Risk Level: MEDIUM
Description:
This plugin enables Transport Encryption for RDS SQL Server instances. To handle encryption and decryption, the RDS instance's parameter group should have transport encryption enabled.
Recommended Action: Update the parameter group associated with the RDS instance to have rds.force_ssl set to true.
About the Service :
Amazon RDS (Amazon Relational Database Service) makes it simple to set up, run, and scale a relational database in the cloud. It offers scalable capacity at a low cost while automating time-consuming administrative activities including hardware provisioning, database setup, patching, and backups.
Impact:
All connections to Amazon RDS SQL Server and PostgreSQL instances that process, store, or transmit PHI (Protected Health Information) must employ the RDS Transport Encryption feature, which essentially turns on the force SSL setting.
Steps to reproduce :
- Sign in to your AWS management console.
- Navigate to the RDS dashboard at: https://console.aws.amazon.com/rds/
- On the left navigation panel, under RDS Dashboard, select Databases.
- Select the RDS instance that you want to examine.
- Under the Configuration panel, in the Instance panel, check the value of Parameter Group, and copy its value.
- In the Amazon RDS navigation panel, click on Parameter Groups.
- Search for the copied value in step 5, and open it.
- On the page of the selected parameter that opens, search for the rds.force_ssl parameter.
- If the current value of this parameter is set to 0, the Transport Encryption feature is not enabled for the selected AWS RDS database instance.
- Repeat steps no. 4 – 10 for each RDS instance provisioned in the current region as well as in other AWS regions.
Steps for remediation :
- Sign in to your AWS management console.
- Navigate to the RDS dashboard at: https://console.aws.amazon.com/rds/
- On the left navigation panel, under RDS Dashboard, select Databases.
- Copy the value of Parameter Group of required database instance as done in the Audit section.
- In the Amazon RDS navigation panel, click on Parameter Groups and search for the copied parameter group value.
- On the Parameter listing page, enter rds.force_ssl parameter name in the Filter parameters search box and press Enter.
- Select the returned parameter then click the Edit parameters button.
- Change the value of the parameter from 0 to 1 and click on Save Changes.
- Once this value is changed and set to 1, go back to database instances and open the same instance.
- On the instance page that opens, click on Actions, and select Reboot.
- Provide rebooting confirmation.
- Repeat steps no. 4 – 11 for each SQL Server and PostgreSQL database instance that doesn't have Transport Encryption feature enabled, available in the current region as well as in other AWS regions.
References: