Enable AWS RDS Transport Encryption

Risk level: High (not acceptable risk)

Rule ID: RDS-037

Ensure that Microsoft SQL Server and PostgreSQL instances provisioned with Amazon RDS have Transport Encryption feature enabled in order to meet security and compliance requirements. Transport Encryption is the AWS RDS feature that forces all connections to your SQL Server and PostgreSQL database instances to use SSL. Once enabled, the data transport encryption and decryption is handled transparently and does not require any additional action from you or your application.

This rule resolution is part of the Cloud Conformity solution

Security

According to HIPAA Compliance, all connections made to Amazon RDS SQL Server and PostgreSQL instances that process, store and transmit PHI (Protected Health Information) must use encryption provided by the RDS Transport Encryption feature which basically enables the force SSL parameter.

Note: The instructions outlined in this conformity rule can be applied only for Microsoft SQL Server and PostgreSQL database instances.

Audit

To determine if your SQL Server or PostgreSQL instances have the RDS Transport Encryption feature enabled, perform the following steps:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to RDS dashboard at https://console.aws.amazon.com/rds/.

03 In the left navigation panel, under Amazon RDS, click Instances.

04 Select the RDS SQL Server or PostgreSQL instance that you want to examine. The type of the database engine used by each provisioned instance should be available in the Engine column.

05 Select the instance and navigate to the Configuration tab.

06 On the Instance section, within category, locate the Parameter group attribute and copy its value (i.e. parameter group name).

07 Go back to the left navigation panel and select Parameter groups.

08 On the Parameter groups listing page, paste the value copied at step no. 6 in the Filter parameter groups search box and press Enter.

09 Click on the name (link) of the parameter group returned at the previous step to access its parameters.

10 On the Parameter listing page, enter rds.force_ssl parameter name in the Filter parameters search box and press Enter.

11 Check the rds.force_ssl parameter value returned as result at the previous step. If the parameter value is set to 0, the client connections made to SQL Server instance do not use SSL, therefore the Transport Encryption feature is not enabled for the selected AWS RDS database instance.

12 Repeat steps no. 4 - 11 to verify the Transport Encryption feature status for other SQL Server and PostgreSQL instances provisioned in the current region.

13 Change the AWS region from the navigation bar and repeat the process for other regions.

Using AWS CLI

01 Run describe-db-instances command (OSX/Linux/UNIX) using custom query filters to list the names (identifiers) of all SQL Server and PostgreSQL database instances available in the selected AWS region:

aws rds describe-db-instances
	--region us-east-1
	--output table
	--query 'DBInstances[*].DBInstanceIdentifier'
  --filters Name=engine,Values=sqlserver-ex,postgres

02 The command output should return a table with the requested identifiers:

------------------------------
|  DescribeDBInstances       |
+----------------------------+
|  cc-slq-db-instance        |
|  cc-ms-db-instance         |
|  cc-postgres-db-instance   |
+----------------------------+

03 Execute again describe-db-instances command (OSX/Linux/UNIX) using the SQL Server or PostgreSQL instance name returned at the previous step as identifier and custom query filters to get the name of the parameter group used by the selected database instance:

aws rds describe-db-instances
	--region us-east-1
	--db-instance-identifier cc-slq-db-instance
	--query 'DBInstances[*].DBParameterGroups[*].DBParameterGroupName[]'

04 The command output should return the name of the parameter group:

[
    "custom.sqlserver-ex-13.0"
]

05 Run describe-db-parameters command (OSX/Linux/UNIX) using custom query filters to return the rds.force_ssl parameter value available within the parameter group used by the SQL Server or PostgreSQL instance:

aws rds describe-db-parameters
	--region us-east-1
	--db-parameter-group-name custom.sqlserver-ex-13.0
	--query 'Parameters[?ParameterName==`rds.force_ssl`].ParameterValue'

06 The command output should return the requested parameter value:

[
    "0"
]

If the value returned by the command output is "0", the rds.force_ssl parameter is currently disabled, therefore the client connections made to selected SQL Server or PostgreSQL database instance do not use SSL.

07 Repeat steps no. 3 – 6 to verify the rds.force_ssl parameter value via AWS CLI for other SQL Server and PostgreSQL instances provisioned in the current region.

