- Newest
- Most votes
- Most comments
For a Lambda, you should consider using an IAM role to allow access rather than Certificate. The certificate is better suited for clients.
Certificates in lambda for mtls usually can be configured using lambda layers. Trust stores could be added to lambda layers in similar approach. Please refer to this sample if its useful for your case - https://github.com/aws-samples/serverless-mutual-tls/blob/main/README.md
This explains the fundamental of SSL handshake. But the requirement here is how does client application be aware of RDS certificate has changed? how does client application download the server CA certificate programmatically.
AHA dashboard should be able to provide the scheduled account notifications w.r.t RDS cert rotation. A workaround could be to build automation around AHA notifications and subscribe for these events as mentioned in blog post architecture - https://aws.amazon.com/blogs/mt/aws-health-aware-customize-aws-health-alerts-for-organizational-and-personal-aws-accounts/ Once a Lambda is able to process the cert rotation operation from above architecture, downloading the new CA cert and updating the client application trust store could be done programmatically as provided in docs - https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL-certificate-rotation.html#UsingWithRDS.SSL-certificate-rotation-sample-script Hope it helps.
Relevant content
- asked 8 months ago
- asked 5 years ago
- Accepted Answerasked 5 years ago
AWS OFFICIALUpdated 10 months ago- AWS OFFICIALUpdated 2 months ago
- AWS OFFICIALUpdated 10 months ago
- AWS OFFICIALUpdated 2 years ago
IAM role will not encrypt data in transit. We have a security requirement to enable SSL to secure data in transit therefore looking for an appropriate answer.