Summary Prerequisites and limitations Architecture Tools Best practices Epics Troubleshooting Related resources

Enable encrypted connections for PostgreSQL DB instances in Amazon RDS

Created by Rohit Kapoor (AWS)

Environment: PoC or pilot	Technologies: Databases; Networking; Security, identity, compliance	Workload: Open-source
AWS services: Amazon RDS; Amazon Aurora

Summary

Amazon Relational Database Service (Amazon RDS) supports SSL encryption for PostgreSQL DB instances. Using SSL, you can encrypt a PostgreSQL connection between your applications and your Amazon RDS for PostgreSQL DB instances. By default, Amazon RDS for PostgreSQL uses SSL/TLS and expects all clients to connect by using SSL/TLS encryption. Amazon RDS for PostgreSQL supports TLS versions 1.1 and 1.2.

This pattern describes how you can enable encrypted connections for an Amazon RDS for PostgreSQL DB instance. You can use the same process to enable encrypted connections for Amazon Aurora PostgreSQL-Compatible Edition.

Prerequisites and limitations

An active AWS account
An Amazon RDS for PostgreSQL DB instance
An SSL bundle

Architecture

Enabling encrypted connections for PostgreSQL DB instances in Amazon RDS

Tools

pgAdmin is an open-source administration and development platform for PostgreSQL. You can use pgAdmin on Linux, Unix, macOS, and Windows to manage your database objects in PostgreSQL 10 and later.
PostgreSQL editors provide a more user-friendly interface to help you create, develop, and run queries, and to edit code according to your requirements.

Best practices

Monitor unsecure database connections.
Audit database access rights.
Make sure that backups and snapshots are encrypted at rest.
Monitor database access.
Avoid unrestricted access groups.
Enhance your notifications with Amazon GuardDuty.
Monitor policy adherence regularly.

Epics

Task	Description	Skills required
Load a trusted certificate to your computer.	To add certificates to the Trusted Root Certification Authorities store for your computer, follow these steps. (These instructions use Window Server as a example.) In Windows Server, choose Start, Run, and then type mmc. In the console, choose File, Add/Remove Snap-in. Under Available snap-ins, choose Certificates, and then choose Add. Under This snap-in will always manage certificates for, choose Computer account, Next. Choose Local computer, Finish. If you have no more snap-ins to add to the console, choose OK. In the console tree, double-click Certificates. Right-click Trusted Root Certification Authorities. Choose All Tasks, Import to import the downloaded certificates. Follow the steps in the Certificate Import Wizard.	DevOps engineer, Migration engineer, DBA

Task Description Skills required

Task	Description	Skills required
Create a parameter group and set the rds.force_ssl parameter.	If the PostgreSQL DB instance has a custom parameter group, edit the parameter group and change `rds.force_ssl` to 1. If the DB instance uses the default parameter group that doesn’t have `rds.force_ssl` enabled, create a new parameter group. You can modify the new parameter group by using the Amazon RDS API or manually as in the following instructions. To create a new parameter group: Sign in to the AWS Management console and open the Amazon RDS console for the AWS Region that hosts the DB instance. In the navigation pane, choose Parameter groups. Choose Create parameter group, and set the following values: For Parameter group family, choose postgres14. For Group name, type pgsql-<database_instance>-ssl. For Description, enter a free-form description for the parameter group you’re adding. Choose Create. Choose the parameter group that you created. From Parameter group actions, choose Edit. Find rds.force_ssl and change its setting to 1. Note: Conduct client-side testing before changing this parameter. Choose Save changes. To associate the parameter group with your PostgreSQL DB instance: On the Amazon RDS console, in the navigation pane, choose Databases, and then choose the PostgreSQL DB instance. Choose Modify. Under Additional configuration, choose the new parameter group, and then choose Continue. Under Schedule modifications, choose Apply immediately. Choose Modify DB instance. For more information, see the Amazon RDS documentation.	DevOps engineer, Migration engineer, DBA
Force SSL connections.	Connect to the Amazon RDS for PostgreSQL DB instance. Connection attempts that don’t use SSL are rejected with an error message. For more information, see the Amazon RDS documentation.	DevOps engineer, Migration engineer, DBA

Create a parameter group and set the rds.force_ssl parameter.

