Profile Applicability:

  • Level 1

Description:
 Enabling encryption in transit ensures that data sent between clients and AWS-managed database services is encrypted using SSL/TLS protocols. This protects the confidentiality and integrity of data from interception and tampering.

Rationale:
 Unencrypted data in transit is vulnerable to network-based attacks such as man-in-the-middle (MITM) and packet sniffing. Using encryption in transit ensures that even if network traffic is intercepted, the data remains unintelligible.

Impact:
 Pros:

  • Prevents unauthorized data access during transmission

  • Complies with data protection regulations (e.g., HIPAA, GDPR)

  • Supported by most AWS database engines (e.g., RDS, DocumentDB, ElastiCache)

Cons:

  • Slight increase in connection latency

  • Requires SSL/TLS support in client applications

  • May require database parameter updates

Default Value:
 Encryption in transit is available but not enforced by default in many AWS database services.

Pre-requisites:

  • SSL/TLS-capable database clients

  • Database parameter groups (if required)

  • Proper CA certificates available for client validation

Remediation:

Test Plan

Using AWS Console:

  1. Sign in to the AWS Console

  2. Navigate to the target database service (e.g., Amazon RDS, DocumentDB)

  3. Select the database instance

  4. Under the Connectivity & security or Configuration tab, check for SSL support

  5. Review whether the associated parameter group enforces SSL (e.g., rds.force_ssl = 1 for PostgreSQL)

Using AWS CLI:

  1. Retrieve the endpoint address of the database instance (the SSL check in the next step connects to it):

     aws rds describe-db-instances --db-instance-identifier <your-db-instance-id> --query "DBInstances[*].Endpoint.Address"
  2. Connect using openssl to verify SSL is supported. MySQL-compatible engines on port 3306 negotiate TLS inside the protocol, so openssl must be told to start TLS (for PostgreSQL on port 5432 use -starttls postgres instead):

     openssl s_client -starttls mysql -connect <endpoint>:3306
  3. Check the parameter value that enforces SSL:

     aws rds describe-db-parameters --db-parameter-group-name <your-db-parameter-group> --query "Parameters[?ParameterName=='rds.force_ssl'].{Name:ParameterName,Value:ParameterValue}"
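The CLI steps above check one instance at a time. The following script, added here as an example and not part of the benchmark, evaluates the JSON those two calls return across a fleet and flags any instance whose parameter group does not explicitly enforce TLS. It goes beyond the page's PostgreSQL case: the MySQL/MariaDB mapping to require_secure_transport and the SQL Server use of rds.force_ssl are assumptions stated in the code, and the sample data is constructed, not taken from a real account.

```python
# Engine -> parameter that enforces TLS. rds.force_ssl is the page's PostgreSQL
# case; the MySQL/MariaDB -> require_secure_transport mapping and the SQL Server
# entry are assumptions added here for the generalised check.
ENFORCE_PARAM = {"postgres": "rds.force_ssl", "sqlserver": "rds.force_ssl",
                 "mysql": "require_secure_transport", "mariadb": "require_secure_transport"}
ENFORCED_VALUES = {"1", "on"}

def enforce_param_for(engine):
    """Map an RDS engine string (e.g. 'sqlserver-se') to its enforcing parameter."""
    for prefix, name in ENFORCE_PARAM.items():
        if engine.startswith(prefix):
            return name
    return None

def ssl_enforced(engine, parameters):
    """Evaluate one group's describe-db-parameters 'Parameters' list. A parameter
    left at the engine default (no ParameterValue) or absent is reported as NOT enforced."""
    name = enforce_param_for(engine)
    if name is None:
        return False, f"no known enforcement parameter for engine {engine!r}"
    for p in parameters:
        if p.get("ParameterName") == name:
            value = p.get("ParameterValue")
            if value is None:
                return False, f"{name} has no explicit value (engine default)"
            return value.strip().lower() in ENFORCED_VALUES, f"{name}={value}"
    return False, f"{name} not present in parameter group"

def audit(instances, parameter_groups):
    """instances: describe-db-instances 'DBInstances'; parameter_groups: {name: 'Parameters'}."""
    findings = []
    for inst in instances:
        for pg in inst.get("DBParameterGroups", []):
            group = pg["DBParameterGroupName"]
            ok, detail = ssl_enforced(inst["Engine"], parameter_groups.get(group, []))
            findings.append({"instance": inst["DBInstanceIdentifier"], "engine": inst["Engine"],
                             "parameter_group": group, "enforced": ok, "detail": detail})
    return findings

# Constructed sample data shaped like the two CLI outputs (not real account data).
SAMPLE_INSTANCES = [
    {"DBInstanceIdentifier": "pg-prod", "Engine": "postgres",
     "DBParameterGroups": [{"DBParameterGroupName": "pg-tls"}]},
    {"DBInstanceIdentifier": "mysql-dev", "Engine": "mysql",
     "DBParameterGroups": [{"DBParameterGroupName": "default.mysql8.0"}]},
]
SAMPLE_PARAMS = {
    "pg-tls": [{"ParameterName": "rds.force_ssl", "ParameterValue": "1"}],
    "default.mysql8.0": [{"ParameterName": "require_secure_transport"}],  # default, no value
}
```

Run `audit(SAMPLE_INSTANCES, SAMPLE_PARAMS)` and treat every finding with `enforced` False as a failed check; in a live audit, feed it the parsed output of the two CLI calls instead of the sample data.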

Implementation Plan

Using AWS Console:

  1. Sign in to the AWS Console

  2. Navigate to Amazon RDS > Parameter Groups

  3. Select the parameter group used by the target DB instance

  4. Edit the parameter rds.force_ssl and set its value to 1

  5. Save changes

  6. Apply the parameter group to the DB instance if not already associated

  7. Modify application connection strings to use SSL mode (sslmode=require)

Using AWS CLI:

  1. Modify the DB parameter group to enable forced SSL:

     aws rds modify-db-parameter-group --db-parameter-group-name <your-db-parameter-group> --parameters "ParameterName=rds.force_ssl,ParameterValue=1,ApplyMethod=immediate"
  2. Reboot the DB instance if required for parameter change to take effect:

     aws rds reboot-db-instance --db-instance-identifier <your-db-instance-id>
  3. Update your client configuration to use SSL connection strings (e.g., sslmode=require)

Backout Plan

Using AWS Console:

  1. Navigate to Amazon RDS > Parameter Groups

  2. Edit the parameter group

  3. Set rds.force_ssl to 0

  4. Save and apply the changes to the database instance

  5. Remove SSL enforcement from client applications

Using AWS CLI:

  1. Disable forced SSL on the parameter group:

     aws rds modify-db-parameter-group --db-parameter-group-name <your-db-parameter-group> --parameters "ParameterName=rds.force_ssl,ParameterValue=0,ApplyMethod=immediate"
  2. Reboot the DB instance if required:

     aws rds reboot-db-instance --db-instance-identifier <your-db-instance-id>

References: