Ensure RDS SSL/TLS Certificates Are Not Expired

Overview

This check verifies that SSL/TLS certificates on your Amazon RDS database instances are valid and not approaching expiration. Certificates are used to encrypt connections between your applications and databases.

Risk

Expired or expiring SSL/TLS certificates can cause:

  • Application outages: TLS failures block database connections, making your application unavailable
  • Security vulnerabilities: Expired certificates can enable man-in-the-middle attacks, compromising data confidentiality and integrity
  • Emergency maintenance: Rushed certificate changes during outages increase the risk of errors

Severity: High

Remediation Steps

Prerequisites

You need permission to modify RDS instances in your AWS account. Specifically, you need the rds:ModifyDBInstance permission.

Required IAM permissions

Your IAM user or role needs these permissions:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "rds:DescribeDBInstances",
        "rds:DescribeCertificates",
        "rds:ModifyDBInstance"
      ],
      "Resource": "*"
    }
  ]
}

AWS Console Method

  1. Sign in to the AWS Management Console
  2. Navigate to RDS (search for "RDS" in the search bar)
  3. In the left sidebar, click Databases
  4. Select the affected database instance by clicking its name
  5. Click the Modify button in the top right
  6. Scroll down to the Connectivity section
  7. Find Certificate authority and select rds-ca-rsa2048-g1 from the dropdown
  8. Scroll to the bottom and click Continue
  9. Under Schedule modifications, select Apply immediately if you want the change now (note: this may cause a brief interruption)
  10. Click Modify DB instance

Important: Some database engines require a restart for the certificate change to take effect. The console will indicate if a restart is needed.

AWS CLI (optional)

Update the Certificate Authority

Run this command to update the CA certificate on your RDS instance:

aws rds modify-db-instance \
--region us-east-1 \
--db-instance-identifier <your-db-instance-id> \
--ca-certificate-identifier rds-ca-rsa2048-g1 \
--apply-immediately

Replace <your-db-instance-id> with your actual database instance identifier.

Check Available Certificates

To see all available CA certificates in your region:

aws rds describe-certificates \
--region us-east-1 \
--query "Certificates[*].[CertificateIdentifier,ValidTill]" \
--output table

Check Current Certificate on an Instance

To see which certificate your instance is currently using:

aws rds describe-db-instances \
--region us-east-1 \
--db-instance-identifier <your-db-instance-id> \
--query "DBInstances[0].[DBInstanceIdentifier,CACertificateIdentifier]" \
--output table

Force a Restart (if required)

If your database engine requires a restart for the certificate change, use:

aws rds modify-db-instance \
--region us-east-1 \
--db-instance-identifier <your-db-instance-id> \
--ca-certificate-identifier rds-ca-rsa2048-g1 \
--certificate-rotation-restart \
--apply-immediately

CloudFormation (optional)

To set the CA certificate in a CloudFormation template, use the CACertificateIdentifier property:

AWSTemplateFormatVersion: '2010-09-09'
Description: RDS instance with updated CA certificate

Parameters:
  DBInstanceIdentifier:
    Type: String
    Description: The identifier of the RDS DB instance
  DBInstanceClass:
    Type: String
    Default: db.t3.micro
    Description: The compute and memory capacity of the DB instance
  Engine:
    Type: String
    Default: mysql
    Description: The database engine
  MasterUsername:
    Type: String
    Description: The master username for the database

Resources:
  RDSInstance:
    Type: AWS::RDS::DBInstance
    Properties:
      DBInstanceIdentifier: !Ref DBInstanceIdentifier
      DBInstanceClass: !Ref DBInstanceClass
      Engine: !Ref Engine
      MasterUsername: !Ref MasterUsername
      ManageMasterUserPassword: true
      CACertificateIdentifier: rds-ca-rsa2048-g1
      AllocatedStorage: '20'

Note: For existing instances, updating the CACertificateIdentifier in the stack will trigger a modification. Test in a non-production environment first.

Terraform (optional)

To set the CA certificate in Terraform, use the ca_cert_identifier argument:

resource "aws_db_instance" "example" {
  identifier                  = "my-rds-instance"
  allocated_storage           = 20
  engine                      = "mysql"
  engine_version              = "8.0"
  instance_class              = "db.t3.micro"
  username                    = "admin"
  manage_master_user_password = true
  ca_cert_identifier          = "rds-ca-rsa2048-g1"
  skip_final_snapshot         = true
}

For existing instances, add or update the ca_cert_identifier attribute and run:

terraform plan   # Review the changes
terraform apply # Apply the changes

Verification

After updating the certificate, verify the change was applied:

  1. In the AWS Console, go to RDS > Databases
  2. Select your database instance
  3. Under the Configuration tab, look for Certificate authority
  4. Confirm it shows rds-ca-rsa2048-g1 (or your chosen certificate)

CLI verification commands

# Check the current certificate on your instance
aws rds describe-db-instances \
--region us-east-1 \
--db-instance-identifier <your-db-instance-id> \
--query "DBInstances[0].CACertificateIdentifier" \
--output text

Expected output: rds-ca-rsa2048-g1

# Check the certificate expiration date
aws rds describe-certificates \
--region us-east-1 \
--certificate-identifier rds-ca-rsa2048-g1 \
--query "Certificates[0].ValidTill" \
--output text
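The same comparison the two verification commands above perform, written as an added Python example (not code from this check or from AWS): it takes the `describe-db-instances` and `describe-certificates` responses, resolves each instance's certificate expiry, and flags instances that are expired, within a warning window, or using a CA identifier not in the certificate list. The 30-day window, the sample instances and the expiry dates are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Assumed warning window: flag certificates that expire within this many days.
WARN_DAYS = 30


def parse_valid_till(value: str) -> datetime:
    """ValidTill is ISO 8601 in the API response (e.g. 2061-05-01T00:00:00Z)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def evaluate_instances(instances, certificates, now, warn_days=WARN_DAYS):
    """Return {instance_id: (status, days_left)} for every instance.

    instances:    items from describe-db-instances (DBInstanceIdentifier,
                  CACertificateIdentifier, optionally CertificateDetails.ValidTill)
    certificates: items from describe-certificates (CertificateIdentifier, ValidTill)
    """
    ca_expiry = {c["CertificateIdentifier"]: parse_valid_till(c["ValidTill"])
                 for c in certificates}
    findings = {}
    for inst in instances:
        ca = inst.get("CACertificateIdentifier")
        # Prefer the instance's own server-certificate expiry when the API returns it;
        # otherwise fall back to the CA's ValidTill, as the CLI commands above do.
        details = inst.get("CertificateDetails") or {}
        if "ValidTill" in details:
            expiry = parse_valid_till(details["ValidTill"])
        elif ca in ca_expiry:
            expiry = ca_expiry[ca]
        else:
            findings[inst["DBInstanceIdentifier"]] = ("UNKNOWN_CA", None)
            continue
        days_left = (expiry - now).days
        status = "EXPIRED" if days_left < 0 else "EXPIRING" if days_left <= warn_days else "OK"
        findings[inst["DBInstanceIdentifier"]] = (status, days_left)
    return findings


# Constructed sample data standing in for the two API responses (dates are illustrative).
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)
SAMPLE_CERTS = [
    {"CertificateIdentifier": "rds-ca-rsa2048-g1", "ValidTill": "2061-05-01T00:00:00Z"},
    {"CertificateIdentifier": "rds-ca-2019", "ValidTill": "2024-08-22T00:00:00Z"},
]
SAMPLE_INSTANCES = [
    {"DBInstanceIdentifier": "orders-db", "CACertificateIdentifier": "rds-ca-rsa2048-g1"},
    {"DBInstanceIdentifier": "legacy-db", "CACertificateIdentifier": "rds-ca-2019"},
    {"DBInstanceIdentifier": "reports-db", "CACertificateIdentifier": "rds-ca-rsa2048-g1",
     "CertificateDetails": {"ValidTill": (NOW + timedelta(days=10)).isoformat()}},
]

if __name__ == "__main__":
    for db, (status, days) in evaluate_instances(SAMPLE_INSTANCES, SAMPLE_CERTS, NOW).items():
        print(f"{db}: {status} ({days} days left)")
```

To run it against a real account, feed it the `DBInstances` and `Certificates` arrays from the CLI commands above instead of the sample lists.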

Additional Resources

Notes

  • Application updates may be required: After rotating the RDS certificate, you may need to update the CA certificate bundle in your application's trust store. Download the latest RDS CA bundle from Amazon's certificate page.

  • Plan for brief interruption: Some database engines require a restart when the certificate is changed. Schedule this during a maintenance window if possible.

  • Test first: Before updating production databases, test the certificate rotation in a development or staging environment to ensure your applications handle the change correctly.

  • Certificate lifecycle: The rds-ca-rsa2048-g1 certificate is valid until 2061. However, AWS periodically introduces new CA certificates. Monitor AWS announcements and plan certificate rotations proactively.

  • Multi-AZ deployments: For Multi-AZ instances, the certificate change is applied to both the primary and standby instances. A failover may occur during the update.