Secure Your Database Connection with SSL Encryption for Amazon RDS Custom for SQL Server


Amazon Relational Database Service (RDS) Custom for SQL Server provides a managed database option for applications that require operating system access and database customizations not available in standard Amazon RDS for SQL Server. One critical aspect of securing your application is ensuring that your connection to RDS Custom is encrypted. By using Secure Sockets Layer (SSL) and Transport Layer Security (TLS) certificates, network encryption protects data in transit, securing the communication channel between your client applications and the RDS Custom instance.

In this article, we will guide you through configuring SSL/TLS encryption for RDS Custom for SQL Server, utilizing a self-managed certificate. We will also explain how to optionally enable Kerberos authentication alongside SSL/TLS encryption. The example will feature a certificate issued by an internal Certificate Authority (CA).

Solution Overview

For this implementation, we will employ State Manager, a feature of AWS Systems Manager, to facilitate the automation of SSL encryption on an RDS Custom instance. The automation process includes the following steps:

  1. Create an RDS Custom instance with a designated tag (RDSCertSSL: do-not-delete-rds-custom-).
  2. As part of the creation process, the RDS Custom instance registers with Systems Manager.
  3. State Manager is set up to execute a Systems Manager command document (aws:runPowerShellScript) on instances matching the specified tag.
  4. During command execution, the necessary secrets for certificate import and the SSL certificate itself are retrieved from AWS Secrets Manager and Amazon S3, respectively.
  5. The RDS Custom instance is configured to utilize SSL encryption.
  6. Optionally, the RDS Custom instance can be added to the domain and restarted to enable Kerberos authentication.

The following sections will detail the steps necessary to set up this automation. We will also present optional steps for performing a domain join and modifying the SQL Server service account to support Kerberos authentication through automation. As of this writing, please note that creating an RDS instance with tags is not currently possible via the AWS Management Console; therefore, we will utilize the AWS Command Line Interface (AWS CLI) for this setup.

Prerequisites

Before we proceed, ensure you have the following prerequisites:

  • An AWS account.
  • An S3 bucket designated for storing your certificate and logging output from Systems Manager commands.
  • All requirements met for creating an RDS Custom instance.
  • The AWS CLI installed and configured.
  • An Amazon Elastic Compute Cloud (Amazon EC2) Windows instance with SQL Server Management Studio (SSMS) installed.
  • An SSL certificate that fulfills SQL Server encryption requirements and is stored in the S3 bucket. Since we can obtain the RDS endpoint prior to creating the RDS Custom instance, we create a certificate with the RDS endpoint included in the subject property. For instance, an RDS endpoint URL looks like this:

To determine the constant portion of your RDS endpoint URL, refer to Finding the DB instance endpoint and port number.

  • DNS resolution configured if you intend to perform a domain join. This can be accomplished through various methods, such as utilizing an Amazon Route 53 outbound endpoint to forward DNS requests to your DNS server. For further details, visit Forwarding outbound DNS queries to your network.

This solution will incur costs on your account due to the creation and use of new AWS resources; please consult AWS Pricing for additional information. We recommend testing this setup in a non-production environment before deploying it in a production setting.

Create a Certificate Password Secret

Storing the certificate password in Secrets Manager prevents unauthorized access and facilitates automation using a Systems Manager command document. In this instance, we utilize a certificate issued by an Enterprise Certificate Authority (CA) that contains the certificate, private key, and intermediate certificate in Personal Information Exchange (PFX) format, secured with a password. The same password is necessary for importing the certificate into RDS Custom.

To create the certificate password secret, follow these steps:

  1. Create a file named CertPass.json with the following content:

{
   "password": "<CERTPASSWORD>"
}

  2. To create the secret, execute the following AWS CLI command:

aws secretsmanager create-secret --name RDSSSLCert --description "Password to perform SSL certificate import into RDS Custom" --secret-string file://CertPass.json --region <AWS region>

The command will return details about the secret.

Next, ensure that the AWS Identity and Access Management (IAM) role associated with RDS Custom has permission to access the secret you created. Additionally, the RDS Custom instance must be authorized to download the SSL certificate from the S3 bucket and log output to the S3 bucket created earlier.

Create a file called policy.json with the following content. The three S3 actions are object-level actions, so the resource in the GetSSLCert statement must match the objects inside the bucket (the bucket ARN with a /* suffix), not the bucket ARN alone; with the bare bucket ARN, the download of the certificate and the log upload would be denied:

{
   "Version": "2012-10-17",
   "Statement": [
      {
         "Sid": "SSLSecret",
         "Effect": "Allow",
         "Action": "secretsmanager:GetSecretValue",
         "Resource": "<SecretARN>"
      },
      {
         "Sid": "GetSSLCert",
         "Effect": "Allow",
         "Action": [
            "s3:PutObject",
            "s3:GetObject",
            "s3:PutObjectAcl"
         ],
         "Resource": "<S3BucketARN>/*"
      }
   ]
}

To add this policy to the RDS Custom IAM role, run the following AWS CLI command:

aws iam put-role-policy --role-name <AWSRDSCustomSQLServerInstanceRole> --policy-name RDSSSLCert --policy-document file://policy.json

This command does not produce an output.

Create a Systems Manager Command Document

A Systems Manager document (SSM document) is a collection of commands for Systems Manager to execute on your managed instances. In this case, we will define the commands to be executed on your RDS Custom instance during its creation. Below is a YAML file containing a set of PowerShell commands that automate several steps:

  • Create a folder on drive C: and download the certificate file from Amazon S3.
  • Retrieve the password needed for certificate import from Secrets Manager.
  • Import the certificate into the local machine certificate store.
  • Grant read permissions on the certificate’s private key to the network service account.
  • Move the intermediate certificate to the local machine Trusted Root Certification Authorities certificate store.
  • Enable SSL encryption on SQL Server.
  • Restart the SQL Server service.

Create a file named RDSSSLConfig.yaml with the following content, replacing the placeholders with your account information, including the S3 bucket name and the certificate file name. To have the document also move the intermediate certificate to the Trusted Root Certification Authorities store, uncomment that section of the PowerShell script. Moving the intermediate certificate to the local trusted root store matters in particular when the certificate was issued by a CA that is not already trusted, because it removes the need to specify the Trust Server Certificate option when connecting over SSL.

schemaVersion: "2.2"
description: "Command Document to configure SSL encryption on RDS Custom for SQL Server."
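
The following PowerShell script is an added example of the command body that an aws:runPowerShellScript step in the document above would carry; it is not the page's own RDSSSLConfig.yaml and not AWS code. It walks through the seven steps listed above. The bucket name, object key, region and default instance name MSSQLSERVER are placeholders or assumptions; the secret name RDSSSLCert and the "password" JSON field are the ones created earlier on this page. It uses the AWS Tools for PowerShell cmdlets (Read-S3Object, Get-SECSecretValue) that are available on RDS Custom instances, running under the instance's IAM role, so no credentials appear in the script.

```powershell
# Added example: PowerShell body for the aws:runPowerShellScript step.
# Placeholders in angle brackets are assumptions, not values from the page.
$ErrorActionPreference = 'Stop'

$BucketName   = '<S3BucketName>'           # placeholder: bucket holding the PFX
$CertKey      = '<certificate-file>.pfx'   # placeholder: object key of the PFX
$SecretName   = 'RDSSSLCert'               # secret created earlier on this page
$InstanceName = 'MSSQLSERVER'              # assumption: default SQL Server instance
$Region       = '<AWS region>'             # placeholder
$CertFolder   = 'C:\RDSSSLCert'

# 1. Create a folder on C: and download the certificate file from S3.
New-Item -ItemType Directory -Path $CertFolder -Force | Out-Null
$PfxPath = Join-Path $CertFolder (Split-Path $CertKey -Leaf)
Read-S3Object -BucketName $BucketName -Key $CertKey -File $PfxPath -Region $Region | Out-Null

# 2. Retrieve the PFX password from Secrets Manager (JSON with a "password" field).
$SecretJson  = (Get-SECSecretValue -SecretId $SecretName -Region $Region).SecretString
$PfxPassword = ConvertTo-SecureString -String ($SecretJson | ConvertFrom-Json).password -AsPlainText -Force

# 3. Import the leaf certificate and private key into the local machine Personal store.
$Cert = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation 'Cert:\LocalMachine\My' -Password $PfxPassword
Remove-Item -Path $PfxPath -Force   # the PFX on disk is not needed once the key is in the store

# 4. Grant NETWORK SERVICE (the SQL Server service account) read access to the private key file.
#    CSP (CAPI) keys live under RSA\MachineKeys; CNG keys live under Crypto\Keys.
if ($Cert.PrivateKey -and $Cert.PrivateKey.CspKeyContainerInfo) {
    $KeyName = $Cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
    $KeyPath = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$KeyName"
} else {
    $Rsa     = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    $KeyName = $Rsa.Key.UniqueName
    $KeyPath = Join-Path $env:ProgramData "Microsoft\Crypto\Keys\$KeyName"
}
$Acl  = Get-Acl -Path $KeyPath
$Rule = New-Object System.Security.AccessControl.FileSystemAccessRule('NT AUTHORITY\NETWORK SERVICE', 'Read', 'Allow')
$Acl.AddAccessRule($Rule)
Set-Acl -Path $KeyPath -AclObject $Acl

# 5. Move the intermediate (issuer) certificate that the PFX import placed in the
#    Intermediate Certification Authorities store into Trusted Root Certification Authorities.
$Intermediate = Get-ChildItem -Path 'Cert:\LocalMachine\CA' | Where-Object { $_.Subject -eq $Cert.Issuer }
foreach ($Ca in $Intermediate) {
    Move-Item -Path $Ca.PSPath -Destination 'Cert:\LocalMachine\Root'
}

# 6. Enable SSL encryption: point the instance at the certificate thumbprint and
#    require encryption on every connection (ForceEncryption = 1).
$InstanceId = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL').$InstanceName
$NetLibKey  = "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$InstanceId\MSSQLServer\SuperSocketNetLib"
Set-ItemProperty -Path $NetLibKey -Name 'Certificate'     -Value $Cert.Thumbprint.ToLower() -Type String
Set-ItemProperty -Path $NetLibKey -Name 'ForceEncryption' -Value 1 -Type DWord

# 7. Restart the SQL Server service so it loads the certificate.
$ServiceName = if ($InstanceName -eq 'MSSQLSERVER') { 'MSSQLSERVER' } else { "MSSQL`$$InstanceName" }
Restart-Service -Name $ServiceName -Force

# Emit the resulting configuration so it lands in the Systems Manager command output in S3.
Get-ItemProperty -Path $NetLibKey | Select-Object Certificate, ForceEncryption
```

Two points worth checking after a run: the Certificate value in the SuperSocketNetLib key must be the lowercase thumbprint of a certificate whose subject (or a subject alternative name) matches the endpoint clients connect to, and the private key ACL must include the account the SQL Server service actually runs as; if RDS Custom runs the service under a different account than NETWORK SERVICE, change the identity in step 4 accordingly. Because ForceEncryption is set to 1, any client that cannot negotiate TLS is refused, which is the behaviour you want once the certificate is trusted on the client side.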
