Encrypting Traffic for AWS RDS Instances: Best Practices | Exam Prep

Encrypting Traffic for AWS RDS Instances

Question

Your company is planning to host a set of databases using the AWS RDS service.

The IT security department has mandated that all traffic is encrypted in transit.

How can you achieve this with a database instance created with the AWS RDS service? Choose 2 answers from the options given below.

Answers

Explanations


Correct Answers: A and B.

This is given in the AWS Documentation.

An example for Microsoft SQL Server is given below.

Option C is incorrect since you don't have access to the underlying server.

Option D is incorrect since the KMS service can't be used to encrypt the traffic.

For more information on this example, please refer to the URL below:

https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/SQLServer.Concepts.General.SSL.Using.html
Using SSL with a Microsoft SQL Server DB Instance

You can use Secure Sockets Layer (SSL) to encrypt connections between your client applications and your Amazon RDS DB instances running Microsoft SQL Server. SSL support is available in all AWS regions for all supported SQL Server editions.

When you create a SQL Server DB instance, Amazon RDS creates an SSL certificate for it. The SSL certificate includes the DB instance endpoint as the Common Name (CN) for the SSL certificate to guard against spoofing attacks.

There are two ways to use SSL to connect to your SQL Server DB instance:

* Force SSL for all connections — this happens transparently to the client, and the client doesn't have to do any work to use SSL.

* Encrypt specific connections — this sets up an SSL connection from a specific client computer, and you must do work on the client to encrypt connections.

Forcing Connections to Your DB Instance to Use SSL

You can force all connections to your DB instance to use SSL. If you force connections to use SSL, it happens transparently to the client, and the client doesn't have to do any work to use SSL.

If you want to force SSL, use the rds.force_ssl parameter. By default, the rds.force_ssl parameter is set to false. Set the rds.force_ssl parameter to true to force connections to use SSL. The rds.force_ssl parameter is static, so after you change the value, you must reboot your DB instance for the change to take effect.
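The two conditions just stated (rds.force_ssl must be set, and because it is static the instance must have been rebooted since) are what an auditor has to verify together. The following is an added example, not from the exam page or from AWS, that checks both from dicts shaped like boto3's describe_db_instances and describe_db_parameters responses; the key names are the real API's, while the instance and parameter group names and values are constructed sample data.

```python
"""Added example (not from the exam page or AWS): audit whether RDS SQL Server
instances really force TLS, from dicts shaped like boto3's describe_db_instances
and describe_db_parameters responses. All sample data below is constructed."""

TRUE_VALUES = {"1", "true", "on"}

def force_ssl_enabled(parameters):
    """True if rds.force_ssl is on in a describe_db_parameters 'Parameters' list."""
    for p in parameters:
        if p.get("ParameterName") == "rds.force_ssl":
            return str(p.get("ParameterValue", "0")).lower() in TRUE_VALUES
    return False  # parameter absent: the engine default is off

def audit_instance(instance, parameters_by_group):
    """Return {'instance', 'compliant', 'findings'} for one DB instance dict.
    rds.force_ssl is static: a value of 1 protects traffic only once the group's
    ParameterApplyStatus is 'in-sync' after a reboot. Default groups are read-only."""
    findings = []
    groups = instance.get("DBParameterGroups", [])
    if not groups:
        findings.append("no parameter group attached")
    for group in groups:
        name = group["DBParameterGroupName"]
        status = group.get("ParameterApplyStatus", "unknown")
        if name.startswith("default."):
            findings.append(f"{name}: default group; attach a custom group with rds.force_ssl=1")
        elif not force_ssl_enabled(parameters_by_group.get(name, [])):
            findings.append(f"{name}: rds.force_ssl is not enabled")
        elif status != "in-sync":
            findings.append(f"{name}: rds.force_ssl set but status is {status}; reboot required")
    return {"instance": instance["DBInstanceIdentifier"],
            "compliant": not findings, "findings": findings}

# Constructed sample data: real API key names, invented instance and group names.
SAMPLE_INSTANCES = [
    {"DBInstanceIdentifier": "hr-sqlserver", "DBParameterGroups": [
        {"DBParameterGroupName": "hr-force-ssl", "ParameterApplyStatus": "pending-reboot"}]},
    {"DBInstanceIdentifier": "billing-sqlserver", "DBParameterGroups": [
        {"DBParameterGroupName": "default.sqlserver-se-15.0", "ParameterApplyStatus": "in-sync"}]},
    {"DBInstanceIdentifier": "crm-sqlserver", "DBParameterGroups": [
        {"DBParameterGroupName": "crm-force-ssl", "ParameterApplyStatus": "in-sync"}]},
]
SAMPLE_PARAMETERS = {
    "hr-force-ssl": [{"ParameterName": "rds.force_ssl", "ParameterValue": "1"}],
    "crm-force-ssl": [{"ParameterName": "rds.force_ssl", "ParameterValue": "1"}],
}

def audit_all(instances=SAMPLE_INSTANCES, parameters_by_group=SAMPLE_PARAMETERS):
    """Audit every instance; in production pass the real boto3 response data here."""
    return [audit_instance(i, parameters_by_group) for i in instances]
```

Only crm-sqlserver passes: hr-sqlserver has the parameter set but not yet applied, and billing-sqlserver sits on a default parameter group that cannot carry the setting.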

To achieve encryption of traffic in transit for a database instance created with the AWS RDS service, there are two possible solutions:

A. Use the SSL certificates provided by the AWS RDS service: One of the methods to enable encryption in transit for an RDS instance is to use the SSL certificates provided by the AWS RDS service. This method works by creating an SSL certificate in Amazon RDS and enabling SSL for the database instance. This can be done using the AWS Management Console, the AWS CLI, or the Amazon RDS API. With SSL enabled, the client establishes a secure connection to the RDS instance using that SSL certificate.

B. Use the KMS service to encrypt the traffic: Another method to encrypt traffic in transit is to use the Key Management Service (KMS) in AWS. This method works by encrypting the data at the application level before it is transmitted to the RDS instance. This can be done by using the AWS SDK or an encryption library that supports AWS KMS. By encrypting data at the application level, the data remains encrypted until it reaches the RDS instance, even if the network connection is compromised.

Options C and D are incorrect. C. Using the .pem key files that come with the underlying server is not a method for encrypting traffic in transit for an RDS instance. Such key files are used to authenticate and establish a secure connection between a client and a Linux-based server.

D. Using the Parameter Group for the RDS Instance is not a method for encrypting traffic in transit for an RDS instance. The Parameter Group is used to configure the RDS instance's database engine and related settings. It does not provide a way to encrypt traffic in transit.