Profile Applicability:
 Level 1

Description:
 Encryption in transit ensures that data transferred between Amazon Aurora instances and clients is encrypted with TLS, so it cannot be read or altered by a third party on the network path. Enabling and enforcing it protects sensitive data, such as passwords and query contents, from interception while it travels between the database and applications.

Rationale:
 Encrypting data in transit is essential for maintaining confidentiality and integrity. It helps protect data from being intercepted by unauthorized parties, particularly in a shared or insecure network. This is particularly important for regulatory compliance (e.g., HIPAA, PCI-DSS, GDPR), where data encryption is often mandated for sensitive information.

Impact:
 Without encryption in transit, data traveling over the network is susceptible to man-in-the-middle attacks, where an attacker can intercept or alter the data. This could lead to data breaches, loss of sensitive information, or other security incidents. Enabling encryption ensures that communications are secure, reducing the risk of data leakage or tampering.

Default Value:
 By default, Amazon Aurora supports encryption in transit using SSL/TLS. However, enforcement of this feature must be explicitly enabled on the database side, and client connections must be configured to use SSL/TLS and to verify the server certificate.

Pre-requisites:

  • An AWS account with administrative access to configure Aurora instances.

  • Knowledge of SSL/TLS certificates and how to enable them on client connections.

  • The client applications must be configured to support SSL/TLS connections.

Remediation

Test Plan:

Using AWS Console:

  1. Navigate to RDS > Databases, select your Aurora instance, and click Modify.

  2. Ensure that SSL/TLS encryption is enabled under Security settings.

  3. Verify that the SSL certificate is set up correctly for the Aurora instance.

  4. Review the Connection settings to ensure that clients are instructed to use SSL for encrypted connections.

  5. Check CloudWatch Logs or other monitoring tools to confirm that encrypted connections are being established.

Using AWS CLI:

  1. Run the following command to list each Aurora cluster, its engine, and the cluster parameter group that controls SSL/TLS enforcement:

    aws rds describe-db-clusters --query "DBClusters[].{DBClusterIdentifier:DBClusterIdentifier, Engine:Engine, ParameterGroup:DBClusterParameterGroup}"

  2. Verify the CA certificate assigned to each Aurora instance:

    aws rds describe-db-instances --query "DBInstances[].{DBInstanceIdentifier:DBInstanceIdentifier, CACertificateIdentifier:CACertificateIdentifier}"

  3. Check that the parameter group enforces SSL/TLS (rds.force_ssl for Aurora PostgreSQL, require_secure_transport for Aurora MySQL):

    aws rds describe-db-cluster-parameters --db-cluster-parameter-group-name <parameter-group-name> --query "Parameters[?ParameterName=='rds.force_ssl' || ParameterName=='require_secure_transport']"
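The CLI checks above produce JSON that still has to be interpreted. The following is an added example, not part of the benchmark text, that evaluates the "Parameters" output of describe-db-cluster-parameters and reports whether the engine's force-TLS parameter is actually set. The parameter names rds.force_ssl and require_secure_transport are the real Aurora PostgreSQL and Aurora MySQL names; the engine-to-parameter mapping and the sample JSON documents are constructed for this example.

```python
"""Decide whether an Aurora cluster parameter group enforces TLS.

Consumes the JSON printed by
  aws rds describe-db-cluster-parameters --db-cluster-parameter-group-name <name>
and returns a finding for the engine's force-TLS parameter.
"""
import json

# Engine family (as reported by describe-db-clusters) -> (parameter name,
# values that mean "plaintext connections are rejected"). Mapping is an
# assumption of this example; the parameter names are the real ones.
FORCE_TLS_PARAMS = {
    "aurora-postgresql": ("rds.force_ssl", {"1", "on"}),
    "aurora-mysql": ("require_secure_transport", {"1", "on"}),
}


def tls_enforcement(engine: str, describe_output: str) -> dict:
    """Return a finding dict for one cluster parameter group.

    engine: Aurora engine family, e.g. "aurora-postgresql".
    describe_output: raw JSON text from describe-db-cluster-parameters.
    """
    param_name, enforced_values = FORCE_TLS_PARAMS[engine]
    params = json.loads(describe_output).get("Parameters", [])
    match = next((p for p in params if p.get("ParameterName") == param_name), None)
    if match is None:
        # The query returned nothing for this name: the group does not set it,
        # so the engine default applies and enforcement cannot be confirmed.
        return {"parameter": param_name, "enforced": False,
                "reason": "parameter not present in group output"}
    value = str(match.get("ParameterValue", "")).lower()
    finding = {"parameter": param_name, "value": value,
               "enforced": value in enforced_values}
    # A change applied with ApplyMethod=pending-reboot is recorded in the
    # group but not yet live on running instances: flag it separately.
    if finding["enforced"] and match.get("ApplyMethod") == "pending-reboot":
        finding["note"] = "value set but pending reboot on running instances"
    return finding


def noncompliant_clusters(clusters: list, group_outputs: dict) -> list:
    """Cross-reference describe-db-clusters rows with per-group parameter output.

    clusters: list of dicts with DBClusterIdentifier, Engine, DBClusterParameterGroup.
    group_outputs: parameter group name -> raw JSON from describe-db-cluster-parameters.
    Returns the identifiers of clusters whose group does not enforce TLS.
    """
    failing = []
    for c in clusters:
        finding = tls_enforcement(c["Engine"], group_outputs[c["DBClusterParameterGroup"]])
        if not finding["enforced"]:
            failing.append(c["DBClusterIdentifier"])
    return failing


# Constructed sample outputs (not captured from a real account).
SAMPLE_PG_ENFORCED = json.dumps({"Parameters": [
    {"ParameterName": "rds.force_ssl", "ParameterValue": "1",
     "ApplyType": "dynamic", "ApplyMethod": "immediate", "Source": "user"}]})
SAMPLE_PG_OFF = json.dumps({"Parameters": [
    {"ParameterName": "rds.force_ssl", "ParameterValue": "0",
     "ApplyType": "dynamic", "ApplyMethod": "immediate", "Source": "user"}]})
SAMPLE_MYSQL_UNSET = json.dumps({"Parameters": []})

SAMPLE_CLUSTERS = [
    {"DBClusterIdentifier": "orders-prod", "Engine": "aurora-postgresql",
     "DBClusterParameterGroup": "pg-tls-enforced"},
    {"DBClusterIdentifier": "reports-dev", "Engine": "aurora-postgresql",
     "DBClusterParameterGroup": "pg-default-like"},
    {"DBClusterIdentifier": "legacy-mysql", "Engine": "aurora-mysql",
     "DBClusterParameterGroup": "mysql-unset"},
]
SAMPLE_GROUPS = {"pg-tls-enforced": SAMPLE_PG_ENFORCED,
                 "pg-default-like": SAMPLE_PG_OFF,
                 "mysql-unset": SAMPLE_MYSQL_UNSET}

if __name__ == "__main__":
    for name in noncompliant_clusters(SAMPLE_CLUSTERS, SAMPLE_GROUPS):
        print(f"NON-COMPLIANT: {name}")
```

Run it against real output by replacing the constructed samples with the JSON the CLI prints; an empty Parameters list from the filtered query is treated as a failure, because "not set" means the engine default decides and the control cannot be demonstrated.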

Implementation Plan

Using AWS Console:

  1. Navigate to RDS > Databases, select the Aurora instance, and click Modify.

  2. Under Security, enable SSL/TLS encryption by selecting the relevant option.

  3. Apply the changes and ensure that SSL/TLS encryption is enabled for all client connections to the Aurora instance.

  4. Download the SSL certificate from the RDS console to distribute to the client applications.

  5. Ensure that the client applications are configured to use SSL for connections to the database by specifying the SSL certificate and forcing encrypted connections.

Using AWS CLI:

  1. Enable SSL/TLS enforcement by setting the force-TLS parameter in the cluster parameter group (rds.force_ssl=1 for Aurora PostgreSQL; use ParameterName=require_secure_transport,ParameterValue=ON for Aurora MySQL):

    aws rds modify-db-cluster-parameter-group --db-cluster-parameter-group-name <ssl-parameter-group-name> --parameters "ParameterName=rds.force_ssl,ParameterValue=1,ApplyMethod=immediate"

  2. Apply the SSL parameter group to the cluster to enforce SSL connections:

    aws rds modify-db-cluster --db-cluster-identifier <db-cluster-id> --db-cluster-parameter-group-name <ssl-parameter-group-name> --apply-immediately

  3. Download the RDS CA certificate bundle and distribute it to client applications for encrypted connections:

    curl -o global-bundle.pem https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem
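Server-side enforcement only guarantees that the connection is encrypted; the client still has to verify that it is talking to the real database, otherwise an on-path attacker can present its own certificate. The following is an added example, not part of the benchmark, that audits and hardens client connection settings for both Aurora engines: a libpq-style DSN (Aurora PostgreSQL) and a MySQL client option set. The option names (sslmode, sslrootcert, ssl-mode, ssl-ca) are the real libpq and MySQL client names; the CA bundle install path and the sample DSNs are assumptions of this example.

```python
"""Audit and harden client TLS settings for Aurora connections.

For Aurora PostgreSQL clients (libpq DSN) the hardened state is
sslmode=verify-full plus sslrootcert pointing at the RDS CA bundle.
For Aurora MySQL clients the equivalent is ssl-mode=VERIFY_IDENTITY
plus ssl-ca. Both check the certificate chain AND the hostname.
"""
from typing import Dict, List, Tuple

# Assumed location where the downloaded global-bundle.pem was installed.
RDS_CA_BUNDLE = "/etc/ssl/certs/global-bundle.pem"

# libpq sslmode values that do not authenticate the server. Note that
# "require" encrypts but accepts any certificate, so it is still weak.
PG_UNAUTHENTICATED = {"disable", "allow", "prefer", "require"}


def parse_libpq_dsn(dsn: str) -> Dict[str, str]:
    """Parse 'key=value key2=value2' into an ordered dict (no quoting needed here)."""
    opts: Dict[str, str] = {}
    for token in dsn.split():
        key, _, value = token.partition("=")
        opts[key] = value
    return opts


def harden_libpq_dsn(dsn: str) -> Tuple[str, List[str]]:
    """Return (hardened DSN, findings) for an Aurora PostgreSQL connection string."""
    opts = parse_libpq_dsn(dsn)
    findings: List[str] = []
    mode = opts.get("sslmode", "prefer")  # libpq's default when unset
    if mode in PG_UNAUTHENTICATED:
        findings.append(f"sslmode={mode} does not verify the server certificate")
        opts["sslmode"] = "verify-full"
    elif mode == "verify-ca":
        findings.append("sslmode=verify-ca checks the chain but not the hostname")
        opts["sslmode"] = "verify-full"
    if "sslrootcert" not in opts:
        findings.append("sslrootcert missing; the RDS CA bundle must be pinned")
        opts["sslrootcert"] = RDS_CA_BUNDLE
    hardened = " ".join(f"{k}={v}" for k, v in opts.items())
    return hardened, findings


def harden_mysql_options(opts: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Same audit for MySQL client options given as a dict of --option values."""
    fixed = dict(opts)
    findings: List[str] = []
    mode = fixed.get("ssl-mode", "PREFERRED").upper()  # mysql client default
    if mode != "VERIFY_IDENTITY":
        findings.append(f"ssl-mode={mode} does not verify certificate and hostname")
        fixed["ssl-mode"] = "VERIFY_IDENTITY"
    if "ssl-ca" not in fixed:
        findings.append("ssl-ca missing; the RDS CA bundle must be pinned")
        fixed["ssl-ca"] = RDS_CA_BUNDLE
    return fixed, findings


if __name__ == "__main__":
    # Constructed sample settings, not taken from any real deployment.
    dsn, notes = harden_libpq_dsn("host=orders.cluster.internal dbname=app user=app sslmode=require")
    print(dsn)
    for n in notes:
        print(" -", n)
```

Treat every finding as a configuration defect to fix in the application, not something to silence: a client that reaches the database with sslmode=require will also reach an impostor that terminates TLS with its own certificate.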

Backout Plan

Using AWS Console:

  1. In RDS > Databases, select the Aurora instance, and click Modify.

  2. Disable SSL/TLS encryption under the Security settings.

  3. Remove the SSL certificate configuration from the client applications.

  4. Apply the changes and confirm that SSL is no longer required for client connections.

Using AWS CLI:

  1. Disable SSL/TLS enforcement by resetting the force-TLS parameter in the cluster parameter group (ParameterValue=OFF for require_secure_transport on Aurora MySQL):

    aws rds modify-db-cluster-parameter-group --db-cluster-parameter-group-name <ssl-parameter-group-name> --parameters "ParameterName=rds.force_ssl,ParameterValue=0,ApplyMethod=immediate"

  2. Revert the cluster to the previous parameter group configuration without SSL enforcement:

    aws rds modify-db-cluster --db-cluster-identifier <db-cluster-id> --db-cluster-parameter-group-name <old-parameter-group-name> --apply-immediately

  3. Remove the SSL certificate from the client applications.

References: