- 最新
- 投票最多
- 评论最多
For a Lambda, you should consider using an IAM role to allow access rather than Certificate. The certificate is better suited for clients.
Certificates in lambda for mtls usually can be configured using lambda layers. Trust stores could be added to lambda layers in similar approach. Please refer to this sample if its useful for your case - https://github.com/aws-samples/serverless-mutual-tls/blob/main/README.md
This explains the fundamental of SSL handshake. But the requirement here is how does client application be aware of RDS certificate has changed? how does client application download the server CA certificate programmatically.
AHA dashboard should be able to provide the scheduled account notifications w.r.t RDS cert rotation. A workaround could be to build automation around AHA notifications and subscribe for these events as mentioned in blog post architecture - https://aws.amazon.com/blogs/mt/aws-health-aware-customize-aws-health-alerts-for-organizational-and-personal-aws-accounts/ Once a Lambda is able to process the cert rotation operation from above architecture, downloading the new CA cert and updating the client application trust store could be done programmatically as provided in docs - https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL-certificate-rotation.html#UsingWithRDS.SSL-certificate-rotation-sample-script Hope it helps.
相关内容
AWS 官方已更新 2 年前- AWS 官方已更新 3 年前
- AWS 官方已更新 1 年前
IAM role will not encrypt data in transit. We have a security requirement to enable SSL to secure data in transit therefore looking for an appropriate answer.