Trusting AWS RDS Certificates in Docker and Beanstalk

To connect to AWS RDS databases using TLS/SSL, the client must trust the certificate presented by the RDS instance. RDS server certificates are issued by Amazon's own RDS certificate authority, which is not among the CAs shipped in operating-system trust stores, so a client that validates certificates will reject the connection until that CA is installed.

Without TLS/SSL (or with TLS enabled but the certificate not verified), the connection to the database isn't secure: an attacker on the network path between the client (running in EC2) and the database (running in RDS) could eavesdrop on or modify data, or impersonate the database.

To trust the AWS RDS certificate authority in a Docker image derived from Red Hat / CentOS / Fedora / Amazon Linux (or another system that uses the ca-trust tooling), add the following to the Dockerfile. The bundle URLs are the ones that were current when this was written; AWS has since moved the bundles to https://truststore.pki.rds.amazonaws.com/ (for example .../global/global-bundle.pem), so check the current RDS documentation for the bundle that covers your region.

# Download both RDS CA bundles (commercial and GovCloud) into the ca-trust anchors directory
# and rebuild the consolidated trust store. curl -f turns an HTTP error into a build failure
# instead of saving an error page as a .pem file; the && chain aborts the build on any failure.
# "force-enable" is only needed on older systems where the ca-trust mechanism is disabled by
# default and is harmless elsewhere.
RUN curl -fsSL "https://s3-us-gov-west-1.amazonaws.com/rds-downloads/rds-combined-ca-us-gov-bundle.pem" --output /etc/pki/ca-trust/source/anchors/rds-combined-ca-us-gov-bundle.pem \
 && curl -fsSL "https://s3.amazonaws.com/rds-downloads/rds-combined-ca-bundle.pem" --output /etc/pki/ca-trust/source/anchors/rds-combined-ca-bundle.pem \
 && update-ca-trust \
 && update-ca-trust force-enable

On AWS Elastic Beanstalk the .ebextensions mechanism can be used instead, so that the certificates are installed on every instance before the application starts. In the jar/war/zip deployment archive, add this file:

.ebextensions/install_rds_certificates.config

packages:
  yum:
    bash: []
    curl: []
files:
  "/tmp/install_rds_certificates.sh":
    mode: "000755"
    owner: root
    group: root
    content: |
      #!/usr/bin/env bash
      set -Eeuo pipefail # stop on all errors, including a failing pipeline stage
      # Ask the instance metadata service which region this instance is in. IMDSv2 requires
      # a session token; the token is also accepted where IMDSv1 is still allowed.
      TOKEN=$(curl -sf -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 60")
      REGION=$(curl -sf -H "X-aws-ec2-metadata-token: ${TOKEN}" "http://169.254.169.254/latest/meta-data/placement/region")
      # GovCloud RDS uses its own CA bundle; choose by region prefix. curl -f turns an HTTP error
      # into a script failure instead of writing an error page into the anchors directory.
      if [[ ${REGION} == us-gov-* ]]
      then
        curl -fsSL "https://s3-us-gov-west-1.amazonaws.com/rds-downloads/rds-combined-ca-us-gov-bundle.pem" --output /etc/pki/ca-trust/source/anchors/rds-combined-ca-us-gov-bundle.pem
      else
        curl -fsSL "https://s3.amazonaws.com/rds-downloads/rds-combined-ca-bundle.pem" --output /etc/pki/ca-trust/source/anchors/rds-combined-ca-bundle.pem
      fi
      # Rebuild the consolidated trust store. force-enable is only needed on older systems where
      # the ca-trust mechanism is disabled by default; it is harmless elsewhere.
      update-ca-trust
      update-ca-trust force-enable
commands:
  01install_rds_certificates:
    command: "/tmp/install_rds_certificates.sh"

Next, configure the client to require a verified TLS connection, not merely an encrypted one. With the PostgreSQL JDBC driver, add "?ssl=true" to the connection URL: with no explicit sslmode, ssl=true means sslmode=verify-full, which checks both the certificate chain and that the hostname matches the RDS endpoint. Don't downgrade it to sslmode=require or prefer, which encrypt but skip certificate validation. Two things to check. First, the driver must actually consult the trust store you just populated: older pgjdbc releases validate against the JVM trust store through org.postgresql.ssl.DefaultJavaSSLFactory, whereas the org.postgresql.ssl.LibPQFactory that newer releases default to reads the CA from the sslrootcert parameter (default ~/.postgresql/root.crt) instead; in that case pass sslfactory=org.postgresql.ssl.DefaultJavaSSLFactory, or point sslrootcert at the downloaded bundle. Second, on Red Hat family systems the packaged OpenJDK links its cacerts file to /etc/pki/ca-trust/extracted/java/cacerts, so update-ca-trust covers the JVM as well; confirm with "keytool -list -cacerts | grep -i amazon", and set -Djavax.net.ssl.trustStore if your JVM ships its own store. For MySQL Connector/J the equivalent setting is sslMode=VERIFY_IDENTITY (or, on 5.1.x, useSSL=true together with verifyServerCertificate=true); useSSL=true on its own enables encryption without validating the server certificate.

That's it: you can now connect to your RDS database over TLS, and because the client verifies the certificate chain and the hostname, an attacker on the network cannot eavesdrop on or tamper with the connection, or impersonate the database. That guarantee holds only while verification stays on; an encrypted-but-unverified connection still permits a MITM (Man In The Middle) attack.
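As an added check (example code written for this edit, not from the original post or from AWS), the following Python script does what the JDBC driver should be doing but reports exactly what it verified: it performs PostgreSQL's SSLRequest handshake against the endpoint, validates the chain against the PEM bundle that update-ca-trust writes, checks that the certificate matches the hostname, and rejects a bundle file that contains no certificates (what curl leaves behind when a download fails and -f was not given). The endpoint name in the usage comment is a placeholder, and the bundle path /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem assumes the ca-trust layout used above; replace both for your environment.

```python
import socket
import ssl
import struct

# PostgreSQL opens TLS with an 8-byte SSLRequest (int32 length, int32 magic 80877103),
# to which the server answers a single byte: 'S' (proceed with TLS) or 'N' (TLS refused).
PG_SSL_REQUEST_CODE = 80877103


def build_ssl_request() -> bytes:
    """Encode the SSLRequest startup message (big-endian; the length counts itself)."""
    return struct.pack("!ii", 8, PG_SSL_REQUEST_CODE)


def server_accepts_tls(reply: bytes) -> bool:
    """Interpret the one-byte reply to SSLRequest."""
    if reply == b"S":
        return True
    if reply == b"N":
        return False
    raise ValueError(f"unexpected reply to SSLRequest: {reply!r}")


def verifying_context(cafile: str) -> ssl.SSLContext:
    """Context that requires a chain anchored in `cafile` AND a matching hostname.

    PROTOCOL_TLS_CLIENT sets verify_mode=CERT_REQUIRED and check_hostname=True.
    load_verify_locations raises ssl.SSLError when the file holds no certificate.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=cafile)
    return ctx


def bundle_is_usable(cafile: str) -> bool:
    """True only if `cafile` exists and contains at least one CA certificate."""
    try:
        return len(verifying_context(cafile).get_ca_certs()) > 0
    except (ssl.SSLError, OSError):
        return False


def probe_rds_postgres(host: str, cafile: str, port: int = 5432, timeout: float = 10.0) -> dict:
    """Connect, negotiate TLS the PostgreSQL way, verify chain + hostname, report the cert.

    Raises ssl.SSLCertVerificationError if the chain does not end in `cafile` or the
    certificate does not match `host`: exactly the impersonation cases TLS is there to stop.
    """
    ctx = verifying_context(cafile)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        raw.sendall(build_ssl_request())
        if not server_accepts_tls(raw.recv(1)):
            raise RuntimeError(f"{host}:{port} refused TLS; check the rds.force_ssl parameter")
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {
                "tls_version": tls.version(),
                "subject": dict(rdn[0] for rdn in cert["subject"]),
                "issuer": dict(rdn[0] for rdn in cert["issuer"]),
                "not_after": cert["notAfter"],
            }


if __name__ == "__main__":
    import sys

    # Usage: python rds_tls_probe.py mydb.abc123.us-east-1.rds.amazonaws.com [bundle.pem]
    # The endpoint is a placeholder; the bundle defaults to the consolidated PEM store that
    # update-ca-trust writes (assumed ca-trust layout).
    endpoint = sys.argv[1]
    bundle = sys.argv[2] if len(sys.argv) > 2 else "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"
    print(probe_rds_postgres(endpoint, bundle))
```

Run it from the EC2 instance or container against the RDS endpoint. An ssl.SSLCertVerificationError means the trust store or the hostname is wrong, which is the failure you want to see here rather than in the application; a "refused TLS" error means the server still permits plaintext, which the rds.force_ssl=1 parameter-group setting prevents.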

CC BY-SA 4.0 Trusting AWS RDS Certificates in Docker and Beanstalk by Craig Andrews is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

One thought on “Trusting AWS RDS Certificates in Docker and Beanstalk”

  1. Thank you Craig for your instructions, those helped me.
    In my case I first tested the commands by opening a session of my EC2 (beanstalk) and updated the certificates:

    In the EC2 session I execute
    1.- curl "https://s3.amazonaws.com/rds-downloads/rds-combined-ca-bundle.pem" --output /etc/pki/ca-trust/source/anchors/rds-combined-ca-bundle.pem
    2.- sudo update-ca-trust
    3.- sudo update-ca-trust force-enable

    After seeing this actually working, then I modified my deployment script in CodeBuild.
    And in my jdbc connection, I just added the following parameter “?useSSL=true”

    Best regards,
