Profile Applicability:

  • Level 2

Description:

Amazon RDS can require that every client connection to a DB instance use SSL/TLS, so that data in transit between the client and the database is encrypted. Enforcement is a DB parameter group setting rather than an instance attribute: rds.force_ssl for PostgreSQL, Aurora PostgreSQL and Microsoft SQL Server, and require_secure_transport for MySQL, MariaDB and Aurora MySQL. Without enforcement the server still offers TLS, but any client that does not request it connects in cleartext, and that silent fallback is what this control removes.

This SOP verifies, and where necessary configures, SSL/TLS enforcement on RDS instances running those engines, so that communication between the database and its clients is always encrypted.

Rationale:

  • Data Protection: Enforced SSL/TLS protects traffic between the client and the database from eavesdropping. Server-side enforcement alone does not stop man-in-the-middle attacks, however; clients must also validate the server certificate against the RDS CA bundle (for example PostgreSQL sslmode=verify-full or MySQL --ssl-mode=VERIFY_IDENTITY) rather than merely encrypting to whichever endpoint answers.

  • Regulatory Compliance: Many regulatory frameworks (such as PCI-DSS, HIPAA, and SOC 2) require encryption of data in transit to ensure that sensitive information is protected during communication.

  • Security Best Practice: Enforcing encryption on the server closes the gap left by relying on every client's connection string to opt in; a single misconfigured client can no longer fall back to an unencrypted session.

Impact:

Pros:

  • Improved Security: Encrypts client-server communication, ensuring that sensitive data is protected in transit.

  • Compliance: Helps meet compliance requirements that mandate encryption of sensitive data, such as PCI-DSS, HIPAA, and SOC 2.

  • Reduced Risk: Prevents interception and tampering of data while in transit, mitigating the risk of data breaches and unauthorized access.

Cons:

  • Performance Overhead: The TLS handshake and per-record encryption add a small amount of latency and CPU, most noticeable for applications that open many short-lived connections instead of pooling them.

  • Configuration Complexity: Once enforced, any client that does not negotiate TLS is refused at connect time. Inventory connection strings and drivers before enabling the parameter, and distribute the RDS CA bundle so that clients can verify the server certificate.

Default Value:

For most engines SSL/TLS is available but not enforced by default: the default parameter groups ship with rds.force_ssl = 0 (PostgreSQL, SQL Server) and require_secure_transport = OFF (MySQL, MariaDB, Aurora MySQL), so unencrypted connections are accepted. RDS for PostgreSQL 15 and later is the exception; its parameter groups default rds.force_ssl to 1. Default parameter groups cannot be edited, so enforcing the setting on an instance that still uses one requires creating and attaching a custom parameter group.

Pre-requisite:

  • AWS IAM Permissions:

    • rds:DescribeDBInstances

    • rds:DescribeDBParameterGroups

    • rds:DescribeDBParameters

    • rds:CreateDBParameterGroup

    • rds:ModifyDBParameterGroup

    • rds:ModifyDBInstance

    • rds:RebootDBInstance

    • For Aurora: rds:DescribeDBClusters, rds:DescribeDBClusterParameters, rds:ModifyDBClusterParameterGroup and rds:ModifyDBCluster

  • AWS CLI installed and configured.

  • The RDS CA certificate bundle (https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem) distributed to every client that will connect, so that clients can both encrypt and verify the server certificate once enforcement is on.

  • A maintenance window, because attaching a new parameter group, or changing rds.force_ssl on SQL Server, requires an instance reboot.

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon RDS under Services.

  3. In the RDS Dashboard, go to Databases and select the RDS instance to check.

  4. On the Configuration tab, note the DB parameter group attached to the instance (for Aurora, the DB cluster parameter group attached to the cluster). Enforcement is a parameter, not an instance attribute, so there is no SSL toggle on the instance itself.

  5. In the left navigation choose Parameter groups, open that group, and filter the parameter list:

    • PostgreSQL, Aurora PostgreSQL, SQL Server: rds.force_ssl must be 1.

    • MySQL, MariaDB, Aurora MySQL: require_secure_transport must be ON (or 1).

  6. Any other value is a finding. An instance still attached to a default.* parameter group is also a finding unless the default already shows the enforcing value (RDS for PostgreSQL 15 and later), because default groups cannot be edited; remediate using the Implementation Steps.

Using AWS CLI:

  1. Identify the engine and the parameter group attached to the instance:

    aws rds describe-db-instances --db-instance-identifier <instance-id> --query 'DBInstances[0].[Engine,EngineVersion,DBParameterGroups[0].DBParameterGroupName]' --output text

  2. Read the enforcement parameter from that group (for Aurora, take the cluster parameter group from describe-db-clusters and query it with describe-db-cluster-parameters instead):

    aws rds describe-db-parameters --db-parameter-group-name <parameter-group> --query "Parameters[?ParameterName=='rds.force_ssl' || ParameterName=='require_secure_transport'].[ParameterName,ParameterValue,ApplyType]" --output table

  3. The instance is compliant when the row for its engine shows rds.force_ssl = 1 (PostgreSQL, Aurora PostgreSQL, SQL Server) or require_secure_transport = ON or 1 (MySQL, MariaDB, Aurora MySQL). A value of 0, OFF, or an empty value means unencrypted connections are still accepted. StorageEncrypted in describe-db-instances reports encryption at rest and says nothing about client connections.

  4. Repeat for every instance in scope. An instance attached to a default.* parameter group is a finding unless the output already shows the enforcing value (the case for RDS for PostgreSQL 15 and later), since default groups cannot be changed.

Implementation Steps:

Using AWS Console:

  1. Log in to the AWS Management Console and navigate to Amazon RDS.

  2. If the instance is attached to a default.* parameter group, choose Parameter groups, then Create parameter group, select the family that matches the engine and version, and attach the new group to the instance with Modify (select it as the DB parameter group, then Continue and Apply immediately). The association becomes active at the next reboot.

  3. Open the instance's custom parameter group (the cluster parameter group for Aurora), choose Edit parameters, and set rds.force_ssl to 1 (PostgreSQL, Aurora PostgreSQL, SQL Server) or require_secure_transport to ON (MySQL, MariaDB, Aurora MySQL). Save changes.

  4. Reboot the instance if a new group was attached or the parameter is static (rds.force_ssl on SQL Server). Dynamic parameters apply to new connections without a reboot; sessions already open are unaffected until they reconnect.

  5. Confirm the instance status is available and the parameter group status is in-sync, then re-run the Test Plan.

  6. Ensure all clients connect with TLS and verify the server certificate against the RDS CA bundle.

Using AWS CLI:

  1. If the instance is attached to a default.* parameter group, create a custom group for the engine family and attach it (the association becomes active after a reboot):

    aws rds create-db-parameter-group --db-parameter-group-name <parameter-group> --db-parameter-group-family <family> --description "Enforce TLS for client connections"

    aws rds modify-db-instance --db-instance-identifier <instance-id> --db-parameter-group-name <parameter-group> --apply-immediately

  2. Set the enforcement parameter. For PostgreSQL and Aurora PostgreSQL (Aurora: run modify-db-cluster-parameter-group against the cluster parameter group):

    aws rds modify-db-parameter-group --db-parameter-group-name <parameter-group> --parameters "ParameterName=rds.force_ssl,ParameterValue=1,ApplyMethod=immediate"

    For MySQL, MariaDB and Aurora MySQL:

    aws rds modify-db-parameter-group --db-parameter-group-name <parameter-group> --parameters "ParameterName=require_secure_transport,ParameterValue=ON,ApplyMethod=immediate"

    For SQL Server, rds.force_ssl is a static parameter, so the CLI rejects ApplyMethod=immediate; use ApplyMethod=pending-reboot and then reboot:

    aws rds modify-db-parameter-group --db-parameter-group-name <parameter-group> --parameters "ParameterName=rds.force_ssl,ParameterValue=1,ApplyMethod=pending-reboot"

    aws rds reboot-db-instance --db-instance-identifier <instance-id>

  3. Verify the parameter value and that the group is in sync with the instance:

    aws rds describe-db-parameters --db-parameter-group-name <parameter-group> --query "Parameters[?ParameterName=='rds.force_ssl' || ParameterName=='require_secure_transport'].[ParameterName,ParameterValue]" --output table

    aws rds describe-db-instances --db-instance-identifier <instance-id> --query 'DBInstances[0].DBParameterGroups[0].ParameterApplyStatus' --output text

  4. Confirm from the database side that sessions are encrypted: pg_stat_ssl in PostgreSQL and the Ssl_cipher session status variable in MySQL and MariaDB show whether the current connection uses TLS, and a test connection with TLS disabled must now be refused.
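The audit in the Test Plan and the remediation in the Implementation Steps above can be scripted so that the correct parameter is checked for each engine. The following Python is an added example written for this SOP, not AWS-provided tooling. It parses the JSON shape of describe-db-instances and describe-db-parameters (the cluster variants for Aurora), flags instances whose enforcement parameter is not set, and prints the exact CLI commands to fix each one, including the custom-parameter-group and reboot steps that default groups and static parameters require. The sample instances and parameter values are constructed, and the placeholders <custom-group> and <family> in the printed commands must be filled in before they are run.

```python
"""Audit RDS instances for enforced TLS and emit the remediation commands.

Added example for this SOP, not AWS-provided code. It consumes the JSON shape of
`aws rds describe-db-instances` and `aws rds describe-db-parameters` (cluster variants
for Aurora). Sample records are constructed; only `--live` calls the AWS CLI."""
import json
import subprocess
import sys

# Engine family -> (enforcement parameter, value that enforces TLS, value that relaxes it)
ENFORCEMENT = {
    "postgres": ("rds.force_ssl", "1", "0"),
    "aurora-postgresql": ("rds.force_ssl", "1", "0"),
    "sqlserver": ("rds.force_ssl", "1", "0"),  # static on SQL Server: reboot required
    "mysql": ("require_secure_transport", "ON", "OFF"),
    "aurora-mysql": ("require_secure_transport", "ON", "OFF"),
    "mariadb": ("require_secure_transport", "ON", "OFF"),
}

def enforcement_parameter(engine):
    """Map an Engine string such as 'sqlserver-se' to its TLS-enforcement parameter."""
    for family, spec in ENFORCEMENT.items():
        if engine == family or engine.startswith(family + "-"):
            return spec
    raise ValueError(f"no TLS enforcement parameter known for engine {engine!r}")

def is_enforced(engine, parameters):
    """True when the group's 'Parameters' list carries the enforcing value. A missing or blank
    ParameterValue means the engine default applies and is reported as a finding."""
    name = enforcement_parameter(engine)[0]
    for param in parameters:
        if param.get("ParameterName") == name:
            return str(param.get("ParameterValue", "")).strip().upper() in {"1", "ON", "TRUE"}
    return False

def remediation(instance, group):
    """AWS CLI commands that bring one non-compliant instance into compliance."""
    engine, ident = instance["Engine"], instance["DBInstanceIdentifier"]
    name, on_value, _ = enforcement_parameter(engine)
    kind = "db-cluster-parameter-group" if engine.startswith("aurora-") else "db-parameter-group"
    static = engine.startswith("sqlserver")  # rds.force_ssl is static on SQL Server
    apply_method, reboot, cmds = ("pending-reboot" if static else "immediate"), static, []
    if group.startswith("default."):
        # Default groups are read-only: create and attach a custom group; the association is active after a reboot.
        cmds.append(f"aws rds create-{kind} --{kind}-name <custom-group> "
                    f"--db-parameter-group-family <family> --description 'Enforce TLS'")
        target = (f"modify-db-cluster --db-cluster-identifier {instance.get('DBClusterIdentifier')}"
                  if kind.startswith("db-cluster") else f"modify-db-instance --db-instance-identifier {ident}")
        cmds.append(f"aws rds {target} --{kind}-name <custom-group> --apply-immediately")
        group, reboot = "<custom-group>", True
    cmds.append(f"aws rds modify-{kind} --{kind}-name {group} --parameters "
                f"ParameterName={name},ParameterValue={on_value},ApplyMethod={apply_method}")
    if reboot:
        cmds.append(f"aws rds reboot-db-instance --db-instance-identifier {ident}")
    return cmds

def audit(instance, group, parameters):
    """Finding for one instance; `parameters` is the 'Parameters' list of `group`."""
    engine = instance["Engine"]
    finding = {"instance": instance["DBInstanceIdentifier"], "engine": engine,
               "parameter_group": group, "parameter": enforcement_parameter(engine)[0],
               "enforced": is_enforced(engine, parameters)}
    if not finding["enforced"]:
        finding["remediation"] = remediation(instance, group)
    return finding

def _aws(*args):  # one AWS CLI read call, parsed; the CLI paginates for us
    return json.loads(subprocess.check_output(["aws", "rds", *args, "--output", "json"]))

def audit_live():
    findings = []
    for inst in _aws("describe-db-instances")["DBInstances"]:
        if inst["Engine"].startswith("aurora-"):  # Aurora keeps both parameters at cluster level
            cluster = _aws("describe-db-clusters", "--db-cluster-identifier", inst["DBClusterIdentifier"])
            group = cluster["DBClusters"][0]["DBClusterParameterGroup"]
            params = _aws("describe-db-cluster-parameters", "--db-cluster-parameter-group-name", group)
        else:
            group = inst["DBParameterGroups"][0]["DBParameterGroupName"]
            params = _aws("describe-db-parameters", "--db-parameter-group-name", group)
        findings.append(audit(inst, group, params["Parameters"]))
    return findings

# Constructed sample records in the CLI's output shape (not data from a real account).
SAMPLE_INSTANCES = [
    {"DBInstanceIdentifier": "orders-pg", "Engine": "postgres", "DBParameterGroups": [{"DBParameterGroupName": "default.postgres14"}]},
    {"DBInstanceIdentifier": "inventory-mysql", "Engine": "mysql", "DBParameterGroups": [{"DBParameterGroupName": "tls-mysql80"}]},
    {"DBInstanceIdentifier": "hr-sql", "Engine": "sqlserver-se", "DBParameterGroups": [{"DBParameterGroupName": "hr-sqlserver"}]},
]
SAMPLE_PARAMETERS = {"default.postgres14": [{"ParameterName": "rds.force_ssl", "ParameterValue": "0"}],
                     "tls-mysql80": [{"ParameterName": "require_secure_transport", "ParameterValue": "ON"}],
                     "hr-sqlserver": [{"ParameterName": "rds.force_ssl", "ParameterValue": "0"}]}

def audit_sample():
    findings = []
    for inst in SAMPLE_INSTANCES:
        group = inst["DBParameterGroups"][0]["DBParameterGroupName"]
        findings.append(audit(inst, group, SAMPLE_PARAMETERS[group]))
    return findings

if __name__ == "__main__":
    results = audit_live() if "--live" in sys.argv[1:] else audit_sample()
    print(json.dumps(results, indent=2))
    sys.exit(1 if any(not f["enforced"] for f in results) else 0)
```

Run it without arguments to see the constructed sample evaluated (two findings, one compliant instance); run it with --live, with the AWS CLI installed and credentials configured, to audit every instance in the current account and region. The exit code is non-zero whenever any instance is non-compliant, so the script can be dropped into a scheduled or CI check unchanged.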

Backout Plan:

Using AWS Console:

  1. If enforcing SSL/TLS causes client failures, sign in to the AWS Management Console.

  2. Navigate to Amazon RDS, choose Parameter groups, open the custom parameter group attached to the instance (the cluster parameter group for Aurora), and choose Edit parameters.

  3. Set rds.force_ssl back to 0 (PostgreSQL, Aurora PostgreSQL, SQL Server) or require_secure_transport back to OFF (MySQL, MariaDB, Aurora MySQL) and save. On SQL Server the parameter is static, so reboot the instance for the change to apply.

  4. Verify that the parameter shows the relaxed value and that an unencrypted test connection is accepted again; sessions already established over TLS are not affected by the change.

Using AWS CLI:

  1. Relax the enforcement parameter on the custom parameter group (on SQL Server use ApplyMethod=pending-reboot and then reboot the instance). For PostgreSQL, Aurora PostgreSQL and SQL Server:

    aws rds modify-db-parameter-group --db-parameter-group-name <parameter-group> --parameters "ParameterName=rds.force_ssl,ParameterValue=0,ApplyMethod=immediate"

    For MySQL, MariaDB and Aurora MySQL:

    aws rds modify-db-parameter-group --db-parameter-group-name <parameter-group> --parameters "ParameterName=require_secure_transport,ParameterValue=OFF,ApplyMethod=immediate"

    Alternatively, return the parameter to its engine default:

    aws rds reset-db-parameter-group --db-parameter-group-name <parameter-group> --parameters "ParameterName=rds.force_ssl,ApplyMethod=immediate"

  2. Verify with describe-db-parameters that the value is now 0 or OFF, then confirm from a client that a connection without TLS succeeds. Instance attributes such as public accessibility are unrelated to TLS enforcement and should not be changed as part of this backout.

References:

  • https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html

CIS Controls Mapping:

  Version   Control ID   Control Description                   IG1   IG2   IG3
  v8        3.10         Encrypt Sensitive Data in Transit           Yes   Yes