Pracheer Pancholi

Reputation: 600

ssl connection to RDS from application deployed to EKS in the same region

I have an application which is deployed in EKS in us-east-1, and in the same region I have an Aurora MySQL RDS cluster. How can I establish SSL to the Aurora DB instance from the application deployed in EKS in the same region?

Upvotes: 3

Views: 1640

Answers (1)

Pracheer Pancholi

Reputation: 600

  1. Download the certificate bundle that contains both the intermediate and root certificates for an AWS Region from https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.SSL.html

  2. After downloading the certificate, it can be converted from .pem to .der using the openssl tool as follows:

    openssl x509 -outform der -in C:\Users\c62540a\us-east-1-bundle.pem -out auroradb_root.der

    OpenSSL is an open-source command line tool that is commonly used to generate private keys, create CSRs, install your SSL/TLS certificate, and identify certificate information.

    On Windows this tool ships with Git at the following path:
    C:\Program Files\Git\usr\bin

  3. After downloading the certificate bundle, we need to import it into either the cacerts or a custom trust store using the following keytool command:

    keytool -importcert -file C:\Users\c62540a\us-east-1-bundle.pem -keystore trust.jks -alias aws-auroradb-root -storepass storepass

    Then the certificate will be added to the trust store named trust.jks with the trust store password specified in the keytool command. The above command will create the trust store named trust.jks if it is not present and import the certificate bundle into it.

  4. You can require that all user connections to your Aurora MySQL DB cluster use SSL/TLS by using the require_secure_transport DB cluster parameter. By default, the require_secure_transport parameter is set to OFF. You can set the require_secure_transport parameter to ON to require SSL/TLS for connections to your DB cluster.

    You can set the require_secure_transport parameter value by updating the DB cluster parameter group for your DB cluster. You don't need to reboot your DB cluster for the change to take effect. The require_secure_transport parameter is only available for Aurora MySQL version 5.7. You can set this parameter in a custom DB cluster parameter group. The parameter isn't available in DB instance parameter groups.

  5. You can require SSL/TLS connections for specific user accounts. For example, you can use one of the following statements, depending on your MySQL version, to require SSL/TLS connections on the user account encrypted_user.

    For MySQL 5.7 and later:

    ALTER USER 'encrypted_user'@'%' REQUIRE SSL;

    For MySQL 5.6 and earlier:

    GRANT USAGE ON *.* TO 'encrypted_user'@'%' REQUIRE SSL;

  6. Just enable SSL in the SQL client and then it will be connected to the DB instance.

  7. The same trust store can be created as an environment variable and defined as a secret in EKS.

  8. We need to point to the trust store from our application, where it is configured:

    System.setProperty("javax.net.ssl.trustStore", certs);
    System.setProperty("javax.net.ssl.trustStorePassword", "password");

    And if you are using JDBC, then use the properties below for the JDBC connection and sslMode:

    import java.util.Properties;

    // DB_USER and DB_PASSWORD are the credentials supplied by the application
    Properties properties = new Properties();
    properties.setProperty("sslMode", "VERIFY_IDENTITY");
    properties.put("user", DB_USER);
    properties.put("password", DB_PASSWORD);

Upvotes: 0
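Putting steps 3 and 8 together, here is an added example (not part of the original answer) of a Connector/J connection that uses the trust store created above on a per-connection basis and then checks that the session really negotiated TLS. It assumes MySQL Connector/J 8.x on the classpath, the trust store mounted into the pod at /etc/aurora/trust.jks (a hypothetical path), and the credentials and store password injected from a Kubernetes Secret as environment variables (hypothetical names).

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Properties;

// Added example, not from the original answer. Assumes MySQL Connector/J 8.x on the classpath,
// the trust store from step 3 mounted into the pod at /etc/aurora/trust.jks (hypothetical path),
// and DB_HOST/DB_NAME/DB_USER/DB_PASSWORD/TRUST_STORE_PASSWORD injected from a Kubernetes Secret.
public class AuroraTlsConnect {

    static Properties tlsProperties(String user, String password,
                                    String trustStorePath, String trustStorePassword) {
        Properties p = new Properties();
        p.put("user", user);
        p.put("password", password);
        // VERIFY_IDENTITY: encrypt, validate the server chain against the trust store,
        // and check that the certificate matches the cluster endpoint hostname.
        p.setProperty("sslMode", "VERIFY_IDENTITY");
        // Per-connection trust store, so the JVM-wide cacerts stay untouched and no
        // javax.net.ssl.* system properties are needed.
        p.setProperty("trustCertificateKeyStoreUrl", "file:" + trustStorePath);
        p.setProperty("trustCertificateKeyStoreType", "JKS");
        p.setProperty("trustCertificateKeyStorePassword", trustStorePassword);
        return p;
    }

    // Returns the negotiated cipher; an empty string means the session is NOT encrypted.
    static String negotiatedCipher(Connection c) throws SQLException {
        try (Statement s = c.createStatement();
             ResultSet rs = s.executeQuery("SHOW SESSION STATUS LIKE 'Ssl_cipher'")) {
            return rs.next() ? rs.getString("Value") : "";
        }
    }

    public static void main(String[] args) throws SQLException {
        String url = "jdbc:mysql://" + System.getenv("DB_HOST") + ":3306/" + System.getenv("DB_NAME");
        Properties p = tlsProperties(System.getenv("DB_USER"), System.getenv("DB_PASSWORD"),
                "/etc/aurora/trust.jks", System.getenv("TRUST_STORE_PASSWORD"));
        try (Connection c = DriverManager.getConnection(url, p)) {
            String cipher = negotiatedCipher(c);
            if (cipher.isEmpty()) {
                throw new IllegalStateException("connection to Aurora is not using TLS");
            }
            System.out.println("TLS session established, cipher: " + cipher);
        }
    }
}
```

Note that keytool -importcert stores only the first certificate it finds in a multi-certificate PEM file, so importing the regional bundle under a single alias silently drops the remaining certificates; AWS documents splitting the bundle into individual certificates and importing each one under its own alias.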
