databasesCLF-C02SAA-C03SAP-C02DEA-C01DOP-C02+1 more

Amazon RDS: The Managed Relational Database Powerhouse

Fully managed relational databases so you focus on queries, not infrastructure

Updated 2026-02-21

Overview

Amazon RDS (Relational Database Service) is a fully managed service that makes it easy to set up, operate, and scale relational databases in the cloud. It automates time-consuming administration tasks such as hardware provisioning, database setup, patching, and backups across six popular database engines: MySQL, MariaDB, PostgreSQL, Oracle, Microsoft SQL Server, and Amazon Aurora. RDS is a destination service for running structured, relational workloads — not a migration tool — and integrates deeply with the AWS ecosystem for high availability, security, and performance.

Run production-grade relational databases without managing the underlying OS, patching, backups, or replication infrastructure — freeing teams to focus on application logic and data modeling.

Use When

You need a traditional relational (SQL) database with ACID compliance for transactional workloads (e-commerce, ERP, CRM)
You want automated backups, Multi-AZ failover, and read replicas without building that infrastructure yourself
You are migrating an on-premises Oracle, SQL Server, MySQL, or PostgreSQL database to AWS and want a like-for-like managed destination
You need a highly available, scalable OLTP backend for web or mobile applications with predictable query patterns
You require compliance-grade encryption at rest and in transit with fine-grained IAM and VPC network controls

Avoid When

Massive-scale OLAP / data warehousing workloads — use Amazon Redshift, which is purpose-built for columnar analytics at petabyte scale
Key-value, document, graph, time-series, or wide-column NoSQL data models — use Amazon DynamoDB, DocumentDB, Neptune, Timestream, or Keyspaces respectively
Extremely high write throughput with near-infinite horizontal scaling — consider Amazon Aurora Serverless v2 or DynamoDB; RDS vertical scaling has instance-size limits
Storing and querying large binary objects (images, videos) — use Amazon S3 with RDS storing only metadata references
Fully serverless, event-driven microservices that need a database with zero idle cost and millisecond cold starts — Aurora Serverless v2 or DynamoDB better fit that model

Key Features

Multi-AZ Deployment (Standard)

Synchronous standby in a second AZ; automatic failover; standby is NOT readable

Multi-AZ DB Cluster (2 readable standbys)

Available for MySQL and PostgreSQL; 3 AZs; faster failover (~35s); standbys ARE readable

Read Replicas (up to 5 per source)

Asynchronous replication; can be promoted to standalone; cross-region supported

Automated Backups & PITR

Retention 1–35 days; restores to any second within the retention window

Manual DB Snapshots

Retained indefinitely; can be shared across accounts; can be copied cross-region

Encryption at Rest (AES-256 via KMS)

Must be enabled at creation; cannot be added to an existing unencrypted instance without snapshot restore

Encryption in Transit (SSL/TLS)

Supported for all engines; can be enforced via parameter groups or SSL require flags

IAM Database Authentication

Supported for MySQL and PostgreSQL only; uses short-lived auth tokens instead of passwords

RDS Proxy

Connection pooling; reduces Lambda/serverless connection storms; supports IAM auth and Secrets Manager

Performance Insights

Free 7-day retention; paid long-term retention; identifies top SQL waits and load

Enhanced Monitoring

OS-level metrics at 1-second granularity; uses CloudWatch Logs

Storage Auto Scaling

Automatically scales storage when free space is low; set a maximum threshold

RDS Custom

Oracle and SQL Server only; provides OS/engine-level access for specialized configurations

Blue/Green Deployments

Safe, low-downtime upgrades; creates a staging environment with replication from production

Cross-Region Read Replicas

Supported for MySQL, MariaDB, PostgreSQL, Oracle, and Aurora; useful for DR and global read scaling

VPC Support

All new RDS instances run in VPC; EC2-Classic is retired

Event Notifications (SNS)

Subscribe to RDS events (failover, backup complete, etc.) via SNS topics

Maintenance Windows

Weekly configurable window for minor version upgrades and patching

Reserved Instances (1-year, 3-year)

