Amazon Relational Database Service
User Guide (API Version 2014-10-31)

Using SSL with a DB Instance Running the Microsoft SQL Server Database Engine

You can use Secure Sockets Layer (SSL) to encrypt connections between your client applications and your Amazon RDS DB instances running Microsoft SQL Server. SSL support is available in all AWS regions for all supported SQL Server editions. Amazon RDS creates an SSL certificate for your SQL Server DB instance when the instance is created. The certificate uses the DB instance endpoint as its Common Name (CN), so a client that verifies the certificate can confirm it is talking to the intended instance; this guards against spoofing attacks.

Note

All SQL Server instances created after August 5, 2014, use the DB instance endpoint in the Common Name (CN) field of the SSL certificate. Prior to August 5, 2014, SSL certificate verification was not available for VPC-based SQL Server instances. If you have a VPC-based SQL Server DB instance that was created before August 5, 2014, and you want to use SSL certificate verification and ensure that the instance endpoint is included as the CN for the SSL certificate for that DB instance, then rename the instance. When you rename a DB instance, a new certificate is deployed and the instance is rebooted to enable the new certificate.

Requiring Connections to Your DB Instance to Use SSL

You can require that all connections to your DB instance use SSL. If you want to require this, use the rds.force_ssl parameter. By default, the rds.force_ssl parameter is set to false. Set the rds.force_ssl parameter to true to require connections to use SSL. The rds.force_ssl parameter is static, so after you change the value, you must reboot your DB instance for the change to take effect.

To require all connections to your DB instance to use SSL

  1. Determine the parameter group that is attached to your DB instance.

    1. Sign in to the AWS Management Console and open the Amazon RDS console at https://console.aws.amazon.com/rds/.

    2. In the top right corner of the Amazon RDS console, select the region of your DB instance.

    3. In the navigation pane, choose DB Instances, and then select your DB instance.

    4. Choose the Details tab. Find the Parameter Group field in the Configuration Details section.

  2. If necessary, create a new parameter group. If your DB instance uses the default parameter group, you must create a new parameter group. If your DB instance uses a nondefault parameter group, you can choose to edit the existing parameter group or to create a new parameter group. If you edit an existing parameter group, the change affects all DB instances that use that parameter group.

    To create a new parameter group, follow the instructions in Creating a DB Parameter Group.

  3. Edit your new or existing parameter group to set the rds.force_ssl parameter to true. To edit the parameter group, follow the instructions in Modifying Parameters in a DB Parameter Group.

  4. If you created a new parameter group, modify your DB instance to attach the new parameter group. Modify the DB Parameter Group setting of the DB instance. For more information, see Modifying a DB Instance Running the Microsoft SQL Server Database Engine.

  5. Reboot your DB instance. For more information, see Rebooting a DB Instance.
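The five console steps above, scripted with the AWS Tools for PowerShell as an added example (this is not code from the Amazon RDS User Guide). It looks up the parameter group attached to the instance, creates a custom group when the instance is still on a default group, sets rds.force_ssl, attaches the group where needed, and reboots. The instance identifier, region and new group name are assumptions. The guide describes the value as true; the script passes the numeric form 1, which is how the API stores the parameter (confirm the allowed values for your parameter group family with Get-RDSEngineDefaultParameter if in doubt).

```powershell
# Added example (not from the Amazon RDS User Guide): the rds.force_ssl procedure
# above, scripted with the AWS Tools for PowerShell. Needs the AWSPowerShell module
# and credentials with RDS permissions. All names below are assumptions.
Import-Module AWSPowerShell

$InstanceId   = 'my-sqlserver-instance'   # assumed DB instance identifier
$NewGroupName = 'sqlserver-force-ssl'     # assumed name for a new parameter group
$Region       = 'us-east-1'               # assumed region of the instance

function Wait-ForAvailable {
    # Poll until the instance leaves 'modifying'/'rebooting' so the next call is accepted.
    do {
        Start-Sleep -Seconds 15
        $i = Get-RDSDBInstance -DBInstanceIdentifier $InstanceId -Region $Region
    } while ($i.DBInstanceStatus -ne 'available')
    return $i
}

# Step 1: determine the parameter group attached to the instance.
$instance = Get-RDSDBInstance -DBInstanceIdentifier $InstanceId -Region $Region
$currentGroup = $instance.DBParameterGroups[0].DBParameterGroupName
Write-Host "Current parameter group: $currentGroup"

# Step 2: a default group (name 'default.<family>') cannot be edited, so create a
# custom group in the same family when that is the case. Editing an existing custom
# group instead would affect every instance that uses it.
if ($currentGroup -like 'default.*') {
    $family = $currentGroup.Substring('default.'.Length)   # e.g. sqlserver-se-12.0
    New-RDSDBParameterGroup -DBParameterGroupName $NewGroupName `
        -DBParameterGroupFamily $family `
        -Description 'Requires SSL for all connections' -Region $Region | Out-Null
    $targetGroup = $NewGroupName
} else {
    $targetGroup = $currentGroup
}

# Step 3: set rds.force_ssl. It is a static parameter, so pending-reboot is the
# only valid apply method; the change is not live until step 5.
$param = New-Object Amazon.RDS.Model.Parameter
$param.ParameterName  = 'rds.force_ssl'
$param.ParameterValue = '1'               # 1 = on (the guide's "true"), 0 = off
$param.ApplyMethod    = 'pending-reboot'
Edit-RDSDBParameterGroup -DBParameterGroupName $targetGroup -Parameter $param -Region $Region | Out-Null

# Step 4: attach the new group if one was created.
if ($targetGroup -ne $currentGroup) {
    Edit-RDSDBInstance -DBInstanceIdentifier $InstanceId -DBParameterGroupName $targetGroup `
        -ApplyImmediately $true -Region $Region | Out-Null
    Wait-ForAvailable | Out-Null
}

# Step 5: reboot so the static parameter takes effect, then confirm the group
# reports 'in-sync' rather than 'pending-reboot'.
Restart-RDSDBInstance -DBInstanceIdentifier $InstanceId -Region $Region | Out-Null
$instance = Wait-ForAvailable
$instance.DBParameterGroups | Format-Table DBParameterGroupName, ParameterApplyStatus
```

Until the final table shows in-sync, unencrypted connections are still accepted; the parameter group change alone enforces nothing.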

Obtaining Certificates for Client Computers

To encrypt connections from a client computer to an Amazon RDS DB instance running Microsoft SQL Server, you need a certificate on your client computer.

To obtain that certificate, download the certificate to your client computer. You can download a root certificate that works for all regions from https://s3.amazonaws.com/rds-downloads/rds-ca-2015-root.pem. You can download a certificate bundle that contains both the old and new root certificates from https://s3.amazonaws.com/rds-downloads/rds-combined-ca-bundle.pem. For region-specific intermediate certificates, and more information, see Using SSL to Encrypt a Connection to a DB Instance.

After you have downloaded the appropriate certificate, import it into your Microsoft Windows operating system by following the procedure in the next section.

Importing Certificates on Client Computers

You can use the following procedure to import your certificate into the Microsoft Windows operating system on your client computer.

To import the certificate into your Windows operating system:

  1. On the Start menu, type Run in the search box and press Enter.

  2. In the Open box, type MMC and then choose OK.

  3. In the MMC console, on the File menu, choose Add/Remove Snap-in.

  4. In the Add or Remove Snap-ins dialog box, for Available snap-ins, select Certificates, and then choose Add.

  5. In the Certificates snap-in dialog box, choose Computer account, and then choose Next.

  6. In the Select computer dialog box, choose Finish.

  7. In the Add or Remove Snap-ins dialog box, choose OK.

  8. In the MMC console, expand Certificates, open the context (right-click) menu for Trusted Root Certification Authorities, choose All Tasks, and then choose Import.

  9. On the first page of the Certificate Import Wizard, choose Next.

  10. On the second page of the Certificate Import Wizard, choose Browse. In the browse window, change the file type to All files (*.*) because .pem is not a standard certificate extension. Locate the .pem file that you downloaded previously.

  11. Choose Open to select the certificate file, and then choose Next.

  12. On the third page of the Certificate Import Wizard, choose Next.

  13. On the fourth page of the Certificate Import Wizard, choose Finish. A dialog box appears indicating that the import was successful.

  14. In the MMC console, expand Certificates, expand Trusted Root Certification Authorities, and then choose Certificates. Locate the certificate to confirm it exists, as shown following.

  15. Restart your computer.
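The same import, done from an elevated PowerShell prompt instead of the MMC wizard, as an added example (not code from the Amazon RDS User Guide). The combined bundle from the previous section holds more than one root, so the script splits the file on its PEM markers, imports each certificate into the local machine's Trusted Root Certification Authorities store, and then performs the check from the last MMC step. The download path is an assumption.

```powershell
# Added example (not from the Amazon RDS User Guide): import the downloaded RDS root
# certificate(s) into Cert:\LocalMachine\Root and confirm they are present.
# Run from an elevated prompt; writing to the machine root store needs admin rights.
$PemPath = 'C:\certs\rds-combined-ca-bundle.pem'   # assumed download location

function Get-PemCertificates([string]$Path) {
    # Split a PEM file into X509Certificate2 objects, one per BEGIN/END block.
    $text = Get-Content -Path $Path -Raw
    $pattern = '-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----'
    foreach ($m in [regex]::Matches($text, $pattern, 'Singleline')) {
        $der = [Convert]::FromBase64String(($m.Groups[1].Value -replace '\s', ''))
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$der)
    }
}

$certs = @(Get-PemCertificates -Path $PemPath)
if ($certs.Count -eq 0) { throw "No certificates found in $PemPath" }

# Show what is about to become trusted for the whole machine. Compare these
# thumbprints with the values AWS publishes before continuing.
$certs | Format-Table Subject, NotAfter, Thumbprint -AutoSize

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
$store.Open('ReadWrite')
foreach ($cert in $certs) {
    if (-not $cert.Subject.Equals($cert.Issuer)) {
        # A root store should hold only self-signed roots; intermediates belong in
        # the CA store, so refuse to add anything else here.
        throw "Not a self-signed root, refusing to add to Root: $($cert.Subject)"
    }
    $store.Add($cert)   # adding a certificate that is already present is a no-op
}
$store.Close()

# Equivalent of the final MMC step: confirm each certificate is now in the store.
foreach ($cert in $certs) {
    $present = Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
    if ($present) { "Imported: $($cert.Subject)" }
    else          { throw "Import failed: $($cert.Subject)" }
}
```

Because the store is opened under LocalMachine, every user and service on the computer trusts the imported roots, which is what the SQL Server client needs but also why the thumbprint check before the Add call matters.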

Encrypting Connections to an Amazon RDS DB Instance Running Microsoft SQL Server

After you have imported a certificate into your client computer, you can encrypt connections from the client computer to an Amazon RDS DB instance running Microsoft SQL Server.

For SQL Server Management Studio, use the following procedure. For more information about SQL Server Management Studio, see Use SQL Server Management Studio.

To encrypt connections from SQL Server Management Studio

  1. Launch SQL Server Management Studio.

  2. For Connect to server, type the server information, login user name, and password.

  3. Choose Options.

  4. Select Encrypt connection.

  5. Choose Connect.

  6. Confirm that your connection is encrypted by running the following query. Verify that the query returns true for encrypt_option.

    select ENCRYPT_OPTION from SYS.DM_EXEC_CONNECTIONS where SESSION_ID = @@SPID

For any other SQL client, use the following procedure.

To encrypt connections from other SQL clients

  1. Append encrypt=true to your connection string. This string might be available as an option, or as a property on the connection page in GUI tools.

    Note

    To enable SSL encryption for clients that connect using JDBC, you might need to add the Amazon RDS SQL certificate to the Java CA certificate (cacerts) store. You can do this by using the keytool utility.

  2. Confirm that your connection is encrypted by running the following query. Verify that the query returns true for encrypt_option.

    select ENCRYPT_OPTION from SYS.DM_EXEC_CONNECTIONS where SESSION_ID = @@SPID
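For a client other than SQL Server Management Studio, the following added example (not code from the Amazon RDS User Guide) opens a connection from PowerShell through System.Data.SqlClient with encrypt=true in the connection string and runs the verification query above. The endpoint and login are assumptions. It also shows the setting the guide does not mention but which decides whether the imported root certificate is actually used: TrustServerCertificate.

```powershell
# Added example (not from the Amazon RDS User Guide): connect with an encrypted
# connection from a .NET-based client and verify it with the guide's query.
$Endpoint = 'mydb.abcdefghijkl.us-east-1.rds.amazonaws.com'   # assumed instance endpoint
$cred     = Get-Credential -Message 'SQL Server login'           # assumed SQL login
$password = $cred.GetNetworkCredential().Password

# Encrypt=True is the "encrypt=true" from step 1.
# TrustServerCertificate=False makes the client validate the server certificate
# against the root imported under "Importing Certificates on Client Computers"
# and check that the CN matches the Server value. With TrustServerCertificate=True
# the session is encrypted but the server is not authenticated, which removes the
# anti-spoofing protection the CN is there to provide. Use the instance endpoint,
# not an IP address or your own CNAME alias, or the CN check fails.
$connStr = "Server=$Endpoint,1433;Database=master;User ID=$($cred.UserName);" +
           "Password=$password;Encrypt=True;TrustServerCertificate=False"

function Test-EncryptedConnection([string]$ConnectionString) {
    # Returns the server's view of the session: 'TRUE' when it is encrypted.
    $conn = New-Object System.Data.SqlClient.SqlConnection $ConnectionString
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = 'select ENCRYPT_OPTION from SYS.DM_EXEC_CONNECTIONS where SESSION_ID = @@SPID'
        return [string]$cmd.ExecuteScalar()
    } finally {
        $conn.Dispose()
    }
}

try {
    $result = Test-EncryptedConnection $connStr
    if ($result -ne 'TRUE') { throw "Connection is not encrypted (encrypt_option = $result)" }
    "encrypt_option = $result"
} catch [System.Data.SqlClient.SqlException] {
    # A failed certificate check surfaces here as a pre-login handshake error:
    # either the RDS root is not in the Trusted Root store or the Server value
    # does not match the certificate CN. Fix the cause rather than setting
    # TrustServerCertificate=True.
    Write-Error $_.Exception.Message
}
```

For JDBC clients, the equivalent of the root-store import in the note above is keytool -importcert -trustcacerts -alias rds-root -file rds-ca-2015-root.pem -keystore <path to cacerts> (the default cacerts password is changeit), and the connection URL properties that correspond to the pair used here are encrypt=true;trustServerCertificate=false.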