If RDSADMIN is created by AWS, can Amazon actually access our database and data?

I created a new DB instance on AWS RDS. It created a default database named RDSADMIN. I created another DB for my project.

But my question is: can Amazon directly access my new DB data technically?

harsha asked May 30 '19 08:05


2 Answers

Since Amazon can (and does) run modified versions of database server software, nothing technically prevents them from accessing all of your data. In-place and in-transit encryption does not matter, as the data has to be decrypted on the server for SQL processing. The only technical way to guarantee that your data cannot be accessed by Amazon is to use client-side encryption on individual fields (which, of course, cannot be easily used for SQL query conditions afterwards).

That being said, there are legal and reputational restraints that prevent Amazon from doing that. However, those restraints do not cover cases where Amazon is required by law to provide access to your data to government agencies.

Kyrylo Shpytsya answered Sep 29 '22 22:09
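The client-side field encryption this answer describes, as an added example (not code from the answer or from AWS): the application encrypts a column value with a key it holds, so the row stored in RDS is opaque to anyone with server-side access, and the randomized nonce shows why the stored bytes cannot serve as a SQL equality condition. The key, the function names and the sample value are constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed 32-byte demo key; load it from a secret store in practice and never write it to the DB.
var demoKey = []byte("0123456789abcdef0123456789abcdef")

// gcmFor builds the AEAD; errors are ignored because callers pass a 32-byte key.
func gcmFor(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// EncryptField seals one column value client-side. What reaches RDS is
// nonce || AES-GCM ciphertext; the fresh nonce makes the same value encrypt
// differently every time, which is why "WHERE col = ?" cannot match on it.
func EncryptField(key []byte, plaintext string) ([]byte, error) {
	gcm := gcmFor(key)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(plaintext), nil), nil
}

// DecryptField recovers the value; only a holder of key can, and any edit to
// the stored bytes is rejected by the GCM authentication tag.
func DecryptField(key, stored []byte) (string, error) {
	gcm := gcmFor(key)
	ns := gcm.NonceSize()
	if len(stored) < ns {
		return "", errors.New("stored value too short")
	}
	pt, err := gcm.Open(nil, stored[:ns], stored[ns:], nil)
	return string(pt), err
}

func main() {
	a, _ := EncryptField(demoKey, "alice@example.com")
	b, _ := EncryptField(demoKey, "alice@example.com")
	pt, _ := DecryptField(demoKey, a)
	fmt.Printf("row1=%x\nrow2=%x\nclient sees=%s\n", a, b, pt)
}
```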


Technically they can, but that doesn't mean they do. In addition, everyone can use their own master key for in-place/in-transit encryption.

you can choose to encrypt the data stored on your Amazon RDS DB instance under a customer master key (CMK) in AWS KMS

See: https://docs.aws.amazon.com/kms/latest/developerguide/services-rds.html

Dzmitry Bahdanovich answered Sep 29 '22 23:09