Significant savings vs On-Demand; available in Standard and Convertible types

Oracle BYOL (Bring Your Own License)

Use existing Oracle licenses on RDS; license-included also available at higher cost

SQL Server BYOL

Bring existing SQL Server licenses via License Mobility through Software Assurance

Database Activity Streams

Near-real-time stream of database activity to Kinesis Data Streams for audit and compliance

Kerberos Authentication

Supported for Oracle, SQL Server, MySQL, PostgreSQL via AWS Managed Microsoft AD

Secrets Manager Integration

Automatic rotation of database credentials; works with RDS Proxy for seamless rotation

CloudTrail Integration

API-level audit logging for RDS management operations (not SQL-level; use Database Activity Streams for that)

Graviton2/Graviton3 Instance Support

ARM-based instances offer better price-performance for many RDS workloads

Integration Patterns

Read-Through / Cache-Aside Caching

high freq

Amazon RDSAmazon ElastiCache

Place ElastiCache (Redis or Memcached) in front of RDS to cache frequently read query results. Reduces RDS read load and latency for hot data. Cache-aside: application checks cache first; on miss, reads from RDS and populates cache. Critical for high-traffic OLTP applications. Redis preferred for persistence, TTL, and complex data structures.

Traditional 3-Tier Web Application Backend

high freq

Amazon RDSAmazon EC2

EC2 instances in an Auto Scaling group (app tier) connect to RDS in a private subnet. Security groups restrict DB access to only the app tier's SG. RDS Multi-AZ provides HA; Read Replicas offload reporting queries. This is the canonical AWS web application architecture.

Serverless Application with RDS Proxy

high freq

Amazon RDSAWS Lambda

Lambda functions connecting directly to RDS can exhaust database connection limits due to Lambda's ephemeral, high-concurrency nature. RDS Proxy pools and reuses connections, preventing connection storms. Lambda → RDS Proxy → RDS. RDS Proxy also integrates with Secrets Manager for credential rotation without Lambda code changes.

Backup Export and Data Import/Export

high freq

Amazon RDSAmazon S3

RDS snapshots can be exported to S3 in Apache Parquet format for analytics. MySQL/PostgreSQL support native S3 import/export for bulk data loading. Oracle supports Data Pump export to S3. S3 serves as the durable, cost-effective staging layer for ETL pipelines feeding RDS.

Migration Path: RDS to Aurora

high freq

Amazon RDSAmazon Aurora

Standard RDS MySQL or PostgreSQL instances can be migrated to Aurora by creating an Aurora Read Replica of the RDS instance, then promoting it. This provides a near-zero-downtime migration path. Aurora offers better performance, up to 15 read replicas, and storage auto-scaling to 128 TiB.

Polyglot Persistence (RDBMS + NoSQL)

high freq

Amazon RDSAmazon DynamoDB

Use RDS for structured transactional data (orders, accounts) and DynamoDB for high-velocity, schema-flexible data (session state, user preferences, IoT events). Application routes writes to the appropriate store based on data characteristics. Common in microservices architectures.

Automatic Credential Rotation

high freq

Amazon RDSAWS Secrets Manager

Secrets Manager stores and automatically rotates RDS master user passwords on a configurable schedule. Applications retrieve credentials via Secrets Manager API rather than hardcoding. RDS Proxy natively integrates with Secrets Manager so credential rotation is transparent to connection pool.

Monitoring, Alerting, and Operational Visibility

high freq

Amazon RDSAmazon CloudWatch

RDS publishes metrics to CloudWatch (CPU, FreeStorageSpace, DatabaseConnections, ReadLatency, WriteLatency, etc.). Set CloudWatch Alarms for threshold breaches. Enhanced Monitoring adds OS-level metrics. Performance Insights adds SQL-level wait analysis. EventBridge routes RDS events (failover, backup) to Lambda or SNS.

Homogeneous and Heterogeneous Database Migration

high freq

Amazon RDSAWS Database Migration Service

AWS DMS migrates data TO RDS from on-premises, EC2-hosted, or other cloud databases. For heterogeneous migrations (e.g., Oracle → PostgreSQL), use AWS Schema Conversion Tool (SCT) first to convert the schema, then DMS to migrate data. RDS is the destination — it is NOT a migration tool itself.

