Identify and rotate your Amazon RDS and Amazon Aurora SSL/TLS Certificates at scale

Content level: Advanced

This article describes how to list all DB instances that use "rds-ca-2019" across all AWS regions and linked accounts, so you can determine which ones require certificate rotation.

Why does this matter?

If you use or plan to use Secure Sockets Layer (SSL) or Transport Layer Security (TLS) with certificate verification to connect to your database instances of Amazon RDS for MySQL, MariaDB, SQL Server, Oracle, PostgreSQL, and Amazon Aurora, you should rotate to the new certificate authority (CA) certificates in both your DB instances and your client applications before the root certificate expires. Most SSL/TLS certificates (rds-ca-2019) for your DB instances will expire in 2024. In December 2022, we released new CA certificates that are valid for 40 years (rds-ca-rsa2048-g1) and 100 years (rds-ca-rsa4096-g1 and rds-ca-ecc384-g1).

Challenges with identifying your impacted Amazon RDS resources at scale

The blog post Rotate Your SSL/TLS Certificates Now – Amazon RDS and Amazon Aurora Expire in 2024 gives more details about the expiration dates of rds-ca-2019 per region and describes several ways to identify your impacted Amazon RDS resources, such as the Certificate update page of the Amazon RDS console or the describe-db-instances AWS CLI command. While this approach works well for identifying affected resources in a single region of a single AWS account, customers who run workloads in many linked accounts and across multiple regions face challenges in getting a consolidated report of affected resources across their entire organization.

The following steps list all DB instances with "rds-ca-2019" across all AWS regions and linked accounts to determine certificate rotation requirements:


  1. Deploy Data Collection from the Cloud Intelligence Dashboards Framework. Data Collection provides a unified, easy-to-deploy mechanism that automates the collection of different types of optimization data across all regions and all linked accounts through AWS APIs and consolidates it in a single Amazon S3 bucket. It includes multiple optional modules, deployed as AWS Step Functions, which you can select during the deployment. One of them is the Inventory Collector Module, which automates the execution of describe-db-instances API calls across your entire organization and stores the results in a single S3 bucket. To proceed, follow the deployment steps with AWS CloudFormation. During the deployment, make sure you've marked Include Inventory Collector Module as 'yes'. You can optionally deploy other modules; however, for the purpose of this article only the Inventory Collector Module is required.

  2. After deployment, the Inventory Collector Module Step Function will be triggered and will collect RDS inventory data across your organization in s3://cid-data-{your_account_id}/inventory/inventory-rds-db-instances-data. After the collection is completed, an AWS Glue Crawler will be triggered and will create a table in the AWS Glue Data Catalog in the optimization_data database. By default, the Inventory Collector Module will be triggered every 14 days to collect new data.

  3. Query Amazon RDS inventory data with Amazon Athena. Open Amazon Athena and run the following query:

    SELECT dbinstancearn, accountid, max(collection_date), dbinstanceclass, engineversion, region, multiaz, dbinstancestatus, cacertificateidentifier
    FROM "optimization_data"."inventory_rds_db_instances_data"
    WHERE cacertificateidentifier = 'rds-ca-2019'
    GROUP BY 1,2,4,5,6,7,8,9
    ORDER BY max(collection_date) desc

    As a result, you'll receive a report of all your RDS instances with the rds-ca-2019 certificate across all regions and all linked accounts in your organization. You can download the report as CSV and use it to plan the certificate upgrade.

  4. Upgrade your CA certificate by applying maintenance. The Amazon RDS console provides a dedicated section for Certificate update. After you sign in to the AWS Management Console, choose Certificate update in the left-hand navigation pane. This page lists the databases and clusters that require certificate updates. It only shows the DB instances and clusters in the current AWS region. You can then choose a database instance to update with either of the following two options:

    • Choose Apply update now to immediately apply the certificate rotation (Note: this might involve downtime depending on the DB engine version used)
    • Choose Schedule to apply the certificate rotation during the next scheduled maintenance window.

    Use the describe-db-engine-versions command and inspect the SupportsCertificateRotationWithoutRestart flag to identify whether the DB engine version supports rotating the certificate without restart. You can find more details in the blog post.
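
    Steps 3 and 4 can be combined into a rotation plan, shown here as an added example that is not part of the original article: it keeps only the newest inventory snapshot per instance (so instances already rotated since an earlier collection drop out) and joins it against the SupportsCertificateRotationWithoutRestart flag. Assumptions: the CSV export contains one row per instance per collection date and includes an `engine` column that the query above does not select, `collection_date` is in ISO format, and all sample values are constructed.

```python
import csv
import io
import json

TARGET_CA = "rds-ca-2019"

# Constructed sample: CSV export of the inventory table, all snapshots.
# The "engine" column is an assumption; the article's query does not select it.
INVENTORY_CSV = """dbinstancearn,collection_date,engine,engineversion,cacertificateidentifier
arn:aws:rds:eu-west-1:111111111111:db:orders,2024-01-01,mysql,8.0.35,rds-ca-2019
arn:aws:rds:eu-west-1:111111111111:db:orders,2024-01-15,mysql,8.0.35,rds-ca-rsa2048-g1
arn:aws:rds:us-east-1:222222222222:db:billing,2024-01-15,postgres,11.22,rds-ca-2019
arn:aws:rds:us-east-1:222222222222:db:web,2024-01-15,mysql,8.0.35,rds-ca-2019
"""

# Constructed sample shaped like `aws rds describe-db-engine-versions` output.
# The flag values are illustrative, not real engine behaviour.
ENGINE_VERSIONS_JSON = """{"DBEngineVersions": [
  {"Engine": "mysql", "EngineVersion": "8.0.35", "SupportsCertificateRotationWithoutRestart": true},
  {"Engine": "postgres", "EngineVersion": "11.22", "SupportsCertificateRotationWithoutRestart": false}
]}"""

def latest_rows(csv_text):
    """Keep only the newest snapshot per DB instance ARN."""
    latest = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        seen = latest.get(row["dbinstancearn"])
        # ISO dates (YYYY-MM-DD) sort correctly as plain strings.
        if seen is None or row["collection_date"] > seen["collection_date"]:
            latest[row["dbinstancearn"]] = row
    return list(latest.values())

def restart_free_versions(json_text):
    """(engine, version) pairs that report SupportsCertificateRotationWithoutRestart."""
    versions = json.loads(json_text)["DBEngineVersions"]
    return {(v["Engine"], v["EngineVersion"]) for v in versions
            if v.get("SupportsCertificateRotationWithoutRestart")}

def rotation_plan(csv_text, json_text):
    """Map each instance still on TARGET_CA to 'no-restart' or 'restart'."""
    no_restart = restart_free_versions(json_text)
    plan = {}
    for row in latest_rows(csv_text):
        if row["cacertificateidentifier"] != TARGET_CA:
            continue  # rotated since an older snapshot, nothing left to do
        key = (row["engine"], row["engineversion"])
        # Versions missing from the engine list are treated as needing a restart.
        plan[row["dbinstancearn"]] = "no-restart" if key in no_restart else "restart"
    return plan

if __name__ == "__main__":
    for arn, action in sorted(rotation_plan(INVENTORY_CSV, ENGINE_VERSIONS_JSON).items()):
        print(f"{action:10} {arn}")
```

    Instances marked `restart` are the ones to plan around a maintenance window, since applying the update may involve downtime.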


  1. Blog post - Rotate Your SSL/TLS Certificates Now – Amazon RDS and Amazon Aurora Expire in 2024
  2. Documentation - Rotating your SSL/TLS certificate
AWS
published 18 days ago, 1480 views

Great article!

There is also another option to check all your RDS and their certificate - if you use AWS Config, you can leverage AWS Config Advanced Query:

  SELECT resourceId, accountId, awsRegion, configuration.cACertificateIdentifier
  WHERE resourceType = 'AWS::RDS::DBInstance'
  AND configuration.cACertificateIdentifier = 'rds-ca-2019'
replied 16 days ago

Thanks for sharing this, Martin! Indeed, for customers who have Config enabled in all regions and all environments, this approach will work very well.

AWS
replied 15 days ago