Using SSL/TLS to encrypt a connection to a DB instance

By Webner

To encrypt a connection to a MySQL, Oracle, MariaDB, Microsoft SQL Server, or PostgreSQL instance, your application can employ Secure Socket Layer (SSL) or Transport Layer Security (TLS).

Data transferred between your client and the database instance is encrypted using SSL/TLS connections. Alternatively, your SSL/TLS connection can verify the identity of your server by verifying the server certificate on your database instance. The general process for requiring server identity verification is as follows:

Step 1: Select the certificate authority (CA) that signs the database server certificate.

Step 2: If you are connecting to the database, you will need to download a certificate bundle. You may download a certificate bundle from Certificate bundles for all AWS regions or Certificate bundles for specific AWS regions.

Step 3: You should use the SSL/TLS connection method provided by your database engine to connect to the database. There are different processes for implementing SSL/TLS in each database engine. Follow the link that corresponds to your database engine to learn how to implement SSL/TLS for your database:

RDS provides the following CAs for signing the database server certificate:

  • rds-ca-2019
  • rds-ca-rsa2048-g1
  • rds-ca-rsa4096-g1
  • rds-ca-ecc384-g1

Note: The currently recommended CA is rds-ca-rsa2048-g1.

A bundle of regional and global certificates contains these CA certificates. In the case of a database using a CA such as rds-ca-rsa2048-g1, rds-ca-rsa4096-g1, or rds-ca-ecc384-g1, RDS manages the server certificate on the database. Before the DB server certificate expires, RDS automatically rotates it.

Setting up your database’s CA

The following methods can be used to set the CA for a database:

  • When you create a DB instance, you can specify the CA.
  • You can set the CA for an existing DB instance by modifying the instance.

Which CAs are available depends on the database engine and the engine version. As shown in the following image, you can choose the CA when using the AWS Management Console.


Viewing the CA for your database

As the following image shows, you can view the details about the CA for a DB instance under the Connectivity & Security tab in the console.


AWS certificate bundles for all regions

Download a certificate bundle containing both intermediate and root certificates for all AWS regions by clicking here.

For Microsoft Windows, which requires a PKCS7 file, click here.

As a worked example, the rest of this post covers MySQL on RDS.
Encrypting client connections to MySQL DB instances with SSL/TLS

When Amazon RDS provisions a DB instance, it creates an SSL/TLS certificate and installs it on the instance. The certificates are issued by a certificate authority. To help prevent spoofing attacks, the SSL/TLS certificate includes the DB instance endpoint as the Common Name (CN), so a client that verifies the certificate can confirm it is talking to the endpoint it intended to reach.

MySQL uses OpenSSL for secure connections. Amazon RDS for MySQL supports Transport Layer Security (TLS) versions 1.0, 1.1, 1.2, and 1.3. TLS support depends on the MySQL version.
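To make Steps 1 to 3 and the CN check above concrete, here is an added example in Go; it is not part of the original post or of AWS's documentation. It loads a CA bundle into a certificate pool, builds a tls.Config that pins trust to that bundle, sets the expected server name and refuses TLS 1.0 and 1.1, and then shows that a certificate issued for the DB endpoint verifies while the same certificate fails for any other host name. The endpoint name and the throwaway CA and server certificate are constructed inside the code so that it runs offline; a real client would load the bundle downloaded from AWS instead. The mention of mysql.RegisterTLSConfig refers to the go-sql-driver/mysql package, which the code itself does not import.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

const dbEndpoint = "mydb.123456789012.us-east-1.rds.amazonaws.com" // constructed, not a real host

// verifiedTLSConfig turns a downloaded RDS CA bundle (PEM) into a tls.Config that
// requires the server certificate to chain to that bundle and to name the endpoint
// being dialled. With go-sql-driver/mysql: mysql.RegisterTLSConfig("rds", cfg) + ?tls=rds.
func verifiedTLSConfig(bundlePEM []byte, endpoint string) (*tls.Config, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(bundlePEM) {
		return nil, errors.New("no CA certificates found in bundle")
	}
	return &tls.Config{
		RootCAs:    pool,             // trust only the RDS CAs, not the OS store
		ServerName: endpoint,         // turns on hostname verification (CN/SAN)
		MinVersion: tls.VersionTLS12, // refuse TLS 1.0 and 1.1
	}, nil
}

// verifyServerCert applies the same check the handshake applies to the certificate
// the server presents: it must chain to RootCAs and be valid for endpoint.
func verifyServerCert(cfg *tls.Config, serverDER []byte, endpoint string) error {
	cert, err := x509.ParseCertificate(serverDER)
	if err != nil {
		return err
	}
	_, err = cert.Verify(x509.VerifyOptions{Roots: cfg.RootCAs, DNSName: endpoint})
	return err
}

// makeTestPKI builds a throwaway CA and a server certificate carrying the DB endpoint as
// CN and SAN, standing in for the RDS-installed certificate so the example runs offline.
func makeTestPKI(endpoint string) (caPEM, serverDER []byte, err error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	srvKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Constructed Test Root CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, nil, err
	}
	srvTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: endpoint}, // CN = DB endpoint, as on RDS
		DNSNames:     []string{endpoint},              // SAN is what modern verifiers use
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	serverDER, err = x509.CreateCertificate(rand.Reader, srvTmpl, caCert, &srvKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	caPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER})
	return caPEM, serverDER, nil
}

func main() {
	caPEM, srvDER, err := makeTestPKI(dbEndpoint)
	if err != nil {
		panic(err)
	}
	cfg, err := verifiedTLSConfig(caPEM, dbEndpoint)
	if err != nil {
		panic(err)
	}
	for _, host := range []string{dbEndpoint, "other.example.com"} {
		fmt.Printf("verify as %q: %v\n", host, verifyServerCert(cfg, srvDER, host))
	}
}
```

In production, read the downloaded bundle file into bundlePEM and keep ServerName equal to the exact endpoint string you dial. A configuration that sets InsecureSkipVerify, or that omits RootCAs when the RDS CAs are not in the system trust store, still encrypts the session but gives up the identity check the CN is there to provide.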

Specific user accounts can be required to use SSL/TLS. To require SSL/TLS connections for the encrypted_user account, use the following statement (the exact syntax depends on your MySQL version):

ALTER USER 'encrypted_user'@'%' REQUIRE SSL;

You can require SSL/TLS encryption for all connections to your MySQL database instance using the require_secure_transport parameter. In the default configuration, the require_secure_transport parameter is set to OFF. When the require_secure_transport parameter is set to ON, SSL/TLS will be required for all connections to your database.

By updating the DB parameter group for your DB instance, you can set the require_secure_transport parameter value. For the change to take effect, you do not need to reboot your database instance.

When the require_secure_transport parameter is set to ON, only encrypted connections to the DB instance are accepted. A client that attempts an unencrypted connection receives an error message similar to the following:

MySQL Error 3159 (HY000): Connections using insecure transport are prohibited while --require_secure_transport=ON.