Database Activity Streams for Compliance Audit

high freq

Amazon RDSAmazon Kinesis Data Streams

Database Activity Streams push a near-real-time stream of database activity (DDL, DML, login events) to Kinesis Data Streams. Downstream consumers (Lambda, Kinesis Data Firehose → S3) archive and analyze activity for compliance (PCI-DSS, SOC, HIPAA). This is separate from CloudTrail, which only captures API-level management events.

Service Limits & Quotas

LimitValueNote

Maximum DB instances per account (per Region)

40 instances

Historically this was lower (10 for Oracle/SQL Server). The current default is 40 total across all engines combined; candidates often think it is per-engine.

Maximum Read Replicas per source DB instance (MySQL, MariaDB, PostgreSQL)

5 replicas

Aurora's 15-replica limit is frequently confused with RDS's 5-replica limit. They are different services with different limits.

Maximum storage per DB instance (General Purpose and Provisioned IOPS)

64 TiB TiB

Aurora storage auto-scales to 128 TiB; standard RDS engines cap at 64 TiB. Do not conflate the two.

Maximum storage per DB instance (SQL Server)

16 TiB TiB

SQL Server on RDS has a lower max storage than other RDS engines — a frequently missed distinction.

Maximum number of databases per DB instance (SQL Server)

100 databases

SQL Server has a hard cap on the number of user databases per instance. For multi-tenant architectures needing hundreds of databases, consider separate instances or a different engine.

Maximum automated backup retention period

35 days

Many candidates confuse automated backup retention (max 35 days) with manual snapshot retention (indefinite). They are fundamentally different mechanisms.

Minimum automated backup retention period to enable PITR

1 day

Point-in-time recovery (PITR) requires automated backups to be enabled (retention ≥ 1 day). Setting retention to 0 disables PITR — a critical security/compliance consideration.

Maximum number of tags per RDS resource

50 tags

Standard AWS tagging limit applies to RDS. Tags are used for cost allocation, automation, and access control via tag-based IAM policies.

Maximum number of DB security groups per account (EC2-Classic, legacy)

25 groups

EC2-Classic is retired. Modern RDS deployments use VPC security groups. This limit is rarely tested but appears in legacy scenario questions.

Maximum Provisioned IOPS (io1/io2) per DB instance

80,000 IOPS

The maximum IOPS value has increased over time. Always verify current limits in the AWS console for production sizing.

Maximum storage for Provisioned IOPS (io1)

64 TiB TiB

io1 storage max aligns with the general RDS storage ceiling for supported engines.

RDS Proxy maximum connections reuse

Multiplexes connections; no fixed hard cap on proxied connections

Candidates confuse RDS Proxy connection pooling limits with the database engine's own max_connections parameter, which IS engine/instance-size dependent.

Multi-AZ standby instances

1 (standard Multi-AZ) or up to 2 readable standbys (Multi-AZ DB Cluster) standbys

Many candidates think the Multi-AZ standby is readable — it is NOT in standard Multi-AZ. Only Multi-AZ DB Cluster standbys are readable. Read Replicas (async) are the traditional read-scaling mechanism.

RDS Custom supported engines

Oracle and SQL Server only

Candidates assume RDS Custom supports all engines. It does not — Oracle and SQL Server only.

Maximum number of option groups per account

20 option groups

Option groups are used to enable additional features for certain engines (e.g., Oracle native network encryption, SQL Server TDE). Rarely a bottleneck but good to know for large multi-tenant environments.

Maximum number of parameter groups per account

50 parameter groups per engine

Parameter groups let you tune database engine settings. Each engine family has its own parameter groups. You cannot share parameter groups across engine families.

