more information on the tnsnames.ora file, see the Oracle documentation.

$ cat /example/config/tnsnames.ora
TEST=
  (DESCRIPTION=
    (ENABLE=BROKEN)
    (ADDRESS_LIST=
      (ADDRESS=(PROTOCOL=TCP)(HOST=goldengate-test.abcdef12345.us-west-2.rds.amazonaws.com)(PORT=8200))
    )
    (CONNECT_DATA=
      (SID=ORCL)
    )
  )

Next, create subdirectories in the GoldenGate directory using the EC2 command line shell and ggsci, the GoldenGate command interpreter. The subdirectories are created under the gg directory and include directories for parameter, report, and checkpoint files.

prompt$ cd /gg
prompt$ ./ggsci
GGSCI> CREATE SUBDIRS

Create a GLOBALS parameter file using the EC2 command line shell. Parameters that affect all GoldenGate processes are defined in the GLOBALS parameter file. The following example creates the necessary file:

prompt$ cd $GGHOME
prompt$ vi GLOBALS

CheckpointTable oggadm1.oggchkpt

The last step in setting up and configuring the GoldenGate hub is to configure the manager. Add the following lines to the mgr.prm file, then start the manager using ggsci:

PORT 8199

PurgeOldExtracts ./dirdat/*, UseCheckpoints, MINKEEPDAYS 5

GGSCI> start mgr

Once you have completed these steps, the GoldenGate hub is ready for use. Next, you set up the source and target databases.


Setting Up a Source Database for Use with GoldenGate on Amazon RDS

There are several differences in the setup steps between a source database running Oracle version 11.2.0.3 and version 11.2.0.4. See the appropriate version for the correct setup steps.

Topics

For Source Databases Running Oracle 11.2.0.3 (p. 331)

For Source Databases Running Oracle 11.2.0.4 or Later (p. 333)

For Source Databases Running Oracle 11.2.0.3

The following tasks set up a source database running version 11.2.0.3 for use with GoldenGate; each task is explained in detail in this section. The tasks include:

• Set the compatible parameter to 11.2.0.3.

• Enable supplemental logging.

• Set the retention period for archived redo logs for the GoldenGate source database.

• Create a GoldenGate user account on the source database.

• Grant the necessary privileges to the GoldenGate user.

The source database must have the compatible parameter set to 11.2.0.3. If you are using an Oracle database on an Amazon RDS DB instance as the source database, you must have a parameter group with the compatible parameter set to 11.2.0.3 associated with the DB instance. If you change the compatible parameter in a parameter group associated with the DB instance, the change requires an instance reboot. You can use the following AWS CLI commands to create a new parameter group and set the compatible parameter. Note that you must associate the new parameter group with the source DB instance:

For Linux, OS X, or Unix:

aws rds create-db-parameter-group \
    --db-parameter-group-name example-goldengate \
    --description "Parameters to allow GoldenGate" \
    --db-parameter-group-family oracle-ee-11.2

aws rds modify-db-parameter-group \
    --db-parameter-group-name example-goldengate \
    --parameters "name=compatible, value=11.2.0.3, method=pending-reboot"

aws rds modify-db-instance \
    --db-instance-identifier example-test \
    --db-parameter-group-name example-goldengate \
    --apply-immediately

aws rds reboot-db-instance \
    --db-instance-identifier example-test

For Windows:

aws rds create-db-parameter-group ^
    --db-parameter-group-name example-goldengate ^
    --description "Parameters to allow GoldenGate" ^
    --db-parameter-group-family oracle-ee-11.2

aws rds modify-db-parameter-group ^
    --db-parameter-group-name example-goldengate ^
    --parameters "name=compatible, value=11.2.0.3, method=pending-reboot"

aws rds modify-db-instance ^
    --db-instance-identifier example-test ^
    --db-parameter-group-name example-goldengate ^
    --apply-immediately

aws rds reboot-db-instance ^
    --db-instance-identifier example-test

Always retain the parameter group with the compatible parameter. If you restore an instance from a DB snapshot, you must modify the restored instance to use the parameter group that has a matching or greater compatible parameter value. This should be done as soon as possible after the restore action and will require a reboot of the instance.

The source database must have the supplemental logging parameter enabled. If you are using an Oracle database on an Amazon RDS DB instance as the source database, you can use the following Amazon RDS procedures to enable supplemental logging:

exec rdsadmin.rdsadmin_util.alter_supplemental_logging('ADD');
exec rdsadmin.rdsadmin_util.force_logging(true);
exec rdsadmin.rdsadmin_util.switch_logfile;

The source database must also retain archived redo logs. For example, the following command sets the retention period for archived redo logs to 24 hours:

exec rdsadmin.rdsadmin_util.set_configuration('archivelog retention hours',24);

The duration for log retention is specified in hours. The duration should exceed any potential downtime of the source instance or any potential communication/networking issues to the source instance, so that Oracle GoldenGate can recover logs from the source instance as needed. The absolute minimum value required is one (1) hour of logs retained.

A log retention setting that is too small will result in the following message:

ERROR OGG-02028 Failed to attach to logmining server OGG$<extract_name> error 26927 - ORA-26927: altering an outbound server with a remote capture is not allowed.

Because these logs are retained on your DB instance, you need to ensure that you have enough storage available on your instance to accommodate the log files. To see how much space you have used in the last "X" hours, use the following query, replacing "X" with the number of hours.

select sum(blocks * block_size) bytes from v$archived_log

where next_time>=sysdate-X/24 and dest_id=1;

GoldenGate runs as a database user and must have the appropriate database privileges to access the redo and archive logs for the source database, so you must create a GoldenGate user account on the source database. For more information about the permissions for a GoldenGate user account, see section 4, section 4.4, and table 4.1 in the Oracle documentation.

The following statements create a user account named oggadm1:

CREATE tablespace administrator;

CREATE USER oggadm1 IDENTIFIED BY "XXXXXX"

default tablespace ADMINISTRATOR temporary tablespace TEMP;

Finally, grant the necessary privileges to the GoldenGate user account. The following statements grant privileges to a user named oggadm1:

grant create session, alter session to oggadm1;
grant resource to oggadm1;
grant select any dictionary to oggadm1;
grant flashback any table to oggadm1;
grant select any table to oggadm1;
grant select_catalog_role to <RDS instance master username> with admin option;
exec RDSADMIN.RDSADMIN_UTIL.GRANT_SYS_OBJECT ('DBA_CLUSTERS', 'OGGADM1');
grant execute on dbms_flashback to oggadm1;
grant select on SYS.v_$database to oggadm1;
grant alter any table to oggadm1;

EXEC DBMS_GOLDENGATE_AUTH.GRANT_ADMIN_PRIVILEGE (grantee=>'OGGADM1',
    privilege_type=>'capture',
    grant_select_privileges=>true,
    do_grants=>TRUE);

For Source Databases Running Oracle 11.2.0.4 or Later

When your source database is running version 11.2.0.4 or later, there are three tasks you need to accomplish to set up a source database for use with GoldenGate:

• Set the compatible parameter to 11.2.0.4 or later.

• Set the ENABLE_GOLDENGATE_REPLICATION parameter to True. This parameter turns on supplemental logging for the source database. If your source database is on an Amazon RDS DB instance, you must have a parameter group assigned to the DB instance with the ENABLE_GOLDENGATE_REPLICATION parameter set to true. For more information about the ENABLE_GOLDENGATE_REPLICATION parameter, see the Oracle documentation.

• Set the retention period for archived redo logs for the GoldenGate source database.

• Create a GoldenGate user account on the source database.

• Grant the necessary privileges to the GoldenGate user.

The source database must have the compatible parameter set to 11.2.0.4 or later. If you are using an Oracle database on an Amazon RDS DB instance as the source database, you must have a parameter group with the compatible parameter set to 11.2.0.4 or later associated with the DB instance. If you change the compatible parameter in a parameter group associated with the DB instance, the change requires an instance reboot. You can use the following Amazon RDS CLI commands to create a new parameter group and set the compatible parameter. Note that you must associate the new parameter group with the source DB instance:

For Linux, OS X, or Unix:

aws rds create-db-parameter-group \
    --db-parameter-group-name example-goldengate \
    --description "Parameters to allow GoldenGate" \
    --db-parameter-group-family oracle-ee-11.2

aws rds modify-db-parameter-group \
    --db-parameter-group-name example-goldengate \
    --parameters "name=compatible, value=11.2.0.4, method=pending-reboot"

aws rds modify-db-instance \
    --db-instance-identifier example-test \
    --db-parameter-group-name example-goldengate \
    --apply-immediately

aws rds reboot-db-instance \
    --db-instance-identifier example-test

For Windows:

aws rds create-db-parameter-group ^
    --db-parameter-group-name example-goldengate ^
    --description "Parameters to allow GoldenGate" ^
    --db-parameter-group-family oracle-ee-11.2

aws rds modify-db-parameter-group ^
    --db-parameter-group-name example-goldengate ^
    --parameters "name=compatible, value=11.2.0.4, method=pending-reboot"

aws rds modify-db-instance ^
    --db-instance-identifier example-test ^
    --db-parameter-group-name example-goldengate ^
    --apply-immediately

aws rds reboot-db-instance ^
    --db-instance-identifier example-test

Always retain the parameter group with the compatible parameter. If you restore an instance from a DB snapshot, you must modify the restored instance to use the parameter group that has a matching or greater compatible parameter value. This should be done as soon as possible after the restore action and will require a reboot of the instance.

The ENABLE_GOLDENGATE_REPLICATION parameter, when set to True, turns on supplemental logging for the source database and configures the required GoldenGate permissions. If your source database is on an Amazon RDS DB instance, you must have a parameter group assigned to the DB instance with the ENABLE_GOLDENGATE_REPLICATION parameter set to true. For more information about the ENABLE_GOLDENGATE_REPLICATION parameter, see the Oracle documentation.

The source database must also retain archived redo logs. For example, the following command sets the retention period for archived redo logs to 24 hours:

exec rdsadmin.rdsadmin_util.set_configuration('archivelog retention hours',24);

The duration for log retention is specified in hours. The duration should exceed any potential downtime of the source instance or any potential communication/networking issues to the source instance, so that Oracle GoldenGate can recover logs from the source instance as needed. The absolute minimum value required is one (1) hour of logs retained.

A log retention setting that is too small will result in the following message:

ERROR OGG-02028 Failed to attach to logmining server OGG$<extract_name> error 26927 - ORA-26927: altering an outbound server with a remote capture is not allowed.

Because these logs are retained on your DB instance, you need to ensure that you have enough storage available on your instance to accommodate the log files. To see how much space you have used in the last "X" hours, use the following query, replacing "X" with the number of hours.

select sum(blocks * block_size) bytes from v$archived_log

where next_time>=sysdate-X/24 and dest_id=1;
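The retention and storage sizing described above (the same guidance appears in the 11.2.0.3 section), as an added example that is not Amazon RDS code: it mirrors the page's v$archived_log query on constructed rows, picks an archivelog retention hours value that exceeds the worst expected outage without dropping below the one-hour minimum, checks the projected log volume against free storage, and recognises the OGG-02028 / ORA-26927 message in report lines. The row values, NOW and the free-space figures are assumptions.

```python
"""Archived redo log retention sizing for a GoldenGate source (added example, not
Amazon RDS code). ARCHIVED_LOGS is a constructed stand-in for v$archived_log rows;
a real check would fetch them with the query shown in the text."""
from datetime import datetime, timedelta

NOW = datetime(2016, 6, 1, 12, 0, 0)          # stands in for SYSDATE (constructed)
MIN_RETENTION_HOURS = 1                       # absolute minimum stated in the text

# Constructed v$archived_log rows: (blocks, block_size, next_time, dest_id).
# Each log is 204800 blocks * 512 bytes = 100 MiB.
ARCHIVED_LOGS = [
    (204_800, 512, NOW - timedelta(minutes=30), 1),
    (204_800, 512, NOW - timedelta(hours=1, minutes=30), 1),
    (204_800, 512, NOW - timedelta(hours=2, minutes=30), 1),
    (204_800, 512, NOW - timedelta(hours=5), 1),
    (204_800, 512, NOW - timedelta(hours=12), 1),
    (204_800, 512, NOW - timedelta(hours=30), 1),   # older than 24 hours
    (204_800, 512, NOW - timedelta(hours=1), 2),    # other destination, ignored
]


def archive_bytes_last_hours(rows, hours, now=NOW):
    """Same arithmetic as the page's query: sum(blocks * block_size) over rows
    with next_time >= sysdate - X/24 and dest_id = 1."""
    cutoff = now - timedelta(hours=hours)
    return sum(blocks * block_size
               for blocks, block_size, next_time, dest_id in rows
               if next_time >= cutoff and dest_id == 1)


def plan_retention(rows, max_outage_hours, free_bytes, now=NOW):
    """Choose 'archivelog retention hours' so that it exceeds the longest outage or
    network interruption expected for the source, never below the 1-hour minimum,
    and project the space that many hours of logs need from the last 24 hours' rate."""
    hours = max(MIN_RETENTION_HOURS, max_outage_hours + 1)   # +1 so it exceeds the outage
    per_day = archive_bytes_last_hours(rows, 24, now)
    projected = per_day * hours // 24          # integer arithmetic, no rounding noise
    return {
        "archivelog_retention_hours": hours,
        "projected_bytes": projected,
        "fits_in_free_storage": projected <= free_bytes,
        "command": "exec rdsadmin.rdsadmin_util.set_configuration"
                   f"('archivelog retention hours',{hours});",
    }


def retention_too_small(report_lines):
    """Detect the OGG-02028 / ORA-26927 pair the text says a too-small setting produces
    (the message may be wrapped across lines, so the lines are joined first)."""
    text = " ".join(line.strip() for line in report_lines)
    return "OGG-02028" in text and "ORA-26927" in text


if __name__ == "__main__":
    print(archive_bytes_last_hours(ARCHIVED_LOGS, 1))      # 104857600
    print(plan_retention(ARCHIVED_LOGS, 5, 200_000_000))
```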

GoldenGate runs as a database user and must have the appropriate database privileges to access the redo and archive logs for the source database, so you must create a GoldenGate user account on the source database. For more information about the permissions for a GoldenGate user account, see section 4, section 4.4, and table 4.1 in the Oracle documentation.

The following statements create a user account named oggadm1:

CREATE tablespace administrator;

CREATE USER oggadm1 IDENTIFIED BY "XXXXXX"

default tablespace ADMINISTRATOR temporary tablespace TEMP;

Finally, grant the necessary privileges to the GoldenGate user account. The following statements grant privileges to a user named oggadm1:

grant create session, alter session to oggadm1;
grant resource to oggadm1;
grant select any dictionary to oggadm1;
grant flashback any table to oggadm1;
grant select any table to oggadm1;
grant select_catalog_role to <RDS instance master username> with admin option;
exec RDSADMIN.RDSADMIN_UTIL.GRANT_SYS_OBJECT ('DBA_CLUSTERS', 'OGGADM1');
grant execute on dbms_flashback to oggadm1;
grant select on SYS.v_$database to oggadm1;
grant alter any table to oggadm1;

EXEC DBMS_GOLDENGATE_AUTH.GRANT_ADMIN_PRIVILEGE (grantee=>'OGGADM1',
    privilege_type=>'capture',
    grant_select_privileges=>true,
    do_grants=>TRUE);

Setting Up a Target Database for Use with GoldenGate on Amazon RDS

Oracle has recently simplified the setup for using GoldenGate. For example, the configuration tasks to set up GoldenGate support for version 12.1.0.1 are the same as the configuration tasks to set up GoldenGate support for version 11.2.0.3. Similarly, the configuration tasks to set up GoldenGate support for version 12.1.0.2 are the same as the configuration tasks to set up GoldenGate support for version 11.2.0.4.


Target Databases Setup for Running GoldenGate on Oracle 11.2.0.3 or Oracle 12.1.0.1

The following tasks set up a target DB instance for use with GoldenGate:

• Set the compatible parameter to 11.2.0.3 or later

• Create and manage a GoldenGate user account on the target database

• Grant the necessary privileges to the GoldenGate user

GoldenGate runs as a database user and must have the appropriate database privileges, so you must create a GoldenGate user account on the target database. The following statements create a user named oggadm1:

create tablespace administrator;
create tablespace administrator_idx;
CREATE USER oggadm1 IDENTIFIED BY "XXXXXX"
default tablespace ADMINISTRATOR temporary tablespace TEMP;
alter user oggadm1 quota unlimited on ADMINISTRATOR;
alter user oggadm1 quota unlimited on ADMINISTRATOR_IDX;

Finally, grant the necessary privileges to the GoldenGate user account. The following statements grant privileges to a user named oggadm1:

grant create session to oggadm1;
grant alter session to oggadm1;
grant CREATE CLUSTER to oggadm1;
grant CREATE INDEXTYPE to oggadm1;
grant CREATE OPERATOR to oggadm1;
grant CREATE PROCEDURE to oggadm1;
grant CREATE SEQUENCE to oggadm1;
grant CREATE TABLE to oggadm1;
grant CREATE TRIGGER to oggadm1;
grant CREATE TYPE to oggadm1;
grant select any dictionary to oggadm1;
grant create any table to oggadm1;
grant alter any table to oggadm1;
grant lock any table to oggadm1;
grant select any table to oggadm1;
grant insert any table to oggadm1;
grant update any table to oggadm1;
grant delete any table to oggadm1;

EXEC DBMS_GOLDENGATE_AUTH.GRANT_ADMIN_PRIVILEGE
    (grantee=>'OGGADM1',privilege_type=>'apply',
    grant_select_privileges=>true, do_grants=>TRUE);

Target Databases Setup for Running GoldenGate on Oracle 11.2.0.4, Oracle 12.1.0.2 or Later

The following tasks set up a target DB instance for use with GoldenGate:

• Set the compatible parameter to 11.2.0.4 or later

• Set the ENABLE_GOLDENGATE_REPLICATION parameter to True. If your target database is on an Amazon RDS DB instance, you must have a parameter group assigned to the DB instance with the ENABLE_GOLDENGATE_REPLICATION parameter set to true. For more information about the ENABLE_GOLDENGATE_REPLICATION parameter, see the Oracle documentation.

• Create and manage a GoldenGate user account on the target database

• Grant the necessary privileges to the GoldenGate user

GoldenGate runs as a database user and must have the appropriate database privileges, so you must create a GoldenGate user account on the target database. The following statements create a user named oggadm1:

create tablespace administrator;
create tablespace administrator_idx;
CREATE USER oggadm1 IDENTIFIED BY "XXXXXX"
default tablespace ADMINISTRATOR temporary tablespace TEMP;
alter user oggadm1 quota unlimited on ADMINISTRATOR;
alter user oggadm1 quota unlimited on ADMINISTRATOR_IDX;

Finally, grant the necessary privileges to the GoldenGate user account. The following statements grant privileges to a user named oggadm1:

grant create session to oggadm1;
grant alter session to oggadm1;
grant CREATE CLUSTER to oggadm1;
grant CREATE INDEXTYPE to oggadm1;
grant CREATE OPERATOR to oggadm1;
grant CREATE PROCEDURE to oggadm1;
grant CREATE SEQUENCE to oggadm1;
grant CREATE TABLE to oggadm1;
grant CREATE TRIGGER to oggadm1;
grant CREATE TYPE to oggadm1;
grant select any dictionary to oggadm1;
grant create any table to oggadm1;
grant alter any table to oggadm1;
grant lock any table to oggadm1;
grant select any table to oggadm1;
grant insert any table to oggadm1;
grant update any table to oggadm1;
grant delete any table to oggadm1;

EXEC DBMS_GOLDENGATE_AUTH.GRANT_ADMIN_PRIVILEGE
    (grantee=>'OGGADM1',privilege_type=>'apply',
    grant_select_privileges=>true, do_grants=>TRUE);

Working with Oracle GoldenGate's Extract and Replicat Utilities

The Oracle GoldenGate utilities Extract and Replicat work together to keep the source and target databases in sync via incremental transaction replication using trail files. All changes that occur on the source database are automatically detected by Extract, then formatted and transferred to trail files on the GoldenGate on-premises or EC2-instance hub. After initial load is completed, the data is read from these files and replicated to the target database by the Replicat utility.


Running Oracle GoldenGate's Extract Utility

The Extract utility retrieves, converts, and outputs data from the source database to trail files. Extract queues transaction details to memory or to temporary disk storage. When the transaction is committed to the source database, Extract flushes all of the transaction details to a trail file for routing to the GoldenGate on-premises or EC2-instance hub and then to the target database.

The following tasks enable and start the Extract utility:

• Configure the Extract parameter file on the GoldenGate hub (on-premises or EC2 instance). The following listing shows an example Extract parameter file.

EXTRACT EABC

SETENV (ORACLE_SID=ORCL)

SETENV (NLSLANG=AL32UTF8)

USERID [email protected], PASSWORD XXXXXX

EXTTRAIL /path/to/goldengate/dirdat/ab

IGNOREREPLICATES

GETAPPLOPS

TRANLOGOPTIONS EXCLUDEUSER OGGADM1

TABLE EXAMPLE.TABLE;

• On the GoldenGate hub, launch the GoldenGate command line interface (ggsci). Log into the source database. The following example shows the format for logging in:

dblogin userid <user>@<db tnsname>

• Add a checkpoint table for the database:

add checkpointtable

• Add trandata to turn on supplemental logging for the database table:

add trandata <user>.<table>

Alternatively, you can add trandata to turn on supplemental logging for all tables in the database:

add trandata <user>.*

• Using the ggsci command line, enable the Extract utility using the following commands:

add extract <extract name> tranlog, INTEGRATED tranlog, begin now
add exttrail <path-to-trail-from-the param-file> extract <extractname-from-paramfile>, MEGABYTES Xm

• Register the Extract utility with the database so that the archive logs are not deleted. This allows you to recover old, uncommitted transactions if necessary. To register the Extract utility with the database, use the following command:

register EXTRACT <extract process name>, DATABASE

• To start the Extract utility, use the following command: start <extract process name>

Running Oracle GoldenGate's Replicat Utility

The Replicat utility is used to "push" transaction information in the trail files to the target database.

The following tasks enable and start the Replicat utility:

• Configure the Replicat parameter file on the GoldenGate hub (on-premises or EC2 instance). The following listing shows an example Replicat parameter file.

REPLICAT RABC
SETENV (ORACLE_SID=ORCL)
SETENV (NLS_LANG=AL32UTF8)
USERID <user>@<db tnsname>, PASSWORD XXXXXX
-- Source and target tables have identical definitions
ASSUMETARGETDEFS
MAP EXAMPLE.TABLE, TARGET EXAMPLE.TABLE;

• Launch the GoldenGate command line interface (ggsci). Log into the target database. The following example shows the format for logging in:

dblogin userid <user>@<db tnsname>

• Using the ggsci command line, add a checkpoint table. Note that the user indicated should be the GoldenGate user account, not the target table schema owner. The following example creates a checkpoint table named gg_checkpoint.

add checkpointtable <user>.gg_checkpoint

• To enable the replicat utility, use the following command:

add replicat <replicat name> EXTTRAIL <extract trail file> CHECKPOINTTABLE <user>.gg_checkpoint

• To start the replicat utility, use the following command: start <replicat name>
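As an added example (not from the guide), the following Python script cross-checks an Extract/Replicat parameter file pair against the ggsci commands used to register them, catching the mismatches the steps above warn about (trail path, missing register step, checkpoint table owned by the target schema rather than the GoldenGate user). The user name ggadmin, the TNS names SRCDB/TGTDB and the trail path are constructed placeholders.

```python
import re
from typing import Dict, List

# Constructed sample inputs modelled on the parameter files and ggsci commands above;
# the user ggadmin, the TNS names SRCDB/TGTDB and the trail path are placeholders.
EXTRACT_PRM = """EXTRACT EABC
SETENV (ORACLE_SID=ORCL)
SETENV (NLS_LANG=AL32UTF8)
USERID ggadmin@SRCDB, PASSWORD XXXXXX
EXTTRAIL /path/to/goldengate/dirdat/ab
IGNOREREPLICATES
GETAPPLOPS
TRANLOGOPTIONS EXCLUDEUSER GGADMIN
TABLE EXAMPLE.TABLE;
"""
REPLICAT_PRM = """REPLICAT RABC
SETENV (ORACLE_SID=ORCL)
SETENV (NLS_LANG=AL32UTF8)
USERID ggadmin@TGTDB, PASSWORD XXXXXX
ASSUMETARGETDEFS
MAP EXAMPLE.TABLE, TARGET EXAMPLE.TABLE;
"""
GGSCI_OK = [
    "add extract EABC tranlog, INTEGRATED tranlog, begin now",
    "add exttrail /path/to/goldengate/dirdat/ab, extract EABC, MEGABYTES 100",
    "register EXTRACT EABC, DATABASE",
    "add checkpointtable ggadmin.gg_checkpoint",
    "add replicat RABC EXTTRAIL /path/to/goldengate/dirdat/ab CHECKPOINTTABLE ggadmin.gg_checkpoint",
]
# Same pair with a different trail, no register step, and a checkpoint table in the target schema.
GGSCI_BAD = [
    "add extract EABC tranlog, INTEGRATED tranlog, begin now",
    "add exttrail /path/to/goldengate/dirdat/zz, extract EABC, MEGABYTES 100",
    "add replicat RABC EXTTRAIL /path/to/goldengate/dirdat/zz CHECKPOINTTABLE EXAMPLE.gg_checkpoint",
]

_ADD_EXTRACT = re.compile(r"^add\s+extract\s+(\w+)", re.I)
_ADD_EXTTRAIL = re.compile(r"^add\s+exttrail\s+([^,\s]+)\s*,\s*extract\s+(\w+)", re.I)
_REGISTER = re.compile(r"^register\s+extract\s+(\w+)\s*,\s*database", re.I)
_ADD_REPLICAT = re.compile(r"^add\s+replicat\s+(\w+)\s+exttrail\s+(\S+)(?:\s+checkpointtable\s+(\S+))?", re.I)


def parse_prm(text: str) -> Dict[str, object]:
    """Pull out the parameters the cross-checks need; '--' starts a comment in .prm files."""
    p: Dict[str, object] = {"name": None, "user": None, "exttrail": None, "excludeuser": None, "targets": set()}
    for raw in text.splitlines():
        tok = raw.split("--", 1)[0].strip().rstrip(";").split()
        if not tok:
            continue
        key, line = tok[0].upper(), " ".join(tok)
        if key in ("EXTRACT", "REPLICAT") and len(tok) > 1:
            p["name"] = tok[1].upper()
        elif key == "USERID" and len(tok) > 1:
            p["user"] = tok[1].rstrip(",").split("@", 1)[0].upper()
        elif key == "EXTTRAIL" and len(tok) > 1:
            p["exttrail"] = tok[1]
        elif key == "TRANLOGOPTIONS" and (m := re.search(r"EXCLUDEUSER\s+(\w+)", line, re.I)):
            p["excludeuser"] = m.group(1).upper()
        elif key == "MAP" and (m := re.search(r"TARGET\s+(\w+)\.", line, re.I)):
            p["targets"].add(m.group(1).upper())
    return p


def check_pair(extract_prm: str, replicat_prm: str, ggsci: List[str]) -> List[str]:
    """Return findings; an empty list means the .prm files and the ggsci registration agree."""
    ext, rep = parse_prm(extract_prm), parse_prm(replicat_prm)
    seen: Dict[str, object] = {}
    for cmd in (c.strip() for c in ggsci):
        if m := _ADD_EXTRACT.match(cmd):
            seen["extract"] = m.group(1).upper()
        elif m := _ADD_EXTTRAIL.match(cmd):
            seen["trail"], seen["trail_extract"] = m.group(1), m.group(2).upper()
        elif m := _REGISTER.match(cmd):
            seen["registered"] = m.group(1).upper()
        elif m := _ADD_REPLICAT.match(cmd):
            seen["replicat"], seen["rep_trail"] = m.group(1).upper(), m.group(2)
            seen["ckpt_owner"] = m.group(3).split(".", 1)[0].upper() if m.group(3) else None
    f = []
    if seen.get("extract") != ext["name"]:
        f.append(f"add extract names {seen.get('extract')}, parameter file says EXTRACT {ext['name']}")
    if seen.get("trail") != ext["exttrail"] or seen.get("trail_extract") != ext["name"]:
        f.append("add exttrail does not match the EXTTRAIL/EXTRACT values in the Extract parameter file")
    if seen.get("registered") != ext["name"]:
        f.append("Extract is not registered with the database (archive logs may be deleted)")
    if seen.get("replicat") != rep["name"]:
        f.append(f"add replicat names {seen.get('replicat')}, parameter file says REPLICAT {rep['name']}")
    if seen.get("rep_trail") != ext["exttrail"]:
        f.append("Replicat reads a different trail than Extract writes")
    owner = seen.get("ckpt_owner")
    if owner is None:
        f.append("add replicat has no CHECKPOINTTABLE")
    elif owner != rep["user"] or owner in rep["targets"]:
        f.append(f"checkpoint table owner {owner} is not the GoldenGate user {rep['user']}")
    if ext["excludeuser"] != ext["user"]:
        f.append("TRANLOGOPTIONS EXCLUDEUSER does not name the Extract USERID user")
    return f
```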


Troubleshooting Issues When Using Oracle GoldenGate with Amazon RDS

This section explains the most common issues when using GoldenGate with Amazon RDS.

Topics

Using GoldenGate with Amazon EC2 Instances (p. 340)

Log Retention (p. 340)

GoldenGate appears to be properly configured but replication is not working (p. 340)

Using GoldenGate with Amazon EC2 Instances

If you are using GoldenGate with an EC2 instance, the EC2 instance must have a full installation of Oracle DBMS 11g version 11.2.0.4. The EC2 instance must also have Oracle GoldenGate 11.2.1 installed, and you must have Oracle patch 13328193 installed. If you do not have these items correctly installed, you will see this error message:

2014-03-06 07:09:21 ERROR OGG-02021 This database lacks the required libraries to support integrated capture.

To determine what patches you currently have installed, run the command opatch lsinventory on your EC2 instance.

Log Retention

You must have log retention enabled. If you do not, or if the retention value is too small, you will see the following message:

2014-03-06 06:17:27 ERROR OGG-00446 error 2 (No such file or directory) opening redo log /rdsdbdata/db/GGTEST3_A/onlinelog/o1_mf_2_9k4bp1n6_.log for sequence 1306Not able to establish initial position for begin time 2014-03-06 06:16:55.
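Added example, not from the guide: a small triage routine that recognizes the two error messages in this section in ggserr.log-style text and maps each to the remedy the text gives, pulling the missing redo log path and sequence out of OGG-00446. The sample log is constructed from the messages shown; OGG-99999 is a made-up code for an unrelated line.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

_LINE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<sev>ERROR|WARNING|INFO)\s+"
                   r"(?P<code>OGG-\d{5})\s+(?P<msg>.*)$")
_REDO = re.compile(r"opening redo log (?P<path>\S+) for sequence (?P<seq>\d+)")

# Remedies as given in the troubleshooting section above.
REMEDY = {
    "OGG-02021": "integrated capture libraries missing on the EC2 hub: check for Oracle 11.2.0.4, "
                 "GoldenGate 11.2.1 and patch 13328193 with opatch lsinventory",
    "OGG-00446": "redo log not available: enable log retention on the RDS instance, or raise the "
                 "retention value so the log for this sequence is still kept",
}


@dataclass
class Finding:
    timestamp: str
    code: str
    remedy: str
    detail: Optional[str] = None


def parse_log(text: str) -> List[dict]:
    """Split ggserr.log-style text into entries; lines without a timestamp continue the previous entry."""
    entries: List[dict] = []
    for raw in text.splitlines():
        m = _LINE.match(raw)
        if m:
            entries.append(m.groupdict())
        elif entries and raw.strip():
            entries[-1]["msg"] += " " + raw.strip()
    return entries


def triage(text: str) -> List[Finding]:
    """One Finding per ERROR entry whose code is in REMEDY, in log order."""
    findings = []
    for e in parse_log(text):
        if e["sev"] != "ERROR" or e["code"] not in REMEDY:
            continue
        detail = None
        if r := _REDO.search(e["msg"]):
            detail = f"missing {r.group('path')} (sequence {r.group('seq')})"
        findings.append(Finding(e["ts"], e["code"], REMEDY[e["code"]], detail))
    return findings


# Constructed sample log modelled on the messages above; the last line is a made-up INFO entry.
SAMPLE_LOG = """2014-03-06 06:17:27 ERROR OGG-00446 error 2 (No such file or directory) opening redo log /rdsdbdata/db/GGTEST3_A/onlinelog/o1_mf_2_9k4bp1n6_.log for sequence 1306
Not able to establish initial position for begin time 2014-03-06 06:16:55.
2014-03-06 07:09:21 ERROR OGG-02021 This database lacks the required libraries to support integrated capture.
2014-03-06 07:10:02 INFO OGG-99999 placeholder informational entry
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.timestamp, f.code, f.detail or "", "->", f.remedy)
```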

GoldenGate appears to be properly configured but replication is not working

For pre-existing tables, GoldenGate needs to be told which SCN it should work from. Take the following steps to fix this issue:

• Launch the GoldenGate command line interface (ggsci). Log into the source database. The following example shows the format for logging in:

dblogin userid <user>@<db tnsname>

• Using the ggsci command line, set up the start SCN for the extract process and then start it. The following example sets the SCN to 223274 for the extract:

ALTER EXTRACT <extract process name> SCN 223274
start <extract process name>


• Log into the target database. The following example shows the format for logging in:

dblogin userid <user>@<db tnsname>

• Using the ggsci command line, set up the start SCN for the replicat process. The following example sets the SCN to 223274 for the replicat:

start <replicat process name> atcsn 223274


Appendix: Using AWS CloudHSM to Store Amazon RDS Oracle TDE Keys

AWS CloudHSM is a service that lets you use a hardware appliance called a hardware security module (HSM) that provides secure key storage and cryptographic operations. You can use AWS CloudHSM with an Oracle Enterprise Edition DB instance to store TDE keys when using Oracle Transparent Data Encryption (TDE). You enable an Amazon RDS DB instance to use AWS CloudHSM by setting up an HSM appliance, setting the proper permissions for cross-service access, and then setting up Amazon RDS and the DB instance that will use AWS CloudHSM.

The number of Oracle databases you can support on a single CloudHSM partition will depend on the rotation schedule you choose for your data. You should rotate your keys as often as your data needs require. The PCI-DSS documentation and the National Institute of Standards and Technology (NIST) provide guidance on appropriate key rotation frequency. You can maintain approximately 10,000 symmetric master keys per CloudHSM device. Note that after key rotation the old master key remains on the partition and is still counted against the per-partition maximum.

AWS CloudHSM works with Amazon Virtual Private Cloud (Amazon VPC). An appliance is provisioned inside your VPC with a private IP address that you specify, providing simple and private network connectivity to your Amazon RDS DB instance. Your HSM appliances are dedicated exclusively to you and are isolated from other AWS customers. For more information about working with Amazon VPC and Amazon RDS, see Amazon RDS and Amazon Virtual Private Cloud (VPC) (p. 114) and Creating a DB Instance in a VPC (p. 167).

Important

This document tells you how to install and use AWS CloudHSM with an Amazon RDS Oracle DB instance that is using Oracle TDE encryption. Review the following availability and pricing information before you set up AWS CloudHSM:

• AWS CloudHSM is available in the US East (N. Virginia), US West (Oregon), EU (Ireland), Asia Pacific (Sydney), EU (Frankfurt), Asia Pacific (Singapore), AWS GovCloud (US), and Asia Pacific (Tokyo) regions.

• AWS CloudHSM pricing and free trial:

CloudHSM pricing information is available on the CloudHSM pricing page. If you want to try the CloudHSM service for free, please review the free trial page for more information.

• CloudHSM upfront fee refund (CLI Tools):

Please note that there is an upfront fee charged for each new CloudHSM instance you create using the create-hsm CLI command. If you accidentally provision a CloudHSM device and want to request a refund, please delete the CloudHSM instance using the delete-hsm command, and then go to the AWS Support Center, create a new case, and then select Account and Billing Support.

• CloudHSM upfront fee refund (API):

Please note that there is an upfront fee charged for each new CloudHSM instance you create using the CreateHSM API method. If you accidentally provision a CloudHSM device and want to request a refund, please delete the CloudHSM instance using the DeleteHSM API method, and then go to the AWS Support Center, create a new case, and then select Account and Billing Support.

To use AWS CloudHSM with an Amazon RDS Oracle DB instance, you must complete the following tasks, which are explained in detail in the following sections:

Setting Up AWS CloudHSM to Work with Amazon RDS (p. 343)

Setting Up Amazon RDS to Work with AWS CloudHSM (p. 347)


When you complete the entire setup, you should have the following AWS components.

• An AWS CloudHSM control instance that will communicate with the HSM appliance using port 22, and the AWS CloudHSM endpoint. The AWS CloudHSM control instance is an EC2 instance that is in the same VPC as the HSMs and is used to manage the HSMs.

• An Amazon RDS Oracle DB instance that will communicate with the Amazon RDS service endpoint, as well as the HSM appliance using port 1792.

Topics

Setting Up AWS CloudHSM to Work with Amazon RDS (p. 343)

Setting Up Amazon RDS to Work with AWS CloudHSM (p. 347)

Verifying the HSM Connection, the Oracle Keys in the HSM, and the TDE Key (p. 355)

Restoring Encrypted DB Instances (p. 356)

Managing a Multi-AZ Failover (p. 357)

Setting Up AWS CloudHSM to Work with Amazon RDS

To use AWS CloudHSM with an Oracle DB instance using TDE, you must first complete the tasks required to set up AWS CloudHSM. The tasks are explained in detail in the following sections. These tasks include:

Topics

Completing the AWS CloudHSM Prerequisites (p. 344)

Installing the AWS CloudHSM Command Line Interface Tools (p. 344)

Configuring Your HSMs (p. 344)

Creating Your High-Availability Partition Group (p. 345)


Password Worksheet (p. 346)

Completing the AWS CloudHSM Prerequisites

Follow the procedure in the Setting Up AWS CloudHSM section in the AWS CloudHSM User Guide to set up an AWS CloudHSM environment.

Installing the AWS CloudHSM Command Line Interface Tools

Follow the instructions in the Setting Up the AWS CloudHSM CLI Tools section in the AWS CloudHSM User Guide to install the AWS CloudHSM command line interface tools on your AWS CloudHSM control instance.

Configuring Your HSMs

The recommended configuration for using AWS CloudHSM with Amazon RDS is to use three AWS CloudHSM appliances configured into a high-availability (HA) partition group. A minimum of three HSMs are suggested for HA purposes. Even if two of your HSMs are unavailable, your keys will still be available to Amazon RDS.

Important

Initializing an HSM sets the password for the HSM security officer account (also known as the HSM administrator). Record the security officer password on your Password Worksheet (p. 346) and do not lose it. We recommend that you print out a copy of the Password Worksheet (p. 346), use it to record your AWS CloudHSM passwords, and store it in a secure place. We also recommend that you store at least one copy of this worksheet in secure off-site storage. AWS does not have the ability to recover your key material from an HSM for which you do not have the proper HSM security officer credentials.

To provision and initialize your HSMs using the AWS CloudHSM CLI tools, perform the following steps from your control instance:

1. Following the instructions in the Creating Your HSMs with the CLI section in the AWS CloudHSM Command Line Interface Tools Reference, provision the number of HSMs you need for your configuration. When you provision your HSMs, make note of the ARN of each HSM because you will need these to initialize your HSMs and create your high-availability partition group.

2. Following the instructions in the Initializing Your HSMs section in the AWS CloudHSM Command Line Interface Tools Reference, initialize each of your HSMs.


Creating Your High-Availability Partition Group

After your HSMs are initialized, create an HA partition group with the initialized HSMs. Creating an HA partition group is a three-step process. You create the HA partition group, add your HSMs to the HA partition group, and register the clients for use with the HA partition group.

To create and initialize an HA partition group

1. Following the instructions in the Create the HA Partition Group section in the AWS CloudHSM Command Line Interface Tools Reference, create your HA partition group. Save the HA partition group ARN returned from the create-hapg command for later use. Save the partition password on your Password Worksheet (p. 346).

2. Following the instructions in the Registering a Client with a High-Availability Partition Group section in the AWS CloudHSM Command Line Interface Tools Reference, create, register, and assign the clients to be used with your HA partition group.

Repeat this process to add additional partitions if necessary. One partition can support multiple Oracle databases.


Password Worksheet

Use the following worksheet to compile information for your AWS CloudHSM appliances. Print this page and use it to record your AWS CloudHSM passwords, and store it in a secure place. We also recommend that you store at least one copy of this worksheet in secure off-site storage.

Security Officer Password

This password was set when you initialized the HSM appliance.

_________________________________________________

Manager Password (Optional)

This password was optionally set with the user password manager command on the HSM appliance.

_________________________________________________

Partition Passwords

Partition Label                  Partition Password               Cloning Domain

_______________________          _______________________          _______________________

_______________________          _______________________          _______________________


Setting Up Amazon RDS to Work with AWS CloudHSM

To use AWS CloudHSM with an Oracle DB instance using Oracle TDE, you must do the following tasks:

• Ensure that the security group associated with the Oracle DB instance allows access to the HSM port 1792.

• Create a DB subnet group that uses the same subnets as those in the VPC used by your HSMs, and then assign that DB subnet group to your Oracle DB instance.

• Set up the Amazon RDS CLI.

• Add IAM permissions for Amazon RDS to use when accessing AWS CloudHSM.

• Add the TDE_HSM option to the option group associated with your Oracle DB instance using the Amazon RDS CLI.

• Add two new DB instance parameters to the Oracle DB instance that will use AWS CloudHSM. The tde-credential-arn parameter is the Amazon Resource Number (ARN) of the high-availability (HA) partition group returned from the create-hapg command. The tde-credential-password is the partition password you used when you initialized the HA partition group.

The Amazon RDS CLI documentation can be found at What Is the AWS Command Line Interface? and the section Getting Set Up with the AWS Command Line Interface. General instructions on using the AWS CLI can be found at Using the AWS Command Line Interface.

The following sections show you how to set up the Amazon RDS CLI, add the required permissions for RDS to access your HSMs, create an option group with the TDE_HSM option, and how to create or modify a DB instance that will use the TDE_HSM option.

Security Group

To allow the RDS instance to communicate with the HSM, the security group ENI assigned to the HSM appliance must authorize ingress connectivity on TCP port 1792 from the DB instance. Additionally, the Network ACL associated with the HSM's ENI must permit ingress TCP port 1792 from the RDS instance, and egress connections from the HSM to the Dynamic Port range on the RDS instance. For more information about the Dynamic TCP Port range, please see the Amazon VPC documentation.

If you used the AWS CloudFormation template to create your AWS CloudHSM environment, modify the security group that has "Allows SSH and NTLS from the public subnet" for the description. If you didn't use the AWS CloudFormation template, modify the security group associated with the ENI assigned to the HSM appliance.
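Added example, not from the guide: evaluating a constructed set of security-group and network-ACL rules against the three requirements just described (ingress TCP 1792 on the HSM's security group, ingress TCP 1792 on its network ACL, and network-ACL egress to the DB instance's dynamic ports), including the lowest-rule-number-wins evaluation that lets an earlier deny entry shadow a later allow. The ephemeral range 1024-65535, the sample CIDRs and the security-group id are assumptions.

```python
import functools
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

HSM_PORT = 1792              # NTLS port the HSM listens on (from the guide)
EPHEMERAL = (1024, 65535)    # assumed dynamic port range for NACL return traffic


@dataclass(frozen=True)
class SgRule:
    """Security-group ingress rule (stateful: replies are allowed automatically)."""
    protocol: str    # "tcp", "udp" or "-1" for all protocols
    from_port: int
    to_port: int
    source: str      # a CIDR, or a security-group id such as "sg-..."


@dataclass(frozen=True)
class NaclEntry:
    """Network-ACL entry (stateless: ingress and egress are evaluated separately)."""
    rule_number: int
    egress: bool
    protocol: str
    from_port: int
    to_port: int
    cidr: str
    allow: bool


@functools.lru_cache(maxsize=None)
def _covers(rule_cidr: str, cidr: str) -> bool:
    """True if every address in `cidr` falls inside `rule_cidr`."""
    return ipaddress.ip_network(cidr).subnet_of(ipaddress.ip_network(rule_cidr))


def _port_match(protocol: str, lo: int, hi: int, port: int) -> bool:
    return protocol == "-1" or (protocol == "tcp" and lo <= port <= hi)


def sg_allows(rules: List[SgRule], port: int, db_cidr: str, db_sg: Optional[str]) -> bool:
    """Does any ingress rule admit TCP `port` from the DB instance (by SG id or by CIDR)?"""
    for r in rules:
        if not _port_match(r.protocol, r.from_port, r.to_port, port):
            continue
        if r.source.startswith("sg-"):
            if db_sg is not None and r.source == db_sg:
                return True
        elif _covers(r.source, db_cidr):
            return True
    return False


def nacl_verdict(entries: List[NaclEntry], egress: bool, port: int, cidr: str) -> bool:
    """Lowest-numbered matching entry decides; no match means the implicit deny."""
    for e in sorted(entries, key=lambda e: e.rule_number):
        if e.egress != egress or not _port_match(e.protocol, e.from_port, e.to_port, port):
            continue
        if _covers(e.cidr, cidr):
            return e.allow
    return False


def hsm_path_findings(sg_rules, nacl, db_cidr: str, db_sg: Optional[str] = None) -> List[str]:
    """Findings for the three requirements in the Security Group section; empty means OK."""
    findings = []
    if not sg_allows(sg_rules, HSM_PORT, db_cidr, db_sg):
        findings.append(f"HSM security group does not allow TCP {HSM_PORT} from the DB instance")
    if not nacl_verdict(nacl, False, HSM_PORT, db_cidr):
        findings.append(f"HSM network ACL denies ingress TCP {HSM_PORT} from {db_cidr}")
    blocked = [p for p in range(EPHEMERAL[0], EPHEMERAL[1] + 1)
               if not nacl_verdict(nacl, True, p, db_cidr)]
    if blocked:
        findings.append(f"HSM network ACL denies egress to {db_cidr} on {len(blocked)} "
                        f"ephemeral ports (first: {blocked[0]})")
    return findings


# Constructed sample: DB subnet 10.0.1.0/24, DB security group sg-0db0example.
DB_CIDR, DB_SG = "10.0.1.0/24", "sg-0db0example"
HSM_SG = [SgRule("tcp", 22, 22, "10.0.0.0/24"),       # SSH from the control subnet
          SgRule("tcp", HSM_PORT, HSM_PORT, DB_SG)]    # NTLS from the DB instance
GOOD_NACL = [NaclEntry(100, False, "tcp", HSM_PORT, HSM_PORT, DB_CIDR, True),
             NaclEntry(100, True, "tcp", EPHEMERAL[0], EPHEMERAL[1], DB_CIDR, True)]
# Same entries plus a lower-numbered deny that shadows part of the ephemeral range.
BAD_NACL = GOOD_NACL + [NaclEntry(50, True, "tcp", 32768, 65535, "10.0.0.0/8", False)]

if __name__ == "__main__":
    print(hsm_path_findings(HSM_SG, GOOD_NACL, DB_CIDR, DB_SG) or "path OK")
    print(hsm_path_findings(HSM_SG, BAD_NACL, DB_CIDR, DB_SG))
```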

DB Subnet Group

The DB subnet group that you assign to your Oracle DB instance must have the same subnets as those in the VPC used by the CloudHSM. For information about how to create a DB subnet group, see Creating a DB Subnet Group, or you can use the AWS CLI create-db-subnet-group command to create the DB subnet group.

Setting Up the Amazon RDS CLI

The Amazon RDS CLI can be installed on a computer running the Linux or Windows operating system and that has Java version 1.6 or higher installed.

The following steps install and configure the Amazon RDS CLI:

1. Download the Amazon RDS CLI from here. Unzip the file.


2. Set the following environment variables:

AWS_RDS_HOME - <The directory where the deployment files were copied to>

JAVA_HOME - <Java Installation home directory>

You can check that the environment variables are set correctly by running the following command for Linux or Windows; it should list describe-db-instances and other AWS CLI commands.

For Linux, OS X, or Unix: ls ${AWS_RDS_HOME}/bin

For Windows: dir %AWS_RDS_HOME%\bin

3. Add ${AWS_RDS_HOME}/bin (Linux) or %AWS_RDS_HOME%\bin (Windows) to your path.

4. Add the RDS service URL information for your AWS region to your shell configuration. For example:

export RDS_URL=https://rds.us-east-1.amazonaws.com
export SERVICE_SIG_NAME=rds

5. If you are on a Linux system, set execute permissions on all files in the bin directory using the following command: chmod +x ${AWS_RDS_HOME}/bin/*

6. Provide the Amazon RDS CLI with your AWS user credentials. There are two ways you can provide credentials: AWS keys, or using X.509 certificates.

If you are using AWS keys, do the following:

a. Edit the credential file included in the zip file, ${AWS_RDS_HOME}/credential-file-path.template, to add your AWS credentials. If you are on a Linux system, limit permissions to the owner of the credential file:

$ chmod 600 <credential file>

b. Alternatively, you can provide the following option with every command:

aws rds <AWSCLIcommand> --aws-credential-file <credential file>

c. Or you can explicitly specify credentials on the command line: --I ACCESS_KEY --S SECRET_KEY

If you are using X.509 certificates, do the following:

a. Save your certificate and private keys to files: e.g. my-cert.pem and my-pk.pem.

b. Set the following environment variables:

EC2_CERT=<path_to_my_cert>
EC2_PRIVATE_KEY=<path_to_my_private_key>


c. Or you can specify the files directly on the command line for every command:

For Linux, OS X, or Unix:

aws rds <AWSCLIcommand> \
    --ec2-cert-file-path <path_to_my_cert> \
    --ec2-private-key-file-path <path_to_my_private_key>

For Windows:

aws rds <AWSCLIcommand> ^
    --ec2-cert-file-path <path_to_my_cert> ^
    --ec2-private-key-file-path <path_to_my_private_key>

You can test that you have set up the AWS CLI correctly by running the following commands. The first command should output the usage page for all Amazon RDS commands. The second command should output information on all DB instances for the account you are using.

aws rds --help
aws rds describe-db-instances --headers

Adding IAM Permissions for Amazon RDS to Access the AWS CloudHSM

You can use a single AWS account to work with Amazon RDS and AWS CloudHSM or you can use two separate accounts, one for Amazon RDS and one for AWS CloudHSM. This section provides information on both processes.

Topics

Adding IAM Permissions for a Single Account for Amazon RDS to Access the AWS CloudHSM API (p. 349)

Using Separate AWS CloudHSM and Amazon RDS Accounts for Amazon RDS to Access CloudHSM (p. 350)

Adding IAM Permissions for a Single Account for Amazon RDS to Access the AWS CloudHSM API

To create an IAM role that Amazon RDS uses to access the AWS CloudHSM API, use the following procedure. Amazon RDS checks for the presence of this IAM role when you create or modify a DB instance that uses AWS CloudHSM.

To create an IAM role for Amazon RDS to access the AWS CloudHSM API

1. Open the IAM Console at https://console.aws.amazon.com/.

2. In the left navigation pane, click Roles.

3. Click Create New Role.

4. In the Role Name text box, type RDSCloudHsmAuthorization. Currently, you must use this name. Click Next Step.

5. Click AWS Service Roles, scroll to Amazon RDS, choose Select.

6. On the Attach Policy page, click Next Step. The correct policy is already attached to this role.


7. Review the information and then click Create Role.

Using Separate AWS CloudHSM and Amazon RDS Accounts for Amazon RDS to Access CloudHSM

If you want to separately manage your AWS CloudHSM and Amazon RDS resources, you can use the two services with separate accounts. To use two different accounts, you must set up each account as described in the following section.

To use two accounts, you must have the following:

• An account that is enabled for the AWS CloudHSM service and that is the owner of your hardware security module (HSM) devices. Generally, this account is your CloudHSM account, with a customer ID of HSM_ACCOUNT_ID.

• An account for Amazon RDS that you can use to create and manage a DB instance that uses Oracle TDE. Generally, this account is your DB account, with a customer ID DB_ACCOUNT_ID.

To add DB account permission to access CloudHSM resources under the CloudHSM account

1. Open the IAM Console at https://console.aws.amazon.com/.

2. Log in using your DB account.

3. In the left navigation pane, choose Roles.

4. Choose Create New Role.

5. For Role Name, type RDSCloudHsmAssumeAuthorization. Currently, you must use this role name for this approach to work. Choose Next Step.

6. Choose AWS Service Roles, scroll to Amazon RDS, choose Select.

7. On the Attach Policy page, do not attach a policy. Choose Next Step.

8. Review the information, and then choose Create Role.

9. For Roles, choose the RDSCloudHsmAssumeAuthorization role.

10. For Permissions, choose Inline Policies, and then choose the click here link that appears.

11. On the Set Permissions page, choose Custom Policy, then choose Select.

12. For Policy Name, type AssumeRole.

13. For Policy Document, type the following policy information:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sts:AssumeRole"
      ],
      "Resource": "*"
    }
  ]
}

14. Choose Apply Policy, and then log out of your DB account.


To revise the trust policy in the CloudHSM account so that the DB account is permitted to access CloudHSM resources under the CloudHSM account

1. Open the IAM Console at https://console.aws.amazon.com/.

2. Log in using your CloudHSM account.

3. In the left navigation pane, choose Roles.

4. Choose the RDSCloudHsmAuthorization role. This is the role created in the single-account CloudHSM-RDS procedure.

5. Choose Edit Trust Relationship.

6. Add your DB account as a trusted account. The policy document should look like the following, with your DB account replacing the <DB_ACCOUNT_ID> placeholder:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "rds.amazonaws.com",
        "AWS": [
          "arn:aws:iam::<DB_ACCOUNT_ID>:role/RDSCloudHsmAssumeAuthorization"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

7. Choose Update Trust Policy.
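Added example, not from the guide: Python that produces the two policy documents from the procedures above for a given DB account id, and checks a trust policy for the mistakes that typically break this setup (placeholder left unreplaced, wildcard or whole-account principal, RDS service principal missing). The account id 111122223333 is a constructed value.

```python
import json
import re
from typing import Dict, List

ASSUME_ROLE_NAME = "RDSCloudHsmAssumeAuthorization"   # role created in the DB account (step 5)
RDS_SERVICE = "rds.amazonaws.com"
_ACCOUNT_ID = re.compile(r"^\d{12}$")


def assume_role_arn(db_account_id: str) -> str:
    """ARN of the DB account's RDSCloudHsmAssumeAuthorization role."""
    if not _ACCOUNT_ID.match(db_account_id):
        raise ValueError(f"not a 12-digit AWS account id: {db_account_id!r}")
    return f"arn:aws:iam::{db_account_id}:role/{ASSUME_ROLE_NAME}"


def db_account_inline_policy() -> Dict:
    """The 'AssumeRole' inline policy from step 13 (DB account)."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": ["sts:AssumeRole"], "Resource": "*"}]}


def hsm_account_trust_policy(db_account_id: str) -> Dict:
    """Trust policy for RDSCloudHsmAuthorization from step 6 (CloudHSM account)."""
    return {"Version": "2012-10-17",
            "Statement": [{"Sid": "", "Effect": "Allow",
                           "Principal": {"Service": RDS_SERVICE, "AWS": [assume_role_arn(db_account_id)]},
                           "Action": "sts:AssumeRole"}]}


def _as_list(value) -> list:
    return value if isinstance(value, list) else [value]


def trust_policy_findings(policy: Dict, db_account_id: str) -> List[str]:
    """Empty when the policy trusts exactly the RDS service plus the DB account's role, and nothing else."""
    expected = assume_role_arn(db_account_id)
    findings, saw_service, saw_role = [], False, False
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in _as_list(st.get("Action", []))):
            continue
        principal = st.get("Principal", {})
        if principal == "*":
            findings.append("statement lets any principal assume the role")
            continue
        if not isinstance(principal, dict):       # bare string form means an AWS principal
            principal = {"AWS": principal}
        for svc in _as_list(principal.get("Service", [])):
            if svc == RDS_SERVICE:
                saw_service = True
            else:
                findings.append(f"unexpected service principal {svc}")
        for arn in _as_list(principal.get("AWS", [])):
            if arn == expected:
                saw_role = True
            elif "<" in arn or "$" in arn:
                findings.append(f"placeholder left unreplaced in principal {arn}")
            elif arn == "*" or arn.endswith(":root"):
                findings.append(f"over-broad principal {arn} (trusts a whole account or everyone)")
            else:
                findings.append(f"unexpected principal {arn}")
    if not saw_service:
        findings.append(f"{RDS_SERVICE} is not trusted")
    if not saw_role:
        findings.append(f"{expected} is not trusted")
    return findings


if __name__ == "__main__":
    # Constructed account id; prints the two documents to paste into the console steps above.
    print(json.dumps(db_account_inline_policy(), indent=2))
    print(json.dumps(hsm_account_trust_policy("111122223333"), indent=2))
```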

Creating an Amazon VPC Using the DB Account That Can Connect to Your HSM

HSM appliances are provisioned into an HSM-specific Amazon VPC. By default, only hosts inside the HSM VPC can see the HSM devices. Thus, all DB instances need to be created inside the HSM VPC or in a VPC that can be linked to the HSM VPC using VPC peering.

To use CloudHSM with an Amazon RDS DB instance in a different VPC (which you create under your DB account, as described in Creating a DB Instance in a VPC (p. 167)), you set up VPC peering from the VPC containing the DB instance to the HSM-specific VPC that contains your HSM appliances.

To set up VPC peering between the two VPCs

1. Use an existing VPC created under your DB account, or create a new VPC using your DB account. The VPC should not have any CIDR ranges that overlap with the CIDR ranges of the HSM-specific VPC.

2. Perform VPC peering between the DB VPC and the HSM VPC. For instructions, go to VPC Peering in the Amazon Virtual Private Cloud User Guide.

3. Ensure that the VPC routing table is correctly associated with the VPC subnet and the VPC security group on the HSM network interface.

Note that you must configure both VPCs' routing tables so that network traffic goes to the correct VPC (from the DB VPC to the HSM VPC, and from the HSM VPC to the DB VPC). The two VPCs don't need to share the same security group, though the security groups must not prevent network traffic between the two VPCs.

Creating an Option Group with the TDE_HSM Option

The TDE_HSM option can be added to an existing option group just like other Oracle options, or you can create a new option group and add the TDE_HSM option. The following Amazon RDS CLI example creates an option group for Oracle Enterprise Edition 11.2 named tdehsm-option-group.

For Linux, OS X, or Unix:

aws rds create-option-group \
    --option-group-name tdehsm-option-group \
    --option-group-description "Option Group with TDE_HSM" \
    --engine-name oracle-ee \
    --major-engine-version 11.2

For Windows:

aws rds create-option-group ^
    --option-group-name tdehsm-option-group ^
    --option-group-description "Option Group with TDE_HSM" ^
    --engine-name oracle-ee ^
    --major-engine-version 11.2

The output of the command should appear similar to the following example:

OPTIONGROUP tdehsm-option-group oracle-ee 11.2 Option Group with TDE_HSM n

Once the option group has been created, you can use the following command to add the TDE_HSM option to the option group.

For Linux, OS X, or Unix:

aws rds add-option-to-option-group \
    --option-group-name tdehsm-option-group \
    --option-name TDE_HSM

For Windows:

aws rds add-option-to-option-group ^
    --option-group-name tdehsm-option-group ^
    --option-name TDE_HSM

The output of the command should appear similar to the following example:

OPTION TDE_HSM y n Oracle Advanced Security - TDE with HSM


Adding the AWS CloudHSM Parameters to an Oracle DB Instance

An Oracle Enterprise Edition DB instance that uses AWS CloudHSM must have two new parameters added to the DB instance. The tde-credential-arn and tde-credential-password parameters are new parameters you must include when creating a new DB instance or when modifying an existing DB instance to use AWS CloudHSM.

Creating a New Oracle DB Instance with Additional Parameters for AWS CloudHSM

When creating a new DB instance to use with AWS CloudHSM, there are several requirements:

• You must include the option group that contains the TDE_HSM option.

• You must provide values for the tde-credential-arn and tde-credential-password parameters. The tde-credential-arn parameter value is the Amazon Resource Number (ARN) of the HA partition group returned from the create-hapg command. You can also retrieve the ARNs of all of your high-availability partition groups with the list-hapgs command. The tde-credential-password is the partition password you used when you initialized the HA partition group.

• The IAM Role that provides cross-service access must be created.

• You must create an Oracle Enterprise Edition DB instance.

The following command creates a new Oracle Enterprise Edition DB instance called HsmInstance-test01 that includes the two parameters that provide AWS CloudHSM access and uses an option group called tdehsm-option-group.

For Linux, OS X, or Unix:

aws rds create-db-instance \
    --db-instance-identifier HsmInstance-test01 \
    --db-instance-class <instance class> \
    --engine oracle-ee \
    --tde-credential-arn <ha partition group ARN> \
    --tde-credential-password <partition password> \
    --db-name <Oracle DB instance name> \
    --db-subnet-group-name <subnet group name> \
    --connection-timeout <connection timeout value> \
    --master-user-password <master user password> \
    --master-username <master user name> \
    --allocated-storage <storage value> \
    --option-group-name <TDE option group>

For Windows:

aws rds create-db-instance ^
    --db-instance-identifier HsmInstance-test01 ^
    --db-instance-class <instance class> ^
    --engine oracle-ee ^
    --tde-credential-arn <ha partition group ARN> ^
    --tde-credential-password <partition password> ^
    --db-name <Oracle DB instance name> ^
    --db-subnet-group-name <subnet group name> ^
    --connection-timeout <connection timeout value> ^
    --master-user-password <master user password> ^
    --master-username <master user name> ^
    --allocated-storage <storage value> ^
    --option-group-name <TDE option group>

The output of the command should appear similar to the following example:

DBINSTANCE hsminstance-test01 db.m1.medium oracle-ee 40 fooooo creating 1 **** n 11.2.0.2.v7 bring-your-own-license AL52UTF8 n
VPCSECGROUP sg-922xvc2fd active
SUBNETGROUP dev-test test group Complete vpc-3facfe54
SUBNET subnet-1fd6a337 us-east-1e Active
SUBNET subnet-28aeff43 us-east-1c Active
SUBNET subnet-5daeff36 us-east-1b Active
SUBNET subnet-2caeff47 us-east-1d Active
PARAMGRP default.oracle-ee-11.2 in-sync
OPTIONGROUP tdehsm-option-group pending-apply

Modifying an Existing DB Instance to Add Parameters for AWS CloudHSM

The following command modifies an existing Oracle Enterprise Edition DB instance and adds the tde-credential-arn and tde-credential-password parameters. Note that you must also include in the command the option group that contains the TDE_HSM option.

For Linux, OS X, or Unix:

aws rds modify-db-instance \
    --db-instance-identifier hsm03 \
    --tde-credential-arn <ha partition group ARN> \
    --tde-credential-password <partition password> \
    --option-group-name <tde hsm option group> \
    --apply-immediately

For Windows:

aws rds modify-db-instance ^
    --db-instance-identifier hsm03 ^
    --tde-credential-arn <ha partition group ARN> ^
    --tde-credential-password <partition password> ^
    --option-group-name <tde hsm option group> ^
    --apply-immediately

The output of the command should appear similar to the following example:

DBINSTANCE hsm03 2014-04-03T18:48:53.106Z db.m1.medium oracle-ee 40 fooooo available hsm03.c1iibpgwvdfo.us-east-1.rds.amazonaws.com 1521 us-east-1e 1 n 11.2.0.2.v7 bring-your-own-license AL32UTF8 n
VPCSECGROUP sg-922dc2fd active
SUBNETGROUP dev-test test group Complete vpc-3faffe54
SUBNET subnet-1fd6a337 us-east-1e Active
SUBNET subnet-28aeff43 us-east-1c Active
SUBNET subnet-5daeff36 us-east-1b Active
SUBNET subnet-2caeff47 us-east-1d Active
PARAMGRP default.oracle-ee-11.2 in-sync
OPTIONGROUP tdehsm-option-group pending-apply
OPTIONGROUP default:oracle-ee-11-2 pending-removal

Verifying the HSM Connection, the Oracle Keys in the HSM, and the TDE Key

Once you have completed all the setup steps, you can verify that the HSM is working properly for TDE key storage. Connect to the Oracle DB instance using a SQL utility such as sqlplus on a client computer or from the EC2 control instance if it has sqlplus installed. For more information on connecting to an Oracle DB instance, see Connecting to a DB Instance Running the Oracle Database Engine.

Note

Before you continue, you must verify that the option group that you created for your Oracle instance returns a status of in-sync. You can verify this by passing the DB instance identifier to the describe-db-instances command.

Verifying the HSM Connection

You can verify the connection between an Oracle DB instance and the HSM. Connect to the Oracle DB instance and use the following command:

SQL> select * from v$encryption_wallet;

If the HSM connection is working, the command should return a status of OPEN. The output of the command will be similar to the following example:

WRL_TYPE             WRL_PARAMETER       STATUS
-------------------- ------------------- ------------------
HSM                                      OPEN

1 row selected.

Verifying the Oracle Keys in the HSM

Once Amazon RDS starts and Oracle is running, Oracle creates two master keys on the HSM. Perform the following steps to confirm that the master keys exist in the HSM. You can run these commands from the prompt on the EC2 control instance or from the Amazon RDS Oracle DB instance.

1. Use SSH to connect to the HSM appliance as the HSM manager user:

   $ ssh manager@<hsm_ip_address>

2. At the Luna Shell prompt ([hostname]lunash:>), log in to the HSM:

   lunash:> hsm login

3. Once you have successfully logged in, display the contents of the HSM partition that corresponds to the Oracle DB instance using TDE. Look for two symmetric key objects: one whose label begins with ORACLE.TDE.HSM.MK (the master key for column encryption) and one whose label begins with ORACLE.TSE.HSM.MK (the master key for tablespace encryption).

   lunash:> part showContents -par <hapg_label> -password <partition_password>

The following output is an example of the information returned from the command:

Partition Name: hapg_label
Partition SN: 154749011
Storage (Bytes): Total=102701, Used=348, Free=102353
Number objects: 2

Object Label: ORACLE.TDE.HSM.MK.0699468E1DC88E4F27BF426176B94D4907
Object Type: Symmetric Key

Object Label: ORACLE.TSE.HSM.MK.0784B1918AB6C19483189B2296FAE261C70203
Object Type: Symmetric Key

Command Result : 0 (Success)
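Reading a partition listing by eye is error-prone when the partition holds more than two objects (for example after a master key rekey). The following shell function is an added example, not code from the AWS guide or from SafeNet: it reads the output of part showContents on stdin and exits 0 only if the command succeeded and both master keys are present. The sample listing embedded in it is constructed from the output shown above; the label prefixes are the ones that output shows.

```shell
#!/bin/sh
# Added example (not from the AWS guide): check a Luna partition listing for the
# two Oracle master keys. Feed it the text printed by
#   lunash:> part showContents -par <hapg_label> -password <partition_password>
# on stdin.

# Constructed sample copied from the listing above; it is not live HSM output.
SAMPLE_PART_LISTING='Partition Name: hapg_label
Partition SN: 154749011
Storage (Bytes): Total=102701, Used=348, Free=102353
Number objects: 2
Object Label: ORACLE.TDE.HSM.MK.0699468E1DC88E4F27BF426176B94D4907
Object Type: Symmetric Key
Object Label: ORACLE.TSE.HSM.MK.0784B1918AB6C19483189B2296FAE261C70203
Object Type: Symmetric Key
Command Result : 0 (Success)'

# hsm_master_keys_present: exit 0 only if the listing ends with "Command Result : 0"
# and contains at least one Symmetric Key labelled ORACLE.TDE.HSM.MK.* and at least
# one labelled ORACLE.TSE.HSM.MK.*. A rekey leaves older keys in the partition, so
# the check is ">= 1" rather than "== 1".
hsm_master_keys_present() {
  awk '
    /^Object Label:/ { label = $3 }
    /^Object Type:/ && $3 == "Symmetric" && $4 == "Key" {
      if (label ~ /^ORACLE\.TDE\.HSM\.MK\./) tde++
      if (label ~ /^ORACLE\.TSE\.HSM\.MK\./) tse++
      label = ""
    }
    /^Command Result/ { ok = ($4 == "0") }
    END { exit (ok && tde >= 1 && tse >= 1) ? 0 : 1 }'
}

# Usage on the control instance, after saving the lunash output to a file:
#   hsm_master_keys_present < part_listing.txt && echo "both master keys present"
```

A listing that reports Command Result : 0 but lacks either label fails the check, which is the case you want to catch: the HSM is reachable but Oracle has not written its master keys to this partition.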

Verifying the TDE Key

The final step in verifying that the TDE key is correctly stored in the HSM is to create an encrypted tablespace. The following commands create an encrypted tablespace and show that it is encrypted:

SQL> create tablespace encrypted_ts datafile size 50M encryption using 'AES128' default storage (encrypt);

SQL> select tablespace_name, encrypted from dba_tablespaces where encrypted = 'YES';

The following sample output shows that the tablespace was encrypted:

TABLESPACE_NAME                ENC
------------------------------ ---
ENCRYPTED_TS                   YES

Restoring Encrypted DB Instances

To restore an encrypted Oracle DB instance, you can use your existing AWS CloudHSM HA partition group, or create a new HA partition group and copy the contents of the original partition group to the new one. If you want to use your existing HA partition group, update the SafeNet client on your HSM control instance first. Then use the restore-db-instance-from-db-snapshot command to restore the DB instance.

To restore the instance, perform the following procedure:


1. On your AWS CloudHSM control instance, create a new HA partition group as shown in Creating Your High-Availability Partition Group (p. 345). When you create the new HA partition group, you must specify the same partition password as the original HA partition group. Make a note of the ARN of the new HA partition group, which you will need in the next two steps.

2. On your AWS CloudHSM control instance, clone the contents of the existing HA partition group to the new HA partition group with the clone-hapg command.

   For Linux, OS X, or Unix:

   cloudhsm clone-hapg --conf_file ~/cloudhsm.conf \
       --src-hapg-arn <src_arn> \
       --dest-hapg-arn <dest_arn> \
       --client-arn <client_arn> \
       --partition-password <partition_password>

   For Windows:

   cloudhsm clone-hapg --conf_file ~/cloudhsm.conf ^
       --src-hapg-arn <src_arn> ^
       --dest-hapg-arn <dest_arn> ^
       --client-arn <client_arn> ^
       --partition-password <partition_password>

   The parameters are as follows:

   <src_arn>
       The identifier of the existing HA partition group.

   <dest_arn>
       The identifier of the new HA partition group created in the previous step.

   <client_arn>
       The identifier of the HSM client.

   <partition_password>
       The password for the member partitions. Both HA partition groups must have the same partition password.

3. Use the restore-db-instance-from-db-snapshot command to restore the DB instance. In the restore command, pass the ARN of the new HA partition group in the tde-credential-arn parameter, and the partition password for the HA partition group in the tde-credential-password parameter.
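The guide describes the restore command in step 3 but does not show it, and the note earlier on this page asks you to confirm that the option group is in-sync before verifying TDE. The following shell helpers are an added example, not code from the AWS guide: option_group_status reads the text listing from describe-db-instances and reports one option group's status (it matches the OPTIONGROUP rows shown earlier on this page and, as an assumption, the OPTIONGROUPMEMBERSHIPS rows of current AWS CLI text output); wait_for_option_group_in_sync polls a live instance with it; and restore_encrypted_instance passes the TDE credentials to restore-db-instance-from-db-snapshot through --cli-input-json, so the partition password is read from an environment variable and never appears in argv, ps output or shell history. The sample listing is constructed, the instance, snapshot, ARN and option-group names are placeholders, and AWS_CLI is a hypothetical override variable so the command line can be inspected without calling AWS.

```shell
#!/bin/sh
# Added example (not from the AWS guide). Helpers for the procedure on this page:
#   option_group_status          - status of one option group from describe-db-instances text
#   wait_for_option_group_in_sync - poll until that status is in-sync
#   restore_encrypted_instance   - restore from a snapshot with TDE credentials in a
#                                  0600 JSON file, not on the command line
# Assumes the aws CLI is on PATH; AWS_CLI overrides it for testing.

# Constructed sample of the text-style listing shown earlier on this page; not live output.
SAMPLE_DESCRIBE='DBINSTANCE hsm03 2014-04-03T18:48:53.106Z db.m1.medium oracle-ee 40 fooooo
PARAMGRP default.oracle-ee-11.2 in-sync
OPTIONGROUP tdehsm-option-group pending-apply
OPTIONGROUP default:oracle-ee-11-2 pending-removal'

# option_group_status NAME : read the listing on stdin, print the status of option
# group NAME (in-sync, pending-apply, pending-removal); exit 1 if NAME is not listed.
option_group_status() {
  awk -v og="$1" '
    $1 ~ /^OPTIONGROUP/ && $2 == og { print $3; found = 1 }
    END { exit found ? 0 : 1 }'
}

# wait_for_option_group_in_sync INSTANCE_ID OPTION_GROUP [MAX_TRIES]
# Polls the live instance (20 s apart) until OPTION_GROUP reports in-sync.
wait_for_option_group_in_sync() {
  tries=${3:-30}
  while [ "$tries" -gt 0 ]; do
    status=$("${AWS_CLI:-aws}" rds describe-db-instances \
      --db-instance-identifier "$1" --output text | option_group_status "$2") || status=absent
    [ "$status" = "in-sync" ] && return 0
    echo "option group $2 is $status; waiting" >&2
    tries=$((tries - 1))
    sleep 20
  done
  return 1
}

# json_escape STRING : escape backslash and double quote for embedding in a JSON string.
json_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# write_restore_input FILE INSTANCE_ID SNAPSHOT_ID HAPG_ARN OPTION_GROUP
# Writes the RestoreDBInstanceFromDBSnapshot parameters as JSON. FILE is created
# with umask 077 (or keeps the 0600 mode mktemp gave it). The partition password is
# taken from $TDE_PARTITION_PASSWORD so it is never a command-line argument.
write_restore_input() {
  : "${TDE_PARTITION_PASSWORD:?export TDE_PARTITION_PASSWORD first}"
  (
    umask 077
    cat > "$1" <<EOF
{
  "DBInstanceIdentifier": "$(json_escape "$2")",
  "DBSnapshotIdentifier": "$(json_escape "$3")",
  "TdeCredentialArn": "$(json_escape "$4")",
  "TdeCredentialPassword": "$(json_escape "$TDE_PARTITION_PASSWORD")",
  "OptionGroupName": "$(json_escape "$5")"
}
EOF
  )
}

# restore_encrypted_instance INSTANCE_ID SNAPSHOT_ID HAPG_ARN OPTION_GROUP
# Runs the restore with the JSON above and removes the file whether or not it succeeds.
restore_encrypted_instance() {
  input=$(mktemp) || return 1
  write_restore_input "$input" "$@"
  rc=0
  "${AWS_CLI:-aws}" rds restore-db-instance-from-db-snapshot \
    --cli-input-json "file://$input" || rc=$?
  rm -f "$input"
  return $rc
}
```

json_escape handles only backslashes and double quotes; a partition password containing control characters would need a real JSON encoder. After the restore, run wait_for_option_group_in_sync against the new instance before repeating the verification steps above.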

Managing a Multi-AZ Failover

You do not need to set up an AWS CloudHSM HA partition group for your standby DB instance if you are using a Multi-AZ deployment. The details of a failover are handled automatically for you. During a failover, the standby instance becomes the new primary instance, and the HSM continues to work with the new primary instance.


Appendix: Oracle Character Sets Supported in Amazon RDS

The following table lists the Oracle database character sets that are supported in Amazon RDS. You can use a value from this page with the --character-set-name parameter of the AWS CLI create-db-instance command or with the CharacterSetName parameter of the CreateDBInstance API action.

Setting the NLS_LANG environment parameter is the simplest way to specify locale behavior for Oracle software. This parameter sets the language and territory used by the client application and the database server. It also indicates the client's character set, which corresponds to the character set for data entered or displayed by a client application. Amazon RDS lets you set the character set when you create a DB instance. For more information on NLS_LANG and character sets, see What is a Character set or Code Page? in the Oracle documentation.

Value            Description
AL32UTF8         Unicode 5.0 UTF-8 Universal character set (default)
AR8ISO8859P6     ISO 8859-6 Latin/Arabic
AR8MSWIN1256     Microsoft Windows Code Page 1256 8-bit Latin/Arabic
BLT8ISO8859P13   ISO 8859-13 Baltic
BLT8MSWIN1257    Microsoft Windows Code Page 1257 8-bit Baltic
CL8ISO8859P5     ISO 8859-5 Latin/Cyrillic
CL8MSWIN1251     Microsoft Windows Code Page 1251 8-bit Latin/Cyrillic
EE8ISO8859P2     ISO 8859-2 East European
EL8ISO8859P7     ISO 8859-7 Latin/Greek
EE8MSWIN1250     Microsoft Windows Code Page 1250 8-bit East European
EL8MSWIN1253     Microsoft Windows Code Page 1253 8-bit Latin/Greek
IW8ISO8859P8     ISO 8859-8 Latin/Hebrew
IW8MSWIN1255     Microsoft Windows Code Page 1255 8-bit Latin/Hebrew
JA16EUC          EUC 24-bit Japanese
JA16EUCTILDE     Same as JA16EUC except for mapping of wave dash and tilde to and from Unicode
JA16SJIS         Shift-JIS 16-bit Japanese
JA16SJISTILDE    Same as JA16SJIS except for mapping of wave dash and tilde to and from Unicode
KO16MSWIN949     Microsoft Windows Code Page 949 Korean
NE8ISO8859P10    ISO 8859-10 North European
NEE8ISO8859P4    ISO 8859-4 North and Northeast European
TH8TISASCII      Thai Industrial Standard 620-2533-ASCII 8-bit
TR8MSWIN1254     Microsoft Windows Code Page 1254 8-bit Turkish
US7ASCII         ASCII 7-bit American
UTF8             Unicode 3.0 UTF-8 Universal character set, CESU-8 compliant
VN8MSWIN1258     Microsoft Windows Code Page 1258 8-bit Vietnamese
WE8ISO8859P1     Western European 8-bit ISO 8859 Part 1
WE8ISO8859P15    ISO 8859-15 West European
WE8ISO8859P9     ISO 8859-9 West European and Turkish
WE8MSWIN1252     Microsoft Windows Code Page 1252 8-bit West European
ZHS16GBK         GBK 16-bit Simplified Chinese
ZHT16HKSCS       Microsoft Windows Code Page 950 with Hong Kong Supplementary Character Set HKSCS-2001. Character set conversion is based on Unicode 3.0.
ZHT16MSWIN950    Microsoft Windows Code Page 950 Traditional Chinese
ZHT32EUC         EUC 32-bit Traditional Chinese


Appendix: Oracle Database Engine Release Notes

This section provides information about what's new and what patch sets are included in each Amazon RDS release for the Oracle DB engine.

Amazon RDS incorporates Oracle Database bug fixes from Oracle via their quarterly Patch Set Updates (PSU). We do not support applying one-off patches to individual DB instances; you can be confident that your DB instance is running a stable, common version of the database software that has been regression tested by both Oracle and Amazon.

Topics

Database Engine Version: 11.2.0.2.v3 (p. 361)

Database Engine Version: 11.2.0.2.v4 or 11.2.0.2.v5 (p. 362)

Database Engine Version: 11.2.0.2.v6 (p. 362)

Database Engine Version: 11.2.0.2.v7 (p. 363)

Database Engine Version: 11.2.0.3.v1 (p. 365)

Database Engine Version: 11.2.0.3.v2 (p. 366)

Database Engine Version: 11.2.0.3.v3 (p. 367)

Database Engine Version: 11.2.0.3.v4 (p. 369)

Database Engine Version: 11.2.0.4.v1 (p. 370)

Database Engine Version: 11.2.0.4.v2 (Deprecated) (p. 370)

Database Engine Version: 11.2.0.4.v3 (p. 371)

Database Engine Version: 11.2.0.4.v4 (p. 372)

Database Engine Version: 11.2.0.4.v5 (p. 373)

Database Engine Version: 11.2.0.4.v6 (p. 374)

Database Engine Version: 11.2.0.4.v7 (p. 374)

Database Engine Version: 12.1.0.1.v1 (p. 376)

Database Engine Version: 12.1.0.1.v2 (p. 377)

Database Engine Version: 12.1.0.1.v3 (p. 378)

Database Engine Version: 12.1.0.1.v4 (p. 379)

Database Engine Version: 12.1.0.2.v1 (p. 380)

Database Engine Version: 12.1.0.2.v2 (p. 381)

Database Engine Version: 12.1.0.2.v3 (p. 381)

The following table shows which Oracle PSUs are applied to the Oracle versions in Amazon RDS.

Version 11.2.0.2

PSU                 Amazon RDS version
PSU July 2011       11.2.0.2.v3
PSU July 2012       11.2.0.2.v4 and 11.2.0.2.v5
PSU October 2012    11.2.0.2.v6
PSU April 2013      11.2.0.2.v7

Versions 11.2.0.3, 11.2.0.4, 12.1.0.1 and 12.1.0.2

These versions are built on the PSUs from July 2013, January 2014, July 2014, October 2014, January 2015, April 2015, July 2015, October 2015 and January 2016:

Version 11.2.0.3    11.2.0.3.v1, 11.2.0.3.v2, 11.2.0.3.v3, 11.2.0.3.v4
Version 11.2.0.4    11.2.0.4.v1, 11.2.0.4.v2 (Deprecated), 11.2.0.4.v3, 11.2.0.4.v4, 11.2.0.4.v5, 11.2.0.4.v7
Version 12.1.0.1    12.1.0.1.v1, 12.1.0.1.v2, 12.1.0.1.v3, 12.1.0.1.v4
Version 12.1.0.2    12.1.0.2.v1, 12.1.0.2.v2, 12.1.0.2.v3

The PSU that each of these versions includes is given in that version's release notes below (for example, 11.2.0.3.v1 includes PSU 11.2.0.3.7 from July 2013, and 11.2.0.3.v2 includes PSU 11.2.0.3.12 from October 2014).

Oracle has determined that patching for the following versions will end (support Doc 742060.1):

• Oracle version 11.2.0.2 – Patching ended in October 2013.

• Oracle version 11.2.0.3 – Patching ended in July 2015. Version 11.2.0.3.v4 is the final release of 11.2.0.3.

• Oracle version 12.1.0.1 – Patching is set to end in August 2016, but patching will continue for 12.1.0.1 for six months after Standard Edition 2 is released for 12.1.0.2.

Database Engine Version: 11.2.0.2.v3

What's New in Version 11.2.0.2.v3

This version includes Oracle PSU 11.2.0.2.3.

Baseline: Oracle Database Patch Set Update (PSU) 11.2.0.2.3

Bugs fixed: 10151017, 10158965, 11724916, 10190642, 12586486, 12586487, 10129643, 12586488,

12586489, 10018789, 9744252, 10248523, 9956713, 10356513, 9715581, 9770451, 10378005, 10170431,

10425676, 10222719, 10126094, 9591812, 10127360, 10132870, 10094201, 9443361, 10193846,

11664046, 11069199, 10324294, 10245086, 12586490, 10205230, 12586491, 10052141, 12586492,

12586493, 12586494, 10142788, 11818335, 11830776, 12586495, 9905049, 11830777, 12586496,

11830778, 6892311, 10040921, 10077191, 10358019, 12431716, 10219576, 10258337, 11707699,

10264680, 10209232, 11651810, 10102506, 11067567, 9881076, 10278372, 10040531, 10621169,

10155605, 10082277, 10356782, 10218814, 9078442, 9788588, 10157249, 9735237, 10317487,

12326246, 11707302, 10310299, 10636231, 10230571, 11065646, 12419321, 10368698, 10079168,

10013431, 10228151, 10233732, 10324526, 8223165, 10238786, 10217802, 10061015, 9953542,

9572787, 10052956, 10080579, 11699057, 12620422, 10332111, 10227288, 10329146, 10332589,

10110863, 10073683, 9869401, 10019218, 10229719, 11664719, 9539440, 10373381, 9735282, 9748749,

11724984, 10022980, 10411618, 11800854, 12419331, 11674485, 10187168, 6523037, 10648873,

9724970, 10053725, 10084145, 10367188, 11800170, 11695285, 10157402, 9651350, 10299224


Database Engine Version: 11.2.0.2.v4 or 11.2.0.2.v5

What's New in Version 11.2.0.2.v4 or 11.2.0.2.v5

This version includes Oracle PSU 11.2.0.2.7 and adds support for importing data using Oracle Data Pump.

Baseline: Oracle Database Patch Set Update (PSU) 11.2.0.2.7

Bugs fixed: 10249791, 11877623, 12569737, 14038791, 10026601, 12378147, 10115630, 11814891,

14127510, 10412247, 13923804, 12656535, 9709292, 10220033, 10092858, 12391602, 12323180,

10142857, 10620808, 12579349, 12337012, 12879027, 11811073, 11064851, 13001379, 9903826,

11738259, 14107384, 10207092, 14107385, 11882425, 9858539, 14107386, 14107387, 10633840,

14107388, 10419629, 14107389, 11708510, 10131867, 14040433, 11063191, 13916709, 12880299,

11872103, 12595730, 11056082, 12596444, 13099577, 13632725, 10031806, 13769501, 13769502,

13769503, 13769504, 9744252, 13769505, 9956713, 13769506, 13769507, 9972680, 13769508,

13769509, 11853815, 10635701, 9591812, 10127360, 11723722, 9443361, 12846268, 12846269,

9707965, 10245086, 9401552, 10039731, 11689702, 13769510, 12366627, 10077191, 9829397,

11785938, 10258337, 10264680, 10094823, 10209232, 10284570, 8672862, 9672816, 12830339,

9881076, 10621169, 10048701, 12569482, 9078442, 11057263, 10322959, 12780098, 12976376,

12340939, 11788856, 8223165, 10264696, 10142909, 11800959, 13476583, 10052956, 10285022,

10329146, 10332589, 9895207, 9869401, 12828071, 9285259, 10229719, 11724984, 10411618,

11670161, 9724970, 10113990, 10312847, 11893621, 10200390, 10084145, 10367188, 10285394,

10190642, 12586486, 12586487, 10129643, 12586488, 12917230, 12586489, 11866952, 10232083,

9715581, 10302581, 11690639, 12423475, 11889177, 10126094, 10396041, 10269503, 9970255,

9436324, 12400751, 12589039, 11785390, 12586490, 12586491, 12586492, 9795214, 12586493,

10142788, 12586494, 12586495, 9905049, 12586496, 11674898, 10419984, 6892311, 11815753,

10358019, 12431716, 9906422, 10422126, 13343244, 11937253, 9965655, 11890804, 11651810,

9382956, 11067567, 11716621, 10126822, 9869287, 9375300, 10155605, 10356782, 10326338,

10165083, 10051315, 13696224, 10218814, 13554409, 11076894, 10278773, 11707302, 10230571,

12419321, 9966609, 12633340, 12546006, 10137324, 11894889, 10061015, 9572787, 10284838,

10073683, 12639234, 9578670, 9748749, 10022980, 10237773, 10089333, 12419331, 11674485,

12685431, 10187168, 10648873, 10158965, 11061775, 12635537, 9746210, 10204358, 10356513,

10378005, 10170431, 12639177, 10222719, 10384285, 10035737, 12345717, 9873405, 11069199,

12670165, 10159846, 13257247, 10205230, 10052141, 11818335, 12371955, 12655433, 10040921,

11827088, 10219576, 12408350, 13343424, 11707699, 12370722, 11695333, 11841309, 11924400,

12737666, 12797765, 10281887, 10278372, 10013177, 13503598, 12543639, 10157249, 12531263,

9735237, 10317487, 10219583, 9727147, 10310299, 10636231, 11065646, 10055063, 10368698,

10079168, 11695416, 10233732, 10314582, 9953542, 10080579, 11699057, 12620422, 10427260,

11666137, 10110863, 10363186, 10417716, 10019218, 10388660, 12748240, 9539440, 10373381,

10239480, 10158493, 11842991, 10399808, 10417216, 11695285, 11800170, 10157402, 9651350,

10299224, 10151017, 11724916, 9564886, 9847634, 10018789, 10248523, 11694127, 10630870,

9770451, 10425676, 9683047, 10180307, 9835264, 10132870, 10094201, 10193846, 11664046,

10324294, 9414040, 9819805, 11830776, 11830777, 11830778, 11683713, 10200404, 10102506,

12827726, 11733179, 10229886, 10040531, 10082277, 9788588, 12326246, 12397410, 10622001,

13468884, 13386082, 10040035, 12539000, 11867127, 9842573, 9771278, 10013431, 10228151,

10324526, 12417369, 10238786, 10217802, 10332111, 10227288, 10623249, 9943960, 10021022,

9824435, 11664719, 12950644, 9735282, 11800854, 10097711, 11858315, 6523037, 10053725, 8685446

Database Engine Version: 11.2.0.2.v6

What's New in Version 11.2.0.2.v6

This version includes Oracle PSU 11.2.0.2.8.


Baseline: Oracle Database Patch Set Update (PSU) 11.2.0.2.8

Bugs fixed: 13250244, 13737746, 11063821, 12409916, 14461356, 14461357, 11878443, 14461358,

14683459, 14275621, 14467061, 10114837, 12649442, 10207551, 12794305, 14473913, 10171273,

10373013, 10210507, 11883472, 13080778, 10172453, 14624146, 14613900, 10213073, 9373370,

9478199, 9877980, 10021111, 10228393, 12899768, 12713993, 9470768, 14390377, 10140809,

12894807, 11686968, 12374212, 12764337, 12326708, 9956835, 11734067, 7312717, 11775474,

12834027, 13326736, 9952554, 10249791, 11877623, 12569737, 14038791, 10026601, 12378147,

10115630, 11814891, 14127510, 10412247, 13923804, 12656535, 9709292, 10220033, 10092858,

12391602, 12323180, 10142857, 10620808, 12579349, 12337012, 12879027, 11811073, 11064851,

13001379, 9903826, 11738259, 14107384, 10207092, 14107385, 11882425, 9858539, 14107386,

14107387, 10633840, 14107388, 10419629, 14107389, 11708510, 10131867, 14040433, 11063191,

13916709, 12880299, 11872103, 12595730, 11056082, 12596444, 13099577, 13632725, 10031806,

13769501, 13769502, 13769503, 13769504, 9744252, 13769505, 9956713, 13769506, 13769507,

9972680, 13769508, 13769509, 11853815, 10635701, 9591812, 10127360, 11723722, 9443361,

12846268, 12846269, 9707965, 10245086, 9401552, 10039731, 11689702, 13769510, 12366627,

10077191, 9829397, 11785938, 10258337, 10264680, 10094823, 10209232, 10284570, 8672862,

9672816, 12830339, 9881076, 10621169, 10048701, 12569482, 9078442, 11057263, 10322959,

12780098, 12976376, 12340939, 11788856, 8223165, 10264696, 10142909, 11800959, 13476583,

10052956, 10285022, 10329146, 10332589, 9895207, 9869401, 12828071, 9285259, 10229719,

11724984, 10411618, 11670161, 9724970, 10113990, 10312847, 11893621, 10200390, 10084145,

10367188, 10285394, 10190642, 12586486, 12586487, 10129643, 12586488, 12917230, 12586489,

11866952, 10232083, 9715581, 10302581, 11690639, 12423475, 11889177, 10126094, 10396041,

10269503, 9970255, 9436324, 12400751, 12589039, 11785390, 12586490, 12586491, 12586492,

9795214, 12586493, 10142788, 12586494, 12586495, 9905049, 12586496, 11674898, 10419984,

6892311, 11815753, 10358019, 12431716, 9906422, 10422126, 13343244, 11937253, 9965655,

11890804, 11651810, 9382956, 11067567, 11716621, 10126822, 9869287, 9375300, 10155605,

10356782, 10326338, 10165083, 10051315, 13696224, 10218814, 13554409, 11076894, 10278773,

11707302, 10230571, 12419321, 9966609, 12633340, 12546006, 10137324, 11894889, 10061015,

9572787, 10284838, 10073683, 12639234, 9578670, 9748749, 10022980, 10237773, 10089333,

12419331, 11674485, 12685431, 10187168, 10648873, 10158965, 11061775, 12635537, 9746210,

10204358, 10356513, 10378005, 10170431, 12639177, 10222719, 10384285, 10035737, 12345717,

9873405, 11069199, 12670165, 10159846, 13257247, 10205230, 10052141, 11818335, 12371955,

12655433, 10040921, 11827088, 10219576, 12408350, 13343424, 11707699, 12370722, 11695333,

11841309, 11924400, 12737666, 12797765, 10281887, 10278372, 10013177, 13503598, 12543639,

10157249, 12531263, 9735237, 10317487, 10219583, 9727147, 10310299, 10636231, 11065646,

10055063, 10368698, 10079168, 11695416, 10233732, 10314582, 9953542, 10080579, 11699057,

12620422, 10427260, 11666137, 10110863, 10363186, 10417716, 10019218, 10388660, 12748240,

9539440, 10373381, 10239480, 10158493, 11842991, 10399808, 10417216, 11695285, 11800170,

10157402, 9651350, 10299224, 10151017, 11724916, 9564886, 9847634, 10018789, 10248523,

11694127, 10630870, 9770451, 10425676, 9683047, 10180307, 9835264, 10132870, 10094201,

10193846, 11664046, 10324294, 9414040, 9819805, 11830776, 11830777, 11830778, 11683713,

10200404, 10102506, 12827726, 11733179, 10229886, 10040531, 10082277, 9788588, 12326246,

12397410, 10622001, 13468884, 13386082, 10040035, 12539000, 11867127, 9842573, 9771278,

10013431, 10228151, 10324526, 12417369, 10238786, 10217802, 10332111, 10227288, 10623249,

9943960, 10021022, 9824435, 11664719, 12950644, 9735282, 11800854, 10097711, 11858315, 6523037,

10053725, 8685446

Database Engine Version: 11.2.0.2.v7

What's New in Version 11.2.0.2.v7

This version adds support for the following:

• Retaining Archived Redo Logs (for version 11.2.0.2.v7 and later) (p. 321)

• Oracle PSU 11.2.0.2.10


Baseline: Oracle Database Patch Set Update (PSU) 11.2.0.2.10 (April 2013)

Bugs fixed: 16344871, 9671271, 16294412, 14841558, 12579446, 16056267, 10435074, 14273397,

12428791, 12314102, 10138589, 14841812, 12842402, 16303117, 10372924, 12539487, 12594032,

13377816, 16303116, 16175381, 14220725, 13561951, 9868876, 9913542, 16303114, 10362871,

9801919, 12755116, 13524899, 16303115, 10350832, 16303118, 12582664, 13596521, 14459552,

13810393, 13147164, 15896431, 10247152, 14076523, 10395345, 14023636, 13467683, 11706168,

15896427, 14263073, 9926929, 10190172, 11715084, 15896432, 9896536, 15896428, 15896429,

14841437, 12420002, 14262913, 13399435, 10396874, 8547978, 14727315, 15896434, 14546575,

9860769, 14258925, 15896433, 14546638, 11834448, 14741727, 14546673, 12845115, 15896430,

12595561, 13550185, 14263036, 9912965, 14205448, 15896435, 14035825, 12848798, 11856395,

10175192, 14469008, 12313857, 9233544, 9681133, 13250244, 13737746, 11063821, 12409916,

14461356, 14461357, 11878443, 14461358, 14683459, 14275621, 14467061, 10114837, 12649442,

10207551, 12794305, 14473913, 10171273, 10373013, 10210507, 11883472, 13080778, 10172453,

14624146, 14613900, 10213073, 9373370, 9478199, 9877980, 10021111, 10228393, 12899768,

12713993, 9470768, 14390377, 10140809, 12894807, 11686968, 12374212, 12764337, 12326708,

9956835, 11734067, 7312717, 11775474, 12834027, 13326736, 9952554, 10249791, 11877623,

12569737, 14038791, 10026601, 12378147, 10115630, 11814891, 14127510, 10412247, 13923804,

12656535, 9709292, 10220033, 10092858, 12391602, 12323180, 10142857, 10620808, 12579349,

12337012, 12879027, 11811073, 11064851, 13001379, 9903826, 11738259, 14107384, 10207092,

14107385, 11882425, 9858539, 14107386, 14107387, 10633840, 14107388, 10419629, 14107389,

11708510, 10131867, 14040433, 11063191, 13916709, 12880299, 11872103, 12595730, 11056082,

12596444, 13099577, 13632725, 10031806, 13769501, 13769502, 13769503, 13769504, 9744252,

13769505, 9956713, 13769506, 13769507, 9972680, 13769508, 13769509, 11853815, 10635701,

9591812, 10127360, 11723722, 9443361, 12846268, 12846269, 9707965, 10245086, 9401552, 10039731,

11689702, 13769510, 12366627, 10077191, 9829397, 11785938, 10258337, 10264680, 10094823,

10209232, 10284570, 8672862, 9672816, 12830339, 9881076, 10621169, 10048701, 12569482, 9078442,

11057263, 10322959, 12780098, 12976376, 12340939, 11788856, 8223165, 10264696, 10142909,

11800959, 13476583, 10052956, 10285022, 10329146, 10332589, 9895207, 9869401, 12828071,

9285259, 10229719, 11724984, 10411618, 11670161, 9724970, 10113990, 10312847, 11893621,

10200390, 10084145, 10367188, 10285394, 10190642, 12586486, 12586487, 10129643, 12586488,

12917230, 12586489, 11866952, 10232083, 9715581, 10302581, 11690639, 12423475, 11889177,

10126094, 10396041, 10269503, 9970255, 9436324, 12400751, 12589039, 11785390, 12586490,

12586491, 12586492, 9795214, 12586493, 10142788, 12586494, 12586495, 9905049, 12586496,

11674898, 10419984, 6892311, 11815753, 10358019, 12431716, 9906422, 10422126, 13343244,

11937253, 9965655, 11890804, 11651810, 9382956, 11067567, 11716621, 10126822, 9869287, 9375300,

10155605, 10356782, 10326338, 10165083, 10051315, 13696224, 10218814, 13554409, 11076894,

10278773, 11707302, 10230571, 12419321, 9966609, 12633340, 12546006, 10137324, 11894889,

10061015, 9572787, 10284838, 10073683, 12639234, 9578670, 9748749, 10022980, 10237773,

10089333, 12419331, 11674485, 12685431, 10187168, 10648873, 10158965, 11061775, 12635537,

9746210, 10204358, 10356513, 10378005, 10170431, 12639177, 10222719, 10384285, 10035737,

12345717, 9873405, 11069199, 12670165, 10159846, 13257247, 10205230, 10052141, 11818335,

12371955, 12655433, 10040921, 11827088, 10219576, 12408350, 13343424, 11707699, 12370722,

11695333, 11841309, 11924400, 12737666, 12797765, 10281887, 10278372, 10013177, 13503598,

12543639, 10157249, 12531263, 9735237, 10317487, 10219583, 9727147, 10310299, 10636231,

11065646, 10055063, 10368698, 10079168, 11695416, 10233732, 10314582, 9953542, 10080579,

11699057, 12620422, 10427260, 11666137, 10110863, 10363186, 10417716, 10019218, 10388660,

12748240, 9539440, 10373381, 10239480, 10158493, 11842991, 10399808, 10417216, 11695285,

11800170, 10157402, 9651350, 10299224, 10151017, 11724916, 9564886, 9847634, 10018789,

10248523, 11694127, 10630870, 9770451, 10425676, 9683047, 10180307, 9835264, 10132870,

10094201, 10193846, 11664046, 10324294, 9414040, 9819805, 11830776, 11830777, 11830778,

11683713, 10200404, 10102506, 12827726, 11733179, 10229886, 10040531, 10082277, 9788588,

12326246, 12397410, 10622001, 13468884, 13386082, 10040035, 12539000, 11867127, 9842573,

9771278, 10013431, 10228151, 10324526, 12417369, 10238786, 10217802, 10332111, 10227288,


10623249, 9943960, 10021022, 9824435, 11664719, 12950644, 9735282, 11800854, 10097711,

11858315, 6523037, 10053725, 8685446

Database Engine Version: 11.2.0.3.v1

What's New in Version 11.2.0.3.v1

This version adds support for the following:

• Disconnecting a Session (for version 11.2.0.3.v1 and later) (p. 316)

• Renaming the Global Name (for version 11.2.0.3.v1 and later) (p. 316)

• Setting Force Logging (for version 11.2.0.3.v1 and later) (p. 320)

• Setting Supplemental Logging (for version 11.2.0.3.v1 and later) (p. 321)

• Setting Distributed Recovery (for version 11.2.0.3.v1 and later) (p. 322)

• Listing and Reading Files in a DB Instance Directory (for version 11.2.0.3.v1 and later) (p. 325)

• Oracle PSU 11.2.0.3.7

Baseline: Oracle Database Patch Set Update (PSU) 11.2.0.3.7 (July 2013)

Bugs fixed: 13593999, 13566938, 10350832, 14138130, 12919564, 13561951, 13624984, 13588248,

13080778, 13914613, 13804294, 14258925, 12873183, 13645875, 14472647, 12880299, 14664355,

12998795, 14409183, 13719081, 14469008, 13492735, 14263036, 12857027, 13496884, 13015379,

14263073, 13742433, 13732226, 16314469, 16368108, 12905058, 6690853, 13742434, 12849688,

12950644, 13742435, 13464002, 13063120, 13534412, 12879027, 13958038, 14613900, 12585543,

13790109, 12535346, 16382448, 12588744, 11877623, 12395918, 13814739, 13786142, 12847466,

13649031, 13855490, 13981051, 12582664, 12797765, 14262913, 12923168, 16279401, 12912137,

13612575, 13384182, 13466801, 13484963, 14207163, 13724193, 13772618, 11063191, 16694777,

13070939, 12797420, 15869211, 13041324, 16279211, 16314467, 16314468, 12976376, 11708510,

13680405, 13742437, 13026410, 14589750, 13737746, 13742438, 14644185, 15841373, 13326736,

13596521, 14398795, 13579992, 13001379, 16344871, 13099577, 9873405, 13742436, 14275605,

9858539, 14841812, 11715084, 16231699, 14040433, 9703627, 12662040, 12617123, 16530565,

14207317, 12845115, 12764337, 13354082, 14459552, 13397104, 13913630, 12964067, 12983611,

13550185, 12780983, 13810393, 12583611, 14546575, 15862016, 13476583, 13489024, 11840910,

13903046, 15862017, 13572659, 16294378, 13718279, 14088346, 13657605, 13448206, 16314466,

14480676, 13419660, 13632717, 14668670, 14063281, 14110275, 13430938, 13467683, 13420224,

13812031, 14548763, 16299830, 12646784, 14512189, 12755116, 14035825, 13616375, 13427062,

12861463, 12834027, 15862021, 13632809, 13377816, 13036331, 14727310, 16619892, 13685544,

13499128, 15862018, 13584130, 16175381, 12829021, 15862019, 12794305, 14546673, 12791981,

13561750, 13503598, 13787482, 10133521, 12718090, 13848402, 13399435, 14023636, 9095696,

13860201, 12401111, 13257247, 13362079, 14176879, 12917230, 16014985, 13923374, 14220725,

13524899, 14480675, 16306019, 13559697, 12974860, 9706792, 12940620, 14480674, 13916709,

13098318, 14076523, 13773133, 15905421, 16794244, 13340388, 12731940, 13528551, 13366202,

12894807, 13343438, 13454210, 12748240, 14205448, 13385346, 14127231, 15853081, 14273397,

14467061, 12971775, 13923995, 14571027, 13582702, 13907462, 10242202, 13493847, 13857111,

13035804, 13544396, 16382353, 8547978, 14226599, 16794241, 14062795, 13035360, 12925089,

12693626, 13332439, 14038787, 11071989, 14062796, 16794243, 12913474, 14841409, 14390252,

16314470, 13370330, 13059165, 14062797, 14062794, 12959852, 12345082, 13358781, 12960925,

16703112, 9659614, 14546638, 13699124, 13936424, 14301592, 16794240, 13338048, 12938841,

12658411, 12620823, 12656535, 14062793, 12678920, 13038684, 14062792, 13807411, 16742095,

16794238, 15862022, 12594032, 13250244, 12612118, 9761357, 14053457, 13742464, 14052474,

13911821, 13457582, 7509451, 13527323, 13791364, 15862020, 13910420, 12780098, 13502183,


13696216, 13705338, 10263668, 14841558, 16794242, 15862023, 16056266, 16794239, 15862024,

13554409, 13645917, 13103913, 12772404, 13011409, 14063280, 13328193, 16799735

Database Engine Version: 11.2.0.3.v2

What's New in Version 11.2.0.3.v2

This version adds support for the following:

• Oracle Database Patch Set Update (PSU) 11.2.0.3.12 (patch 19121548, released in October 2014).

• Latest DST file (DSTv23 – patch 19396455, released in October 2014). This patch is incorporated by default in new instances only.

• Added Database Patch 19695885 – Oracle GoldenGate Integrated Extract for 11.2.0.3.12.

• Upgrade paths available: You can upgrade from 11.2.0.3.v2 to later versions of 11.2.0.3 as they become available. You can also upgrade from 11.2.0.3.v2 to 11.2.0.4.v3 or later versions of 11.2.0.4 as they become available.

Baseline: Oracle Database Patch Set Update (PSU) 11.2.0.3.12 (October 2014)

Bugs fixed: 19396455, 18759211, 17432124, 16799735, 14744263, 14175146, 13652437, 16238044,

13516727, 13328193, 14050233, 13593999, 10350832, 19433746, 14138130, 12919564, 14198511,

13561951, 13588248, 13080778, 13804294, 16710324, 18031683, 12873183, 16992075, 14193240,

14472647, 12880299, 14799269, 13369579, 13840704, 14409183, 13492735, 13496884, 12857027,

14263036, 13834436, 16038929, 13015379, 14263073, 17748833, 16563678, 13732226, 13866822,

13742434, 13944971, 12950644, 12899768, 17748831, 16929165, 16272008, 13063120, 13958038,

14613900, 13503204, 13972394, 11877623, 13072654, 17088068, 12395918, 16710753, 13429702,

13814739, 17343514, 13649031, 10256843, 13981051, 15981698, 13901201, 12797765, 17333200,

19211724, 12923168, 16761566, 13384182, 16279401, 13466801, 15996344, 14207163, 18673304,

13596581, 13724193, 11063191, 13642044, 12940637, 18641419, 12595606, 9163477, 15931756,

14052871, 18262334, 13945708, 12797420, 14123213, 13041324, 12865902, 15869211, 14003090,

16314468, 16019955, 11708510, 17865671, 14637368, 13026410, 13737746, 13742438, 15841373,

16347904, 15910002, 16088176, 19517437, 16362358, 16505333, 14398795, 14182835, 13579992,

16344871, 10182005, 10400244, 13742436, 14275605, 9858539, 14841812, 16338983, 9703627,

13483354, 14393728, 14207317, 17165204, 12764337, 16902043, 14459552, 14191508, 14588746,

12964067, 12780983, 12583611, 14383007, 14546575, 13476583, 15862016, 13489024, 12985237,

17748830, 19554106, 14088346, 13448206, 19458377, 16314466, 13419660, 18139695, 12591399,

14110275, 13430938, 13467683, 17767676, 14548763, 19638161, 13424216, 12834027, 13632809,

13853126, 13377816, 13036331, 14727310, 9812682, 12320556, 16747736, 13584130, 16175381,

17468141, 12829021, 14138823, 15862019, 12794305, 14546673, 12791981, 13503598, 13787482,

10133521, 12744759, 13399435, 19433747, 14762511, 13553883, 14023636, 9095696, 12977562,

14343501, 13860201, 13257247, 14176879, 13783957, 16014985, 12312133, 14480675, 13146182,

16306019, 13559697, 12974860, 9706792, 12940620, 13098318, 15883525, 13773133, 16794244,

13340388, 13528551, 13366202, 12894807, 13259364, 12747437, 13454210, 12748240, 13385346,

15987992, 13923995, 16101465, 14571027, 13582702, 12784406, 13907462, 13493847, 13035804,

13857111, 16710363, 13544396, 10110625, 14128555, 12813641, 8547978, 14226599, 17478415,

17050888, 17333197, 9397635, 14007968, 13912931, 12693626, 12925089, 14189694, 17761775,

12815057, 16721594, 13332439, 14038787, 11071989, 12596444, 14207902, 14062796, 12913474,

14390252, 13370330, 16314470, 14062794, 13358781, 12960925, 17333202, 9659614, 14546638,

13699124, 13936424, 19433745, 9797851, 16794240, 14301592, 13338048, 12938841, 12620823,

12656535, 12678920, 13719292, 14488943, 14062792, 16850197, 14791477, 13807411, 16794238,

13250244, 12594032, 15862022, 15826962, 14098509, 12612118, 9761357, 18096714, 14053457,

13918644, 13527323, 10625145, 12797620, 18173595, 19289642, 15862020, 13910420, 12780098,

13696216, 14774091, 14841558, 10263668, 13849733, 16794242, 16944698, 15862023, 16056266,

API Version 2014-10-31

366

Amazon Relational Database Service User Guide

Database Engine Version: 11.2.0.3.v3

13834065, 13853654, 14351566, 13723052, 18173593, 14063280, 13011409 13566938, 13737888,

13624984, 16024441, 17333199, 13914613, 17540582 14258925, 14222403, 14755945, 13645875,

12571991, 13839641, 14664355 12998795, 13719081, 14469008, 13361350, 14188650, 17019974,

13742433 14508968, 16314469, 16368108, 12905058, 6690853, 13647945, 16212405 12849688,

13742435, 13464002, 18681866, 12879027, 13534412, 18522512 12585543, 12747740, 12535346,

13878246, 13790109, 16382448, 12588744 13916549, 13786142, 12847466, 13855490, 13551402,

12582664, 13871316 14657740, 14262913, 17332800, 14558880, 14695377, 12912137, 13612575

12387467, 13484963, 14163397, 17437634, 13772618, 16694777, 13070939 15994107, 13605839,

14369664, 12391034, 12588237, 16279211, 16314467 12945879, 15901852, 12976376, 7276499,

12755231, 13680405, 13742437 14589750, 14318397, 11868640, 14644185, 13326736, 13596521,

13001379 12898558, 17752121, 13099577, 13911711, 9873405, 18673325, 16372203 16344758,

11715084, 9547706, 16231699, 14040433, 12662040, 12617123 14406648, 17748832, 16530565,

12845115, 16844086, 13354082, 17748834 13794550, 13397104, 19537916, 13913630, 16524926,

16462834, 12983611 13550185, 13810393, 14121009, 13065099, 11840910, 13903046, 15862017

13572659, 16294378, 13718279, 13657605, 17716305, 14480676, 13632717 14668670, 14063281,

14158012, 13736413, 13420224, 13812031, 12646784 16299830, 14512189, 10359307, 12755116,

17230530, 13616375, 14035825 13366199, 13427062, 18673342, 12861463, 13092220, 15862021,

17721717 13043012, 16619892, 13685544, 18325460, 13499128, 15862018, 19727057 13839336,

13866372, 13561750, 12718090, 13848402, 13725395, 5144934 12401111, 12796518, 13362079,

12917230, 12614359, 13042639, 14408859 13923374, 11732473, 14220725, 12621588, 13524899,

14480674, 14751895 13916709, 14781609, 14076523, 15905421, 12731940, 13343438, 17748835

14205448, 17082364, 14127231, 15853081, 14273397, 16844448, 14467061 12971775, 16864562,

14489591, 14497307, 12748538, 13872868, 10242202 14230270, 13931044, 13686047, 16382353,

14095982, 17333203, 19121548 13591624, 14523004, 13440516, 16794241, 13499412, 13035360,

14062795 12411746, 13040943, 13843646, 12905053, 18173592, 16794243, 13477790 14841409,

14609690, 14062797, 13059165, 12959852, 12345082, 16703112 13890080, 17333198, 16048375,

16450169, 12658411, 13780035, 14062793 19271438, 19259446, 13038684, 18740215, 16742095,

13742464, 13066936 14052474, 13060271, 13911821, 13457582, 7509451, 19710542, 13791364

12821418, 13502183, 13705338, 14237793, 16794239, 13554409, 15862024 13103913, 13645917,

12772404

Database Engine Version: 11.2.0.3.v3

What's New in Version 11.2.0.3.v3

This version adds support for the following:

• Oracle Database Patch Set Update (PSU) 11.2.0.3.14 (patch 20299017, released in April 2015)

• Installs additional Oracle Text knowledge bases from the Oracle Database Examples media (English and French)

• Provides access to DBMS_REPAIR through RDSADMIN.RDSADMIN_DBMS_REPAIR

• Grants ALTER DATABASE LINK, ALTER PUBLIC DATABASE LINK, EXEMPT ACCESS POLICY, EXEMPT IDENTITY POLICY, and EXEMPT REDACTION POLICY to the master user

Baseline: Oracle Database Patch Set Update (PSU) 11.2.0.3.14 (April 2015)

Bugs fixed: (list of Oracle bug numbers omitted)

Database Engine Version: 11.2.0.3.v4

What's New in Version 11.2.0.3.v4

This version adds support for the following:

• Oracle Database Patch Set Update (PSU) 11.2.0.3.15 (20760997)

• Includes the Daylight Saving Time patch (patch 20875898, DST-24), which came out after the April 2015 PSU.

Baseline: Oracle Database Patch Set Update (PSU) 11.2.0.3.15 (July 2015)

Bugs fixed: (list of Oracle bug numbers omitted)

Database Engine Version: 11.2.0.4.v1

What's New in Version 11.2.0.4.v1

This version adds support for the following:

• Creating New Directories in the Main Data Storage Space (for version 11.2.0.4.v1 and later) (p. 324)

• Oracle PSU 11.2.0.4.1

Baseline: Oracle Database Patch Set Update (PSU) 11.2.0.4.1 (January 2014)

Bugs fixed: 17432124, 16850630, 17551709, 13944971, 17811447, 13866822, 17811429, 16069901, 16721594, 17443671, 17478514, 17612828, 17610798, 17239687, 17501491, 17446237, 16450169, 17811438, 17288409, 17811456, 12905058, 17088068, 16285691, 17332800

Database Engine Version: 11.2.0.4.v2 (Deprecated)

What's New in Version 11.2.0.4.v2

This version adds support for the following:

• Oracle Database Patch Set Update (PSU) 11.2.0.4.3 (patch 18522509, released July 2014)

• User access to the DBMS_TRANSACTION package to clean up failed distributed transactions

• Latest DST file (DSTv22 – patch 18759211, released in June 2014). This patch is incorporated by default only in new Oracle DB instances.

• Grants DBMS_REPUTIL to DBA role (upgrade to 11.2.0.4 revokes it from public)


• Privileges granted on DBMS_TRANSACTION, v$pending_xatrans$, and v$xatrans$

• Resolves a problem with DDL commands when user objects have “SYSTEM” in their names

• Installs schema objects to support XA Transactions, allowing transactions to be managed by an external transaction manager

• Permits truncation of temporary SYS and SYSTEM objects, allowing tools like LogMiner to function correctly

Baseline: Oracle Database Patch Set Update (PSU) 11.2.0.4.3 (July 2014)

Bugs fixed: (list of Oracle bug numbers omitted)

Database Engine Version: 11.2.0.4.v3

What's New in Version 11.2.0.4.v3

This version adds support for the following:

• Oracle Database Patch Set Update (PSU) 11.2.0.4.4 (patch 19121551, released in October 2014)

• Latest DST file (DSTv23 – patch 19396455, released in October 2014). This patch is incorporated by default in new instances only.

Baseline: Oracle Database Patch Set Update (PSU) 11.2.0.4.4 (October 2014)

Bugs fixed: (list of Oracle bug numbers omitted)

Database Engine Version: 11.2.0.4.v4

What's New in Version 11.2.0.4.v4

This version adds support for the following:

• Oracle Database Patch Set Update (PSU) 11.2.0.4.6 (patch 20299013, released in April 2015)

• Installs additional Oracle Text knowledge bases from the Oracle Database Examples media (English and French)

• Provides access to DBMS_REPAIR through RDSADMIN.RDSADMIN_DBMS_REPAIR

• Grants ALTER DATABASE LINK, ALTER PUBLIC DATABASE LINK, EXEMPT ACCESS POLICY, EXEMPT IDENTITY POLICY, and EXEMPT REDACTION POLICY to the master user
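The following PL/SQL block is an added post-upgrade check, not code from the AWS guide or from Oracle: it covers two points made in these release notes, that a newer DST file is applied by default only to new instances (so an upgraded instance may still carry an older time zone file) and that the EXEMPT ACCESS POLICY, EXEMPT IDENTITY POLICY and EXEMPT REDACTION POLICY privileges, which bypass VPD and Data Redaction, are now held by the master user. It assumes it is run as the master user, that the catalog views V$TIMEZONE_FILE, DBA_REGISTRY_HISTORY and DBA_SYS_PRIVS are readable, and that the expected DST version (23, from the 11.2.0.3.v2 notes) is adjusted to the engine version in use.

```sql
-- Added example (not from the AWS guide): verify the patch level of an RDS Oracle 11.2
-- instance after an engine upgrade and list every grantee that can bypass row-level
-- security or redaction. Expected DST version is an assumption taken from the notes above.
SET SERVEROUTPUT ON
DECLARE
  c_expected_dst CONSTANT NUMBER := 23;   -- DSTv23 per the 11.2.0.3.v2 / 11.2.0.4.v3 notes
  v_dst_version  NUMBER;
  v_psu_seen     NUMBER := 0;
BEGIN
  -- 1. Time zone file: the release notes say the DST patch is incorporated by default in
  --    new instances only, so check what this instance is actually running.
  SELECT version INTO v_dst_version FROM v$timezone_file;
  IF v_dst_version < c_expected_dst THEN
    DBMS_OUTPUT.PUT_LINE('WARNING: time zone file is DSTv' || v_dst_version ||
                         ', expected DSTv' || c_expected_dst || ' or later');
  ELSE
    DBMS_OUTPUT.PUT_LINE('OK: time zone file is DSTv' || v_dst_version);
  END IF;

  -- 2. PSU history: DBA_REGISTRY_HISTORY records each applied Patch Set Update, so the
  --    baseline named in the release notes should appear here.
  FOR r IN (SELECT action_time, action, version, id, comments
              FROM dba_registry_history
             WHERE bundle_series = 'PSU'
             ORDER BY action_time) LOOP
    v_psu_seen := v_psu_seen + 1;
    DBMS_OUTPUT.PUT_LINE(TO_CHAR(r.action_time, 'YYYY-MM-DD') || ' ' || r.action ||
                         ' ' || r.version || ' id=' || r.id || ' ' || r.comments);
  END LOOP;
  IF v_psu_seen = 0 THEN
    DBMS_OUTPUT.PUT_LINE('WARNING: no PSU recorded in DBA_REGISTRY_HISTORY');
  END IF;

  -- 3. Privilege review: these EXEMPT privileges let a session ignore VPD policies and
  --    Data Redaction. The master user is expected; any other grantee needs justification.
  FOR r IN (SELECT grantee, privilege
              FROM dba_sys_privs
             WHERE privilege IN ('EXEMPT ACCESS POLICY',
                                 'EXEMPT IDENTITY POLICY',
                                 'EXEMPT REDACTION POLICY')
             ORDER BY grantee, privilege) LOOP
    DBMS_OUTPUT.PUT_LINE('EXEMPT grant: ' || r.grantee || ' -> ' || r.privilege);
  END LOOP;
END;
/
```

The same three checks apply to the 11.2.0.3.v3 notes earlier in this chapter, which introduce the same grants.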

Baseline: Oracle Database Patch Set Update (PSU) 11.2.0.4.6 (April 2015)

Bugs fixed: (list of Oracle bug numbers omitted)