Update Amazon RDS SSL/TLS Certificates - Elastic Beanstalk

我只是一个虾纸丫 submitted on 2020-01-03 08:57:08

Question


AWS recently announced the need to:

Update Your Amazon RDS SSL/TLS Certificates by October 31, 2019

I have a Rails application hosted with a classic Elastic Beanstalk load balancer, which connects to a Postgres DB using RDS.

The required steps according to Amazon are:

  1. Download the new SSL/TLS certificate from Using SSL/TLS to Encrypt a Connection to a DB Instance.
  2. Update your database applications to use the new SSL/TLS certificate.
  3. Modify the DB instance to change the CA from rds-ca-2015 to rds-ca-2019.

(https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL-certificate-rotation.html)

Since I have my load balancers set up like this (connecting to my EC2 instances via HTTP port 80, not SSL), does this mean I don't need to follow steps 1 and 2? And only follow step 3?

Or do I have to download the updated certificates and install/add them to my load balancer or EC2 instances manually? Not sure how to do that.


Answer 1:


Steps 1 & 2 are only required if your application's connection with MySQL is TLS encrypted.

Do not change the LB TLS setting; it can break your application. LB TLS is one thing, and RDS TLS is something else.

If your application just creates a plain connection, you are safe to perform step 3 directly.

Modify the DB instance to change the CA from rds-ca-2015 to rds-ca-2019.

Normal practice for a DB is that it should be in a private subnet and not be accessible from the public. TLS is helpful when the connection between your database and backend is over the internet, not within a VPC.

With an unencrypted connection between the MySQL client and the server, someone with access to the network could watch all your traffic and inspect the data being sent or received between client and server.
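The answer's test ("is the connection TLS encrypted?") can be made precise for a Rails/PostgreSQL app by looking at libpq's `sslmode`. Only `verify-ca` and `verify-full` make the client validate the server certificate against a CA bundle (`sslrootcert`), so only those connections need the new bundle from steps 1 and 2 before the instance CA is switched in step 3; `disable`, `allow`, `prefer` (libpq's default) and `require` never check the CA, so the rotation does not break them even when they happen to encrypt. The following Ruby script is an added example, not code from the question or the answer: it reads either a `DATABASE_URL` or `database.yml` entries, applies libpq's `PGSSLMODE`/`PGSSLROOTCERT` fallbacks, and reports which of the three AWS steps apply to each environment. Rails passes `sslmode` and `sslrootcert` from `database.yml` straight through to the pg gem. The sample `database.yml`, hostnames and bundle path below are constructed placeholders, not the asker's configuration.

```ruby
require "uri"
require "cgi"
require "yaml"

# libpq sslmode values, weakest to strongest. Only the last two make the
# client validate the server certificate against a CA bundle (sslrootcert),
# so only they can break when RDS switches its CA from rds-ca-2015 to
# rds-ca-2019. "prefer"/"require" may encrypt, but never check the CA.
SSLMODES = %w[disable allow prefer require verify-ca verify-full].freeze

# Extract the libpq parameters relevant to the rotation from either a
# DATABASE_URL string or a Rails database.yml entry (a Hash). Rails passes
# sslmode/sslrootcert from database.yml straight through to the pg gem,
# and libpq falls back to PGSSLMODE/PGSSLROOTCERT, default sslmode "prefer".
def pg_ssl_params(config, env = {})
  params = {}
  if config.is_a?(String)
    uri = URI.parse(config)
    unless %w[postgres postgresql].include?(uri.scheme)
      raise ArgumentError, "not a PostgreSQL URL: #{config}"
    end
    query = uri.query ? CGI.parse(uri.query) : {}
    params[:sslmode] = query["sslmode"]&.first
    params[:sslrootcert] = query["sslrootcert"]&.first
  else
    params[:sslmode] = config["sslmode"]
    params[:sslrootcert] = config["sslrootcert"]
  end
  params[:sslmode] ||= env["PGSSLMODE"] || "prefer"
  params[:sslrootcert] ||= env["PGSSLROOTCERT"]
  params
end

# :plaintext  - never encrypted
# :unverified - encrypted (or opportunistically encrypted) but the server
#               certificate is not validated, so the CA change is invisible
# :verified   - certificate validated against sslrootcert; the bundle must
#               contain the 2019 CA before the instance is switched
def rotation_impact(params)
  mode = params[:sslmode]
  raise ArgumentError, "unknown sslmode #{mode.inspect}" unless SSLMODES.include?(mode)
  case mode
  when "disable" then :plaintext
  when "allow", "prefer", "require" then :unverified
  else :verified
  end
end

# Which of AWS's three steps apply to this connection. Step 3 (switching the
# instance CA) always applies; steps 1 and 2 only when the CA is verified.
def required_steps(params)
  rotation_impact(params) == :verified ? [1, 2, 3] : [3]
end

# Audit every postgresql environment in a database.yml document.
def audit(database_yml, env = {})
  YAML.safe_load(database_yml).each_with_object({}) do |(rails_env, cfg), report|
    next unless cfg["adapter"] == "postgresql"
    params = pg_ssl_params(cfg, env)
    impact = rotation_impact(params)
    warning = nil
    if impact == :verified && params[:sslrootcert].nil?
      # libpq then reads ~/.postgresql/root.crt, which must hold the new CA too
      warning = "sslmode #{params[:sslmode]} without sslrootcert; libpq uses ~/.postgresql/root.crt"
    end
    report[rails_env] = { sslmode: params[:sslmode], sslrootcert: params[:sslrootcert],
                          impact: impact, steps: required_steps(params), warning: warning }
  end
end

# Constructed sample database.yml (hostnames and paths are placeholders).
SAMPLE_DATABASE_YML = <<~YAML
  production:
    adapter: postgresql
    host: db.example.internal
    sslmode: verify-full
    sslrootcert: /etc/ssl/certs/rds-combined-ca-bundle.pem
  staging:
    adapter: postgresql
    host: db-staging.example.internal
    sslmode: verify-ca
  development:
    adapter: postgresql
    host: localhost
YAML

if __FILE__ == $PROGRAM_NAME
  audit(SAMPLE_DATABASE_YML).each { |name, r| puts "#{name}: #{r}" }
  url = "postgres://app:secret@db.example.internal:5432/app?sslmode=require"
  puts "DATABASE_URL -> steps #{required_steps(pg_ssl_params(url)).inspect}"
end
```

For environments the audit reports as `:verified`, point `sslrootcert` at a bundle that already contains the 2019 CA and deploy that before step 3; for everything else only step 3 remains. The current and target CA can be inspected and changed with the AWS CLI: `aws rds describe-db-instances --query 'DBInstances[].[DBInstanceIdentifier,CACertificateIdentifier]' --output table` shows which CA each instance presents, and `aws rds modify-db-instance --db-instance-identifier <id> --ca-certificate-identifier rds-ca-2019` performs step 3 (add `--apply-immediately` to change it now rather than in the next maintenance window). Neither the load balancer listener nor the EC2 instances need the RDS certificate; it is only consumed by the database client inside the application.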



Source: https://stackoverflow.com/questions/58445135/update-amazon-rds-ssl-tls-certificates-elastic-beanstalk
