Enable AWS RDS Transport Encryption

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: RDS-037

Ensure that the databases provisioned with Amazon RDS have the Transport Encryption feature enabled in order to meet security and compliance requirements. Transport Encryption is the RDS feature that forces every connection to your database instances/clusters to use SSL/TLS; connections that do not negotiate TLS are rejected. Once enabled, encryption and decryption of the traffic are handled transparently by the client library and the database engine, so no changes to your application logic are needed as long as the client supports TLS. Note that forcing TLS on the server side only guarantees that the traffic is encrypted: to also defeat man-in-the-middle attacks, clients must verify the server certificate against the Amazon RDS CA bundle (for example sslmode=verify-full for PostgreSQL clients or --ssl-mode=VERIFY_IDENTITY for the MySQL client).

This rule resolution is part of the Conformity solution.

Security

To comply with HIPAA, all connections to Amazon RDS databases that process, store or transmit PHI (Protected Health Information) must be encrypted, which on RDS is enforced with the Transport Encryption feature. In Amazon RDS, Transport Encryption enforces encryption in transit through the rds.force_ssl parameter for SQL Server, PostgreSQL and Aurora PostgreSQL databases, and the require_secure_transport parameter for MySQL, MariaDB and Aurora MySQL databases. For Aurora the parameter is set in the DB cluster parameter group; for the other engines it is set in the DB instance parameter group.


Audit

To determine if the Transport Encryption feature is enabled for your Amazon RDS databases, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon RDS console available at https://console.aws.amazon.com/rds/.

03 In the navigation panel, under Amazon RDS, choose Databases.

04 Click on the name (link) of the Amazon RDS database that you want to examine. The type of the database engine used by each provisioned instance should be listed in the Engine column.

05 Select the Configuration tab and click on the name of the parameter group associated with the database instance, available under DB instance parameter group for database instances and under DB cluster parameter group for database clusters, to access the database parameters.

06 In the Parameters section, search for the correct parameter using Filter Parameters. For SQL Server, PostgreSQL and Aurora PostgreSQL databases, enter rds.force_ssl. For MySQL, Aurora MySQL and MariaDB databases, enter require_secure_transport.

07 Check the rds.force_ssl/require_secure_transport parameter value available in the Value column. For SQL Server, PostgreSQL and Aurora PostgreSQL databases, if the rds.force_ssl parameter value is set to 0, the Transport Encryption feature is not enabled. For MySQL, Aurora MySQL and MariaDB databases, if the require_secure_transport parameter value is set to OFF, the Transport Encryption feature is not enabled. A blank value means the parameter has never been set and the engine default applies; treat it as not enabled unless you have confirmed that the default for that engine version is on.

08 Repeat steps no. 4 – 7 for each Amazon RDS database available within the current AWS region.

09 Change the AWS cloud region from the navigation bar and repeat the Audit process for other AWS regions.

Using AWS CLI

- For Amazon RDS database instances:

01 Run describe-db-instances command (OSX/Linux/UNIX) with custom query filters to list the name of each Amazon RDS database instance available in the selected AWS region:

aws rds describe-db-instances \
  --region us-east-1 \
  --output table \
  --query 'DBInstances[*].DBInstanceIdentifier'

02 The command output should return a table with the requested database instance identifiers:

---------------------------
|   DescribeDBInstances   |
+-------------------------+
|  cc-prod-db-instance    |
|  cc-test-db-instance    |
+-------------------------+

03 Execute describe-db-instances command (OSX/Linux/UNIX) using the name of the RDS database instance that you want to examine as the identifier parameter and custom query filters to describe the name of the parameter group associated with the selected instance:

aws rds describe-db-instances \
  --region us-east-1 \
  --db-instance-identifier cc-prod-db-instance \
  --query 'DBInstances[].DBParameterGroups[].DBParameterGroupName'

04 The command output should return the name of the associated parameter group:

[
	"cc-custom-param-group"
]

05 Run describe-db-parameters command (OSX/Linux/UNIX) with custom filtering to return the rds.force_ssl/require_secure_transport parameter configuration information available for the associated parameter group. The rds.force_ssl parameter value will be returned for SQL Server, PostgreSQL and Aurora PostgreSQL databases, and require_secure_transport parameter for MySQL, Aurora MySQL and MariaDB databases:

aws rds describe-db-parameters \
  --region us-east-1 \
  --db-parameter-group-name cc-custom-param-group \
  --query 'Parameters[?(ParameterName==`rds.force_ssl` || ParameterName==`require_secure_transport`)]'

06 The command output should return the requested configuration information:

[
	{
		"ParameterName": "rds.force_ssl",
		"ParameterValue": "1",
		"Description": "Force SSL connections.",
		"Source": "system",
		"ApplyType": "dynamic",
		"DataType": "boolean",
		"AllowedValues": "0,1",
		"IsModifiable": true,
		"ApplyMethod": "pending-reboot"
	}
]

Check the "ParameterValue" attribute value for the rds.force_ssl/require_secure_transport parameter to determine the Transport Encryption feature status. If the value returned is "0" (rds.force_ssl) or "OFF" (require_secure_transport), or the "ParameterValue" attribute is not listed at all (the parameter was never set, so the engine default applies), the rds.force_ssl/require_secure_transport database parameter is disabled, therefore the connections made to the selected Amazon RDS database instance are not forced to use SSL/TLS.

07 Repeat steps no. 3 – 6 for each Amazon RDS database instance available in the selected AWS region.

08 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other AWS regions.

- For Amazon RDS Aurora database clusters:

01 Run describe-db-clusters command (OSX/Linux/UNIX) with custom query filters to list the name of each Amazon Aurora database cluster available in the selected AWS region:

aws rds describe-db-clusters \
  --region us-east-1 \
  --output table \
  --query 'DBClusters[].DBClusterIdentifier'

02 The command output should return a table with the existing Aurora database clusters:

-------------------------------
|     DescribeDBClusters      |
+-----------------------------+
|   cc-aurora-prod-cluster    |
|   cc-aurora-custom-cluster  |
+-----------------------------+

03 Execute describe-db-clusters command (OSX/Linux/UNIX) using the name of the Aurora database cluster that you want to examine as the identifier parameter and custom query filters to describe the name of the database cluster parameter group associated with the selected cluster:

aws rds describe-db-clusters \
  --region us-east-1 \
  --db-cluster-identifier cc-aurora-prod-cluster \
  --query 'DBClusters[*].DBClusterParameterGroup'

04 The command output should return the name of the associated database cluster parameter group:

[
	"custom-aurora-param-group"
]

05 Run describe-db-cluster-parameters command (OSX/Linux/UNIX) with custom query filters to return the rds.force_ssl/require_secure_transport parameter configuration information available for the associated parameter group. The rds.force_ssl parameter value will be returned for Aurora PostgreSQL database clusters and require_secure_transport parameter for Aurora MySQL clusters:

aws rds describe-db-cluster-parameters \
  --region us-east-1 \
  --db-cluster-parameter-group-name custom-aurora-param-group \
  --query 'Parameters[?(ParameterName==`rds.force_ssl` || ParameterName==`require_secure_transport`)]'

06 The command output should return the requested configuration information:

[
	{
		"ParameterName": "require_secure_transport",
		"ParameterValue": "OFF",
		"Description": "Whether client connections to the server are required to use some form of secure transport.",
		"Source": "user",
		"ApplyType": "dynamic",
		"DataType": "string",
		"AllowedValues": "ON,OFF",
		"IsModifiable": true,
		"ApplyMethod": "immediate",
		"SupportedEngineModes": [
			"provisioned"
		]
	}
]

Check the "ParameterValue" attribute value for rds.force_ssl/require_secure_transport parameter to determine the Transport Encryption feature status. If the parameter value returned by the command output is "0", "OFF", or the "ParameterValue" attribute is not listed at all, the rds.force_ssl/require_secure_transport database parameter is disabled, therefore the connections made to selected Amazon Aurora database cluster don't use SSL.

07 Repeat steps no. 3 – 6 for each Amazon Aurora database cluster available in the selected AWS region.

08 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other AWS regions.
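The audit steps above for instances and for Aurora clusters can be folded into one script. The following is an added example written for this page, not Conformity's or AWS's own tooling; it goes slightly beyond the manual steps by covering every region listed in the (assumed) RDS_AUDIT_REGIONS variable, by skipping Aurora member instances (their cluster parameter group is the one that matters), and by reporting a group that exposes neither parameter as UNKNOWN rather than letting it pass. It assumes AWS CLI v2 with rds:Describe* permissions; the function names classify_param, verdict_from_params, group_verdict and audit_region are choices made here. Because the query asks each parameter group for both parameter names, no engine-to-parameter lookup table is needed: SQL Server/PostgreSQL families only contain rds.force_ssl and MySQL/MariaDB families only contain require_secure_transport.

```shell
#!/usr/bin/env bash
# Added example, not part of the Conformity page: report the Transport
# Encryption status of every RDS instance and Aurora cluster in the regions
# listed in RDS_AUDIT_REGIONS. Assumes AWS CLI v2 with rds:Describe* access.
set -u

PARAM_QUERY='Parameters[?ParameterName==`rds.force_ssl` || ParameterName==`require_secure_transport`].[ParameterName, ParameterValue]'

# Classify one parameter. rds.force_ssl=1 or require_secure_transport=ON is
# ENABLED; 0, OFF and "None" (what --output text prints when the parameter has
# never been set, i.e. the engine default applies) are DISABLED.
classify_param() {
  case "$1:$2" in
    rds.force_ssl:1|require_secure_transport:ON) echo ENABLED ;;
    *) echo DISABLED ;;
  esac
}

# Reduce the "name<TAB>value" lines of one parameter group (stdin) to a verdict.
# A group exposing neither parameter is reported as UNKNOWN, never as a pass.
verdict_from_params() {
  verdict=UNKNOWN
  while IFS="$(printf '\t')" read -r name value; do
    [ -n "$name" ] || continue
    verdict=$(classify_param "$name" "${value:-None}")
  done
  echo "$verdict"
}

# Verdict for one parameter group; $1=region $2=instance|cluster $3=group name.
# stdin is detached so the aws calls cannot swallow the caller's read loop.
group_verdict() {
  if [ "$2" = cluster ]; then
    aws rds describe-db-cluster-parameters --region "$1" \
      --db-cluster-parameter-group-name "$3" --query "$PARAM_QUERY" \
      --output text </dev/null
  else
    aws rds describe-db-parameters --region "$1" \
      --db-parameter-group-name "$3" --query "$PARAM_QUERY" \
      --output text </dev/null
  fi | verdict_from_params
}

# One TSV line per database: region, kind, identifier, engine, verdict.
audit_region() {
  region=$1
  # Stand-alone instances only (DBClusterIdentifier is null): Aurora members
  # are covered by their cluster below.
  aws rds describe-db-instances --region "$region" --output text \
    --query 'DBInstances[?DBClusterIdentifier==`null`].[DBInstanceIdentifier, DBParameterGroups[0].DBParameterGroupName, Engine]' |
  while IFS="$(printf '\t')" read -r id group engine; do
    [ -n "$id" ] || continue
    printf '%s\tinstance\t%s\t%s\t%s\n' "$region" "$id" "$engine" \
      "$(group_verdict "$region" instance "$group")"
  done
  aws rds describe-db-clusters --region "$region" --output text \
    --query 'DBClusters[].[DBClusterIdentifier, DBClusterParameterGroup, Engine]' |
  while IFS="$(printf '\t')" read -r id group engine; do
    [ -n "$id" ] || continue
    printf '%s\tcluster\t%s\t%s\t%s\n' "$region" "$id" "$engine" \
      "$(group_verdict "$region" cluster "$group")"
  done
}

# Usage: RDS_AUDIT_REGIONS="us-east-1 eu-west-1" ./rds_tls_audit.sh
# Nothing runs against AWS unless RDS_AUDIT_REGIONS is set.
if [ -n "${RDS_AUDIT_REGIONS:-}" ]; then
  for region in $RDS_AUDIT_REGIONS; do audit_region "$region"; done
fi
```

Any line whose last column is DISABLED or UNKNOWN is a finding for this rule; the TSV output can be fed straight into the remediation steps below or into a ticketing pipeline.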

Remediation / Resolution

To enable the Transport Encryption feature for your Amazon RDS databases, perform the following actions:

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Description": "Enable Transport Encryption for Microsoft SQL Servers",
	"Parameters": {
		"DBInstanceName": {
			"Default": "mssql-database-instance",
			"Description": "RDS database instance name",
			"Type": "String",
			"MinLength": "1",
			"MaxLength": "63",
			"AllowedPattern": "^[0-9a-zA-Z-/]*$",
			"ConstraintDescription": "Must begin with a letter and must not end with a hyphen or contain two consecutive hyphens."
		},
		"DBInstanceClass": {
			"Default": "db.t2.small",
			"Description": "DB instance class/type",
			"Type": "String",
			"ConstraintDescription": "Must provide a valid DB instance type."
		},
		"DBAllocatedStorage": {
			"Default": "20",
			"Description": "The size of the database (GiB)",
			"Type": "Number",
			"MinValue": "20",
			"MaxValue": "65536",
			"ConstraintDescription": "Must be between 20 and 65536 GiB."
		},
		"DBUsername": {
			"Description": "Master username for database access",
			"Type": "String",
			"MinLength": "1",
			"MaxLength": "16",
			"AllowedPattern": "[a-zA-Z][a-zA-Z0-9]*",
			"ConstraintDescription": "Must begin with a letter and contain only alphanumeric characters."
		},
		"DBPassword": {
			"NoEcho": "true",
			"Description": "Password for database access",
			"Type": "String",
			"MinLength": "8",
			"MaxLength": "41",
			"AllowedPattern": "[a-zA-Z0-9]*",
			"ConstraintDescription": "Must contain only alphanumeric characters."
		}
	},
	"Resources": {
		"RDSParameterGroup": {
			"Type": "AWS::RDS::DBParameterGroup",
			"Properties": {
				"Description": "Custom SQL Server Parameter Group",
				"Family": "sqlserver-se-12.0",
				"Parameters": {
					"rds.force_ssl": "1"
				}
			}
		},
		"RDSInstance": {
			"Type": "AWS::RDS::DBInstance",
			"Properties": {
				"DBInstanceIdentifier": {
					"Ref": "DBInstanceName"
				},
				"MasterUsername": {
					"Ref": "DBUsername"
				},
				"MasterUserPassword": {
					"Ref": "DBPassword"
				},
				"DBInstanceClass": {
					"Ref": "DBInstanceClass"
				},
				"AllocatedStorage": {
					"Ref": "DBAllocatedStorage"
				},
				"DBParameterGroupName": {
					"Ref": "RDSParameterGroup"
				},
				"Engine": "sqlserver-se"
			}
		}
	}
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: Enable Transport Encryption for Microsoft SQL Servers
Parameters:
  DBInstanceName:
    Default: mssql-database-instance
    Description: RDS database instance name
    Type: String
    MinLength: '1'
    MaxLength: '63'
    AllowedPattern: ^[0-9a-zA-Z-/]*$
    ConstraintDescription: Must begin with a letter and must not end with a hyphen
      or contain two consecutive hyphens.
  DBInstanceClass:
    Default: db.t2.small
    Description: DB instance class/type
    Type: String
    ConstraintDescription: Must provide a valid DB instance type.
  DBAllocatedStorage:
    Default: '20'
    Description: The size of the database (GiB)
    Type: Number
    MinValue: '20'
    MaxValue: '65536'
    ConstraintDescription: Must be between 20 and 65536 GiB.
  DBUsername:
    Description: Master username for database access
    Type: String
    MinLength: '1'
    MaxLength: '16'
    AllowedPattern: '[a-zA-Z][a-zA-Z0-9]*'
    ConstraintDescription: Must begin with a letter and contain only alphanumeric
      characters.
  DBPassword:
    NoEcho: 'true'
    Description: Password for database access
    Type: String
    MinLength: '8'
    MaxLength: '41'
    AllowedPattern: '[a-zA-Z0-9]*'
    ConstraintDescription: Must contain only alphanumeric characters.
Resources:
  RDSParameterGroup:
    Type: AWS::RDS::DBParameterGroup
    Properties:
      Description: Custom SQL Server Parameter Group
      Family: sqlserver-se-12.0
      Parameters:
        rds.force_ssl: '1'
  RDSInstance:
    Type: AWS::RDS::DBInstance
    Properties:
      DBInstanceIdentifier: !Ref 'DBInstanceName'
      MasterUsername: !Ref 'DBUsername'
      MasterUserPassword: !Ref 'DBPassword'
      DBInstanceClass: !Ref 'DBInstanceClass'
      AllocatedStorage: !Ref 'DBAllocatedStorage'
      DBParameterGroupName: !Ref 'RDSParameterGroup'
      Engine: sqlserver-se

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
	required_providers {
		aws = {
			source  = "hashicorp/aws"
			version = "~> 3.27"
		}
	}

	required_version = ">= 0.14.9"
}

provider "aws" {
	profile = "default"
	region  = "us-east-1"
}

resource "aws_db_parameter_group" "rds-parameter-group" {
	name   = "sql-parameter-group"
	family = "sqlserver-se-12.0"

	# Enable Transport Encryption for Microsoft SQL Server
	parameter {
		name         = "rds.force_ssl"
		value        = "1"
		apply_method = "pending-reboot"
	}
}

resource "aws_db_instance" "rds-database-instance" {
	allocated_storage    = 50
	license_model        = "license-included"
	engine               = "sqlserver-se"
	engine_version       = "12.00.4422.0.v1"
	instance_class       = "db.t3.small"
	# The credentials below are placeholders for illustration only. In real
	# code pass them in from variables or Secrets Manager; never commit them.
	username             = "ccmysqluser01"
	password             = "ccmysqluserpwd"
	parameter_group_name = aws_db_parameter_group.rds-parameter-group.name
}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon RDS console available at https://console.aws.amazon.com/rds/.

03 In the navigation panel, under Amazon RDS, choose Parameter groups.

04 Click on the name (link) of the parameter group that you want to configure and choose Edit. Default parameter groups (default.*) are read-only; if the database still uses one, create a custom parameter group for the same family, associate it with the database (Modify, then DB parameter group), and edit that group instead.

05 In the Modifiable parameters section, enter rds.force_ssl in the Filter Parameters search box for SQL Server, PostgreSQL and Aurora PostgreSQL databases, and type require_secure_transport in the search box for MySQL, MariaDB and Aurora MySQL databases.

06 For the rds.force_ssl database parameter, enter 1 in the Value configuration box to enable the Transport Encryption feature. For the require_secure_transport parameter, enter ON in the Value box to enable Transport Encryption.

07 Choose Save changes to apply the configuration changes.

08 Once the associated parameter group is successfully updated, select Databases from the left navigation panel.

09 Select the Amazon RDS database that you want to reboot, associated with the reconfigured parameter group, choose Actions, and select Reboot.

10 On the confirmation page, choose Confirm to reboot the selected RDS database.

11 Repeat steps no. 4 – 10 for each Amazon RDS database available within the current AWS region.

12 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other AWS regions.

Using AWS CLI

- For Amazon RDS database instances:

01 Run modify-db-parameter-group command (OSX/Linux/UNIX) to update the database parameter group associated with your Amazon RDS database instance and set the rds.force_ssl parameter value to 1 or the require_secure_transport parameter value to ON. Default parameter groups (default.*) cannot be modified; if the instance still uses one, first create a custom parameter group for the same family with create-db-parameter-group and associate it with the instance using modify-db-instance --db-parameter-group-name. The following example sets the rds.force_ssl parameter value to 1, to be applied at the next database reboot:

aws rds modify-db-parameter-group \
  --region us-east-1 \
  --db-parameter-group-name cc-custom-param-group \
  --parameters ParameterName="rds.force_ssl",ParameterValue="1",ApplyMethod="pending-reboot"

02 The command output should return the name of the modified parameter group:

{
	"DBParameterGroupName": "cc-custom-param-group"
}

03 Because the change was made with ApplyMethod "pending-reboot", you must reboot the associated RDS database instance for it to take effect (the ParameterApplyStatus attribute returned by describe-db-instances stays "pending-reboot" until you do). Run reboot-db-instance command (OSX/Linux/UNIX) to reboot the selected database instance:

aws rds reboot-db-instance \
  --region us-east-1 \
  --db-instance-identifier cc-prod-db-instance

04 The command output should return the configuration information of the rebooted database instance:

{
	"DBInstance": {
		"PubliclyAccessible": true,
		"MasterUsername": "admin",
		"MonitoringInterval": 0,
		"LicenseModel": "license-included",
		"VpcSecurityGroups": [
			{
				"Status": "active",
				"VpcSecurityGroupId": "sg-0abcdbacdabcdabcd"
			}
		],
		"CopyTagsToSnapshot": true,
		"PendingModifiedValues": {},
		"Engine": "sqlserver-ex",
		"MultiAZ": false,
		"DBSecurityGroups": [],
		"DBParameterGroups": [
			{
				"DBParameterGroupName": "cc-custom-param-group",
				"ParameterApplyStatus": "in-sync"
			}
		],
		"PerformanceInsightsEnabled": false,
		"AutoMinorVersionUpgrade": false,
		"PreferredBackupWindow": "06:28-06:58",
		"ReadReplicaDBInstanceIdentifiers": [],
		"AllocatedStorage": 50,
		"DBInstanceArn": "arn:aws:rds:us-east-1:123456789012:db:database-1",
		"BackupRetentionPeriod": 0,
		"PreferredMaintenanceWindow": "tue:07:08-tue:07:38",
		"Endpoint": {
			"HostedZoneId": "ABCDABCDABCD",
			"Port": 1433,
			"Address": "database-1.abcdabcdabcd.us-east-1.rds.amazonaws.com"
		},
		"DBInstanceStatus": "rebooting",
		"IAMDatabaseAuthenticationEnabled": false,
		"EngineVersion": "15.00.4073.23.v1",
		"DeletionProtection": false,
		"CharacterSetName": "SQL_Latin1_General_CP1_CI_AS",
		"AvailabilityZone": "us-east-1d",
		"DomainMemberships": [],
		"StorageType": "gp2",
		"DbiResourceId": "db-ABCDABCDABCDABCDABCD",
		"CACertificateIdentifier": "rds-ca-2019",
		"StorageEncrypted": false,
		"AssociatedRoles": [],
		"DBInstanceClass": "db.t3.small",
		"DbInstancePort": 0,
		"DBInstanceIdentifier": "cc-prod-db-instance"
	}
}

05 Repeat steps no. 1 – 4 for each Amazon RDS database instance available in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other AWS regions.

- For Amazon RDS Aurora database clusters:

01 Run modify-db-cluster-parameter-group command (OSX/Linux/UNIX) to update the database cluster parameter group associated with your Aurora database cluster and set the require_secure_transport parameter value to ON or rds.force_ssl parameter value to 1. The following example sets require_secure_transport parameter value to ON immediately. When the ApplyMethod is set to "immediate", changes to dynamic parameters such as require_secure_transport are applied immediately to the Aurora database clusters associated with the parameter group:

aws rds modify-db-cluster-parameter-group \
  --region us-east-1 \
  --db-cluster-parameter-group-name custom-aurora-param-group \
  --parameters ParameterName="require_secure_transport",ParameterValue="ON",ApplyMethod="immediate"

02 The command output should return the name of the modified database cluster parameter group:

{
	"DBClusterParameterGroupName": "custom-aurora-param-group"
}

03 Repeat steps no. 1 and 2 for each Amazon Aurora database cluster available in the selected AWS region.

04 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other AWS regions.
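The CLI remediation for database instances above assumes the instance already uses a custom parameter group and that a reboot is always wanted. The following is an added example written for this page, not Conformity's or AWS's own tooling, that automates the instance steps while handling the two cases a practitioner hits in practice: an instance still attached to a read-only default.* parameter group (a custom group of the same family is created once and attached), and the parameter's ApplyType (static parameters only accept pending-reboot, so the apply method is chosen from what describe-db-parameters reports, and reboot-db-instance is issued only when the instance actually reports pending-reboot). It assumes AWS CLI v2 with rds:Describe*, CreateDBParameterGroup, ModifyDBInstance, ModifyDBParameterGroup and RebootDBInstance permissions; the "tls-" group name prefix, the RDS_REGION/RDS_INSTANCE variables and the function names are choices made here. Aurora clusters are not covered; they take the same shape with the *-db-cluster-parameter-group commands shown above.

```shell
#!/usr/bin/env bash
# Added example, not part of the Conformity page: enable Transport Encryption
# on one RDS instance, creating and attaching a custom parameter group first
# when the instance is still on a default.* group.
set -eu

PARAM_QUERY='Parameters[?ParameterName==`rds.force_ssl` || ParameterName==`require_secure_transport`].[ParameterName, ApplyType]'

# Value that forces TLS for whichever parameter the group exposes.
enable_value_for() {
  case "$1" in
    rds.force_ssl) echo 1 ;;
    require_secure_transport) echo ON ;;
    *) echo "unsupported parameter: $1" >&2; return 1 ;;
  esac
}

# Dynamic parameters may be applied immediately; static ones need a reboot.
apply_method_for() {
  case "$1" in
    dynamic) echo immediate ;;
    *) echo pending-reboot ;;
  esac
}

is_default_group() { case "$1" in default.*) return 0 ;; *) return 1 ;; esac; }

# Parameter group names allow letters, digits and hyphens only and must start
# with a letter, so the family's dots are replaced:
#   sqlserver-se-15.0 -> tls-sqlserver-se-15-0
custom_group_name() { printf 'tls-%s\n' "$(printf '%s' "$1" | tr '.' '-')"; }

remediate_instance() {  # $1=region $2=DB instance identifier
  region=$1; id=$2
  group=$(aws rds describe-db-instances --region "$region" --db-instance-identifier "$id" \
    --query 'DBInstances[0].DBParameterGroups[0].DBParameterGroupName' --output text)

  if is_default_group "$group"; then
    family=$(aws rds describe-db-parameter-groups --region "$region" \
      --db-parameter-group-name "$group" \
      --query 'DBParameterGroups[0].DBParameterGroupFamily' --output text)
    group=$(custom_group_name "$family")
    # Create the custom group only if an earlier run has not already done so.
    aws rds describe-db-parameter-groups --region "$region" \
      --db-parameter-group-name "$group" >/dev/null 2>&1 ||
    aws rds create-db-parameter-group --region "$region" \
      --db-parameter-group-name "$group" --db-parameter-group-family "$family" \
      --description "Forces TLS on client connections" >/dev/null
    # Attaching a different parameter group is itself a pending-reboot change.
    aws rds modify-db-instance --region "$region" --db-instance-identifier "$id" \
      --db-parameter-group-name "$group" --apply-immediately >/dev/null
  fi

  # Let the group say which parameter it has and whether it is static.
  set -- $(aws rds describe-db-parameters --region "$region" \
    --db-parameter-group-name "$group" --query "$PARAM_QUERY" --output text)
  [ "$#" -eq 2 ] || { echo "$id: family of $group has no TLS parameter" >&2; return 1; }
  name=$1; apply_type=$2
  aws rds modify-db-parameter-group --region "$region" --db-parameter-group-name "$group" \
    --parameters "ParameterName=$name,ParameterValue=$(enable_value_for "$name"),ApplyMethod=$(apply_method_for "$apply_type")" \
    >/dev/null

  status=$(aws rds describe-db-instances --region "$region" --db-instance-identifier "$id" \
    --query 'DBInstances[0].DBParameterGroups[0].ParameterApplyStatus' --output text)
  if [ "$status" = pending-reboot ]; then
    aws rds reboot-db-instance --region "$region" --db-instance-identifier "$id" >/dev/null
    echo "$id: $name set in $group, reboot issued"
  else
    echo "$id: $name set in $group, parameter apply status $status"
  fi
}

# Usage: RDS_REGION=us-east-1 RDS_INSTANCE=cc-prod-db-instance ./rds_force_tls.sh
# Nothing runs against AWS unless RDS_INSTANCE is set.
if [ -n "${RDS_INSTANCE:-}" ]; then
  remediate_instance "${RDS_REGION:-us-east-1}" "$RDS_INSTANCE"
fi
```

Rebooting is a service interruption, so run this inside a maintenance window; after the instance returns to "available", re-run the audit above and confirm from a client that a connection without TLS is now refused.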

Publication date Nov 13, 2017