iCompaas Support

Profile Applicability:

• Level 2

Description:

Amazon RDS (Relational Database Service) supports SSL/TLS encryption to secure data in transit between RDS instances and clients. SSL/TLS certificates are used to encrypt the communication between the client application and the RDS instance, ensuring that sensitive data is transmitted securely. These certificates, however, have expiration dates.

To maintain the security of the data in transit, it is essential to regularly check and ensure that the SSL/TLS certificates configured for Amazon RDS are not expired. If expired certificates are used, clients may face connection issues, and the communication may not be secure, potentially leading to data breaches.

Rationale:

• Security: Expired certificates leave communications vulnerable to interception and unauthorized access, potentially leading to data breaches.

• Compliance: Many compliance frameworks (e.g., PCI-DSS, SOC 2, HIPAA) require that all communications involving sensitive data be encrypted using valid SSL/TLS certificates.

• Operational Continuity: Expired certificates can cause disruptions in service as clients may be unable to establish secure connections to RDS instances, leading to application downtime.

Impact:

Pros:

• Enhanced Security: Ensuring certificates are up-to-date guarantees secure, encrypted connections for sensitive data.

• Operational Stability: Prevents disruptions in service by ensuring clients can continue to connect securely without certificate validation issues.

• Compliance: Helps meet regulatory requirements for secure communication.

Cons:

• Monitoring and Maintenance: Regular checks and updates to certificates require ongoing maintenance.

• Risk of Service Disruption: If certificates are not renewed on time, clients may experience connection issues, leading to downtime.

Default Value:

Amazon RDS uses default SSL/TLS certificates that have a defined expiration date. By default, RDS will continue to work with expired certificates unless manually updated. Therefore, it is important to proactively check for certificate expiration.

Pre-requisite:

• AWS IAM Permissions:

  • rds:DescribeDBInstances

  • rds:DescribeDBCertificates

• AWS CLI installed and configured.

• Knowledge of the RDS instance and its SSL/TLS certificate configuration.

• Notification system in place to alert about certificate expiration.

Test Plan:

Using AWS Console:

1. Sign in to the AWS Management Console.

2. Navigate to Amazon RDS under Services.

3. In the RDS Dashboard, go to Databases and select the RDS instance whose SSL/TLS certificate you want to check.

4. Under the Connectivity & Security tab, find the SSL/TLS certificate section.

5. Check the Certificate Authority (CA) and the expiration date of the certificate.

6. If the certificate is expired or nearing expiration, ensure to update it by following the renewal procedure in the next steps.

Using AWS CLI:

1. To check the SSL/TLS certificate details of an RDS instance, run:
   

   aws rds describe-db-instances --query 'DBInstances[*].[DBInstanceIdentifier, CertificateDetails]'

2. Review the output for the expiration date of the SSL/TLS certificates. If expired, initiate renewal.

3. To view the list of available SSL certificates, run:
   

   aws rds describe-db-certificates --query 'CertificateSummaryList[*].[CertificateIdentifier, Expiration]'

Implementation Steps:

Using AWS Console:

1. Log in to the AWS Management Console and navigate to Amazon RDS.

2. Select the RDS instance that you want to check.

3. Go to the Connectivity & Security tab and check the SSL/TLS certificate expiration.

4. If the certificate is expired or nearing expiration, follow the steps to rotate the SSL/TLS certificate. You may need to install a new certificate or update the current one:

   • Download the latest root certificate from Amazon RDS documentation.

   • Update the certificate on the RDS instance by following the certificate rotation process.

Using AWS CLI:

1. Verify the expiration date of the SSL/TLS certificate using:
   

   aws rds describe-db-instances --query 'DBInstances[*].[DBInstanceIdentifier, CertificateDetails]'

2. If expired, initiate the SSL certificate renewal for the RDS instance:
   

   aws rds modify-db-instance --db-instance-identifier <instance-id> --certificate-identifier <new-certificate-id> --apply-immediately

3. Verify that the update has been applied and that the RDS instance is using the new certificate.

Backout Plan:

Using AWS Console:

1. If updating the certificate causes issues, sign in to the AWS Management Console.

2. Navigate to Amazon RDS, select the DB instance, and click Modify.

3. If necessary, revert to a previous certificate or disable certificate rotation until further investigation is done.

4. Save the changes and monitor the instance to ensure that secure connections are restored.

Using AWS CLI:

1. To revert the certificate update, run the following command:
   

   aws rds modify-db-instance --db-instance-identifier <DB_INSTANCE_ID> --certificate-rotation-restart --apply-immediately

2. Verify that the certificate update is successfully reverted and that the RDS instance is working correctly:
   

   aws rds describe-db-instances --db-instance-identifier <DB_INSTANCE_ID>

References:

• Amazon RDS Documentation: Using SSL to Connect to a DB Instance

• Amazon RDS Documentation: Managing SSL/TLS Certificate Expiration and Rotation

• AWS CLI: describe-db-instances

• AWS CLI: describe-db-certificates

CIS Controls Mapping: