Ensure that RDS database instance enforces SSL/TLS for all connections

Requiring all connections to an RDS database instance to use SSL/TLS provides an additional layer of security by encrypting data in transit.

Risk Level: High
Cloud Entity: Amazon RDS
CloudGuard Rule ID: D9.AWS.CRY.69
Covered by Spectral: Yes
Category: Database

GSL LOGIC

RDS where dbClusterName isEmpty() and not dbType like '%oracle%' should have parameterGroups contain [ parameters contain [ (parameterName='require_secure_transport' and parameterValue='1') or (parameterName='rds.force_ssl' and parameterValue='1') ] ]

REMEDIATION

Note: Oracle databases and databases that are configured under a cluster are excluded from this check.

From Portal

  1. In the AWS Management Console, go to RDS
  2. In the left pane, choose 'Parameter groups' and select the parameter group associated with the RDS database instance
  3. For MySQL/MariaDB, search for the 'require_secure_transport' parameter
  4. For Microsoft SQL Server/PostgreSQL, search for the 'rds.force_ssl' parameter
  5. Set its value to '1'
  6. Save

From TF
For MySQL/MariaDB, set the 'require_secure_transport' parameter within the 'aws_db_parameter_group' resource to '1':

resource "aws_db_parameter_group" "db_parameter_group_example" {
	# ...
	parameter {
		name  = "require_secure_transport"
		value = "1"
	}
	# ...
}

For Microsoft SQL Server/PostgreSQL, set the 'rds.force_ssl' parameter within the 'aws_db_parameter_group' resource to '1':

resource "aws_db_parameter_group" "db_parameter_group_example" {
	# ...
	parameter {
		name  = "rds.force_ssl"
		value = "1"
	}
	# ...
}

From Command Line
To set the 'require_secure_transport' parameter for MySQL/MariaDB, use:

aws rds modify-db-parameter-group --db-parameter-group-name DB-PARAMETER-GROUP-NAME --parameters "ParameterName='require_secure_transport',ParameterValue=1,ApplyMethod=pending-reboot"

To set the 'rds.force_ssl' parameter for Microsoft SQL Server/PostgreSQL, use:

aws rds modify-db-parameter-group --db-parameter-group-name DB-PARAMETER-GROUP-NAME --parameters "ParameterName='rds.force_ssl',ParameterValue=1,ApplyMethod=pending-reboot"
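
To verify the result after remediation, the GSL logic above can be evaluated offline. This is an added example, not CloudGuard's own code: it runs on constructed data shaped like the boto3 describe_db_instances and describe_db_parameters responses, all instance and group names are hypothetical, and it goes beyond the rule by reporting PENDING_REBOOT when the group holds the value but the instance still reports a ParameterApplyStatus of pending-reboot.

```python
# Added example: constructed data shaped like the boto3 RDS responses
# describe_db_instances / describe_db_parameters. All identifiers are hypothetical.
def inst(name, engine, group, status="in-sync", cluster=None):
    return {"DBInstanceIdentifier": name, "Engine": engine, "DBClusterIdentifier": cluster,
            "DBParameterGroups": [{"DBParameterGroupName": group,
                                   "ParameterApplyStatus": status}]}

INSTANCES = [
    inst("orders-mysql", "mysql", "pg-mysql-tls"),
    inst("crm-postgres", "postgres", "pg-postgres-default"),
    inst("hr-sqlserver", "sqlserver-se", "pg-mssql-tls", status="pending-reboot"),
    inst("erp-oracle", "oracle-ee", "pg-oracle"),
    inst("aurora-node-1", "aurora-mysql", "pg-aurora", cluster="aurora-main"),
]
PARAMETERS = {  # parameter group name -> its Parameters list
    "pg-mysql-tls": [{"ParameterName": "require_secure_transport", "ParameterValue": "1"}],
    "pg-postgres-default": [{"ParameterName": "rds.force_ssl", "ParameterValue": "0"}],
    "pg-mssql-tls": [{"ParameterName": "rds.force_ssl", "ParameterValue": "1"}],
    "pg-oracle": [],
    "pg-aurora": [],
}
TLS_PARAMS = {"require_secure_transport", "rds.force_ssl"}

def group_enforces_tls(parameters):
    """True if either TLS-enforcement parameter is present with value '1'."""
    return any(p.get("ParameterName") in TLS_PARAMS and str(p.get("ParameterValue")) == "1"
               for p in parameters)

def evaluate(instance, parameters_by_group):
    """Return EXCLUDED, PASS, PENDING_REBOOT or FAIL for one instance."""
    if instance.get("DBClusterIdentifier") or "oracle" in instance["Engine"].lower():
        return "EXCLUDED"  # rule scope: non-cluster, non-Oracle instances only
    for group in instance.get("DBParameterGroups", []):
        params = parameters_by_group.get(group["DBParameterGroupName"], [])
        if group_enforces_tls(params):
            # The group holds the value, but the instance still has group changes
            # waiting for a reboot, so the setting may not be in effect yet.
            if group.get("ParameterApplyStatus") == "pending-reboot":
                return "PENDING_REBOOT"
            return "PASS"
    return "FAIL"

def audit(instances, parameters_by_group):
    return {i["DBInstanceIdentifier"]: evaluate(i, parameters_by_group) for i in instances}

if __name__ == "__main__":
    for name, verdict in audit(INSTANCES, PARAMETERS).items():
        print(f"{name}: {verdict}")
```

Against a live account, the same dictionaries can be filled from the two boto3 calls named above instead of the constructed samples.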

References

  1. https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_WorkingWithDBInstanceParamGroups.html
  2. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_parameter_group
  3. https://docs.aws.amazon.com/cli/latest/reference/rds/modify-db-parameter-group.html

Amazon RDS

Amazon Relational Database Service (Amazon RDS) makes it easy to set up, operate, and scale a relational database in the cloud. It provides cost-efficient and resizable capacity while automating time-consuming administration tasks such as hardware provisioning, database setup, patching and backups. It frees you to focus on your applications so you can give them the fast performance, high availability, security and compatibility they need.

Compliance Frameworks

  • AWS CIS Controls V 8
  • AWS CSA CCM v.4.0.1
  • AWS CloudGuard Best Practices
  • AWS Security Risk Management
  • CloudGuard AWS All Rules Ruleset