Profile Applicability: 

  • Level 1

Description:
Encryption in transit ensures that data remains confidential and protected as it travels from one location to another within the AWS environment. By enabling SSL/TLS, you prevent unauthorized interception and manipulation of data during transmission.

Rationale:
Data transmitted without encryption can be intercepted and read by malicious actors. Enabling SSL/TLS ensures data confidentiality and integrity in transit between clients and the database service.

Impact:
If the data is intercepted during transmission, it will be unreadable without the decryption key. However, misconfigurations could lead to failed connections from clients not configured to use SSL/TLS.

Default Value:
By default, some AWS services (like DynamoDB) enable encryption in transit. However, for services like RDS or Aurora, the client must be explicitly configured to use SSL/TLS.

Pre-requisites:

  • Access to the AWS Console or CLI

  • Administrative privileges for modifying database configurations

  • SSL/TLS certificates (if not using default AWS certificates)

Remediation:

Test Plan

Using AWS Console:

  1. Sign in to the AWS Management Console

  2. Navigate to the database service console (e.g., RDS, DynamoDB, DocumentDB, Neptune)

  3. Select your database instance or cluster

  4. Check under the Encryption in Transit or Connectivity section

  5. Verify that SSL/TLS is enabled

Using AWS CLI:

  1. Run the following command for RDS to list each instance's CA certificate and its DB parameter group (the parameter group is where TLS enforcement is configured):

     aws rds describe-db-instances --query "DBInstances[*].{DBInstanceIdentifier:DBInstanceIdentifier,CACertificateIdentifier:CACertificateIdentifier,ParameterGroups:DBParameterGroups[*].DBParameterGroupName}"

  2. For Neptune:

     aws neptune describe-db-clusters


  3. Check the SSL/TLS configuration in the output: for RDS, confirm that the instance's parameter group sets rds.force_ssl (PostgreSQL, SQL Server) or require_secure_transport (MySQL, MariaDB) so that TLS is required rather than merely available
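
An added offline version of the CLI check above (example code, not part of this benchmark): it joins saved JSON from `aws rds describe-db-instances` with `aws rds describe-db-parameters` output for each instance's parameter group and reports whether the engine-specific force-SSL parameter (rds.force_ssl or require_secure_transport) requires TLS instead of merely offering it. The instance names, parameter group names and trimmed sample output are constructed.

```python
import json

# Per-engine parameter that makes the server refuse plaintext connections, and the
# values that mean "enforced". Oracle (configured via option group) is out of scope.
FORCE_TLS_PARAM = {
    "postgres": ("rds.force_ssl", {"1"}),
    "aurora-postgresql": ("rds.force_ssl", {"1"}),
    "mysql": ("require_secure_transport", {"1", "ON"}),
    "mariadb": ("require_secure_transport", {"1", "ON"}),
    "aurora-mysql": ("require_secure_transport", {"1", "ON"}),
}

def param_values(describe_parameters_json):
    """ParameterName -> ParameterValue; parameters at engine default have no ParameterValue key."""
    params = json.loads(describe_parameters_json)["Parameters"]
    return {p["ParameterName"]: p.get("ParameterValue") for p in params}

def tls_enforced(instance, params_by_group):
    """Return (enforced, reason) for one element of DBInstances[]."""
    engine = instance["Engine"]
    if engine not in FORCE_TLS_PARAM:
        return False, f"engine {engine} not covered by this check"
    name, ok_values = FORCE_TLS_PARAM[engine]
    group = instance["DBParameterGroups"][0]["DBParameterGroupName"]
    value = params_by_group.get(group, {}).get(name)
    if value is None:
        return False, f"{name} unset in {group}: TLS optional, not required"
    return value.upper() in ok_values, f"{name}={value} in {group}"

def audit(describe_instances_json, describe_parameters_by_group):
    """Join describe-db-instances output with per-group describe-db-parameters output."""
    params_by_group = {g: param_values(j) for g, j in describe_parameters_by_group.items()}
    report = {}
    for inst in json.loads(describe_instances_json)["DBInstances"]:
        enforced, reason = tls_enforced(inst, params_by_group)
        report[inst["DBInstanceIdentifier"]] = {"tls_enforced": enforced, "reason": reason,
                                                "ca": inst.get("CACertificateIdentifier")}
    return report

# Constructed sample CLI output, trimmed to the fields the check reads.
SAMPLE_INSTANCES = json.dumps({"DBInstances": [
    {"DBInstanceIdentifier": "orders-pg", "Engine": "postgres", "CACertificateIdentifier": "rds-ca-rsa2048-g1",
     "DBParameterGroups": [{"DBParameterGroupName": "pg-require-tls", "ParameterApplyStatus": "in-sync"}]},
    {"DBInstanceIdentifier": "legacy-mysql", "Engine": "mysql", "CACertificateIdentifier": "rds-ca-2019",
     "DBParameterGroups": [{"DBParameterGroupName": "default.mysql8.0", "ParameterApplyStatus": "in-sync"}]}]})
SAMPLE_PARAMS = {  # parameter group name -> describe-db-parameters JSON for that group
    "pg-require-tls": json.dumps({"Parameters": [{"ParameterName": "rds.force_ssl", "ParameterValue": "1"}]}),
    "default.mysql8.0": json.dumps({"Parameters": [{"ParameterName": "require_secure_transport"}]}),
}
```

Calling `audit(SAMPLE_INSTANCES, SAMPLE_PARAMS)` passes the PostgreSQL instance and fails the MySQL one, whose default parameter group leaves require_secure_transport unset.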

Implementation Plan

Using AWS Console:

  1. Open the relevant database console (e.g., RDS, Neptune)

  2. Select the DB instance or cluster

  3. Click Modify

  4. Under Connectivity or Encryption in Transit, enable SSL/TLS

  5. Choose or upload the SSL certificate if needed

  6. Click Continue or Apply Changes

Using AWS CLI:

  1. Require TLS on an RDS instance by setting the force-SSL parameter in its DB parameter group (rds.force_ssl for PostgreSQL and SQL Server, require_secure_transport for MySQL and MariaDB); changing the CA certificate only selects which server certificate is presented and does not by itself enforce TLS (example):

     aws rds modify-db-parameter-group --db-parameter-group-name <parameter-group> --parameters "ParameterName=rds.force_ssl,ParameterValue=1,ApplyMethod=immediate"
     aws rds modify-db-instance --db-instance-identifier <instance-id> --ca-certificate-identifier rds-ca-2019 --apply-immediately

  2. Modify Neptune cluster (current Neptune engine versions accept only TLS connections on the cluster endpoints; this flag enables IAM database authentication on top of TLS and does not control TLS itself):

     aws neptune modify-db-cluster --db-cluster-identifier <cluster-id> --enable-iam-database-authentication --apply-immediately

Backout Plan

Using AWS Console:

  1. Go to the DB instance

  2. Click Modify

  3. Uncheck the Enable SSL/TLS option (if allowed)

  4. Save changes

Using AWS CLI:

  1. For RDS, set the force-SSL parameter back to its non-enforcing value in the parameter group (0 for rds.force_ssl, 0 or OFF for require_secure_transport):

     aws rds modify-db-parameter-group --db-parameter-group-name <parameter-group> --parameters "ParameterName=rds.force_ssl,ParameterValue=0,ApplyMethod=immediate"

  2. For Neptune, turn IAM database authentication back off (TLS itself is not toggled by this flag):

     aws neptune modify-db-cluster --db-cluster-identifier <cluster-id> --no-enable-iam-database-authentication --apply-immediately

References:

  1. AWS Database Encryption in Transit

  2. CIS Controls v8 – Control 3.10: Encrypt Sensitive Data in Transit

  3. CIS Benchmark Document