Pricing Model

Pay-per-use (On-Demand) or Reserved Instances (1-year / 3-year) for compute; storage, I/O, backups, and data transfer billed separately

On-Demand instances: Billed per DB instance-hour consumed (partial hours billed as full hours for older billing; per-second for newer instance types — verify current model)
Reserved Instances (1-year or 3-year): Up to ~69% savings vs On-Demand; available as All Upfront, Partial Upfront, or No Upfront payment options
Storage: Charged per GB-month for gp2, gp3, io1, io2, or Magnetic storage types; gp3 allows independent IOPS/throughput provisioning without paying for more storage
Provisioned IOPS: Charged per IOPS-month in addition to storage GB-month; io1 charges per IOPS provisioned regardless of actual usage
Automated Backup Storage: Free up to 100% of provisioned database storage; excess charged per GB-month
Manual Snapshots: Charged per GB-month for all storage consumed; no free tier
Data Transfer: Intra-region between RDS and EC2 in the same AZ is free; cross-AZ and cross-region data transfer incurs standard AWS data transfer charges
RDS Proxy: Charged per vCPU of the underlying DB instance per hour; adds cost but reduces Lambda/serverless connection overhead
Multi-AZ: Roughly doubles compute and storage costs (standby instance + mirrored storage)
Read Replicas: Billed at the same On-Demand rate as the source instance; cross-region replicas also incur data transfer charges
Performance Insights: 7-day retention is free; longer retention periods (up to 2 years) are charged per vCPU per month
Free Tier: 750 hours/month of db.t3.micro or db.t4g.micro (MySQL, MariaDB, or PostgreSQL) + 20 GB gp2 storage + 20 GB backup storage for 12 months

Exam Tips

criticalMulti-AZ vs Read Replicas

Multi-AZ standby is NOT readable. If a question asks how to scale reads, the answer is Read Replicas (async) — not Multi-AZ. Multi-AZ is for high availability and automatic failover only. The only exception is Multi-AZ DB Cluster (MySQL/PostgreSQL), which has 2 readable standbys.

criticalDMS + SCT + RDS migration architecture

RDS is a DESTINATION for migration, not a migration tool. AWS DMS migrates data TO RDS. AWS SCT converts schemas. RDS itself does not perform any migration. If a question asks 'what migrates data,' the answer is DMS — not RDS.

criticalRDS Encryption at Rest

Encryption must be enabled at DB instance creation time. You CANNOT enable encryption on an existing unencrypted RDS instance directly. The correct process is: create an encrypted snapshot from the unencrypted instance → restore a new encrypted instance from that snapshot → update your application endpoint. This multi-step process is frequently tested.

criticalAurora vs RDS Read Replicas

Aurora supports up to 15 read replicas; standard RDS engines (MySQL, MariaDB, PostgreSQL) support up to 5. When a scenario requires massive read scaling beyond 5 replicas, Aurora is the correct answer. Aurora also uses a shared storage volume (not replication), so replicas have near-zero replication lag.

criticalAutomated Backups and PITR

Setting automated backup retention to 0 disables automated backups AND point-in-time recovery. For any compliance or DR scenario requiring PITR, retention must be ≥ 1 day. Manual snapshots are NOT a substitute for PITR — they only restore to the exact snapshot point.

critical

Multi-AZ ≠ Read Scaling. Multi-AZ standby is passive (no reads, no writes). Use Read Replicas for read scaling. This distinction is tested on EVERY certification level.

critical

RDS is a migration DESTINATION. DMS moves data TO RDS. SCT converts schemas. RDS itself does zero migration. 'What migrates data?' = DMS. 'What converts schema?' = SCT.

critical

To encrypt an existing unencrypted RDS instance: Snapshot → Copy snapshot with KMS encryption → Restore new encrypted instance. You cannot encrypt in-place by modifying the instance.

importantRDS Proxy + Lambda integration

RDS Proxy is the correct answer for Lambda-to-RDS connectivity at scale. Lambda's concurrency model creates many short-lived connections that can exhaust RDS max_connections. RDS Proxy pools connections and integrates with Secrets Manager and IAM. Without RDS Proxy, Lambda at high concurrency will cause 'too many connections' errors.

importantIAM DB Auth

IAM Database Authentication is only supported for MySQL and PostgreSQL on RDS (and Aurora). It is NOT supported for Oracle, SQL Server, or MariaDB. It uses short-lived authentication tokens (15-minute TTL) generated via the AWS SDK — no static password needed.

importantRDS Custom

RDS Custom is ONLY for Oracle and SQL Server. It provides OS and engine-level access for scenarios requiring custom agents, third-party monitoring tools, or specialized configurations not possible in standard managed RDS. For MySQL/PostgreSQL customization needs, use EC2-hosted databases instead.

importantRead Replica promotion

Read Replicas can be promoted to standalone DB instances (useful for disaster recovery). They use asynchronous replication, so there may be replication lag. A promoted Read Replica is no longer a replica — it becomes an independent DB instance. This promotion is irreversible.

importantDatabase Activity Streams vs CloudTrail

Database Activity Streams (DAS) provide SQL-level audit trails to Kinesis — CloudTrail only captures RDS API management calls (create, delete, modify instance), NOT SQL queries. For compliance scenarios requiring query-level auditing, the answer is Database Activity Streams, not CloudTrail.

importantRDS Storage Types

gp3 storage is almost always more cost-effective than gp2 for RDS. With gp3, you can independently provision IOPS and throughput without increasing storage size. With gp2, IOPS scale with storage (3 IOPS/GB), forcing you to over-provision storage to get more IOPS.

importantBlue/Green Deployments

Blue/Green Deployments in RDS enable safe, low-downtime major version upgrades and schema changes. The 'green' environment is a staging copy with continuous replication from 'blue' (production). After validation, you switch over (typically under 1 minute). This is the recommended approach for zero-downtime upgrades on SAA-C03 and DOP-C02.

Good to KnowCross-Region Read Replicas

Cross-region Read Replicas serve two purposes: (1) global read scaling for geographically distributed users, and (2) cross-region disaster recovery (promote the replica if the primary region fails). Cross-region replicas incur data transfer charges and have higher replication lag than same-region replicas.

Good to KnowRDS Storage Auto Scaling

Storage Auto Scaling prevents 'out of storage' outages by automatically increasing storage when free space is critically low. You set a maximum storage threshold. It does NOT scale down — RDS storage can only grow, not shrink. To reduce storage, you must restore from a snapshot to a smaller instance.

Common Misconceptions & Traps

Common Mistake

Multi-AZ standby instances can serve read traffic, reducing load on the primary.

Correct

Standard Multi-AZ standby instances are completely passive and do NOT serve any read or write traffic. They exist solely for automatic failover. Only Multi-AZ DB Cluster (MySQL and PostgreSQL only, newer feature) provides readable standbys. Read Replicas (async) are the correct mechanism for read scaling.

This is the #1 RDS misconception on all certification levels. Questions will describe a read-scaling problem and offer 'enable Multi-AZ' as a distractor. Always choose Read Replicas for reads, Multi-AZ for HA. If you see 'readable standby,' that is Multi-AZ DB Cluster — a distinct feature.

Common Mistake

RDS is a migration tool — you use RDS to migrate databases from on-premises to AWS.

Correct

RDS is a DESTINATION service, not a migration tool. AWS Database Migration Service (DMS) is used to migrate data TO RDS. AWS Schema Conversion Tool (SCT) converts schemas before heterogeneous migrations. RDS simply hosts the database after migration is complete.

Exam questions frequently test the DMS + SCT + RDS architecture. A common trap is asking 'which service migrates data to RDS?' — the answer is DMS, not RDS. SCT handles schema conversion only (not data movement). Remember: SCT = Schema, DMS = Data Movement.

Common Mistake

You can enable encryption on an existing unencrypted RDS database instance by modifying the instance settings.

Correct

You CANNOT directly enable encryption on a running unencrypted RDS instance. The only supported path is: (1) Take a snapshot of the unencrypted instance, (2) Copy the snapshot with encryption enabled (selecting a KMS key), (3) Restore a new encrypted DB instance from the encrypted snapshot, (4) Update application connection strings to the new endpoint.

This appears on SAA-C03 and DOP-C02 as a 'how do you encrypt an existing unencrypted database' scenario. The multi-step snapshot-copy-restore process is the only answer. Candidates who don't know this will incorrectly choose 'modify the instance to enable encryption.'

