Reputation: 61
I have a Postgres instance on AWS RDS, and I need to allow only connections via SSL and disable non-SSL ones.
According to the documentation I have done the following steps:
The problem is that I can still connect normally via any client like PG Admin without an SSL connection, successfully.
How to disable non-ssl connection?
Upvotes: 5
Views: 10231
Reputation: 3879
When I leave the default option in Pg admin for SSL mode it remains "allow". I can connect to the server without any certificates. This is a non-SSL connection. For SSL mode I should change SSL mode from "allow" to "require". Even if it's possible, someone else can still connect with the "allow" option without a certificate, whereas it should be disabled in that way.
From what I understand of your comment, your client uses the "allow" SSL mode, which means it will use SSL if the server requires it.
If you have completed the steps from the AWS doc on the server side, your client is actually connecting to your server using SSL. It is just not configured to verify the server's certificate, but your connection is encrypted. You are safe against network sniffing attacks.
You cannot force clients to verify the server's certificate; there is no way to do that on the server side. The same thing is true on the web with HTTPS: web servers cannot force web browsers to verify their certificates, but it just happens that all browsers are configured to do so by default (but they can add exceptions when a certificate verification error occurs...). This is made painless for the user because the browsers come with preconfigured trusted certificate authorities, which is not the case with pgAdmin (most db server certificates are self-issued; there are no commonly trusted certificate authorities for database servers).
But it doesn't mean your connection is not using SSL: it just means your clients could be vulnerable to a man in the middle attack (which is different from a sniffing attack: it relies on an attacker being able to reroute your traffic to himself, it's a lot more complicated to do than network sniffing). Protecting against MITM attacks can only be enforced on the client side, by activating the "verify-full" SSL mode and installing the server root certificate on the client machine.
Upvotes: 6
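The answer's two points in working form, as an added example that is not part of the original post: the server can only confirm that every session is encrypted (queried from `pg_stat_ssl`), while protection against a man-in-the-middle comes from the client's `sslmode=verify-full` plus the RDS root certificate. It assumes psycopg2 is installed and that the AWS steps have already set `rds.force_ssl = 1`; the sample rows are constructed, not captured from a real server.

```python
# Added example (not from the original post). Assumes psycopg2 is installed
# and that the AWS step mentioned above has already set rds.force_ssl = 1.

# pg_stat_ssl reports, per backend, whether the session is actually using
# SSL/TLS, whatever sslmode the client asked for. Only client backends are
# listed (backend_type and pg_stat_ssl need PostgreSQL 10 or newer).
SESSION_SQL = """
SELECT a.pid, a.usename, host(a.client_addr) AS client_addr,
       s.ssl, s.version, s.cipher
FROM pg_stat_activity a
LEFT JOIN pg_stat_ssl s USING (pid)
WHERE a.backend_type = 'client backend'
"""

def verify_full_dsn(host, dbname, user, root_cert):
    """libpq connection string that checks the server cert and hostname.

    verify-full is the only sslmode that defeats a man-in-the-middle;
    sslrootcert is the CA bundle the server certificate chains to.
    """
    return (f"host={host} dbname={dbname} user={user} "
            f"sslmode=verify-full sslrootcert={root_cert}")

def plaintext_sessions(rows):
    """Rows (pid, usename, client_addr, ssl, version, cipher) not on SSL.

    A NULL ssl column (no pg_stat_ssl row) counts as plaintext so that it
    is never silently ignored.
    """
    return [r for r in rows if not r[3]]

def fetch_sessions(dsn):
    """Run SESSION_SQL over a live connection and return the rows."""
    import psycopg2  # lazy import: the pure helpers above work offline
    with psycopg2.connect(dsn) as conn, conn.cursor() as cur:
        cur.execute(SESSION_SQL)
        return cur.fetchall()

# Constructed sample rows, not captured from a real server.
SAMPLE_ROWS = [
    (101, "app", "10.0.1.5", True, "TLSv1.2", "ECDHE-RSA-AES256-GCM-SHA384"),
    (102, "pgadmin", "192.0.2.10", False, None, None),
    (103, "report", "10.0.1.7", None, None, None),
]

if __name__ == "__main__":
    for pid, user, addr, *_ in plaintext_sessions(SAMPLE_ROWS):
        print(f"plaintext session: pid={pid} user={user} from {addr}")
```

With `rds.force_ssl` in effect, `plaintext_sessions(fetch_sessions(dsn))` should come back empty; any row it returns is a client the server accepted without TLS.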