AWS AmazonRDS high security documentation change
Summary
Added documentation about configuring SSL cipher suites for PostgreSQL 16+, including TLS version requirements and CLI examples for cipher management. Clarified TLS 1.3 incompatibility with custom cipher configurations.
Security assessment
The changes explicitly document security-related configurations for SSL/TLS cipher suites and protocol versions. Instructions for enforcing TLS 1.2 and cipher restrictions directly address secure communication practices. The addition of rds.force_ssl=1 recommendation strengthens encryption requirements.
Diff
diff --git a/AmazonRDS/latest/UserGuide/PostgreSQL.Concepts.General.SSL.md b/AmazonRDS/latest/UserGuide/PostgreSQL.Concepts.General.SSL.md index d067ad4f2..2fbae267e 100644 --- a/AmazonRDS/latest/UserGuide/PostgreSQL.Concepts.General.SSL.md +++ b/AmazonRDS/latest/UserGuide/PostgreSQL.Concepts.General.SSL.md @@ -145 +145 @@ To learn more about the `sslmode` option, see [Database connection control funct -The PostgreSQL configuration parameter [ssl_ciphers](https://www.postgresql.org/docs/current/runtime-config-connection.html#RUNTIME-CONFIG-CONNECTION-SSL) specifies the categories of cipher suites that are allowed for SSL connections. The following table lists the default cipher suites used in RDS for PostgreSQL. +The PostgreSQL configuration parameter [ssl_ciphers](https://www.postgresql.org/docs/current/runtime-config-connection.html#RUNTIME-CONFIG-CONNECTION-SSL) specifies the categories of cipher suites that are allowed for SSL connections to the database when using TLS 1.2 and lower. The following table lists the default cipher suites used in RDS for PostgreSQL. @@ -159,0 +160,30 @@ PostgreSQL engine version | Cipher suites +In RDS for PostgreSQL 16 and later, you can modify the `ssl_ciphers` parameter to use specific values from the allowlisted cipher suites. This is a dynamic parameter that doesn't require a database instance reboot. To view the allowlisted cipher suites, use either the Amazon RDS console or the following AWS CLI command: + + + aws rds describe-db-parameters --db-parameter-group-name <your-parameter-group> --region <region> --endpoint-url <endpoint-url> --output json | jq '.Parameters[] | select(.ParameterName == "ssl_ciphers")' + +To configure all instance connections to use the `TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384` cipher suite, modify your parameter group as shown in the following example:: + + + aws rds modify-db-parameter-group --db-parameter-group-name <your-parameter-group> --parameters "ParameterName='ssl_ciphers',ParameterValue='TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384',ApplyMethod=immediate" + +This example uses an ECDSA cipher, which requires your instance to use a certificate authority with elliptic curve cryptography (ECC) to establish a connection. For information about certificate authorities provided by Amazon RDS, see [Certificate authorities](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/singWithRDS.SSL.html#UsingWithRDS.SSL.RegionCertificateAuthorities). + +You can verify the ciphers in use through the methods described in [Determining the SSL connection status](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/PostgreSQL.Concepts.General.SSL.html#PostgreSQL.Concepts.General.SSL.Status). + +Ciphers may have different names depending on the context: + + * The allowlisted ciphers that you can configure in your parameter group are referred to with their IANA names. + + * The `sslinfo` and `psql` logon banner refer to ciphers using their OpenSSL names. + + + + +By default, the value of `ssl_max_protocol_version` in RDS for PostgreSQL 16 and later is TLS v1.3. You must set the value of this parameter to TLS v1.2 as TLS v1.3 doesn't use the cipher configurations specified in the `ssl_ciphers` parameter. When you set the value as TLS v1.2, connections use only the ciphers that you define in `ssl_ciphers`. + + + aws rds modify-db-parameter-group --db-parameter-group-name <your-parameter-group> --parameters "ParameterName='ssl_max_protocol_version',ParameterValue='TLSv1.2',ApplyMethod=immediate" + +To ensure database connections use SSL, set the `rds.force_ssl parameter` to 1 in your parameter group. For more information about parameters and parameter groups, see [Parameter groups for Amazon RDS](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_WorkingWithParamGroups.html). +