If the PostgreSQL DB instance has a custom parameter group, edit the parameter group and change rds.force_ssl to 1.

If the DB instance uses the default parameter group that doesn’t have rds.force_ssl enabled, create a new parameter group. You can modify the new parameter group by using the Amazon RDS API or manually as in the following instructions.

To create a new parameter group:

Sign in to the AWS Management console and open the Amazon RDS console for the AWS Region that hosts the DB instance.
In the navigation pane, choose Parameter groups.
Choose Create parameter group, and set the following values:
- For Parameter group family, choose postgres14.
- For Group name, type pgsql-<database_instance>-ssl.
- For Description, enter a free-form description for the parameter group you’re adding.
- Choose Create.
Choose the parameter group that you created.
From Parameter group actions, choose Edit.
Find rds.force_ssl and change its setting to 1.
Note: Conduct client-side testing before changing this parameter.
Choose Save changes.

To associate the parameter group with your PostgreSQL DB instance:

On the Amazon RDS console, in the navigation pane, choose Databases, and then choose the PostgreSQL DB instance.
Choose Modify.
Under Additional configuration, choose the new parameter group, and then choose Continue.
Under Schedule modifications, choose Apply immediately.
Choose Modify DB instance.

For more information, see the Amazon RDS documentation.

DevOps engineer, Migration engineer, DBA

Force SSL connections.

Connect to the Amazon RDS for PostgreSQL DB instance. Connection attempts that don’t use SSL are rejected with an error message. For more information, see the Amazon RDS documentation.

DevOps engineer, Migration engineer, DBA

Task	Description	Skills required
Install the SSL extension.	Launch a psql or pgAdmin connection as a DBA. Call the ssl_is_used() function to determine if SSL is being used. `select ssl_is_used();` The function returns `t` if the connection is using SSL; otherwise, it returns `f`. Install the SSL extension. `create extension sslinfo; show ssl; select ssl_cipher();` For more information, see the Amazon RDS documentation.	DevOps engineer, Migration engineer, DBA

Task Description Skills required

Task	Description	Skills required
Configure a client for SSL.	By using SSL, you can start the PostgreSQL server with support for encrypted connections that use TLS protocols. The server listens for both standard and SSL connections on the same TCP port, and negotiates with any connecting client on whether to use SSL. By default, this is a client option. If you’re using the psql client: Make sure that the Amazon RDS certificate has been loaded to your local computer. Launch an SSL client connection by adding the following: `psql postgres -h SOMEHOST.amazonaws.com -p 8192 -U someuser sslmode=verify-full sslrootcert=rds-ssl-ca-cert.pem select ssl_cipher();` For other PostgreSQL clients: Modify the respective application public key parameter. This might be available as an option, as part of your connection string, or as a property on the connection page in GUI tools. Review the following pages for these clients: pgAdmin documentation JDBC documentation	DevOps engineer, Migration engineer, DBA

Configure a client for SSL.

By using SSL, you can start the PostgreSQL server with support for encrypted connections that use TLS protocols. The server listens for both standard and SSL connections on the same TCP port, and negotiates with any connecting client on whether to use SSL. By default, this is a client option.

If you’re using the psql client:

Make sure that the Amazon RDS certificate has been loaded to your local computer.

Launch an SSL client connection by adding the following:


psql postgres -h SOMEHOST.amazonaws.com -p 8192 -U someuser sslmode=verify-full sslrootcert=rds-ssl-ca-cert.pem
select ssl_cipher();

For other PostgreSQL clients:

Modify the respective application public key parameter. This might be available as an option, as part of your connection string, or as a property on the connection page in GUI tools.

Review the following pages for these clients:

DevOps engineer, Migration engineer, DBA

Troubleshooting

Issue	Solution
Cannot download the SSL certificate.	Check your connection to the website, and retry downloading the certificate to your local computer.

Related resources

Amazon RDS for PostgreSQL documentation
Using SSL with a PostgreSQL DB instance (Amazon RDS documentation)
Secure TCP/IP Connections with SSL (PostgreSQL documentation)
Using SSL (JDBC documentation)

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Emulate Oracle RAC workloads using Aurora PostgreSQL

Encrypt an existing Amazon RDS for PostgreSQL DB instance