iCompaas Support

Profile Applicability:
Level 1

Description:
This control ensures that Amazon RDS instances enforce encrypted client connections (SSL/TLS) for supported database engines such as Microsoft SQL Server, PostgreSQL, MySQL, MariaDB, Aurora PostgreSQL, and Aurora MySQL. Enforcing encrypted connections ensures that data transmitted between the database client and the database instance is secure, preventing eavesdropping, tampering, or man-in-the-middle attacks.

Rationale:
Encrypting client connections helps protect sensitive data in transit between applications and databases. Without encryption, attackers could intercept traffic containing credentials or confidential data. Enabling SSL/TLS ensures that all connections are encrypted using strong cryptographic protocols, meeting best practices and compliance requirements under frameworks such as SOC 2, ISO 27001, PCI DSS, and CIS Benchmarks.

Impact:
Positive Impact:

• Protects sensitive information such as credentials and data from interception.

• Meets compliance requirements for data security and encryption.

• Reduces the risk of man-in-the-middle and data leakage attacks.
  Negative Impact:

• Requires client-side configuration updates to enforce SSL connections.

• May slightly increase latency due to encryption overhead.
  
  

Default Value:
By default, SSL/TLS is available but not enforced on RDS instances. Clients can connect using either encrypted or unencrypted connections unless explicitly restricted via parameter settings or database configurations.

Pre-Requisite:

• IAM permissions required: rds:DescribeDBInstances, rds:ModifyDBParameterGroup, rds:DescribeDBParameterGroups, and rds:RebootDBInstance.

• SSL certificate bundle must be installed on the client side for validation.

Test Plan 
Using AWS Console:

1. Sign in to the AWS Management Console.

2. Navigate to Amazon RDS → Databases.

3. Select a database instance.

4. Under the Connectivity & security tab, note the DB parameter group associated with the instance.

5. Navigate to Parameter groups in the RDS console.

6. Open the parameter group associated with the instance.

7. Verify the following parameters are set correctly for the respective database engines:

   • PostgreSQL / Aurora PostgreSQL: rds.force_ssl = 1

   • MySQL / Aurora MySQL: require_secure_transport = ON

   • MariaDB: require_secure_transport = ON

   • Microsoft SQL Server: SSL is enabled by default; ensure the rds.force_ssl equivalent setting is active.

8. For connections, verify using your client that the SSL mode is enforced (e.g., psql, mysql, SQL Server Management Studio).
   
   

Implementation Plan
Using AWS Console:

1. Navigate to Amazon RDS → Parameter groups.

2. Locate the parameter group associated with the database instance.

3. Select Edit parameters.

4. For the corresponding engine type, set the following:

   • PostgreSQL / Aurora PostgreSQL: Set rds.force_ssl to 1.

   • MySQL / Aurora MySQL / MariaDB: Set require_secure_transport to ON.

5. Save the parameter group changes.

6. Navigate to Amazon RDS → Databases and select your instance.

7. Under Configuration, confirm that the updated parameter group is applied.

8. Reboot the instance for changes to take effect
   
   

Backout Plan:

1. If application connectivity issues occur after enabling SSL enforcement, revert the parameter group settings to their previous state:

   • PostgreSQL: rds.force_ssl = 0

   • MySQL / MariaDB / Aurora MySQL: require_secure_transport = OFF

2. Reboot the RDS instance to apply the changes.

3. Investigate client library compatibility with SSL before reapplying enforcement.
   
   

References:

• Amazon RDS Security Documentation

• AWS Database Security Best Practices

• CIS AWS Foundations Benchmark v2.0.0 – Control 3.31

• AWS RDS Parameter Groups