RDS Security Certificates

0

I recently started replacing MySQL instances that I manage myself on virtual machines with RDS databases, on the perceived promise that they would be easier to manage and maintain.

This month I got an urgent, lengthy message from Amazon about replacing security certificates. I was surprised by this. I thought RDS was a service that Amazon maintains for me, rather than something where I need to manage details at this level.

In any case, I figured out how to update the security certificate but now it says my database's certificate expires in 2025. Do I have to do this every year? I never had to do such a thing with my own MySQL instances.

Another point of confusion for me is that Amazon constantly refers to "client certificates" and certificate authorities. I have never installed a client certificate or altered any root certificates on any of my clients. My clients are all Java applications running on Amazon EC2 instances, which I keep up to date, and so far they still work. Are client certificates something I need to worry about?

Excuse my ignorance; security was never one of my areas of expertise, but in today's economic environment my company cannot afford a dedicated security expert.

Thanks, Frank

Frank
asked 2 months ago · 90 views
1 Answer
0

Hello.

The problem can be resolved by changing RDS to a CA certificate with a longer validity period, as described in the documents below.
https://aws.amazon.com/jp/blogs/aws/rotate-your-ssl-tls-certificates-now-amazon-rds-and-amazon-aurora-expire-in-2024/
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html

The client certificate to be introduced into the application is described in the following document.
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html

Also, if you are not using SSL communication between RDS and the application, I don't think you need to worry too much.

EXPERT
answered 2 months ago
EXPERT
reviewed 2 months ago
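
Added example, not part of the answer above and not AWS code: a small audit helper that classifies MySQL Connector/J JDBC URLs by whether the client actually verifies the RDS server certificate, which is what decides whether a CA rotation can affect it. It assumes Connector/J 8.x defaults (`sslMode=PREFERRED` when nothing is set); the function names and the host names in the sample are hypothetical.

```python
from urllib.parse import urlsplit, parse_qs

# Connector/J sslMode values that validate the server certificate
# against a trust store (and so depend on the RDS CA bundle).
VERIFYING = {"VERIFY_CA", "VERIFY_IDENTITY"}

def tls_posture(jdbc_url: str) -> str:
    """Classify a MySQL Connector/J URL.

    "plaintext"  - TLS disabled; certificate rotation cannot affect the client
    "unverified" - TLS may be used, but the server certificate is not checked
    "verified"   - certificate is checked; the trust store needs the new RDS CA
    """
    if not jdbc_url.startswith("jdbc:mysql:"):
        raise ValueError("not a MySQL JDBC URL")
    query = urlsplit(jdbc_url[len("jdbc:"):]).query
    # If a property is repeated, this sketch uses the last value (assumption).
    props = {k: v[-1] for k, v in parse_qs(query, keep_blank_values=True).items()}

    mode = props.get("sslMode")
    if mode is not None:
        mode = mode.upper()
        if mode == "DISABLED":
            return "plaintext"
        return "verified" if mode in VERIFYING else "unverified"

    # Legacy properties, consulted only when sslMode is absent.
    if props.get("useSSL", "true").lower() == "false":
        return "plaintext"
    if props.get("verifyServerCertificate", "false").lower() == "true":
        return "verified"
    return "unverified"  # assumed Connector/J 8.x default (PREFERRED)

def needs_trust_store_update(urls):
    """Return the URLs whose clients must trust the new RDS CA before rotation."""
    return [u for u in urls if tls_posture(u) == "verified"]

if __name__ == "__main__":
    # Constructed sample connection strings, not taken from the question.
    sample = [
        "jdbc:mysql://db1.example.internal:3306/app",
        "jdbc:mysql://db2.example.internal:3306/app?sslMode=VERIFY_CA",
        "jdbc:mysql://db3.example.internal:3306/app?useSSL=false",
    ]
    for url in sample:
        print(f"{tls_posture(url):10s} {url}")
```

Clients reported as `unverified` keep working through a rotation, but they also accept any certificate, so they get encryption without protection against an impersonated server.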
