How can I turn on SSL on my Aurora PostgreSQL-Compatible DB instance and how can I connect to my instance using SSL certificates?

3 minute read
0

I want to use a Secure Socket Layer (SSL) connection to connect to my Amazon Aurora PostgreSQL-Compatible Edition DB cluster.

Short description

You can encrypt a connection to your Aurora PostgreSQL-Compatible DB cluster from your application with either SSL or Transport Layer Security (TLS). SSL and TLS connections provide a single layer of security for your cluster, and encrypt the data that moves between your client and cluster. For more information, see Using SSL/TLS to encrypt a connection to a DB cluster.

SSL connections must be configured on both the client and server before you make the connection in order to be secure. If SSL is not configured on the server, then the client might send sensitive information like passwords. For more information on how to create an SSL-secured connection, see SSL support on the PostgreSQL website.

The SSL modes for PostgreSQL are:

  • verify-full
  • verify-ca
  • require
  • prefer
  • allow
  • disable

For more information on how to choose the right SSL mode for your use case, see Protection provided in different modes on the PostgreSQL website.

Resolution

Amazon Relational Database Service (Amazon RDS) creates the SSL or TLS certification for your cluster. This occurs when you create your cluster. For more information, see Security with Aurora PostgreSQL.

Connect to your DB cluster over SSL/TLS

  1. Download the SSL/TSL certificate.
  2. Import the certificate into your operating system.
  3. Connect to your Aurora PostgreSQL-Compatible DB cluster over SSL/TLS.
    For example:
    psql -h DBInstance.cluster-Account-Number.eu-west-1.rds.amazonaws.com  -p 5432 "dbname=postgres user=postgres sslrootcert=global-bundle.pem sslmode=verify-full"

When you set rds.force_ssl to 1 (on), your DB instance's pg_hba.conf file is modified to support the new SSL configuration. Use the pg_hba_file_rules view to see the summary of contents of the pg_hba.conf file. The type value in the pg_hba_file_rules view is updated to hostssl after rds.force_ssl is set to 1 (on).

You can require connections to your DB cluster to use SSL/TLS. To do this, use the rds.force_ssl parameter. The rds.force_ssl parameter is set to 0 by default. The 0 value indicates that it's turned off. To turn this parameter on, set rds.force_ssl to 1. This makes SSL/TLS a requirement for connections to your DB cluster.

For more information, see Securing Aurora PostgreSQL data with SSL/TLS.

Review the SSL connection

To review the SSL connection, run this command:

postgres=> select ssl_is_used(); ssl_is_used
-------------
 t
(1 row)

postgres=> select ssl_cipher();
         ssl_cipher
-----------------------------
 ECDHE-RSA-AES128-GCM-SHA256
(1 row)

Note: Amazon RDS instance SSL is one-way SSL. This means that the client can verify the identity of the server.

AWS OFFICIAL
AWS OFFICIALUpdated 8 months ago
2 Comments

What is the standard approach for

  1. getting updates on RDS certificate changes?
  2. downloading the RDS CA certificate on certificate updates?
  3. is SSL 1-way or 2-way? what is the recommendation?
Vaibhav
replied 9 months ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

profile pictureAWS
MODERATOR
replied 9 months ago