AWS RDS Certificate Authority update - amazon-web-services

I recently received an email regarding a required update to my RDS Certificate Authority.
The instructions on the RDS side seem straightforward: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL-certificate-rotation.html
However, on step 4 there was an important message: "When you schedule this operation, make sure that you have updated your client-side trust store beforehand."
I can't seem to find any information about updating my server, which connects to RDS, for the CA update.
My setup is EC2 instances on Beanstalk.
Does anyone know how/what I am supposed to do?
Thank you.
similar question: Update Amazon RDS SSL/TLS Certificates - Elastic Beanstalk

Basically, installing the certificate is only required when you use an SSL connection from your application to the RDS server. Regardless of the SSL connection, it is recommended to update the certificate of your server, but it is not necessary if you did not use an SSL connection to RDS.
Server-side Usage
When you use an SSL connection, you should change the certificate of the RDS server as soon as possible. Go to the RDS console, where you can find the Certificate update menu in the left menu list. Find your DB cluster, then check and update your SSL certificate right now or reserve the update for the next maintenance window.
Client-side Usage
The details about the SSL certificate are noted in the documentation. From there, you can download the root CA certificate of rds-ca-2019. The link is below.
https://s3.amazonaws.com/rds-downloads/rds-ca-2019-root.pem
This CA certificate is used to connect to the RDS server, e.g.
mysql -h myinstance.c9akciq32.rds-us-east-1.amazonaws.com --ssl-ca=[full path]rds-combined-ca-bundle.pem --ssl-mode=VERIFY_IDENTITY
or add it to the Trusted Root CAs of the client OS.
For example, on Windows you can run certmgr.msc, right-click the Trusted Root CA store and import this certificate. On macOS, open Keychain Access and import this certificate. This is an option.

To change your CA certificate on an Elastic Beanstalk environment on Amazon (AWS), do the following:
Log in to your console (https://console.aws.amazon.com/)
Click Services and search for "RDS"
Inside RDS (RDS is where the databases from Beanstalk live, even though they are directly attached to the Beanstalk environment), click "Certificate Update" down in the right corner (there will be a very red notification on the link)
If you have any certificates to upgrade, they will show up here.
Click the RDS instance name (the weird AWS name of the database server), aka "DB identifier"
(Inside this you can see some more info about it under Configuration, for instance your DB username, which could help you identify the instance if you have many and forgot to rename them.)
Click Actions > Upgrade now (this will reboot your instance now) OR Actions > Upgrade at next window (choose this if you have a lot of traffic and many users, so it will be less disruptive, i.e. it will not stop in the middle of the day but at night, according to the maintenance schedule of your location/server)
That's it. You do not need to install anything in your Beanstalk environment.

This is how we are managing SSL communication from Elastic Beanstalk to an external RDS PostgreSQL database. We add the following config file to .ebextensions (.ebextensions/rds.config):
commands:
  01-create-folder:
    command: mkdir -p /home/webapp/.postgresql
  02-download-cert:
    command: aws s3 cp s3://rds-downloads/rds-ca-2019-root.pem /home/webapp/.postgresql/root.crt
  03-change-owner:
    command: chown webapp:webapp /home/webapp/.postgresql/root.crt
  04-change-mode:
    command: chmod 400 /home/webapp/.postgresql/root.crt
The file downloads the certificate from the public S3 bucket and places it in the .postgresql folder as the root certificate. We have a Java application, and the JDBC driver successfully connects to RDS with SSL enabled.
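As an added check (example code, not from the original answer or the project): once the config above has placed root.crt, this script confirms that the RDS PostgreSQL endpoint really validates against that root, with hostname verification on, and reports which CA issued the server certificate, so a stale client trust store fails here rather than at the next maintenance window. It speaks the PostgreSQL SSLRequest prelude itself and needs only the standard library; the endpoint name and the ROOT_CRT path are placeholders.

```python
import socket
import ssl

# Constructed placeholders (not from the original post): ROOT_CRT is the path the
# .ebextensions config writes to; the endpoint used in __main__ is a dummy name.
ROOT_CRT = "/home/webapp/.postgresql/root.crt"
PG_SSL_REQUEST_CODE = 80877103  # PostgreSQL SSLRequest code: (1234 << 16) | 5679


def pg_ssl_request() -> bytes:
    """8-byte PostgreSQL SSLRequest message: Int32 length (8) + Int32 code."""
    return (8).to_bytes(4, "big") + PG_SSL_REQUEST_CODE.to_bytes(4, "big")


def issuer_common_name(peercert: dict) -> str:
    """Issuer CN from an ssl.SSLSocket.getpeercert() dict.

    getpeercert() encodes the issuer as a tuple of RDNs, each a tuple of
    (attribute, value) pairs, e.g. ((("commonName", "..."),),).
    """
    for rdn in peercert.get("issuer", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return ""


def rds_server_cert_issuer(host: str, port: int = 5432,
                           cafile: str = ROOT_CRT, timeout: float = 5.0) -> str:
    """Send the PostgreSQL SSLRequest, then do a fully verified TLS handshake
    against cafile and return the issuer CN of the certificate RDS presents.

    Raises ssl.SSLCertVerificationError when the chain does not lead to cafile
    or the hostname does not match the certificate.
    """
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((host, port), timeout=timeout) as raw:
        raw.sendall(pg_ssl_request())
        if raw.recv(1) != b"S":  # 'N' means the server will not do TLS
            raise RuntimeError("server rejected SSLRequest")
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return issuer_common_name(tls.getpeercert())


if __name__ == "__main__":
    # Dummy endpoint; replace with your own RDS hostname.
    print(rds_server_cert_issuer("mydb.xxxxxxxxxx.eu-central-1.rds.amazonaws.com"))
```

Run it from the Beanstalk instance as the webapp user so it reads the same root.crt the JDBC driver uses.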

Related

RDS SQL Server TLS/SSL encryption from application servers

Need to encrypt data in transit from application servers to RDS SQL Server with SSL/TLS.
I see AWS gives the option to set force encryption = true in the parameter group with self-signed certs.
Is there a way to use customer certs by importing them into RDS?
Any configuration steps to do this on the application server and on RDS?
Appreciate any info on this. Didn't find anything in the AWS knowledge base.
Note: Application servers sit behind load balancer.
For RDS SQL Server you will need to use the PEM that AWS provides for TLS.
You have a choice of either:
Root certificate
Intermediary and root certificate
The application server will need to have access to this certificate before it can connect to the RDS instance.
Unfortunately, at this time only Aurora supports uploading your own certificates (and then accessing them via ACM); you will need to use the provided one.
For connecting and configuring the RDS there is a specific Using SSL with a Microsoft SQL Server DB Instance page.

Trying to find my SSL certificate I created on AWS Certificates

I set up my EC2 instance and got HTTPS working for a bit, only to realize I need TLS 1.2 by default, and in order to do that I had to configure my code to instruct it to read my cert file. The problem is I don't know which it is, as there are 269 files in the directory /etc/ssl/certs. I have googled for a couple of hours hoping something would tell me where to look to check what file Amazon generated for me that it specifically wants. Otherwise I'm shooting in the dark trying PEMs one at a time.
const fs = require('fs'), https = require('https'); // app: the request handler (e.g. an Express app) defined earlier
https.createServer({
  secureProtocol: 'TLSv1_2_server_method',            // restrict the server to TLS 1.2
  pfx: fs.readFileSync("/etc/ssl/certs/FILENAME.PEM") // pfx expects a PKCS#12 (.pfx/.p12) bundle; a PEM cert and key go in cert/key instead
}, app).listen(443);
Help is greatly appreciated.
Please refer to the EC2 instance details in the AWS management console.
Steps:
Log in to the AWS management console and go to EC2 -> Instances.
Select the instance to which we need to connect and scroll the description in the bottom window, which will have the EC2 instance details.
Check for "Key pair name"; this will be the key pair which needs to be used to securely connect to the respective EC2 instance.
I assume that you got a certificate from Amazon ACM.
ACM certificates can be used in:
Elastic Load Balancing
Amazon CloudFront
Amazon API Gateway
AWS Elastic Beanstalk
AWS CloudFormation (for email validation only)
The certificate issued by ACM cannot be installed directly on an EC2 instance.
If you want to install an SSL certificate directly on your EC2 instance, you will need to obtain an SSL certificate through a third party.
Therefore, you cannot find any files related to the certificate issued by ACM inside your EC2 instance.
Hope this helps.

Update AWS RDS SSL/TLS Certificate from rds-ca-2015 to rds-ca-2019

We have recently updated the SSL certificate for AWS RDS from rds-ca-2015 to rds-ca-2019. Now the application is working and connected with SSL, but we couldn't confirm that RDS is now using rds-ca-2019. Can anyone tell us how to confirm that AWS RDS SSL is using rds-ca-2019? Below are the steps we followed to renew the SSL certificate.
1. Download the PEM file from https://s3.amazonaws.com/rds-downloads/rds-combined-ca-bundle.pem
2. mysql -h testdb.xxxxxxxxxx.eu-central-1.rds.amazonaws.com --ssl-ca rds-combined-ca-bundle.pem --ssl-mode=VERIFY_IDENTITY -u username -p
3. In the AWS console, in the Network & Security section, changed from rds-ca-2015 to rds-ca-2019 and rebooted.
Maybe you can find an answer here, by checking which MySQL user is using SSL for the connection, how to check the CA in RDS, and the steps to update to CA 2019 in RDS.
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/ssl-certificate-rotation-mysql.html
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL-certificate-rotation.html
In order to check the certificate authority currently used by your RDS instance, you can follow the steps below.
Navigate to the RDS service from the AWS console.
Click on Databases in the navigation panel on the left side.
Click on the RDS instance that you need to check.
The Certificate authority listed in the Connectivity & security tab shows the certificate authority currently used by the RDS instance.

AWS Data Pipeline Cannot Connect with RDS Mysql (connection time out)

I am stuck on making an AWS Data Pipeline which takes data from RDS MySQL to S3.
I have tried the template but failed a lot. Then I made this self-configured pipeline but still no success. Can anyone point out the problem by looking at the architecture?
Here are the RDS MySQL details -> NOTE <- that the username in the picture is different because I am using a separate user, and the username in the picture is administrator
This is the Data Pipeline architecture
Below are the settings of the first block, i.e. Configuration
Below are the settings of the RDS MySQL database
Below are the settings of the EC2 machine
Below are the settings of the SQL Data node, which I guess gets data from RDS
Below are the settings of the Copy Activity
Below are the settings of the S3 Data Node, which I guess puts data on S3
Here is the ERROR LOG
I read that it could be an error due to VPC (Virtual Private Cloud) permissions, but I am not sure how to add these settings as the server is a production server and I am afraid to perform this test. Can anyone provide a solid solution please?
As previously mentioned, your EC2 instance is not able to contact the database endpoint. Please use the link to configure the security groups correctly: http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_VPC.Scenarios.html
To test this, spin up an EC2 instance in the subnet and telnet to the database endpoint to ensure the connection is fine. You can then resume the activation of your pipeline.
Commands
sudo yum install telnet
telnet hostname port
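The telnet check above in script form, as an added example that is not part of the original answer. It also labels the outcome, which is the useful part when the pipeline reports a connection time out: a security group or network ACL that does not allow the source drops the SYN silently, so the symptom is a timeout, whereas a reachable host with nothing listening on that port answers with a reset; self_check() exercises the open and refused cases against a local listener, no AWS access needed.

```python
import errno
import socket

TIMEOUT_S = 5.0  # long enough that a silent drop is distinguishable from a slow network


def probe_tcp(host: str, port: int, timeout: float = TIMEOUT_S) -> str:
    """Attempt one TCP connect and classify the result:
      "open"       handshake completed: the port is reachable from this host
      "timeout"    no SYN-ACK and no RST: the usual signature of a security group
                   or network ACL that does not allow this source (or no route)
      "refused"    RST received: host reachable, but nothing listens on that port
      "unresolved" DNS lookup failed: wrong endpoint name or VPC DNS not reachable
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:
        return "timeout"
    except socket.gaierror:
        return "unresolved"
    except OSError as e:
        if e.errno == errno.ECONNREFUSED:
            return "refused"
        raise


def self_check() -> tuple:
    """Offline demonstration: probe a local listener, close it, probe again."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    while_open = probe_tcp("127.0.0.1", port)
    srv.close()
    after_close = probe_tcp("127.0.0.1", port)
    return while_open, after_close


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # usage: probe.py <rds-endpoint> <port>
        print(probe_tcp(sys.argv[1], int(sys.argv[2])))
    else:
        print(self_check())
```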

Transitioning from Amazon AWS to a different Hosting provider

This task fell in my lap and I have no experience with Amazon AWS. We run a simple informational site along with Redmine (as a subdomain) using Amazon AWS and want to switch to Simple Helix. I have researched how to switch providers and I haven't found any posts that show how to do this step by step. Is there a simple way to move from Amazon AWS to another provider? I think it would be best to create a duplicate of what we have on Amazon AWS on the Simple Helix server before totally dropping Amazon AWS. As far as I know I only have login details for the EC2 console, no SSH login details or FTP for Amazon AWS.
When an AWS instance is launched, a public/private key pair is specified and installed in the running instance. You can find the name of the key pair by looking at the details of the instance in the console. Check for "Key pair name".
Hopefully, you'll have the private key of that pair somewhere at hand. If it's lost, I'm not sure how to recover it without tech support from Amazon.
If you have the private key then SSH is simple; just type:
ssh -i my.private.key -l ubuntu servername
or something similar and you're in.
FTP access might require opening up a port in the firewall. Look at the security group settings for the server to see what ports are open. Secure FTP is available if you can SSH into the machine using the same private key.