AWS Security ChangesHomeSearch

AWS AmazonRDS high security documentation change

Service: AmazonRDS · 2025-05-03 · Security-related high

File: AmazonRDS/latest/AuroraUserGuide/AuroraPostgreSQL.Security.md

Summary

Updated SSL/TLS enforcement documentation to clarify version-specific defaults (enabled by default in Aurora PostgreSQL 17+) and added upgrade impact warning

Security assessment

The change explicitly documents that SSL/TLS enforcement is now default-enabled in newer versions, which directly impacts connection security. The warning about potential connectivity failures after major version upgrades indicates this could break non-SSL clients, making proper security configuration mandatory.

Diff

diff --git a/AmazonRDS/latest/AuroraUserGuide/AuroraPostgreSQL.Security.md b/AmazonRDS/latest/AuroraUserGuide/AuroraPostgreSQL.Security.md
index 266d34b24..717770298 100644
--- a//AmazonRDS/latest/AuroraUserGuide/AuroraPostgreSQL.Security.md
+++ b//AmazonRDS/latest/AuroraUserGuide/AuroraPostgreSQL.Security.md
@@ -89 +89 @@ The following is an example of using psql to connect to an Aurora PostgreSQL DB
-You can require that connections to your Aurora PostgreSQL DB cluster use SSL/TLS by using the `rds.force_ssl` parameter. By default, the `rds.force_ssl` parameter is set to 0 (off). You can set the `rds.force_ssl` parameter to 1 (on) to require SSL/TLS for connections to your DB cluster. Updating the `rds.force_ssl` parameter also sets the PostgreSQL `ssl` parameter to 1 (on) and modifies your DB cluster's `pg_hba.conf` file to support the new SSL/TLS configuration.
+To require SSL/TLS connections to your Aurora PostgreSQL DB cluster, use `rds.force_ssl` parameter.
@@ -91 +91,23 @@ You can require that connections to your Aurora PostgreSQL DB cluster use SSL/TL
-You can set the `rds.force_ssl` parameter value by updating the DB cluster parameter group for your DB cluster. If the DB cluster parameter group isn't the default one, and the `ssl` parameter is already set to 1 when you set `rds.force_ssl` to 1, you don't need to reboot your DB cluster. Otherwise, you must reboot your DB cluster for the change to take effect. For more information on parameter groups, see [Parameter groups for Amazon Aurora](./USER_WorkingWithParamGroups.html).
+  * To require SSL/TLS connections, set the `rds.force_ssl` parameter value to 1 (on).
+
+  * To turn off required SSL/TLS connections, set the `rds.force_ssl` parameter value to 0 (off).
+
+
+
+
+The default value of this parameter depends on the Aurora PostgreSQL version:
+
+  * For Aurora PostgreSQL versions 17 and later: The default value is 1 (on).
+
+  * For Aurora PostgreSQL versions 16 and older: The default value is 0 (off).
+
+
+
+
+###### Note
+
+When you perform a major version upgrade from Aurora PostgreSQL version 16 or earlier to version 17 or later, the default value of the parameter changes from 0 (off) to 1 (on). This change may cause connectivity failures for applications that are not configured for SSL. You can revert to the previous default behavior by setting this parameter to 0 (off).
+
+For more information on handling parameters, see [Parameter groups for Amazon Aurora](./USER_WorkingWithParamGroups.html).
+
+Updating the `rds.force_ssl` parameter also sets the PostgreSQL `ssl` parameter to 1 (on) and modifies your DB cluster's `pg_hba.conf` file to support the new SSL/TLS configuration.