RDS (MySQL) over SSL
The AWS-service RDS (Relational Database Service) offers fully managed relational databases as a service. The database-types can be MySQL, PostgreSQL, MariaDB, Oracle, Mircosoft SQL-Server or Amazon Aurora. In case you never heard of Amazon Aurora, it’s a database with MySQL under the hood with lots of improvements concerning performance, scalability and failover-concepts.
Unfortunately, Amazon Aurora isn’t available in my home region (eu-central-1 / Frankfurt, Germany), yet. Therefore, we’re using MySQL over a SSL-encrypted connection.
Check if SSL is SSL enable on the server
In case you want to check if your MySQL-server supports SSL-encrypted connections, connect to the database and issue the command show variables like ‘%ssl’;.
Your output should tell you now have_openssl=YES and have_ssl=YES.
Before we can connect to our MySQL-instance via SSL, a SSL-pem bundle is needed. The bundle needs to contain the region’s specific intermediate, as well as the root-ca’s certificate. To help you with getting the needed certificate-bundle, I wrote a small Bash-script. It takes only one parameter, which is the region.
Note: in this example, we will create a certificate-bundle for the region eu-central-1. Therefore, the output-filename will be rds-ca-2015-eu-central-1-bundle.pem.
Connect via SSL
You can test your connection to the MySQL-database without SSL the following way. You should already have access to the database. In case you can’t establish a connection, please check your configuration upfront.
Note: the username for this example here is db_root and the database-name is db_name. You need to adjust that to your own RDS-setup upfront.
If everything is working as expected, you get the following output in your mysql-client.
As we want to connect via a SSL-encrypted connection, use the following command for connecting.
If you’re getting the same output in your mysql-client as before, you are successfully connected to your MySQL-database. To also check if your connection is encrypted, have a look at your status-output.
In the SSL-variable from the output, you should now depending on your SSL-cipher see anything different to SSL: Not in use.
When designing new services, AWS always has a strict and sensible security-concept in mind, which is a good way of improving overall application-security. However, for RDS (MySQL), AWS decided for the default-configuration to only enable SSL-encrypted connections, but is not enforcing its usage.
In order to enforce SSL-encrypted connections, connect to your database in an ordinary manner and issue the follwing command. Afterwards connections to the database for the specified user need to be over an SSL-encrypted connection.
Note: the username for this example here is db_root. You need to adjust that username to your RDS-setup.
Keep your current connection to the database open and check it with a second session! If anything goes wrong, you then can still revert your changes.