Common Mistake

AWS SCT (Schema Conversion Tool) migrates both the schema AND the data from source to target database.

Correct

AWS SCT converts only the database schema (DDL: tables, views, stored procedures, functions) from one engine to another. It does NOT move any data. AWS DMS is required to migrate the actual data. SCT and DMS are complementary tools used together for heterogeneous migrations.

This misconception appears directly in the question bank data as a top exam trap. Remember the division: SCT = Schema Conversion Tool (structure only), DMS = Database Migration Service (data movement). You need both for heterogeneous migrations.

Common Mistake

RDS automated backups and manual snapshots work the same way and can substitute for each other.

Correct

Automated backups enable point-in-time recovery (PITR) to any second within the retention window (1–35 days) and are automatically deleted when the retention period expires or the instance is deleted. Manual snapshots capture the DB at a specific moment, are retained indefinitely, can be shared across accounts and copied cross-region, but do NOT enable PITR between snapshot points.

A scenario asking for 'restore to 3 hours ago' requires automated backups (PITR). A scenario asking for 'long-term archival of the database state before a major release' requires a manual snapshot. Confusing the two leads to wrong answers on backup/recovery questions.

Common Mistake

Enabling RDS Multi-AZ doubles performance because you now have two database instances.

Correct

Standard Multi-AZ does NOT improve performance. The standby is completely passive and handles zero traffic. Multi-AZ is purely a high-availability feature that provides automatic failover (typically 1–2 minutes) if the primary fails. It does increase cost (roughly 2x) but provides zero read performance benefit.

Cost-optimization questions may ask 'which of these provides HA without performance benefit' — Multi-AZ is the answer. Performance improvement requires Read Replicas or ElastiCache. Multi-AZ = availability, Read Replicas = scalability.

Common Mistake

RDS for Oracle and SQL Server support the same maximum storage as MySQL and PostgreSQL (64 TiB).

Correct

SQL Server on RDS has a maximum storage of 16 TiB, which is significantly lower than the 64 TiB maximum for MySQL, MariaDB, PostgreSQL, and Oracle. Large SQL Server workloads approaching this limit may need to be redesigned or migrated to a different engine.

Engine-specific limits are tested on SAA-C03 and SAP-C02. When a scenario describes a large SQL Server database growing toward 16 TiB, the correct architectural response might be migration to Aurora PostgreSQL using SCT + DMS.

Memory Tricks

🧠

MMPOP = MySQL, MariaDB, PostgreSQL, Oracle, PostgreSQL — the 5 RDS engines with up to 5 Read Replicas. Aurora gets 15 (3x more, 3x better).

🧠

Multi-AZ = Availability (HA, failover, passive standby). Read Replicas = Read Scaling (async, active, up to 5). Never mix them up: 'AZ = Availability, RR = Reading'.

🧠

SCT converts the Structure (schema), DMS moves the Data. SCT then DMS — alphabetical order, schema before data.

🧠

Encrypt RDS: Snapshot → Copy (with KMS key) → Restore. Remember 'SCR' — Snapshot, Copy, Restore.

🧠

RDS Proxy = Connection Pool for Lambda. Lambda loves Proxy because Lambda hates holding connections. 'Lambda Proxy = No Connection Sloppiness'.

🧠

Backup retention 0 = No backups AND No PITR. Zero retention = Zero recovery options. Always set ≥ 1 for any production workload.

🧠

RDS Custom = Oracle and SQL Server ONLY. 'Custom needs a Contract' — Oracle and SQL Server are the enterprise engines that need custom OS access.

CertAI Tutor · CLF-C02, SAA-C03, SAP-C02, DEA-C01, DOP-C02, DVA-C02 · 2026-02-21

Ready to test your knowledge?

Practice CLF-C02, SAA-C03, SAP-C02, DEA-C01, DOP-C02, DVA-C02 exam questions with AI-powered explanations — free to start.

Amazon RDS: The Managed Relational Database Powerhouse

Overview

Key Features

Integration Patterns

Service Limits & Quotas

Pricing Model

Exam Tips

Common Misconceptions & Traps

Memory Tricks

Ready to test your knowledge?

Related Cheat Sheets