How to configure x509 client certificate based authentication to connect to AWS RDS based PostgreSQL

Question

We want to enforce encryption-in-motion for connecting to our PostgreSQL database hosted in Amazon AWS RDS. We followed the steps given here: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_PostgreSQL.html#PostgreSQL.Concepts.General.SSL

After doing the steps we are able to connect to the database with a command given below where we are using the root certificate provided by AWS:

    psql -h mydb.ckpjohsjh7j8.us-east-1.rds.amazonaws.com -p 5432 "dbname=mydb user=root password=mypassword sslrootcert=rds-combined-ca-bundle.pem sslmode=verify-full"

However, we are also able to connect without specifying the "sslrootcert" or "sslmode" parameters as seen in command below:

    psql -h mydb.ckpjohsjh7j8.us-east-1.rds.amazonaws.com -p 5432 "dbname=mydb user=root password=mypassword"

This means that x509 client certificate validation is not enabled for AWS RDS. I suppose there must be some way to generate my own private key and csr to get a public key signed by AWS or some way to configure customer provided private, public key. I searched the AWS documentation but could not locate any reference on how to enable it.

Could you please guide me on how to configure "enforcement" of x509 client certificate based authentication to connect to AWS RDS based PostgreSQL database?

Kind regards, Shashi

Answer 1

We contacted AWS support and got confirmation that RDS currently does not support configuring user generated, provided private on database server that could be used with corresponding signed public key. It's in their product backlog.