
I received an email from AWS, which looks as follows:
https://i.stack.imgur.com/BP9Zp.png

This part is the most noteworthy:

If your applications connect to those instances using the Secure Sockets Layer (SSL) or Transport Layer Security (TLS) protocol please follow the detailed instructions in the link below to complete your update(s). If not completed, your applications will fail to connect to your DB instances using SSL/TLS after March 5, 2020.


I'm a little confused on what I need to do, and wanted to see if anyone else got this email, and/or what the recommended steps are.

I connect to our database in two ways:
- Via Sequel Pro, I ssh into our EC2 instance, and from there, connect to our RDS instance
- Via our app, I use PHP to connect to a MySQL database using the new mysqli syntax.

I don't believe either of those cases count towards what I quoted above. But I also don't fully understand it.

Would appreciate any feedback from anyone who's in the same situation.
Thanks!

onassar

2 Answers


This is an open announcement from AWS: one of the RDS certificates (rds-ca-2015) used by RDS is going to expire.

I'm a little confused on what I need to do and wanted to see if anyone else got this email, and/or what the recommended steps are.

  • First, verify the SSL certificate against your RDS
  • RDS -> cluster -> DB instance -> Connectivity & security
  • Check the value of Certificate authority (if this is rds-ca-2015, then you need to upgrade your SSL, as it is going to expire Mar 6th, 2020)


All you need to do is update the SSL:

RDS -> cluster -> Select -> modify -> Certificate authority


Important

This operation reboots your DB instance.

I don't believe either of those cases count towards what I quoted above. But I also don't fully understand it.

You should verify this at your end, but it is better to upgrade to the latest TLS for the sake of security; normally the connection to RDS is not TLS encrypted.

As per Sequel Pro:

Standard Connection

A standard connection is an unencrypted connection using TCP/IP. Such a connection is usually made over the network or over the internet to a remote server.

But again I will recommend upgrading to the latest SSL.

Adiii
  • AWS help says to 1st download the new SSL/TLS certificate, 2nd to update your database applications to use the new SSL/TLS certificate, and only then to modify the DB instance to change the CA from rds-ca-2015 to rds-ca-2019. What about the first 2 stages? I didn't understand them :-(. In addition, do we need to do any of the above if using a VPC? Thanks – dowi Oct 15 '19 at 08:49
  • You do not need to download; follow the steps that I mentioned and you will see the new certificate in the RDS instance. It is not specific to VPC; it is related to all RDS if the certificate is old – Adiii Oct 15 '19 at 08:54
  • Thanks for writing this @Adiii, I really appreciate it, but I'm still mainly concerned about whether this is a requirement, given that I don't fully understand how I'm connecting to the RDS instance. The reason I'm asking is because it says that a full restart is required. And I don't want to restart my production database if I don't need to. Do you have any insight on that? – onassar Oct 15 '19 at 13:06
  • We are also worried about the reboot, but the question is: a reboot is better than a security risk. A planned downtime is better than unplanned downtime. If you are not sure about your application, whether it is TLS or not, then you can use Wireshark to verify the packets, or check the connection string or options – Adiii Oct 15 '19 at 14:45
  • @Adiii does that mean that if I am connecting via an unencrypted connection to my RDS instances (never forced SSL using Postgres), I would just need to update from the dropdown to use `rds-ca-2019` and that's it? – SteD Oct 17 '19 at 02:32

AWS strongly recommends anyone using SSL/TLS (and checking certificates) with RDS/Aurora/DocumentDB update their applications' and services' CA certificates with the bundle that has both the old and the new 2019 certificates by February 5. At that time, AWS will begin staging the new CA certificate on the database instances. The database instances do not support more than one certificate at a time. This means that any DB instance restart after the certificate is staged, either planned or unplanned, will invoke the new certificate on the RDS/Aurora/DocumentDB instance. As a result, applications and services using SSL/TLS (and checking certificates) that have not taken action to update with the new certificate bundle will NOT be able to connect to the DB instance. Good info here: https://aws.amazon.com/blogs/aws/urgent-important-rotate-your-amazon-rds-aurora-and-documentdb-certificates/
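The question's PHP/mysqli connection, Adiii's comment about checking whether the app really speaks TLS, and this answer's point about trusting a bundle that holds both the old and the 2019 CA all come down to two things in client code: make the TLS handshake mandatory with server-certificate verification against the bundle, and read back what the server session negotiated. The script below is an added example written for this page, not code from the question, either answer, or AWS; the endpoint, credentials, database name and bundle path are placeholders (assumptions), and `Ssl_cipher` is the standard MySQL session status variable that is empty on a plaintext connection.

```php
<?php
// Added example (not from the question or the answers): connect to an RDS MySQL
// instance from PHP with mysqli, verify the server certificate against a CA
// bundle that contains both the old and the new (2019) RDS CA certificates, and
// report whether the session is actually TLS-encrypted.
// Endpoint, credentials, database and bundle path are placeholders (assumptions).

declare(strict_types=1);

const RDS_HOST = 'mydb.abc123.us-east-1.rds.amazonaws.com'; // placeholder endpoint
const RDS_PORT = 3306;
const RDS_USER = 'app_user';   // placeholder
const RDS_PASS = 'change-me';  // placeholder; load from a secret store in practice
const RDS_DB   = 'app';        // placeholder
// Assumed path to the downloaded CA bundle holding the old and the 2019 RDS CAs.
const RDS_CA_BUNDLE = '/etc/ssl/certs/rds-combined-ca-bundle.pem';

/**
 * Open a TLS connection to RDS, failing if the server certificate does not
 * chain to a CA in the bundle. Returns the connected mysqli handle.
 */
function connectRdsTls(): mysqli
{
    // Turn mysqli warnings into exceptions so a failed handshake cannot be missed.
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

    $db = mysqli_init();
    if ($db === false) {
        throw new RuntimeException('mysqli_init() failed');
    }

    // Client key and certificate are null: RDS authenticates the client with a
    // password; the CA bundle is what lets the client authenticate the server.
    $db->ssl_set(null, null, RDS_CA_BUNDLE, null, null);

    // Reject a server whose certificate does not verify against the bundle.
    // After the CA rotation the server chains to the 2019 CA, which the
    // combined bundle already trusts, so this keeps working across the reboot.
    $db->options(MYSQLI_OPT_SSL_VERIFY_SERVER_CERT, true);

    // MYSQLI_CLIENT_SSL makes the handshake mandatory: no silent plaintext fallback.
    $db->real_connect(RDS_HOST, RDS_USER, RDS_PASS, RDS_DB, RDS_PORT, null, MYSQLI_CLIENT_SSL);

    return $db;
}

/**
 * Return the TLS cipher negotiated for this session, or '' when the
 * connection is plaintext. Works on any existing mysqli handle, so it can be
 * dropped into an application to audit what it is really doing today.
 */
function sessionTlsCipher(mysqli $db): string
{
    $result = $db->query("SHOW SESSION STATUS LIKE 'Ssl_cipher'");
    $row = $result->fetch_assoc();
    return $row['Value'] ?? '';
}

$db = connectRdsTls();
$cipher = sessionTlsCipher($db);
if ($cipher === '') {
    fwrite(STDERR, "Connection to RDS is NOT encrypted\n");
    exit(1);
}
echo "TLS session established, cipher: {$cipher}\n";
```

Running `sessionTlsCipher()` against the application's existing connection object (before changing anything) answers the original question directly: an empty value means the app connects in plaintext and the CA rotation cannot break it, while a non-empty value means the app does use TLS and needs the new bundle in place before the instance is rebooted. The explicit `MYSQLI_OPT_SSL_VERIFY_SERVER_CERT` matters because a client that does not verify the chain would keep connecting after the rotation without ever having trusted the new CA.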