AWS GovCloud (US)
User Guide

Amazon Relational Database Service (Amazon RDS)

Special Notice About Rotating SSL Certificates

If you are an Amazon RDS customer with RDS database instances in the GovCloud (US) Region, you received an email from AWS on May 18, 2017 notifying you about rotating your SSL certificates. A new SSL certification authority (CA) and new certificates for RDS database instances in the GovCloud (US) Region were made available on May 20, 2017. Action is required by all RDS customers who use SSL-secured database connections to maintain connectivity to their database instances after the update. This page details the announcement, explains how to tell whether you are affected, and describes what you should do to maintain connectivity to your database instances.

What is the announcement about?

A new certification authority (CA) for RDS database instances in the GovCloud (US) Region has been available since May 20, 2017. Clients connecting to RDS databases must be updated to support the new CA, and RDS database instances must be updated to receive a new certificate from this CA. The current CA expires on August 15, 2017 at 20:00 UTC.

How do I know if my RDS instances are affected?

You are affected if you have database applications that are using SSL to connect to RDS for MariaDB, RDS for MySQL, RDS for PostgreSQL, RDS for Oracle, or RDS for SQL Server database instances in the GovCloud (US) Region. RDS for Oracle instances that use Native Network Encryption (NNE) for secure connections are not affected.

This certificate rotation only affects database instances in the GovCloud (US) Region.

What do I have to do to maintain connectivity?

To maintain connectivity, before August 15, 2017 at 20:00 UTC, you need to update the CA certificates your client or application is using to connect to RDS. Follow these steps:

  1. Download the new AWS GovCloud certification authority (CA) bundle from this page: Using SSL to Encrypt a Connection to a DB Instance.

  2. Use the new CA certificates you downloaded in the previous step to update your database client or application by following the steps on the download page. The certificate bundle contains certificates for both the old and new CA, so you can upgrade your application safely and maintain connectivity during the transition period. This action is specific to the configuration of your client or application.

  3. This step will cause your DB instance to be offline briefly while the certificate is swapped. For your RDS instance, choose Modify on the AWS Management Console (or use the ModifyDBInstance API) to change the CA from rds-ca-2012-us-gov-west-1 to rds-ca-2017-us-gov-west-1, and then click Apply Immediately. This operation will update the SSL certificates on the RDS instance and initiate a reboot operation to force the new certificates to take effect. Your instance will be unavailable during this reboot operation, which typically takes less than two minutes to complete. In some cases, such as when a database has a large number of tables, a reboot might take longer. For more information, see Best Practices for Amazon RDS.

Note that these steps must be performed before August 15, 2017 at 20:00 UTC. If you are unable to complete all three steps by this time, your client or application will be unable to connect to your database instance using SSL.
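The following is an added example (not code from the AWS documentation) that plans step 3 over the output of the DescribeDBInstances API: it lists the in-scope instances still on the old CA and builds the ModifyDBInstance parameters for each. It relies on the real API field names DBInstances[].DBInstanceIdentifier, .Engine and .CACertificateIdentifier and on the ModifyDBInstance parameters DBInstanceIdentifier, CACertificateIdentifier and ApplyImmediately; the sample response is constructed.

```python
"""Plan the GovCloud RDS CA rotation over a DescribeDBInstances response.

Added example, not code from the AWS documentation. The CA identifiers come
from the notice; the sample response below is constructed.
"""
NEW_CA = "rds-ca-2017-us-gov-west-1"
OLD_CA = "rds-ca-2012-us-gov-west-1"

# Engine name prefixes the notice lists as affected when SSL is used. The API
# cannot tell whether an Oracle instance uses NNE instead of SSL, so NNE-only
# Oracle instances must be excluded by hand.
AFFECTED_ENGINES = ("mariadb", "mysql", "postgres", "oracle", "sqlserver")

SAMPLE_RESPONSE = {  # constructed, shaped like a DescribeDBInstances response
    "DBInstances": [
        {"DBInstanceIdentifier": "orders-db", "Engine": "postgres",
         "CACertificateIdentifier": OLD_CA},
        {"DBInstanceIdentifier": "billing-db", "Engine": "mysql",
         "CACertificateIdentifier": NEW_CA},
        {"DBInstanceIdentifier": "erp-db", "Engine": "oracle-ee",
         "CACertificateIdentifier": OLD_CA},
    ]
}

def instances_needing_rotation(response, target_ca=NEW_CA):
    """Identifiers of in-scope instances whose certificate is not from target_ca."""
    return [
        db["DBInstanceIdentifier"]
        for db in response.get("DBInstances", [])
        if db.get("Engine", "").startswith(AFFECTED_ENGINES)
        and db.get("CACertificateIdentifier") != target_ca
    ]

def modify_request(db_identifier, target_ca=NEW_CA):
    """ModifyDBInstance parameters for step 3; RDS reboots the instance to apply."""
    return {"DBInstanceIdentifier": db_identifier,
            "CACertificateIdentifier": target_ca,
            "ApplyImmediately": True}

if __name__ == "__main__":
    try:
        import boto3  # only needed to read a real account; offline uses the sample
        rds = boto3.client("rds", region_name="us-gov-west-1")
        response = rds.describe_db_instances()  # paginate with Marker for large fleets
    except ImportError:
        response = SAMPLE_RESPONSE
    for db_id in instances_needing_rotation(response):
        # Pass these to rds.modify_db_instance(**params) to perform step 3.
        print("pending:", modify_request(db_id))
```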

What if I create new instances before August 15, 2017?

Any new database instances created after July 21, 2017 will use the new certificate (rds-ca-2017) by default. If you want to temporarily modify new instances manually to use the old certificates (rds-ca-2012), you can do so by using the AWS Management Console or the API. Any instances created prior to July 21, 2017 will have the rds-ca-2012 certificates until you update them to the rds-ca-2017 version.

What if I have questions or issues?

If you have questions or issues, contact AWS Support or your Technical Account Manager (TAM).

The following list details the differences for using this service in the AWS GovCloud (US) Region compared to other AWS regions:

  • In the AWS GovCloud (US) Region, all Amazon RDS instances must be launched in an Amazon VPC.

  • DB event notifications via SMS are not supported in the AWS GovCloud (US) Region.

For more information about Amazon RDS, see the Amazon Relational Database Service documentation.

ITAR Boundary

The ITAR boundary defines where customers are allowed to store ITAR-regulated data for this service in the AWS GovCloud (US) Region. You must comply with the boundaries in order to maintain ITAR compliance. If you do not have any ITAR-regulated data in the AWS GovCloud (US) Region, this section does not apply to you. The following information identifies the ITAR boundary for this service:

ITAR-Regulated Data Permitted

  • Amazon RDS master passwords are protected as ITAR-regulated data.

  • All data stored and processed in Amazon RDS database tables can contain ITAR-regulated data. You cannot transfer ITAR-regulated data in and out of your Amazon RDS instance using the API or CLI. You must use database tools for data transfer of ITAR-regulated data.

ITAR-Regulated Data Not Permitted

  • Amazon RDS metadata is not permitted to contain ITAR-regulated data. This metadata includes all configuration data that you enter when creating and maintaining your Amazon RDS instances except the master password.

  • Do not enter ITAR-regulated data in the following fields:

    • Database instance identifier

    • Master user name

    • Database name

    • Database snapshot name

    • Database security group name

    • Database security group description

    • Database parameter group name

    • Database parameter group description

    • Option group name

    • Option group description

    • Database subnet group name

    • Database subnet group description

    • Event subscription name

    • Resource tags

If you are processing ITAR-regulated data with Amazon RDS, follow these guidelines in order to maintain ITAR compliance:

  • When you use the console or the AWS APIs, the only data field that is protected as ITAR-regulated data is the Amazon RDS Master Password.

  • After you create your database, change the master password of your Amazon RDS instance by directly using the database client.

  • You can enter ITAR-regulated data into any data fields by using your database client-side tools. Do not pass ITAR-regulated data by using the web service APIs that are provided by Amazon RDS.

  • To secure ITAR-regulated data in your VPC, set up access control lists (ACLs) to control traffic entering and exiting your VPC. If you have multiple databases configured with different ports, set up ACLs on all the ports.

    • For example, if you're running an application server on an Amazon EC2 instance that connects to an Amazon RDS database instance, a non-U.S. person could reconfigure the DNS to redirect ITAR-regulated data out of the VPC and into any server that might be outside of the AWS GovCloud (US) Region.

      To prevent this type of attack and to maintain ITAR compliance, use network ACLs to prevent network traffic from exiting the VPC on the database port. For more information, see Network ACLs in the Amazon VPC User Guide.

  • For each database instance that contains ITAR-regulated data, ensure that only specific CIDR ranges and Amazon EC2 security groups can access the database instance, especially when an Internet gateway is attached to the VPC. Only allow connections that are from the AWS GovCloud (US) Region or other ITAR-controlled environments to ITAR-controlled database instances.
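The following is an added example (not code from the AWS documentation) that checks whether a network ACL, as returned by the EC2 DescribeNetworkAcls API, would let a flow on the database port leave the VPC for an outside address, the condition the network ACL guidance above is meant to prevent. It evaluates egress entries the way a network ACL does (lowest rule number first, first match wins, implicit deny); the VPC range, port and ACL entries are constructed.

```python
"""Check whether a VPC network ACL lets database-port traffic leave the VPC.

Added example, not code from the AWS documentation. Entries follow the
DescribeNetworkAcls shape (RuleNumber, Protocol, RuleAction, Egress,
CidrBlock, PortRange); the VPC CIDR, port and entries are constructed.
"""
import ipaddress

VPC_CIDR = "10.0.0.0/16"  # constructed sample VPC range
DB_PORT = 5432            # constructed: PostgreSQL default port

# Constructed ACL: allow the DB port inside the VPC, deny it to everywhere
# else, then the usual catch-all allow and the default deny.
SAMPLE_ENTRIES = [
    {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": True,
     "CidrBlock": VPC_CIDR, "PortRange": {"From": DB_PORT, "To": DB_PORT}},
    {"RuleNumber": 110, "Protocol": "6", "RuleAction": "deny", "Egress": True,
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": DB_PORT, "To": DB_PORT}},
    {"RuleNumber": 200, "Protocol": "-1", "RuleAction": "allow", "Egress": True,
     "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": True,
     "CidrBlock": "0.0.0.0/0"},
]

def entry_matches(entry, dst_ip, dst_port):
    """True if this entry applies to a TCP packet to dst_ip:dst_port."""
    if entry["Protocol"] not in ("-1", "6"):  # -1 = all protocols, 6 = TCP
        return False
    if dst_ip not in ipaddress.ip_network(entry["CidrBlock"]):
        return False
    rng = entry.get("PortRange")  # absent means all ports
    return rng is None or rng["From"] <= dst_port <= rng["To"]

def egress_allowed(entries, dst_ip, dst_port):
    """Evaluate egress rules in rule-number order; the first match decides."""
    dst = ipaddress.ip_address(dst_ip)
    egress = sorted((e for e in entries if e["Egress"]), key=lambda e: e["RuleNumber"])
    for entry in egress:
        if entry_matches(entry, dst, dst_port):
            return entry["RuleAction"] == "allow"
    return False  # implicit deny when nothing matches

def db_port_can_leave_vpc(entries, db_port, vpc_cidr, probe_ip="198.51.100.10"):
    """True if a flow on db_port to an address outside vpc_cidr would be allowed."""
    assert ipaddress.ip_address(probe_ip) not in ipaddress.ip_network(vpc_cidr)
    return egress_allowed(entries, probe_ip, db_port)

if __name__ == "__main__":
    print("DB port can leave VPC:", db_port_can_leave_vpc(SAMPLE_ENTRIES, DB_PORT, VPC_CIDR))
```

Removing rule 110 from the sample makes the check return True, because the catch-all rule 200 then allows the flow; that is the gap the guidance above closes.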

If you are processing ITAR-regulated data with this service, use the SSL (HTTPS) endpoint to maintain ITAR compliance. For a list of endpoints, see AWS GovCloud (US) Endpoints.