To connect to AWS RDS databases using TLS/SSL, the client must trust the certificate provided by RDS; RDS doesn’t use certificates trusted by the CAs (Certificate Authorities) included by operating systems.
Without TLS/SSL, the connection to the database isn’t secure, meaning an attacker on the network between the client (running in EC2) and the database (running RDS) could eavesdrop or modify data.
To trust the AWS RDS certificate authority, on Docker, for a Red Hat / CentOS / Fedora / Amazon Linux (or other Fedora-type system) derived container, add the following to the Dockerfile:
#!/bin/bash
set -e # stop on all errors
RUN curl "https://s3-us-gov-west-1.amazonaws.com/rds-downloads/rds-combined-ca-us-gov-bundle.pem" --output /etc/pki/ca-trust/source/anchors/rds-combined-ca-us-gov-bundle.pem \
&& curl "https://s3.amazonaws.com/rds-downloads/rds-combined-ca-bundle.pem" --output /etc/pki/ca-trust/source/anchors/rds-combined-ca-bundle.pem \
&& update-ca-trust \
&& update-ca-trust force-enable
On AWS Elastic Beanstalk the .ebextensions mechanism can be used. In the jar/war/etc deployment archive, add this file:
.ebextensions/install_rds_certificates.config
packages:
yum:
bash: []
curl: []
files:
"/tmp/install_rds_certificates.sh":
mode: "000755"
owner: root
group: root
content: |
#!/usr/bin/env bash
set -Eeuo pipefail # stop on all errors
AVAILABILITY_ZONE=$(curl -s http://169.254.169.254/latest/dynamic/instance-identity/document | grep region | cut -d\" -f4)
if [[ ${AVAILABILITY_ZONE} == us-gov-* ]]
then
curl "https://s3-us-gov-west-1.amazonaws.com/rds-downloads/rds-combined-ca-us-gov-bundle.pem" --output /etc/pki/ca-trust/source/anchors/rds-combined-ca-us-gov-bundle.pem
else
curl "https://s3.amazonaws.com/rds-downloads/rds-combined-ca-bundle.pem" --output /etc/pki/ca-trust/source/anchors/rds-combined-ca-bundle.pem
fi
update-ca-trust
update-ca-trust force-enable
commands:
01install_rds_certificates:
command: "/tmp/install_rds_certificates.sh"
Next, modify the client to require a secure connection. For example, with the PostgreSQL JDBC client, add “?ssl=true” to the connection string url.
That it – you can now connect to your RDS database using SSL/TLS with the assurance that no MITM (Man In The Middle) attacks, eavesdropping attacks, etc are possible.
Trusting AWS RDS Certificates in Docker and Beanstalk by Craig Andrews is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
Thank you Craig for your instructions, those helped me.
In my case I first tested the commands by opening a session of my EC2 (beanstalk) and updated the certificates:
In the EC2 session I execute
1.- curl “https://s3.amazonaws.com/rds-downloads/rds-combined-ca-bundle.pem” –output /etc/pki/ca-trust/source/anchors/rds-combined-ca-bundle.pemd:
2.- sudo update-ca-trust
3.- sudo update-ca-trust force-enable
After seeing this actually working, then I modified my deployment script in CodeBuild.
And in my jdbc connection, I just added the following parameter “?useSSL=true”
Best regards,