AWS recently announced the need to:
Update Your Amazon RDS SSL/TLS Certificates by October 31, 2019
I have a Rails application hosted with a classic Elastic Beanstalk load balancer, which connects to a Postgres DB using RDS.
The required steps according to Amazon are:
(https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL-certificate-rotation.html)
Since I have my load balancers set up like this (connecting to my EC2 instances via HTTP on port 80, not SSL), does this mean I don't need to follow steps 1 and 2, and only need to follow step 3?
Or do I have to download the updated certificates and install/add them to my load balancer or EC2 instances manually? I'm not sure how to do that.
Steps 1 & 2 are only required if your application's connection with MySQL is TLS encrypted.
Do not change the LB TLS setting; it can break your application. LB TLS is one thing, RDS TLS is something else.
If your application just creates a plain connection you are safe to perform step 3 directly:
Modify the DB instance to change the CA from rds-ca-2015 to rds-ca-2019.
Normal practice for a DB is that it should be in a private subnet and not be accessible from the public. TLS is helpful when the connection between your database and backend goes over the internet, not within a VPC.
With an unencrypted connection between the MySQL client and the server, someone with access to the network could watch all your traffic and inspect the data being sent or received between client and server.
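The answer above hinges on one question: does your client verify the RDS server certificate at all? For the Rails/Postgres setup in the question, the pg gem hands the connection to libpq, whose `sslmode` decides that. `disable` means no TLS; `allow`, `prefer` (the default when the key is absent) and `require` use TLS without checking the certificate chain; only `verify-ca` and `verify-full` check it, and libpq documents that `require` behaves like `verify-ca` when a root CA file is present. So the CA rotation can only break a connection that is actually verifying the chain. The script below is an added example, not code from the original question, the answers or AWS; it reads the same keys a `config/database.yml` or `DATABASE_URL` would carry (`sslmode`, `sslrootcert`) and reports whether steps 1 and 2 apply or step 3 alone is enough. It only sees an explicit `sslrootcert`; a root CA file sitting at libpq's default path (`~/.postgresql/root.crt`) would have to be checked on the host. The sample configurations at the bottom are constructed for illustration.

```python
"""Classify a Rails/libpq PostgreSQL connection config for the RDS CA rotation.

libpq sslmode values:
  disable             no TLS
  allow, prefer       TLS if the server offers it, certificate NOT verified
  require             TLS mandatory, certificate NOT verified unless a root CA
                      file is present (then libpq verifies as verify-ca)
  verify-ca           TLS, server cert must chain to sslrootcert
  verify-full         verify-ca plus hostname check
Only a verifying mode can fail when RDS starts presenting a certificate
issued by the new CA, so only those configs need the new bundle (steps 1-2).
"""
from urllib.parse import urlparse, parse_qs

VERIFYING_MODES = {"verify-ca", "verify-full"}
OPPORTUNISTIC_MODES = {"allow", "prefer"}
VALID_MODES = {"disable", "require"} | OPPORTUNISTIC_MODES | VERIFYING_MODES


def parse_database_url(url):
    """Flatten a Rails DATABASE_URL into the parameter dict database.yml would hold.

    Example: postgres://user:pw@host:5432/db?sslmode=verify-full&sslrootcert=/x.pem
    """
    parts = urlparse(url)
    if parts.scheme not in ("postgres", "postgresql"):
        raise ValueError("not a PostgreSQL URL: %r" % url)
    # parse_qs yields lists; libpq takes the last value when a key repeats.
    params = {k: v[-1] for k, v in parse_qs(parts.query).items()}
    params["host"] = parts.hostname or ""
    params["database"] = parts.path.lstrip("/")
    return params


def classify(params):
    """Return what the connection does with TLS, from libpq-style parameters."""
    mode = params.get("sslmode", "prefer")  # libpq default when the key is absent
    if mode not in VALID_MODES:
        raise ValueError("unknown sslmode %r" % mode)
    rootcert = params.get("sslrootcert")
    # require + explicit root CA file: libpq verifies the chain as if verify-ca.
    verifies = mode in VERIFYING_MODES or (mode == "require" and bool(rootcert))
    return {
        "sslmode": mode,
        "encrypted": mode != "disable",
        # allow/prefer are downgradeable: a MITM can strip TLS unnoticed.
        "opportunistic": mode in OPPORTUNISTIC_MODES,
        "verifies_ca": verifies,
        "needs_new_bundle": verifies,
    }


def steps_required(params):
    """Which of the AWS rotation steps this client config needs."""
    return (1, 2, 3) if classify(params)["needs_new_bundle"] else (3,)


# Constructed sample configs, in the shape database.yml entries take.
SAMPLE_CONFIGS = {
    "rails default, no sslmode key": {"host": "db.internal"},
    "require without root cert": {"host": "db.internal", "sslmode": "require"},
    "require with root cert": {"host": "db.internal", "sslmode": "require",
                               "sslrootcert": "/etc/ssl/rds-combined-ca-bundle.pem"},
    "verify-full": {"host": "db.internal", "sslmode": "verify-full",
                    "sslrootcert": "/etc/ssl/rds-combined-ca-bundle.pem"},
    "plaintext": {"host": "db.internal", "sslmode": "disable"},
}


def report(configs=SAMPLE_CONFIGS):
    """Map each config name to the rotation steps it needs."""
    return {name: steps_required(cfg) for name, cfg in configs.items()}


if __name__ == "__main__":
    for name, steps in report().items():
        print("%-32s steps %s" % (name, steps))
```

Run it against your real `config/database.yml` values or `DATABASE_URL` (for example `steps_required(parse_database_url(os.environ["DATABASE_URL"]))`). Two things worth noting from the output: the Rails default is `prefer`, which encrypts against RDS but verifies nothing, so the rotation is a no-op for it, and an `sslmode: require` entry flips to verifying the moment someone adds an `sslrootcert`, which is exactly the case where step 3 alone would break the app.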
There is a much easier answer to the question:
You do not need to install anything in your Beanstalk environment if you upgrade the CA Certificate used by the RDS attached to it. https://stackoverflow.com/a/59742149/7051819
Just follow point 3 and ignore 1 and 2.
(Yes I wrote that answer myself).