How do I enable and enforce / mandate encryption in transit for AWS RDS Oracle instances, when setting up the RDS database using CloudFormation YAML.
The following works for Oracle 19 SE2. I've modified a few values from referenced and imported values, so a couple of tweaks may be needed to get it fully working. Ensure users and passwords are properly set.
Applicable documentation can be found here, and CloudFormation documentation here. How to connect to the database can be found here.
OracleDatabaseSG:
  Type: AWS::EC2::SecurityGroup
  Properties:
    GroupDescription: Oracle Database security group
    GroupName: OracleDatabaseSG
    VpcId: vpc-123456
    SecurityGroupIngress:
      # Only the SSL listener port is reachable, so clients cannot fall back
      # to the unencrypted default listener on 1521
      - IpProtocol: tcp
        FromPort: 2484
        ToPort: 2484
        CidrIp: 192.168.0.0/24
        Description: Allow encrypted ingress only
    SecurityGroupEgress:
      - CidrIp: 127.0.0.1/32
        IpProtocol: icmpv6
        Description: Effectively block egress
    Tags:
      - Key: Name
        Value: OracleDatabaseSG

OracleRDSOptionGroup:
  Type: AWS::RDS::OptionGroup
  Properties:
    OptionGroupDescription: oracle-19-options-group
    EngineName: oracle-se2
    # An option group is bound to a major version ("19"), not to a full patch level
    MajorEngineVersion: "19"
    OptionConfigurations:
      - OptionName: APEX
        OptionVersion: 19.1.v1
      - OptionName: APEX-DEV
      # The SSL option adds a TLS listener on Port; the security group above
      # is what makes that listener the only reachable one
      - OptionName: SSL
        VpcSecurityGroupMemberships:
          - !Ref OracleDatabaseSG
        Port: 2484
        OptionSettings:
          - Name: SQLNET.SSL_VERSION
            Value: "1.2"

OracleRDSDatabaseServer:
  Type: AWS::RDS::DBInstance
  Properties:
    DBInstanceIdentifier: RDS-Oracle
    DBName: oracle
    DBInstanceClass: db.t3.small
    DBSubnetGroupName: Subnet-Group-Name
    LicenseModel: license-included
    StorageType: gp2
    AllocatedStorage: 10
    MaxAllocatedStorage: 50
    Engine: oracle-se2
    EngineVersion: 19.0.0.0.ru-2020-01.rur-2020-01.r1
    MasterUsername: USERNAME
    MasterUserPassword: PASSWORD
    AvailabilityZone: us-east-1a
    StorageEncrypted: true
    MultiAZ: false
    PubliclyAccessible: false
    AllowMajorVersionUpgrade: false
    AutoMinorVersionUpgrade: true
    DeleteAutomatedBackups: true
    EnablePerformanceInsights: true
    PerformanceInsightsRetentionPeriod: 7
    # Reference the resources defined above rather than their logical names
    OptionGroupName: !Ref OracleRDSOptionGroup
    VPCSecurityGroups:
      - !Ref OracleDatabaseSG
    Tags:
      - Key: Name
        Value: OracleDB

Tim
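The answer enforces encryption in transit with two cooperating settings: the SSL option with `SQLNET.SSL_VERSION` 1.2 on port 2484, and a security group that admits only that port so the plaintext 1521 listener is unreachable. The following added example, which is not part of the answer above, is a static check that a template keeps both invariants, run over the template as the parsed dict a linter sees after YAML loading. The function name `check_encryption_in_transit` and both embedded templates (one mirroring the posted resources, one weakened) are constructed for this example.

```python
import copy

# Added example, not from the original answer. Checks a parsed CloudFormation
# template for the two settings the answer relies on. The function name and
# both templates below are constructed for this example.

SSL_PORT = 2484    # Oracle RDS SSL listener port used in the answer
TLS_FLOOR = "1.2"  # expected SQLNET.SSL_VERSION


def _ref(value):
    """Resolve {'Ref': 'X'} to 'X'; leave plain strings untouched."""
    if isinstance(value, dict) and "Ref" in value:
        return value["Ref"]
    return value


def check_encryption_in_transit(template):
    """Return a list of findings; an empty list means TLS is enforced.

    For every AWS::RDS::DBInstance on an Oracle engine: the option group must
    carry the SSL option with a Port and SQLNET.SSL_VERSION 1.2, and each
    attached security group may admit ingress only on that port.
    """
    findings = []
    resources = template.get("Resources", {})

    for name, res in resources.items():
        if res.get("Type") != "AWS::RDS::DBInstance":
            continue
        props = res.get("Properties", {})
        if not str(props.get("Engine", "")).startswith("oracle"):
            continue

        og_name = _ref(props.get("OptionGroupName"))
        og = resources.get(og_name, {}).get("Properties", {})
        ssl_opts = [o for o in og.get("OptionConfigurations", [])
                    if o.get("OptionName") == "SSL"]
        ssl_port = None
        if not ssl_opts:
            findings.append(f"{name}: option group {og_name!r} has no SSL option")
        else:
            ssl = ssl_opts[0]
            ssl_port = ssl.get("Port")
            if ssl_port is None:
                findings.append(f"{name}: SSL option does not set a Port")
            # str() so a YAML float 1.2 and the string "1.2" compare equal
            settings = {s.get("Name"): str(s.get("Value"))
                        for s in ssl.get("OptionSettings", [])}
            got = settings.get("SQLNET.SSL_VERSION")
            if got != TLS_FLOOR:
                findings.append(
                    f"{name}: SQLNET.SSL_VERSION is {got!r}, expected {TLS_FLOOR!r}")

        # Any ingress rule other than the SSL port exposes a plaintext path
        for sg_ref in props.get("VPCSecurityGroups", []):
            sg_name = _ref(sg_ref)
            sg = resources.get(sg_name, {}).get("Properties", {})
            for rule in sg.get("SecurityGroupIngress", []):
                lo = int(rule.get("FromPort", -1))
                hi = int(rule.get("ToPort", -1))
                if ssl_port is not None and (lo, hi) == (ssl_port, ssl_port):
                    continue
                findings.append(
                    f"{name}: security group {sg_name!r} admits ingress on "
                    f"{lo}-{hi}, not only the SSL port {ssl_port}")
    return findings


# Constructed template mirroring the posted resources (other properties omitted)
HARDENED_TEMPLATE = {"Resources": {
    "OracleDatabaseSG": {
        "Type": "AWS::EC2::SecurityGroup",
        "Properties": {"SecurityGroupIngress": [
            {"IpProtocol": "tcp", "FromPort": SSL_PORT, "ToPort": SSL_PORT,
             "CidrIp": "192.168.0.0/24"}]}},
    "OracleRDSOptionGroup": {
        "Type": "AWS::RDS::OptionGroup",
        "Properties": {"EngineName": "oracle-se2", "OptionConfigurations": [
            {"OptionName": "SSL", "Port": SSL_PORT,
             "VpcSecurityGroupMemberships": [{"Ref": "OracleDatabaseSG"}],
             "OptionSettings": [{"Name": "SQLNET.SSL_VERSION", "Value": "1.2"}]}]}},
    "OracleRDSDatabaseServer": {
        "Type": "AWS::RDS::DBInstance",
        "Properties": {"Engine": "oracle-se2",
                       "OptionGroupName": {"Ref": "OracleRDSOptionGroup"},
                       "VPCSecurityGroups": [{"Ref": "OracleDatabaseSG"}]}}}}

# Constructed weak variant: the 1521 listener is also exposed and the TLS
# floor is lowered; both should be reported
WEAK_TEMPLATE = copy.deepcopy(HARDENED_TEMPLATE)
_weak = WEAK_TEMPLATE["Resources"]
_weak["OracleDatabaseSG"]["Properties"]["SecurityGroupIngress"].append(
    {"IpProtocol": "tcp", "FromPort": 1521, "ToPort": 1521, "CidrIp": "192.168.0.0/24"})
_weak["OracleRDSOptionGroup"]["Properties"]["OptionConfigurations"][0][
    "OptionSettings"][0]["Value"] = "1.0"

if __name__ == "__main__":
    for label, tpl in (("hardened", HARDENED_TEMPLATE), ("weak", WEAK_TEMPLATE)):
        print(label, check_encryption_in_transit(tpl) or "OK")
```

The check deliberately treats any ingress rule that is not exactly the SSL port as a finding, including `IpProtocol: -1` rules with no ports, since each of them is a route to the unencrypted listener that the option group alone does not close.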