We want to enforce encryption-in-motion for connecting to our PostgreSQL database hosted in Amazon AWS RDS. We followed the steps given here: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_PostgreSQL.html#PostgreSQL.Concepts.General.SSL
After doing the steps we are able to connect to the database with a command given below where we are using the root certificate provided by AWS:
psql -h mydb.ckpjohsjh7j8.us-east-1.rds.amazonaws.com -p 5432 "dbname=mydb user=root password=mypassword sslrootcert=rds-combined-ca-bundle.pem sslmode=verify-full"
However, we are also able to connect without specifying the "sslrootcert" or "sslmode" parameters, as seen in the command below:
psql -h mydb.ckpjohsjh7j8.us-east-1.rds.amazonaws.com -p 5432 "dbname=mydb user=root password=mypassword"
This means that x509 client certificate validation is not enabled for AWS RDS. I suppose there must be some way to generate my own private key and CSR to get a public key signed by AWS, or some way to configure a customer-provided private/public key pair. I searched the AWS documentation but could not locate any reference on how to enable it.
Could you please guide me on how to configure "enforcement" of x509 client certificate based authentication to connect to AWS RDS based PostgreSQL database?
Kind regards, Shashi
For Amazon RDS for Oracle instances, you can turn on SSL mode by adding the SSL option in your custom option group. Amazon RDS for Oracle supports Transport Layer Security (TLS) versions 1.0 and 1.2. To use the Oracle SSL option, use the SQLNET.SSL_VERSION option setting in your option group.
You can set the rds.force_ssl parameter to 1 (on) to require SSL for connections to your DB instance. To change the value of this parameter, you need to create a custom DB parameter group. You then change the value for rds.
With SSL support compiled in, the PostgreSQL server can be started with SSL enabled by setting the parameter ssl to on in postgresql.conf. The server will listen for both normal and SSL connections on the same TCP port, and will negotiate with any connecting client on whether to use SSL.
We contacted AWS support and got confirmation that RDS currently does not support configuring a user-generated or user-provided private key on the database server that could be used with the corresponding signed public key. It's in their product backlog.
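The two psql commands in the question and the rds.force_ssl snippet above describe two separate controls: the server refusing plaintext connections (rds.force_ssl=1 in a custom parameter group) and the client verifying the server certificate (sslmode=verify-full plus sslrootcert). The following audit script is an added example, not code from the thread or from AWS; it takes a libpq connection string and a constructed list of parameter-group entries shaped like the "Parameters" array returned by `aws rds describe-db-parameters`, and reports which of the two controls is missing.

```python
"""Audit an RDS PostgreSQL connection for TLS enforcement (added example).

Inputs are constructed: the DSNs are the two psql connection strings from the
question, and the parameter entries mimic `aws rds describe-db-parameters`
JSON output; feed real output in to use it for an actual instance.
"""
import json
import shlex

# libpq sslmode values, weakest to strongest; only verify-full checks the hostname.
SSLMODE_RANK = ["disable", "allow", "prefer", "require", "verify-ca", "verify-full"]


def parse_libpq_dsn(dsn: str) -> dict:
    """Parse a libpq keyword=value connection string as passed to psql."""
    pairs = {}
    for token in shlex.split(dsn):
        key, _, value = token.partition("=")
        pairs[key] = value
    return pairs


def force_ssl_enabled(parameters: list) -> bool:
    """True only if the parameter-group entries set rds.force_ssl to 1."""
    for entry in parameters:
        if entry.get("ParameterName") == "rds.force_ssl":
            return entry.get("ParameterValue") == "1"
    return False  # absent in the default group means plaintext is still accepted


def assess(dsn: str, parameters: list) -> list:
    """Return findings; an empty list means server enforces TLS and client verifies it."""
    findings = []
    opts = parse_libpq_dsn(dsn)
    if not force_ssl_enabled(parameters):
        findings.append("server: rds.force_ssl is not 1, plaintext connections accepted")
    mode = opts.get("sslmode", "prefer")  # libpq's compiled-in default
    if mode not in SSLMODE_RANK or SSLMODE_RANK.index(mode) < SSLMODE_RANK.index("verify-full"):
        findings.append(f"client: sslmode={mode} does not verify the server certificate and hostname")
    if "sslrootcert" not in opts:
        findings.append("client: no sslrootcert, relies on ~/.postgresql/root.crt being present")
    return findings


# Constructed samples: the default group the question implies, and a hardened one.
SAMPLE_PARAMETERS = json.loads('[{"ParameterName": "rds.force_ssl", "ParameterValue": "0"}]')
HARDENED_PARAMETERS = [{"ParameterName": "rds.force_ssl", "ParameterValue": "1"}]
DSN_VERIFIED = "dbname=mydb user=root password=mypassword sslrootcert=rds-combined-ca-bundle.pem sslmode=verify-full"
DSN_PLAIN = "dbname=mydb user=root password=mypassword"

if __name__ == "__main__":
    for dsn in (DSN_VERIFIED, DSN_PLAIN):
        print(dsn.split(" password=")[0], "->", assess(dsn, SAMPLE_PARAMETERS) or "ok")
```

With the default group, even the verify-full command reports the server-side gap, which is exactly why the second command in the question succeeds.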