Creating the security-related parameter group Modifying security-related parameters Associating the security-related parameter group with your DB instance

Configuring SQL Server security protocols and ciphers

You can turn certain security protocols and ciphers on and off using DB parameters. The security parameters that you can configure (except for TLS version 1.2) are shown in the following table.

DB parameter	Allowed values (default in bold)	Description
rds.tls10	default, enabled, disabled	TLS 1.0.
rds.tls11	default, enabled, disabled	TLS 1.1.
rds.tls12	default	TLS 1.2. You can't modify this value.
rds.fips	0, 1	When you set the parameter to 1, RDS forces the use of modules that are compliant with the Federal Information Processing Standard (FIPS) 140-2 standard. For more information, see Use SQL Server 2016 in FIPS 140-2-compliant mode in the Microsoft documentation.
rds.rc4	default, enabled, disabled	RC4 stream cipher.
rds.diffie-hellman	default, enabled, disabled	Diffie-Hellman key-exchange encryption.
rds.diffie-hellman-min-key-bit-length	default, 1024, 2048, 3072, 4096	Minimum bit length for Diffie-Hellman keys.
rds.curve25519	default, enabled, disabled	Curve25519 elliptic-curve encryption cipher. This parameter isn't supported for all engine versions.
rds.3des168	default, enabled, disabled	Triple Data Encryption Standard (DES) encryption cipher with a 168-bit key length.

Note

For minor engine versions after 16.00.4120.1, 15.00.4365.2, 14.00.3465.1, 13.00.6435.1, and 12.00.6449.1, the default setting for the DB parameters rds.tls10, rds.tls11, rds.rc4, rds.curve25519, and rds.3des168 is disabled. Otherwise the default setting is enabled.

For minor engine versions after 16.00.4120.1, 15.00.4365.2, 14.00.3465.1, 13.00.6435.1, and 12.00.6449.1, the default setting for rds.diffie-hellman-min-key-bit-lengthis 3072. Otherwise the default setting is 2048.

Use the following process to configure the security protocols and ciphers:

Create a custom DB parameter group.
Modify the parameters in the parameter group.
Associate the DB parameter group with your DB instance.

For more information on DB parameter groups, see Parameter groups for Amazon RDS.

Creating the security-related parameter group

Create a parameter group for your security-related parameters that corresponds to the SQL Server edition and version of your DB instance.

The following procedure creates a parameter group for SQL Server Standard Edition 2016.

To create the parameter group

Sign in to the AWS Management Console and open the Amazon RDS console at https://console.aws.amazon.com/rds/.
In the navigation pane, choose Parameter groups.
Choose Create parameter group.
In the Create parameter group pane, do the following:
1. For Parameter group family, choose sqlserver-se-13.0.
2. For Group name, enter an identifier for the parameter group, such as sqlserver-ciphers-se-13.
3. For Description, enter Parameter group for security protocols and ciphers.
Choose Create.

The following procedure creates a parameter group for SQL Server Standard Edition 2016.

To create the parameter group

Run one of the following commands.

For Linux, macOS, or Unix:


aws rds create-db-parameter-group \
    --db-parameter-group-name sqlserver-ciphers-se-13 \
    --db-parameter-group-family "sqlserver-se-13.0" \
    --description "Parameter group for security protocols and ciphers"

For Windows:


aws rds create-db-parameter-group ^
    --db-parameter-group-name sqlserver-ciphers-se-13 ^
    --db-parameter-group-family "sqlserver-se-13.0" ^
    --description "Parameter group for security protocols and ciphers"

Modifying security-related parameters

Modify the security-related parameters in the parameter group that corresponds to the SQL Server edition and version of your DB instance.

The following procedure modifies the parameter group that you created for SQL Server Standard Edition 2016. This example turns off TLS version 1.0.

To modify the parameter group

Sign in to the AWS Management Console and open the Amazon RDS console at https://console.aws.amazon.com/rds/.
In the navigation pane, choose Parameter groups.
Choose the parameter group, such as sqlserver-ciphers-se-13.
Under Parameters, filter the parameter list for rds.
Choose Edit parameters.
Choose rds.tls10.
For Values, choose disabled.
Choose Save changes.

The following procedure modifies the parameter group that you created for SQL Server Standard Edition 2016. This example turns off TLS version 1.0.

To modify the parameter group

Run one of the following commands.

For Linux, macOS, or Unix:


aws rds modify-db-parameter-group \
    --db-parameter-group-name sqlserver-ciphers-se-13 \
    --parameters "ParameterName='rds.tls10',ParameterValue='disabled',ApplyMethod=pending-reboot"

For Windows:


aws rds modify-db-parameter-group ^
    --db-parameter-group-name sqlserver-ciphers-se-13 ^
    --parameters "ParameterName='rds.tls10',ParameterValue='disabled',ApplyMethod=pending-reboot"

Associating the security-related parameter group with your DB instance

To associate the parameter group with your DB instance, use the AWS Management Console or the AWS CLI.

You can associate the parameter group with a new or existing DB instance:

For a new DB instance, associate it when you launch the instance. For more information, see Creating an Amazon RDS DB instance.
For an existing DB instance, associate it by modifying the instance. For more information, see Modifying an Amazon RDS DB instance.

You can associate the parameter group with a new or existing DB instance.

To create a DB instance with the parameter group

Specify the same DB engine type and major version as you used when creating the parameter group.

For Linux, macOS, or Unix:


aws rds create-db-instance \
    --db-instance-identifier mydbinstance \
    --db-instance-class db.m5.2xlarge \
    --engine sqlserver-se \
    --engine-version 13.00.5426.0.v1 \
    --allocated-storage 100 \
    --master-user-password secret123 \
    --master-username admin \
    --storage-type gp2 \
    --license-model li \
    --db-parameter-group-name sqlserver-ciphers-se-13

For Windows:


aws rds create-db-instance ^
    --db-instance-identifier mydbinstance ^
    --db-instance-class db.m5.2xlarge ^
    --engine sqlserver-se ^
    --engine-version 13.00.5426.0.v1 ^
    --allocated-storage 100 ^
    --master-user-password secret123 ^
    --master-username admin ^
    --storage-type gp2 ^
    --license-model li ^
    --db-parameter-group-name sqlserver-ciphers-se-13

Note

Specify a password other than the prompt shown here as a security best practice.

To modify a DB instance and associate the parameter group

Run one of the following commands.

For Linux, macOS, or Unix:


aws rds modify-db-instance \
    --db-instance-identifier mydbinstance \
    --db-parameter-group-name sqlserver-ciphers-se-13 \
    --apply-immediately

For Windows:


aws rds modify-db-instance ^
    --db-instance-identifier mydbinstance ^
    --db-parameter-group-name sqlserver-ciphers-se-13 ^
    --apply-immediately

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Using SSL with a SQL Server DB instance

Updating applications for new SSL/TLS certificates