undefined | Better HN

0 pointsfailTide2y ago0 comments

you'd still be exposing the database system itself to the public regardless of the credentials you were using for the email service, as opposed to keeping it all within a VPC which seems to be what most guides recommend.

I assume the difference would be that having your database exposed presents additional surface area for attacks. A rube-goldberg style setup probably presents its own risks, but personally I just use AWS SES for my transactional/marketing emails and it's a one-way pipe that doesn't present any significant risks as far as I can see.

0 comments

3 comments · 1 top-level

8organicbits2y ago· 2 in thread

Using a public facing database, but using an IP address allow-list to restrict access is pretty secure. cc should publish the IP addresses they use.

kashnote2y ago

It’s listed on the Data page! No need to open the database up to the whole internet. Just whitelist one IP.

sakopov2y ago

Doesn't matter. The database still is on a public subnet on customer's network. All it takes is for someone to jack up some kind of white list or access rule and the entire database is exposed. It's an attack vector. You can't do this nearly as easily when the database is in a private subnet w/ no access to internet.

4 more replies

j / k navigate · click thread line to collapse