
Need to encrypt data in transit from application servers to RDS SQL Server with SSL/TLS?

I see AWS gives the option to set force encryption = true in the parameter group with self-signed certs.

Is there a way to use customer certs to import into RDS?

Any configuration steps to do this at application server and on RDS?

Appreciate any info on this. Didn't find anything in the AWS knowledge base. Note: the application servers sit behind a load balancer.

Chris Williams
CharlesDeeZee

1 Answer

For RDS SQL Server you will need to use the PEM that AWS provides for TLS.

You have a choice of either:

The application server will need to have access to this certificate before it can connect to the RDS instance.

Unfortunately, at this time only Aurora supports uploading your own certificates (and then accessing them via ACM); you will need to use the provided one.

For connecting and configuring the RDS there is a specific Using SSL with a Microsoft SQL Server DB Instance page.

Chris Williams
    I will try this. Appreciate your response @Chris. Cheers! – CharlesDeeZee Aug 23 '20 at 13:30
  • No problem, let me know if you need any additional pointers :) – Chris Williams Aug 23 '20 at 13:32
  • I have enabled the force_ssl param = true in the parameter group. I think this uses the root CA by default. I'd like to know what version of TLS this is? I am looking for the TLS 1.2 version. There is no version mentioned in the AWS document. Also, what is this parameter CACertificateIdentifier in RDS resource creation? Is it required if we have force_ssl in the parameter group? – CharlesDeeZee Aug 25 '20 at 07:00
  • Having `force_ssl` will reject any connections over plain text. Regarding the TLS version, I too cannot see anywhere the versions supported; there are values in the parameter group of `rds.tls10`, `rds.tls11` and `rds.tls12`. They support a value of `default`, `enabled`, `disabled`. – Chris Williams Aug 25 '20 at 07:23
  • Yeah. Regarding versions will check with AWS. Cheers! – CharlesDeeZee Aug 25 '20 at 08:47
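The answer and the comments above describe three separate knobs: the AWS-provided CA bundle the client must trust, the parameter group settings that force TLS (`rds.force_ssl`, which takes the values 0 and 1) and pin the protocol version (`rds.tls10`, `rds.tls11`, `rds.tls12`), and the client connection string. The block below is an added example that is not from the thread or from AWS: it audits an RDS for SQL Server parameter group against a TLS 1.2-only policy, builds the remediation in the shape boto3's `modify_db_parameter_group` expects, and builds a client connection string that actually validates the server certificate rather than merely encrypting. The parameter-group name, region and sample `describe_db_parameters` response are hypothetical and constructed; the live path assumes boto3 and AWS credentials are present.

```python
"""Audit and remediate RDS for SQL Server TLS settings; build a validating
ODBC connection string. Added example, not code from the thread or AWS."""

# Desired static parameters. All four need a reboot to take effect.
#   rds.force_ssl = 1            -> plaintext TDS connections are rejected
#   rds.tls10/rds.tls11 disabled, rds.tls12 enabled -> only TLS 1.2 negotiates
# tls12 is required explicitly (not "default") so a later change of the engine
# default cannot silently widen the policy.
DESIRED = {
    "rds.force_ssl": "1",
    "rds.tls10": "disabled",
    "rds.tls11": "disabled",
    "rds.tls12": "enabled",
}


def audit_parameters(parameters):
    """Return [(name, current_value, wanted_value)] for every deviation.

    `parameters` is the "Parameters" list from rds.describe_db_parameters();
    an absent parameter or one still at its engine default is reported too.
    """
    seen = {p["ParameterName"]: p.get("ParameterValue") for p in parameters}
    return [(name, seen.get(name), wanted)
            for name, wanted in DESIRED.items() if seen.get(name) != wanted]


def remediation(parameters):
    """Parameters list, in boto3 shape, that fixes every deviation found."""
    return [{"ParameterName": name, "ParameterValue": wanted,
             "ApplyMethod": "pending-reboot"}
            for name, _current, wanted in audit_parameters(parameters)]


def apply_remediation(group_name, region="us-east-1"):
    """Live path: read the group and push the fixes. Needs boto3 + credentials.
    group_name/region are hypothetical inputs, not values from the page."""
    import boto3  # imported here so the offline helpers above need no SDK
    rds = boto3.client("rds", region_name=region)
    params = []
    for page in rds.get_paginator("describe_db_parameters").paginate(
            DBParameterGroupName=group_name):
        params.extend(page["Parameters"])
    fixes = remediation(params)
    if fixes:
        rds.modify_db_parameter_group(DBParameterGroupName=group_name,
                                      Parameters=fixes)
    return fixes  # the instance still has to be rebooted afterwards


def odbc_connection_string(server, database, user, password,
                           driver="ODBC Driver 17 for SQL Server"):
    """Client side. Encrypt=yes requests TLS; TrustServerCertificate=no is
    what makes the driver validate the chain against the trusted AWS RDS CA
    bundle. TrustServerCertificate=yes would still encrypt but would accept
    any certificate, so a MITM terminating TLS goes unnoticed."""
    return ";".join([
        f"Driver={{{driver}}}",
        f"Server={server}",
        f"Database={database}",
        f"Uid={user}",
        f"Pwd={password}",
        "Encrypt=yes",
        "TrustServerCertificate=no",
    ])


def connection_string_is_safe(conn_str):
    """True only if TLS is explicitly requested and validation is not disabled.
    (Assumes no ';' or '=' inside values, which a password could contain.)"""
    kv = {k.strip().lower(): v.strip().lower()
          for k, v in (item.split("=", 1)
                       for item in conn_str.split(";") if "=" in item)}
    return (kv.get("encrypt") in ("yes", "true")
            and kv.get("trustservercertificate", "no") in ("no", "false"))


# Constructed sample shaped like describe_db_parameters() output (not a real
# capture): force_ssl was set, but the TLS version parameters were left alone.
SAMPLE_PARAMETERS = [
    {"ParameterName": "rds.force_ssl", "ParameterValue": "1", "Source": "user"},
    {"ParameterName": "rds.tls10", "ParameterValue": "default", "Source": "engine-default"},
    {"ParameterName": "rds.tls11", "ParameterValue": "default", "Source": "engine-default"},
    {"ParameterName": "rds.tls12", "ParameterValue": "default", "Source": "engine-default"},
]

if __name__ == "__main__":
    for name, cur, want in audit_parameters(SAMPLE_PARAMETERS):
        print(f"{name}: is {cur!r}, want {want!r}")
    print(odbc_connection_string("app-db.example.rds.amazonaws.com,1433",
                                 "appdb", "app", "secret"))
```

Two points the thread leaves open, stated here as the writer's own notes rather than the answer's: the `CACertificateIdentifier` on the instance selects which AWS root CA signs the instance's server certificate and is independent of `rds.force_ssl`; the client's bundle has to contain that CA for validation to succeed. And the CA bundle must be in the trust store the driver actually consults (for the Microsoft ODBC driver on Linux that is OpenSSL's store), otherwise the temptation is to set `TrustServerCertificate=yes` to make the error go away, which `connection_string_is_safe` flags.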