okram999/Enforce SSL in RDS Postgres DB instance.md

Last active February 15, 2019 15:19

Star (0) You must be signed in to star a gist
Fork (0) You must be signed in to fork a gist

Learn more about clone URLs
Clone this repository at <script src="https://gist.github.com/okram999/d712d205876d75bba267084da7731492.js"></script>
Save okram999/d712d205876d75bba267084da7731492 to your computer and use it in GitHub Desktop.

Download ZIP

Enforce SSL in RDS Postgres DB instance

Raw

Enforce SSL in RDS Postgres DB instance.md

Requiring SSL in AWS RDS Postgres DB instance

SSL Certificate:

Obtain the root cert from: https://s3.amazonaws.com/rds-downloads/rds-combined-ca-bundle.pem . This cert will be used for connecting to the db instance when SSL is enforced

Create the new parameter group:

Create a new parameter grp based on the DB engine version, as all the db instances are in default parameter grp [Default parameter grps cannot be modified]
Change the rds.force_ssl to 1 from 0

Change the DB configuration:

Minize the db connections (Or choose off hours/stop services/drop all connections) Optional
Take a manual snapshot of the Database *optional if enabled with daily backup - aws stores the transactional logs.
Apply the new parameter grp to the db instance (created in #2) with immediate effect.
Reboot the db instance to get the new parameter change applied
- In case of MultiAZ DB, reboot with "force failover"

Note: By default Postgres DB in RDS, comes with 'ssl connection' turned ON, BUT not enforced. This means that it can accept both SSL and non SSL connections

Impact on the Application, post the change:

App must use the SSL cert (from #1) to connect to the DB
Non SSL connections will fail

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment