AWS AmazonRDS high security documentation change
Summary
Updated SSL/TLS enforcement documentation to clarify version-specific defaults (enabled by default in Aurora PostgreSQL 17+) and added upgrade impact warning
Security assessment
The change explicitly documents that SSL/TLS enforcement is now default-enabled in newer versions, which directly impacts connection security. The warning about potential connectivity failures after major version upgrades indicates this could break non-SSL clients, making proper security configuration mandatory.
Diff
diff --git a/AmazonRDS/latest/AuroraUserGuide/AuroraPostgreSQL.Security.md b/AmazonRDS/latest/AuroraUserGuide/AuroraPostgreSQL.Security.md index 266d34b24..717770298 100644 --- a//AmazonRDS/latest/AuroraUserGuide/AuroraPostgreSQL.Security.md +++ b//AmazonRDS/latest/AuroraUserGuide/AuroraPostgreSQL.Security.md @@ -89 +89 @@ The following is an example of using psql to connect to an Aurora PostgreSQL DB -You can require that connections to your Aurora PostgreSQL DB cluster use SSL/TLS by using the `rds.force_ssl` parameter. By default, the `rds.force_ssl` parameter is set to 0 (off). You can set the `rds.force_ssl` parameter to 1 (on) to require SSL/TLS for connections to your DB cluster. Updating the `rds.force_ssl` parameter also sets the PostgreSQL `ssl` parameter to 1 (on) and modifies your DB cluster's `pg_hba.conf` file to support the new SSL/TLS configuration. +To require SSL/TLS connections to your Aurora PostgreSQL DB cluster, use `rds.force_ssl` parameter. @@ -91 +91,23 @@ You can require that connections to your Aurora PostgreSQL DB cluster use SSL/TL -You can set the `rds.force_ssl` parameter value by updating the DB cluster parameter group for your DB cluster. If the DB cluster parameter group isn't the default one, and the `ssl` parameter is already set to 1 when you set `rds.force_ssl` to 1, you don't need to reboot your DB cluster. Otherwise, you must reboot your DB cluster for the change to take effect. For more information on parameter groups, see [Parameter groups for Amazon Aurora](./USER_WorkingWithParamGroups.html). + * To require SSL/TLS connections, set the `rds.force_ssl` parameter value to 1 (on). + + * To turn off required SSL/TLS connections, set the `rds.force_ssl` parameter value to 0 (off). + + + + +The default value of this parameter depends on the Aurora PostgreSQL version: + + * For Aurora PostgreSQL versions 17 and later: The default value is 1 (on). + + * For Aurora PostgreSQL versions 16 and older: The default value is 0 (off). + + + + +###### Note + +When you perform a major version upgrade from Aurora PostgreSQL version 16 or earlier to version 17 or later, the default value of the parameter changes from 0 (off) to 1 (on). This change may cause connectivity failures for applications that are not configured for SSL. You can revert to the previous default behavior by setting this parameter to 0 (off). + +For more information on handling parameters, see [Parameter groups for Amazon Aurora](./USER_WorkingWithParamGroups.html). + +Updating the `rds.force_ssl` parameter also sets the PostgreSQL `ssl` parameter to 1 (on) and modifies your DB cluster's `pg_hba.conf` file to support the new SSL/TLS configuration.