Enable encrypted connections for PostgreSQL DB instances in Amazon RDS
Created by Rohit Kapoor (AWS)
Environment: PoC or pilot | Technologies: Databases; Networking; Security, identity, compliance | Workload: Open-source |
AWS services: Amazon RDS; Amazon Aurora |
Summary
Amazon Relational Database Service (Amazon RDS) supports SSL encryption for PostgreSQL DB instances. Using SSL, you can encrypt a PostgreSQL connection between your applications and your Amazon RDS for PostgreSQL DB instances. By default, Amazon RDS for PostgreSQL uses SSL/TLS and expects all clients to connect by using SSL/TLS encryption. Amazon RDS for PostgreSQL supports TLS versions 1.1 and 1.2.
This pattern describes how you can enable encrypted connections for an Amazon RDS for PostgreSQL DB instance. You can use the same process to enable encrypted connections for Amazon Aurora PostgreSQL-Compatible Edition.
Prerequisites and limitations
An active AWS account
An SSL bundle
Architecture
Tools
pgAdmin is an open-source administration and development platform for PostgreSQL. You can use pgAdmin on Linux, Unix, macOS, and Windows to manage your database objects in PostgreSQL 10 and later.
PostgreSQL editors provide a more user-friendly interface to help you create, develop, and run queries, and to edit code according to your requirements.
Best practices
Monitor unsecure database connections.
Audit database access rights.
Make sure that backups and snapshots are encrypted at rest.
Monitor database access.
Avoid unrestricted access groups.
Enhance your notifications with Amazon GuardDuty.
Monitor policy adherence regularly.
Epics
Task | Description | Skills required |
---|---|---|
Load a trusted certificate to your computer. | To add certificates to the Trusted Root Certification Authorities store for your computer, follow these steps. (These instructions use Windows Server as an example.) | DevOps engineer, Migration engineer, DBA |
Task | Description | Skills required |
---|---|---|
Create a parameter group and set the rds.force_ssl parameter. | If the PostgreSQL DB instance has a custom parameter group, edit the parameter group and change If the DB instance uses the default parameter group that doesn’t have To create a new parameter group: To associate the parameter group with your PostgreSQL DB instance: For more information, see the Amazon RDS documentation. | DevOps engineer, Migration engineer, DBA |
Force SSL connections. | Connect to the Amazon RDS for PostgreSQL DB instance. Connection attempts that don’t use SSL are rejected with an error message. For more information, see the Amazon RDS documentation. | DevOps engineer, Migration engineer, DBA |
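The following script is an added example, not AWS's own code, that carries out the parameter-group epic above end to end with boto3: create a custom parameter group, set rds.force_ssl to 1, associate the group with the DB instance, and confirm the result. It assumes boto3 is installed and that the caller has the rds:CreateDBParameterGroup, rds:ModifyDBParameterGroup, rds:ModifyDBInstance and rds:Describe* permissions; the instance identifier, group name, parameter group family and region are placeholders to replace with your own values.

```python
"""Create a parameter group with rds.force_ssl = 1 and attach it to an RDS for PostgreSQL instance.

Added example, not AWS's own code. Assumes boto3 is installed and credentials with
rds:CreateDBParameterGroup, rds:ModifyDBParameterGroup, rds:ModifyDBInstance and
rds:Describe* permissions. Instance identifier, group name, family and region are
placeholders.
"""
import time

# The single change this epic makes: the server rejects connections that are not encrypted.
FORCE_SSL_PARAMETERS = [
    {"ParameterName": "rds.force_ssl", "ParameterValue": "1", "ApplyMethod": "immediate"},
]


def force_ssl_enabled(describe_parameters_response: dict) -> bool:
    """True when an rds.describe_db_parameters response shows rds.force_ssl = 1."""
    for param in describe_parameters_response.get("Parameters", []):
        if param.get("ParameterName") == "rds.force_ssl":
            return str(param.get("ParameterValue")) == "1"
    return False


def parameter_group_status(describe_instances_response: dict, group_name: str):
    """Return the instance's ParameterApplyStatus for group_name, or None if it is not attached."""
    for instance in describe_instances_response.get("DBInstances", []):
        for group in instance.get("DBParameterGroups", []):
            if group.get("DBParameterGroupName") == group_name:
                return group.get("ParameterApplyStatus")
    return None


def enforce_ssl(instance_id, group_name, family, region="us-east-1", timeout_s=600):
    """Steps of the epic: create the group, set rds.force_ssl, associate it, confirm."""
    import boto3  # assumption: boto3 is installed

    rds = boto3.client("rds", region_name=region)

    # 1. Create a custom group. The family (e.g. a placeholder "postgres15") must
    #    match the engine version of the instance it will be attached to.
    try:
        rds.create_db_parameter_group(
            DBParameterGroupName=group_name,
            DBParameterGroupFamily=family,
            Description="Force TLS for PostgreSQL clients",
        )
    except rds.exceptions.DBParameterGroupAlreadyExistsFault:
        pass  # reuse the existing custom group

    # 2. Set rds.force_ssl = 1 in that group.
    rds.modify_db_parameter_group(DBParameterGroupName=group_name, Parameters=FORCE_SSL_PARAMETERS)

    # 3. Associate the group with the DB instance.
    rds.modify_db_instance(
        DBInstanceIdentifier=instance_id, DBParameterGroupName=group_name, ApplyImmediately=True,
    )

    # 4. Poll until the instance reports the group as in-sync. A status of
    #    pending-reboot means the change only takes effect after a reboot.
    deadline = time.time() + timeout_s
    status = None
    while time.time() < deadline:
        status = parameter_group_status(
            rds.describe_db_instances(DBInstanceIdentifier=instance_id), group_name
        )
        if status in ("in-sync", "pending-reboot"):
            break
        time.sleep(15)

    # 5. Read the group back and confirm the parameter really is set.
    enabled = force_ssl_enabled(
        rds.describe_db_parameters(DBParameterGroupName=group_name, Source="user")
    )
    return {"force_ssl": enabled, "parameter_apply_status": status}


if __name__ == "__main__":
    # Placeholder values; replace with your instance, group name and family.
    print(enforce_ssl("my-postgres-instance", "force-ssl-pg", "postgres15"))
```

After the script reports `force_ssl: True` with the group in-sync, a plain (non-SSL) psql connection to the instance should fail with the error the next task describes; if the status is `pending-reboot`, reboot the instance during a maintenance window before testing.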
Task | Description | Skills required |
---|---|---|
Install the SSL extension. | For more information, see the Amazon RDS documentation. | DevOps engineer, Migration engineer, DBA |
Task | Description | Skills required |
---|---|---|
Configure a client for SSL. | By using SSL, you can start the PostgreSQL server with support for encrypted connections that use TLS protocols. The server listens for both standard and SSL connections on the same TCP port, and negotiates with any connecting client on whether to use SSL. By default, this is a client option. If you’re using the psql client: For other PostgreSQL clients: Review the following pages for these clients: | DevOps engineer, Migration engineer, DBA |
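Because SSL negotiation is a client option, the weak spot is usually the client's connection string rather than the server. The script below is an added example, not code from AWS or the PostgreSQL project: it parses libpq connection strings (both the `postgresql://` URL form and the `key=value` form), reports whether the effective `sslmode` verifies the server identity, builds a connection string that does, and optionally checks a live session through `pg_stat_ssl` and lists sessions that arrived without TLS (the "monitor unsecure database connections" best practice above). Host names, paths and the sample DSNs are constructed placeholders; the live check assumes psycopg2 is installed, and the session listing assumes a role that may read other sessions in `pg_stat_activity` (for example rds_superuser or pg_read_all_stats).

```python
"""Audit libpq connection settings for an Amazon RDS for PostgreSQL client.

Added example (not AWS's or PostgreSQL's code). Host names, paths and sample
DSNs are constructed placeholders. The live check assumes psycopg2 is installed;
everything else is the Python standard library.
"""
import os
import shlex
from urllib.parse import parse_qs, unquote, urlparse

# libpq sslmode values, weakest to strongest. Only verify-ca and verify-full check
# the server certificate against a CA; only verify-full also checks that the
# certificate matches the host name given in the DSN.
SSLMODES = ("disable", "allow", "prefer", "require", "verify-ca", "verify-full")
REQUIRED_SSLMODE = "verify-full"

# Sessions that reached the server without TLS. With rds.force_ssl = 1 in effect
# this query should return no rows.
UNENCRYPTED_SESSIONS_SQL = """
SELECT a.pid, a.usename, a.client_addr, a.application_name
FROM pg_stat_activity AS a
JOIN pg_stat_ssl AS s USING (pid)
WHERE a.client_addr IS NOT NULL AND NOT s.ssl
"""


def parse_dsn(dsn: str) -> dict:
    """Parse a postgresql:// URL or a 'key=value ...' libpq connection string."""
    if dsn.startswith(("postgresql://", "postgres://")):
        url = urlparse(dsn)
        params = {key: values[-1] for key, values in parse_qs(url.query).items()}
        if url.hostname:
            params["host"] = url.hostname
        if url.port:
            params["port"] = str(url.port)
        if url.username:
            params["user"] = unquote(url.username)
        if url.path and url.path != "/":
            params["dbname"] = url.path.lstrip("/")
        return params
    params = {}
    for token in shlex.split(dsn):  # handles sslrootcert='/path with spaces.pem'
        key, _, value = token.partition("=")
        params[key] = value
    return params


def effective_sslmode(params: dict, env) -> str:
    """libpq precedence: DSN keyword, then PGSSLMODE, then the built-in default 'prefer'."""
    return params.get("sslmode") or env.get("PGSSLMODE") or "prefer"


def audit_dsn(dsn: str, env=None) -> list:
    """Return findings as strings; an empty list means the client verifies the server."""
    env = os.environ if env is None else env
    params = parse_dsn(dsn)
    mode = effective_sslmode(params, env)
    findings = []
    if mode not in SSLMODES:
        findings.append(f"unknown sslmode={mode!r}: libpq rejects this connection string")
        return findings
    if SSLMODES.index(mode) < SSLMODES.index(REQUIRED_SSLMODE):
        findings.append(
            f"sslmode={mode} is weaker than {REQUIRED_SSLMODE}: "
            "the server identity is not verified, so the trusted CA bundle is never consulted"
        )
    rootcert = params.get("sslrootcert") or env.get("PGSSLROOTCERT")
    if mode in ("verify-ca", "verify-full") and not rootcert:
        findings.append(
            "sslrootcert is not set: libpq falls back to ~/.postgresql/root.crt; "
            "point it explicitly at the downloaded RDS CA bundle"
        )
    return findings


def build_secure_dsn(endpoint: str, dbname: str, user: str, bundle_path: str, port: int = 5432) -> str:
    """Connection string that enforces TLS and server identity verification.

    endpoint must be the RDS DNS endpoint, not an IP address: verify-full matches
    the server certificate against the host name given here.
    """
    return (f"host={endpoint} port={port} dbname={dbname} user={user} "
            f"sslmode={REQUIRED_SSLMODE} sslrootcert={shlex.quote(bundle_path)}")


def find_unencrypted_sessions(conn) -> list:
    """Run UNENCRYPTED_SESSIONS_SQL on an open DB-API connection (for example psycopg2)."""
    with conn.cursor() as cur:
        cur.execute(UNENCRYPTED_SESSIONS_SQL)
        return cur.fetchall()


def check_live_connection(dsn: str) -> dict:
    """Connect (assumes psycopg2) and report what this session actually negotiated."""
    import psycopg2  # assumption: psycopg2 is installed

    conn = psycopg2.connect(dsn)
    try:
        with conn.cursor() as cur:
            cur.execute("SELECT ssl, version, cipher FROM pg_stat_ssl WHERE pid = pg_backend_pid()")
            ssl_used, version, cipher = cur.fetchone()
        unencrypted = find_unencrypted_sessions(conn)
    finally:
        conn.close()
    return {"ssl": ssl_used, "version": version, "cipher": cipher, "unencrypted_sessions": unencrypted}


if __name__ == "__main__":
    # Constructed sample: the RDS endpoint and bundle path are placeholders.
    dsn = build_secure_dsn("db.example.test", "prod", "app", "/etc/ssl/certs/global-bundle.pem")
    print(dsn, audit_dsn(dsn, env={}))
    print(audit_dsn("postgresql://app@db.example.test/prod?sslmode=require", env={}))
```

Run `audit_dsn` over the connection strings your applications and CI jobs actually use (including what `PGSSLMODE` is set to in their environment); a finding for `prefer` or `require` means the trusted certificate loaded in the first epic is never checked, and a JDBC client has the equivalent `sslmode` and `sslrootcert` properties to review.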
Troubleshooting
Issue | Solution |
---|---|
Cannot download the SSL certificate. | Check your connection to the website, and retry downloading the certificate to your local computer. |
Related resources
Using SSL with a PostgreSQL DB instance (Amazon RDS documentation)
Secure TCP/IP Connections with SSL (PostgreSQL documentation)
Using SSL (JDBC documentation)