
How to enable SSL/TLS on an Amazon Aurora MySQL DB instance?


I am trying to enable SSL/TLS for all connections to an Amazon Aurora MySQL-compatible instance. I went through the AWS documentation, but I couldn't find the corresponding parameter value to enforce this at the instance level.

I am able to connect to the RDS instance at the user level using the command below:

mysql -h rdsinstance.us-west-2.rds.amazonaws.com --ssl-ca=us-ca.pem --ssl-mode=REQUIRED -P 3306 -u user123 -p

mysql> \s
--------------
mysql  Ver 8.0.31 for Win64 on x86_64 (MySQL Community Server - GPL)

Connection id:          41
Current database:
Current user:           [email protected]
SSL:                    Cipher in use is ECDHE-RSA-AES128-GCM-SHA256
Using delimiter:        ;
Server version:         5.7.12 MySQL Community Server (GPL)
Protocol version:       10
Connection:             rdsinstance.us-west-2.rds.amazonaws.com via TCP/IP
Server characterset:    latin1
Db     characterset:    latin1
Client characterset:    cp850
Conn.  characterset:    cp850
TCP port:               3306

But I want all connections to the database to use SSL.

I am not sure if it's because of the community version. Thank you.


Solution

  • As per the AWS documentation, you can set the require_secure_transport parameter to ON to require SSL/TLS for connections to your DB cluster. By default, the require_secure_transport parameter is set to OFF.

    Special Note as per documentation: The require_secure_transport parameter is only available for Aurora MySQL version 5.7. You can set this parameter in a custom DB cluster parameter group. The parameter isn't available in DB instance parameter groups.

    Refer to the "Requiring an SSL/TLS connection to an Aurora MySQL DB cluster" section of the AWS documentation: https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/AuroraMySQL.Security.html#AuroraMySQL.Security.SSL

    If you already have a custom DB cluster parameter group on a supported version, please try:

    # require_secure_transport is a cluster-level parameter, so it is set on the
    # DB cluster parameter group; modify-db-parameter-group only targets
    # DB instance parameter groups, where this parameter does not exist
    aws rds modify-db-cluster-parameter-group \
        --db-cluster-parameter-group-name <cluster-parameter-group-name> \
        --parameters "ParameterName=require_secure_transport,ParameterValue=ON,ApplyMethod=immediate"

    Refer to modify-db-cluster-parameter-group for the full list of arguments supported by the command.
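The "SSL: Cipher in use is ..." line in the question's `\s` output only proves that one client session negotiated TLS; it says nothing about whether the server would also have accepted a plaintext session. The check below is an added example, not part of the answer or of any AWS tooling: it reads the JSON that `aws rds describe-db-cluster-parameters` and `aws rds describe-db-clusters` return (the same shapes boto3 returns), confirms that `require_secure_transport` is ON in the cluster parameter group, and flags any cluster member whose `DBClusterParameterGroupStatus` is not `in-sync`, since such a member may not have applied the parameter group change yet. All cluster, instance and parameter group names in the sample data are constructed placeholders; in practice you would feed the script the real CLI output instead.

```python
"""
Audit whether an Aurora MySQL cluster actually enforces TLS.

Consumes the JSON shapes returned by
  aws rds describe-db-cluster-parameters --db-cluster-parameter-group-name <name>
  aws rds describe-db-clusters
and reports the value of require_secure_transport plus any cluster member
that has not yet picked up the parameter group (status other than "in-sync").
"""
import json

# Constructed sample data (not captured from a real account).
# Shape follows `aws rds describe-db-cluster-parameters`.
SAMPLE_PARAMS_ENFORCED = {
    "Parameters": [
        {"ParameterName": "require_secure_transport", "ParameterValue": "ON",
         "ApplyType": "dynamic", "ApplyMethod": "immediate", "Source": "user"},
        {"ParameterName": "max_connections", "ParameterValue": "1000",
         "ApplyType": "dynamic", "ApplyMethod": "pending-reboot", "Source": "user"},
    ]
}
# Same shape, but with the default value the answer describes (OFF).
SAMPLE_PARAMS_DEFAULT = {
    "Parameters": [
        {"ParameterName": "require_secure_transport", "ParameterValue": "OFF",
         "ApplyType": "dynamic", "ApplyMethod": "immediate", "Source": "engine-default"},
    ]
}
# Shape follows one entry of `DBClusters` in `aws rds describe-db-clusters`;
# the identifiers are placeholders.
SAMPLE_CLUSTER = {
    "DBClusterIdentifier": "example-aurora-cluster",
    "DBClusterParameterGroup": "example-tls-required",
    "DBClusterMembers": [
        {"DBInstanceIdentifier": "example-writer", "IsClusterWriter": True,
         "DBClusterParameterGroupStatus": "in-sync"},
        {"DBInstanceIdentifier": "example-reader", "IsClusterWriter": False,
         "DBClusterParameterGroupStatus": "pending-reboot"},
    ],
}


def find_parameter(describe_output, name):
    """Return the parameter entry called `name`, or None if the group has no such entry."""
    for entry in describe_output.get("Parameters", []):
        if entry.get("ParameterName") == name:
            return entry
    return None


def audit_cluster(cluster, cluster_params):
    """Return a finding dict for one cluster.

    `enforced` is True only when require_secure_transport is ON in the
    cluster parameter group AND every member reports status "in-sync".
    """
    entry = find_parameter(cluster_params, "require_secure_transport")
    value = entry.get("ParameterValue") if entry else None
    # MySQL accepts ON or 1 for boolean system variables; anything else
    # (OFF, 0, or a missing entry) means plaintext connections are still accepted.
    is_on = str(value).strip().upper() in ("ON", "1")
    findings = []
    if not is_on:
        findings.append(
            f"require_secure_transport is {value!r}: unencrypted connections are still accepted")
    stale = [m["DBInstanceIdentifier"] for m in cluster.get("DBClusterMembers", [])
             if m.get("DBClusterParameterGroupStatus") != "in-sync"]
    for ident in stale:
        findings.append(
            f"{ident}: parameter group status is not in-sync, so this member may not "
            "have applied the current parameter group yet")
    return {
        "cluster": cluster.get("DBClusterIdentifier"),
        "parameter_group": cluster.get("DBClusterParameterGroup"),
        "require_secure_transport": value,
        "enforced": is_on and not stale,
        "findings": findings,
    }


if __name__ == "__main__":
    for label, params in (("enforced group", SAMPLE_PARAMS_ENFORCED),
                          ("default group", SAMPLE_PARAMS_DEFAULT)):
        print(label)
        print(json.dumps(audit_cluster(SAMPLE_CLUSTER, params), indent=2))
```

With the constructed data, the "enforced group" run still reports `enforced: false` because the reader member is `pending-reboot`; that is the case a quick look at the parameter value alone would miss. The "default group" run additionally reports the OFF value, which matches the default state the answer describes.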