08 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 7 to perform the audit process for other regions.

Remediation / Resolution

To enable the Transport Encryption feature for your Microsoft SQL Server and PostgreSQL database instances, you need to update the necessary RDS parameter group and change the rds.force_ssl parameter value to 1. To update the RDS parameter group and reboot the required SQL Server and PostgreSQL instances, perform the following steps:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to RDS dashboard at https://console.aws.amazon.com/rds/.

03 In the left navigation panel, under Amazon RDS, click Parameter groups.

04 Select the RDS parameter group that you want to update (see Audit section part I to identify the right resource).

05 On the Parameter listing page, enter rds.force_ssl parameter name in the Filter parameters search box and press Enter.

06 Select the returned parameter then click the Edit parameters button from the dashboard top-right menu.

07 Select 1 from the Value dropdown list available next to the parameter name, then click Save changes to apply the changes.

08 Once the required parameter group is successfully updated and the rds.force_ssl parameter value is set to 1, go back to the left navigation panel and select Instances.

09 Select the SQL Server or PostgreSQL database instance that you want to reboot., then click Instance Actions button from the dashboard top menu and select Reboot.

10 Inside Reboot DB instance confirmation box, click Reboot to confirm the action. The RDS instance status should change to Rebooting, then back to Available.

11 Repeat steps no. 4 – 10 for each SQL Server and PostgreSQL database instance that doesn't have Transport Encryption feature enabled, available in the current region.

12 Change the AWS region from the navigation bar and repeat the process for other regions.

Using AWS CLI

01 Run modify-db-parameter-group command (OSX/Linux/UNIX) to update the required AWS RDS parameter group (see Audit section part II to identify the right RDS resource) and set the rds.force_ssl parameter value to 1. To update this parameter, submit a list of the following command parameters: ParameterName, ParameterValue and ApplyMethod, as shown in the example below:

aws rds modify-db-parameter-group
	--region us-east-1
	--db-parameter-group-name custom.sqlserver-ex-13.0
	--parameters ParameterName="rds.force_ssl",ParameterValue="1",ApplyMethod="pending-reboot"

02 The command output should return the name of the modified RDS parameter group:

{
    "DBParameterGroupName": "custom.sqlserver-ex-13.0"
}

03 In order the parameter group change to take effect, you need to reboot the associated database instance. Execute reboot-db-instance command (OSX/Linux/UNIX) to reboot the necessary SQL Server or PostgreSQL database instance:

aws rds reboot-db-instance
	--region us-east-1
	--db-instance-identifier cc-slq-db-instance

04 The command output should return the rebooted RDS database instance metadata:

{
    "DBInstance": {
        "PubliclyAccessible": true,
        "LicenseModel": "license-included",
        "Engine": "sqlserver-ex",
        "MultiAZ": false,
        "AutoMinorVersionUpgrade": false,
        "PreferredBackupWindow": "08:01-08:31",
        "ReadReplicaDBInstanceIdentifiers": [],
        "AllocatedStorage": 85,
        "DBInstanceStatus": "rebooting",

        ...

        "IAMDatabaseAuthenticationEnabled": false,
        "EngineVersion": "13.00.4422.0.v1",
        "AvailabilityZone": "us-east-1a",
        "DomainMemberships": [],
        "StorageType": "gp2",
        "CACertificateIdentifier": "rds-ca-2015",
        "StorageEncrypted": false,
        "DBInstanceClass": "db.t2.medium",
        "DBInstanceIdentifier": "cc-slq-db-instance"
    }
}

05 Repeat steps no. 1 – 4 for each SQL Server and PostgreSQL database instance that doesn't have Transport Encryption feature enabled, available in the current region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 5 to perform the entire process for other regions.

References

AWS Command Line Interface (CLI) Documentation
rds
describe-db-instances
describe-db-parameters
modify-db-parameter-group
reboot-db-instance

Publication date Nov 13, 2017

Unlock the Remediation Steps

Gain free unlimited access
to our full Knowledge Base

Over 750 rules & best practices
for and

You are auditing:

Enable AWS RDS Transport Encryption

Risk level: High

Audit

Using AWS Console

Using AWS CLI

Remediation / Resolution

Using AWS Console

Using AWS CLI

References

Related RDS rules