- 新しい順
- 投票が多い順
- コメントが多い順
For a Lambda, you should consider using an IAM role to allow access rather than Certificate. The certificate is better suited for clients.
Certificates in lambda for mtls usually can be configured using lambda layers. Trust stores could be added to lambda layers in similar approach. Please refer to this sample if its useful for your case - https://github.com/aws-samples/serverless-mutual-tls/blob/main/README.md
This explains the fundamental of SSL handshake. But the requirement here is how does client application be aware of RDS certificate has changed? how does client application download the server CA certificate programmatically.
AHA dashboard should be able to provide the scheduled account notifications w.r.t RDS cert rotation. A workaround could be to build automation around AHA notifications and subscribe for these events as mentioned in blog post architecture - https://aws.amazon.com/blogs/mt/aws-health-aware-customize-aws-health-alerts-for-organizational-and-personal-aws-accounts/ Once a Lambda is able to process the cert rotation operation from above architecture, downloading the new CA cert and updating the client application trust store could be done programmatically as provided in docs - https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL-certificate-rotation.html#UsingWithRDS.SSL-certificate-rotation-sample-script Hope it helps.
関連するコンテンツ
- 質問済み 4年前
AWS公式更新しました 2年前
IAM role will not encrypt data in transit. We have a security requirement to enable SSL to secure data in transit therefore looking for an appropriate answer.