Ensure that Microsoft SQL Server and PostgreSQL instances provisioned with Amazon RDS have the Transport Encryption feature enabled in order to meet security and compliance requirements. Transport Encryption is the AWS RDS feature that forces all connections to your SQL Server and PostgreSQL database instances to use SSL. Once enabled, encryption and decryption of data in transit are handled transparently and require no additional action from you or your application.
This rule resolution is part of the Cloud Conformity solution
To meet HIPAA compliance requirements, all connections made to Amazon RDS SQL Server and PostgreSQL instances that process, store or transmit PHI (Protected Health Information) must use the encryption provided by the RDS Transport Encryption feature, which is implemented by the force-SSL parameter (rds.force_ssl).
Note: The instructions outlined in this conformity rule can be applied only for Microsoft SQL Server and PostgreSQL database instances.
Audit
To determine if your SQL Server or PostgreSQL instances have the RDS Transport Encryption feature enabled, perform the following steps:
Remediation / Resolution
To enable the Transport Encryption feature for your Microsoft SQL Server and PostgreSQL database instances, update the RDS parameter group associated with each instance and change the rds.force_ssl parameter value to 1. To update the RDS parameter group and reboot the affected SQL Server and PostgreSQL instances, perform the following steps:
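The audit and remediation procedure above, written out as an added example that is not part of this rule or of Cloud Conformity's tooling: it evaluates constructed samples of the describe-db-instances and describe-db-parameters output (instance and parameter group names are made up) and builds the modify-db-parameter-group and reboot-db-instance commands, rebooting only when the parameter's ApplyType is static.

```python
# Engines the page scopes the rule to: Microsoft SQL Server and PostgreSQL.
COVERED_ENGINE_PREFIXES = ("sqlserver", "postgres")
# Constructed sample of `aws rds describe-db-parameters` output, keyed by group name.
SAMPLE_PARAMETERS = {
    "custom-sqlserver-se-15": {"Parameters": [
        {"ParameterName": "rds.force_ssl", "ParameterValue": "0", "ApplyType": "static"}]},
    "default.postgres14": {"Parameters": [
        {"ParameterName": "rds.force_ssl", "ParameterValue": "0", "ApplyType": "dynamic"}]},
}
# Constructed sample of `aws rds describe-db-instances` output (only the fields used here).
SAMPLE_INSTANCES = {"DBInstances": [
    {"DBInstanceIdentifier": "mssql-prod", "Engine": "sqlserver-se",
     "DBParameterGroups": [{"DBParameterGroupName": "custom-sqlserver-se-15"}]},
    {"DBInstanceIdentifier": "pg-analytics", "Engine": "postgres",
     "DBParameterGroups": [{"DBParameterGroupName": "default.postgres14"}]},
    {"DBInstanceIdentifier": "mysql-legacy", "Engine": "mysql",
     "DBParameterGroups": [{"DBParameterGroupName": "default.mysql8.0"}]},
]}

def force_ssl_state(parameters):
    """(enabled, apply_type) for rds.force_ssl; a missing parameter or value counts as not enforced."""
    for p in parameters.get("Parameters", []):
        if p.get("ParameterName") == "rds.force_ssl":
            return p.get("ParameterValue") == "1", p.get("ApplyType", "static")
    return False, "static"

def audit_instance(instance, parameters_by_group):
    """Evaluate one instance; returns None when the rule does not apply to its engine."""
    if not instance["Engine"].startswith(COVERED_ENGINE_PREFIXES):
        return None
    group = instance["DBParameterGroups"][0]["DBParameterGroupName"]
    enabled, apply_type = force_ssl_state(parameters_by_group.get(group, {}))
    return {"instance": instance["DBInstanceIdentifier"], "group": group,
            "compliant": enabled, "apply_type": apply_type,
            # default.* groups cannot be modified; a custom group must be attached first.
            "needs_custom_group": group.startswith("default.")}

def remediation_commands(finding):
    """CLI steps from the page: set rds.force_ssl to 1, reboot only if the parameter is static."""
    if finding["compliant"]:
        return []
    if finding["needs_custom_group"]:
        return ["# default.* groups are read-only: create a custom group, attach it with "
                "modify-db-instance, then re-run the audit"]
    method = "pending-reboot" if finding["apply_type"] == "static" else "immediate"
    cmds = [f"aws rds modify-db-parameter-group --db-parameter-group-name {finding['group']} "
            f"--parameters ParameterName=rds.force_ssl,ParameterValue=1,ApplyMethod={method}"]
    if finding["apply_type"] == "static":
        cmds.append(f"aws rds reboot-db-instance --db-instance-identifier {finding['instance']}")
    return cmds
```

In a real run, replace the two constructed samples with the JSON returned by the CLI calls and apply the generated commands only after confirming a maintenance window, since a reboot interrupts connections.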
References
- AWS Documentation
  - Amazon RDS FAQs
  - Using SSL with a Microsoft SQL Server DB Instance
  - Using SSL with a PostgreSQL DB Instance
  - Working with DB Parameter Groups
  - Rebooting a DB Instance
- AWS Command Line Interface (CLI) Documentation
  - rds
    - describe-db-instances
    - describe-db-parameters
    - modify-db-parameter-group
    - reboot-db-instance
You are auditing:
Enable AWS RDS Transport Encryption
Risk level: High