# How to Access a Secured Database Server

Access to a secured database server passes through **multiple security layers** *before* any query is executed.

---

## 1. Network-Level Access (First Gate)
Controls **who can reach the database server**.

**Common mechanisms**
- Private network (VPC / VNet)
- Firewall / Security Groups
- IP whitelisting
- VPN or Bastion (Jump) Host

**Example flow**
```
User → VPN → Bastion Host → Private DB Server
```


---

## 2. Server Authentication (Second Gate)
Verifies the **identity of the user or service** accessing the server.

**Common methods**
- SSH key authentication
- Cloud IAM roles
- TLS certificates
- Kerberos / Active Directory

**Example**
```bash
ssh -i prod-key.pem dbadmin@10.0.2.15
```

---

## 3. Database Authentication (Third Gate)
The database engine validates credentials.

**Methods**
- Username & password
- Certificate-based authentication
- IAM token-based login
- LDAP / Active Directory integration

**Example**
```bash
psql -h db.internal -U analytics_user -d sales_db
```

---

## 4. Authorization & Roles (Fourth Gate)
Controls what actions the user can perform.

**Controls**
- Roles and privileges
- Schema-level permissions
- Row-Level Security (RLS)

**Example**
```sql
GRANT SELECT ON orders TO analytics_user;
```

---

## 5. Encryption (Always Enforced)
Protects data in transit and at rest.

**Encryption types**
- TLS/SSL for data in transit
- Disk-level encryption (AES-256) for data at rest

**Example**
```bash
psql "sslmode=require host=db.internal dbname=sales"
```

---

## 6. Auditing & Monitoring (Final Layer)
Tracks all access and activity for security and compliance.

**Monitored events**
- Login attempts (success/failure)
- Query execution
- Permission changes

**Common tools**
- Database audit logs
- Cloud monitoring (CloudWatch, Azure Monitor)
- SIEM tools (Splunk, ELK)
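
**Example**

Added example, not part of the original page: a small check over PostgreSQL server log lines covering the monitored events above (successful logins, repeated failed logins, permission changes). The log lines are constructed and assume `log_line_prefix = '%m [%p] %h %u@%d '` with connection and statement logging enabled; the `audit` function and the threshold of 3 are illustrative choices.

```python
import re
from collections import Counter

# Constructed sample log; prefix assumed: log_line_prefix = '%m [%p] %h %u@%d '
SAMPLE_LOG = """\
2024-05-01 10:00:01.101 UTC [4121] 10.0.1.20 analytics_user@sales_db LOG:  connection authorized: user=analytics_user database=sales_db
2024-05-01 10:01:30.250 UTC [4125] 10.0.1.20 analytics_user@sales_db FATAL:  password authentication failed for user "analytics_user"
2024-05-01 10:02:10.010 UTC [4130] 10.0.9.77 dbadmin@sales_db FATAL:  password authentication failed for user "dbadmin"
2024-05-01 10:02:11.480 UTC [4131] 10.0.9.77 dbadmin@sales_db FATAL:  password authentication failed for user "dbadmin"
2024-05-01 10:02:12.905 UTC [4132] 10.0.9.77 dbadmin@sales_db FATAL:  password authentication failed for user "dbadmin"
2024-05-01 10:05:00.000 UTC [4140] 10.0.1.20 dbadmin@sales_db LOG:  statement: GRANT SELECT ON orders TO analytics_user;
"""

LINE_RE = re.compile(
    r'^\S+ \S+ \S+ \[\d+\] (?P<host>\S+) (?P<user>[^@\s]*)@(?P<db>\S*) '
    r'(?P<level>[A-Z]+):\s+(?P<msg>.*)$')
FAILED_RE = re.compile(r'password authentication failed for user "([^"]*)"')
PRIV_RE = re.compile(
    r'statement:\s+((?:GRANT|REVOKE|(?:ALTER|CREATE|DROP) ROLE)\b.*)', re.I)

def audit(log_text, threshold=3):
    """Summarise logins, failed logins and permission changes in a log."""
    failed, logins, priv_changes = Counter(), [], []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # continuation line or a different prefix: skip
        failure = FAILED_RE.search(m['msg'])
        priv = PRIV_RE.match(m['msg'])
        if m['level'] == 'FATAL' and failure:
            failed[(m['host'], failure.group(1))] += 1
        elif m['msg'].startswith('connection authorized:'):
            logins.append((m['host'], m['user'], m['db']))
        elif priv:
            priv_changes.append((m['user'], priv.group(1)))
    # Alert on any (source host, user) pair at or above the threshold.
    alerts = sorted(k for k, n in failed.items() if n >= threshold)
    return {'logins': logins, 'failed': dict(failed),
            'alerts': alerts, 'priv_changes': priv_changes}

if __name__ == '__main__':
    for key, value in audit(SAMPLE_LOG).items():
        print(key, value)
```

In practice the same rules would run in the SIEM over shipped logs; the script only shows what each rule keys on.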



---

# Secure Access Flow (Summary)

```
User
 ↓
VPN / IP Whitelist
 ↓
Firewall / Security Group
 ↓
Server Authentication (SSH / IAM / TLS)
 ↓
Database Authentication
 ↓
Role & Permission Check
 ↓
Encrypted Query Execution
 ↓
Audit Logs
```