RDS Aurora PG Serverless v2 - Security

Question

Few questions wrt RDS Aurora PG serverless v2 security:
1) is it possible to import a custom certificate for SSL encryption?
2) Does certificate rotation in the RDS cluster happens automatically without impacting incoming traffic?
3) how to programmatically manage certificate rotation on the client side without impacting traffic, such as getting a new AWS CA certificate, updating the client's trust store with the new CA.
4) is it possible to establish 2-way SSL b/w Lambda and RDS PG serverless? If yes, then how will RDS updates the client's CA certificate in its truststore. Does it happen without impacting incoming traffic?

Answer

1. is it possible to import a custom certificate for SSL encryption?

No, however, RDS and Aurora now has new [certificate authorities](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.SSL.html) with 40 year and 100 year validity.

2. Does certificate rotation in the RDS cluster happens automatically without impacting incoming traffic?

The certificate bundle contains certificates for both the old and new CA, so you can upgrade your application safely and maintain connectivity during the transition period. details [here](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.SSL-certificate-rotation.html)

3. how to programmatically manage certificate rotation on the client side without impacting traffic, such as getting a new AWS CA certificate, updating the client's trust store with the new CA.

refer to [this](https://aws.amazon.com/blogs/database/amazon-rds-customers-update-your-ssl-tls-certificates-by-february-5-2020/) for details

RDS Aurora PG Serverless v2 - Security

Relevant content