AWS AmazonRDS high security documentation change
Summary
Updated SSL cipher suite documentation with explicit allowlists and version-specific configuration details.
Security assessment
The change provides critical security guidance about allowed encryption ciphers for PostgreSQL TLS connections, directly impacting data-in-transit security configurations.
Diff
diff --git a/AmazonRDS/latest/UserGuide/PostgreSQL.Concepts.General.SSL.md b/AmazonRDS/latest/UserGuide/PostgreSQL.Concepts.General.SSL.md index 2fbae267e..4e6cf2192 100644 --- a//AmazonRDS/latest/UserGuide/PostgreSQL.Concepts.General.SSL.md +++ b//AmazonRDS/latest/UserGuide/PostgreSQL.Concepts.General.SSL.md @@ -145,14 +145 @@ To learn more about the `sslmode` option, see [Database connection control funct -The PostgreSQL configuration parameter [ssl_ciphers](https://www.postgresql.org/docs/current/runtime-config-connection.html#RUNTIME-CONFIG-CONNECTION-SSL) specifies the categories of cipher suites that are allowed for SSL connections to the database when using TLS 1.2 and lower. The following table lists the default cipher suites used in RDS for PostgreSQL. - -PostgreSQL engine version | Cipher suites ----|--- -17 | `HIGH:!aNULL:!3DES` -16 | `HIGH:!aNULL:!3DES` -15 | `HIGH:!aNULL:!3DES` -14 | `HIGH:!aNULL:!3DES` -13 | `HIGH:!aNULL:!3DES` -12 | `HIGH:!aNULL:!3DES` -11.4 and higher minor versions | `HIGH:MEDIUM:+3DES:!aNULL:!RC4` -11.1, 11.2 | `HIGH:MEDIUM:+3DES:!aNULL` -10.9 and higher minor versions | `HIGH:MEDIUM:+3DES:!aNULL:!RC4` -10.7 and lower minor versions | `HIGH:MEDIUM:+3DES:!aNULL` +The PostgreSQL configuration parameter [ssl_ciphers](https://www.postgresql.org/docs/current/runtime-config-connection.html#RUNTIME-CONFIG-CONNECTION-SSL) specifies the categories of cipher suites that are allowed for SSL connections to the database when using TLS 1.2 and lower. @@ -165 +152,16 @@ In RDS for PostgreSQL 16 and later, you can modify the `ssl_ciphers` parameter t -To configure all instance connections to use the `TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384` cipher suite, modify your parameter group as shown in the following example:: +The following table lists both the default cipher suites and the allowed cipher suites for versions that support custom configurations. + +PostgreSQL engine version | Default ssl_cipher suite values | Allowlisted custom ssl_cipher suite values +---|---|--- +17 | `HIGH:!aNULL:!3DES` | `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384` `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256` `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256` `TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384` `TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256` +16 | `HIGH:!aNULL:!3DES` | `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384` `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256` `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256` `TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384` `TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256` +15 | `HIGH:!aNULL:!3DES` | Custom ssl_ciphers isn't supported +14 | `HIGH:!aNULL:!3DES` | Custom ssl_ciphers isn't supported +13 | `HIGH:!aNULL:!3DES` | Custom ssl_ciphers isn't supported +12 | `HIGH:!aNULL:!3DES` | Custom ssl_ciphers isn't supported +11.4 and higher minor versions | `HIGH:MEDIUM:+3DES:!aNULL:!RC4` | Custom ssl_ciphers isn't supported +11.1, 11.2 | `HIGH:MEDIUM:+3DES:!aNULL` | Custom ssl_ciphers isn't supported +10.9 and higher minor versions | `HIGH:MEDIUM:+3DES:!aNULL:!RC4` | Custom ssl_ciphers isn't supported +10.7 and lower minor versions | `HIGH:MEDIUM:+3DES:!aNULL` | Custom ssl_ciphers isn't supported + +To configure all instance connections to use the `TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384` cipher suite, modify your parameter group as shown in the following example: