Securing SQL Server Connections for Amazon RDS

Protecting Against Man-in-the-Middle Attacks on Amazon RDS SQL Server

Question

A user is connecting to a SQL Server on the Amazon RDS database.

How should the user configure the connection parameters so that the client connection is protected against man-in-the-middle attack?

Answers

Explanations


Answer: D.

Option A is incorrect because the -ssl_mode parameter is used for client connection to MySQL databases using the MySQL client.

Option B is incorrect because the -ssl_mode parameter is used for client connection to MySQL databases using the MySQL client.

Option C is incorrect because if the trustServerCertificate property is set to true, the client will skip validation of the server TLS certificate.

Option D is CORRECT because setting the trustServerCertificate property to false ensures that the client will validate the TLS certificate and confirm that the server is the correct server to connect to.

Option E is incorrect because these parameters are used when connecting to an Oracle database.

Reference:

https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/ssl-certificate-rotation-sqlserver.html

https://docs.microsoft.com/en-us/sql/connect/jdbc/connecting-with-ssl-encryption?view=sql-server-ver15

The correct answer for this question is B. --ssl-ca=/home/myuser/rds-combined-ca-bundle.pem --ssl-mode=verify-full.

Explanation:

When connecting to a SQL Server on Amazon RDS database, a user must configure the connection parameters to ensure that the client connection is protected against man-in-the-middle attacks. A man-in-the-middle attack is a type of cyber attack where the attacker intercepts communication between two parties and modifies or steals the data being transmitted.

To protect against man-in-the-middle attacks, the user should configure the SSL (Secure Sockets Layer) encryption for the client connection. SSL is a protocol that provides secure communication over the internet. It uses encryption to protect data transmitted between the client and server from eavesdropping, tampering, and forgery.

Amazon RDS provides SSL support for client connections. To configure the SSL encryption, the user must provide the following connection parameters:

--ssl-ca: The path to the SSL CA (Certificate Authority) certificate bundle file. This file contains the public keys of the trusted Certificate Authorities that can sign the SSL certificates used by the server.

--ssl-mode: The SSL mode to use for the connection. This parameter specifies how the SSL encryption should be enforced. There are three SSL modes:

  • require: The connection must use SSL encryption. If the server does not support SSL encryption, the connection will fail.
  • verify-ca: The connection must use SSL encryption, and the server's SSL certificate must be verified against the CA certificate bundle. If the server's SSL certificate is not signed by a trusted CA, the connection will fail.
  • verify-full: The connection must use SSL encryption, and the server's SSL certificate must be verified against the CA certificate bundle. In addition, the hostname in the server's SSL certificate must match the hostname in the connection string. If the server's SSL certificate is not signed by a trusted CA or the hostname does not match, the connection will fail.

Option A uses the --ssl-mode=require parameter which means that the connection must use SSL encryption, but it does not verify the server's SSL certificate against the CA certificate bundle. Therefore, it is vulnerable to man-in-the-middle attacks.

Option C uses the encrypt=true;trustServerCertificate=true parameter which does not provide SSL encryption. Instead, it uses the self-signed certificate installed on the server and trusts it without verifying it against the CA certificate bundle. This option is vulnerable to man-in-the-middle attacks.

Option D uses the encrypt=true;trustServerCertificate=false parameter which does not provide SSL encryption and does not trust the server's self-signed certificate. Therefore, it is not a valid option for protecting against man-in-the-middle attacks.

Option E is not a valid option for configuring SSL encryption for client connections to a SQL Server on Amazon RDS database.

In conclusion, the correct answer for this question is B. --ssl-ca=/home/myuser/rds-combined-ca-bundle.pem --ssl-mode=verify-full. This option provides SSL encryption and verifies the server's SSL certificate against the CA certificate bundle and the hostname in the connection string. It is the most secure option for protecting against man-in-the-middle attacks.
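The two answers above argue over two different families of client parameters: the JDBC-style SQL Server properties (encrypt / trustServerCertificate, from the Microsoft reference link) and the command-line --ssl-mode / --ssl-ca options of the MySQL client. What actually decides whether an interposed server is detected is the same in both families: whether the client validates the server certificate against a trusted CA and checks the hostname. The following linter, an added example that is not part of either answer or of any AWS or Microsoft tooling, classifies a connection configuration from either family by that criterion. The Verdict names, the alias table and the sample inputs are constructed here; the --ssl-mode vocabulary accepts both the libpq-style names used above (require, verify-ca, verify-full) and the mysql client's own spellings (REQUIRED, VERIFY_CA, VERIFY_IDENTITY).

```python
"""Lint database client connection parameters for man-in-the-middle resistance.

Added example (not from the page or any vendor): classifies JDBC-style SQL Server
properties and mysql/psql-style --ssl-mode/--ssl-ca options by whether the client
will validate the server's TLS certificate. Verdict names and samples are constructed.
"""
from enum import Enum


class Verdict(Enum):
    NO_TLS = "plaintext: no TLS requested"
    TLS_UNVERIFIED = "TLS, but the server certificate is not validated (MITM possible)"
    TLS_CA_ONLY = "TLS with CA validation but no hostname check"
    TLS_NO_CA = "certificate validation requested but no CA bundle supplied"
    TLS_VERIFIED = "TLS with CA and hostname validation"


def parse_props(conn: str) -> dict:
    """Parse 'key=value;key=value' connection properties; keys are case-insensitive."""
    props = {}
    for part in conn.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            props[key.strip().lower()] = value.strip()
    return props


def lint_sqlserver(conn: str) -> Verdict:
    """Classify a SQL Server (JDBC-style) property string.

    Assumption: a missing 'encrypt' is read as no TLS requested (the conservative
    reading; newer driver versions default it to true). The accepted truthy
    spellings are this linter's own lenient vocabulary.
    """
    props = parse_props(conn)
    encrypt = props.get("encrypt", "false").lower() in ("true", "yes", "strict")
    trust_blindly = props.get("trustservercertificate", "false").lower() in ("true", "yes")
    if not encrypt:
        return Verdict.NO_TLS
    if trust_blindly:
        # Any certificate is accepted, so an interposed server is not detected.
        return Verdict.TLS_UNVERIFIED
    # encrypt=true;trustServerCertificate=false: chain and hostname are checked.
    return Verdict.TLS_VERIFIED


def parse_cli_options(argv: list) -> dict:
    """Collect --name=value (or bare --name) options from a client command line."""
    opts = {}
    for arg in argv:
        if arg.startswith("--"):
            name, _, value = arg[2:].partition("=")
            opts[name.lower()] = value
    return opts


# Normalise the spellings used by different clients to one vocabulary:
# libpq-style (disable/require/verify-ca/verify-full) and the mysql client's
# (DISABLED/REQUIRED/VERIFY_CA/VERIFY_IDENTITY). Constructed for this example.
_MODE_ALIASES = {
    "disable": "disable", "disabled": "disable",
    "allow": "prefer", "prefer": "prefer", "preferred": "prefer",
    "require": "require", "required": "require",
    "verify-ca": "verify-ca",
    "verify-full": "verify-full", "verify-identity": "verify-full",
}


def lint_cli(argv: list) -> Verdict:
    """Classify a mysql/psql-style command line by its --ssl-mode and --ssl-ca options."""
    opts = parse_cli_options(argv)
    raw = opts.get("ssl-mode", "prefer").lower().replace("_", "-")
    mode = _MODE_ALIASES.get(raw, "prefer")
    has_ca = bool(opts.get("ssl-ca"))
    if mode == "disable":
        return Verdict.NO_TLS
    if mode in ("prefer", "require"):
        # Encryption only: any certificate, including an attacker's, is accepted.
        return Verdict.TLS_UNVERIFIED
    if not has_ca:
        # Verification was asked for but no bundle given; whether the client then
        # uses a system store or refuses to connect is driver-specific.
        return Verdict.TLS_NO_CA
    return Verdict.TLS_CA_ONLY if mode == "verify-ca" else Verdict.TLS_VERIFIED


def is_mitm_resistant(verdict: Verdict) -> bool:
    """Only full validation (trusted CA plus hostname match) defeats an interposed server."""
    return verdict is Verdict.TLS_VERIFIED


if __name__ == "__main__":
    # Constructed sample inputs mirroring the option styles discussed above.
    for conn in ("encrypt=true;trustServerCertificate=true",
                 "encrypt=true;trustServerCertificate=false"):
        v = lint_sqlserver(conn)
        print(f"{conn:55s} -> {v.value} [{'OK' if is_mitm_resistant(v) else 'RISK'}]")
    for argv in (["mysql", "--ssl-mode=require"],
                 ["mysql", "--ssl-ca=/home/myuser/rds-combined-ca-bundle.pem",
                  "--ssl-mode=verify-full"]):
        v = lint_cli(argv)
        print(f"{' '.join(argv[1:]):55s} -> {v.value} [{'OK' if is_mitm_resistant(v) else 'RISK'}]")
```

Run as a script it prints one verdict per sample; as a library, feed it the connection strings or launch arguments pulled from application configuration and fail a deployment check on anything other than TLS_VERIFIED. Note that verify-ca (VERIFY_CA) is deliberately not treated as resistant: without the hostname check, any certificate issued by the trusted CA for a different host would be accepted.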