Secure Your Database Connection with SSL Encryption to Amazon RDS Custom for SQL Server | Amazon Onboarding with Learning Manager


Amazon Relational Database Service (Amazon RDS) Custom for SQL Server is a managed database service for applications that need operating system access and database customizations that standard Amazon RDS for SQL Server does not allow. One essential security control is encrypting the connection between your application and the RDS Custom instance. Network encryption protects data in transit by securing the session between client applications and the instance with a Secure Sockets Layer (SSL)/Transport Layer Security (TLS) certificate.

In this article, we walk through setting up SSL/TLS encryption on RDS Custom for SQL Server using a self-managed certificate issued by an internal (enterprise) certificate authority. We also show how to optionally join the instance to a domain and enable Kerberos authentication.

Solution Overview

For this setup, we’ll leverage State Manager, a feature of AWS Systems Manager, to automate SSL encryption on the RDS Custom instance. The workflow for automation involves the following steps:

  1. Create an RDS Custom instance with a specific tag (RDSCertSSL: do-not-delete-rds-custom-).
  2. During instance creation, the RDS Custom instance registers with Systems Manager.
  3. State Manager is set up to execute a Systems Manager command document (aws:runPowerShellScript) on instances that have the designated tag.
  4. As the command runs, it retrieves the necessary secrets to import the certificate and the SSL certificate itself from AWS Secrets Manager and Amazon Simple Storage Service (Amazon S3), respectively.
  5. Finally, the RDS Custom instance is configured with SSL encryption.
  6. Optionally, the RDS Custom instance can be joined to a domain and restarted to activate Kerberos authentication.

We provide detailed steps to build this automation, plus optional steps to perform a domain join and change the SQL Server service account so that Kerberos authentication works, also through automation. At the time of writing, the AWS Management Console does not let you specify tags while creating an RDS Custom instance, and the State Manager association targets instances by tag, so we use the AWS Command Line Interface (AWS CLI) for the implementation.

Prerequisites

Before we dive in, ensure you have the following prerequisites:

  • An AWS account.
  • An S3 bucket to store your certificate and to log Systems Manager command output.
  • All requirements met for creating an RDS Custom instance.
  • The AWS CLI installed and configured.
  • An Amazon Elastic Compute Cloud (Amazon EC2) Windows instance with SQL Server Management Studio (SSMS) installed.
  • An SSL certificate that meets the SQL Server encryption requirements (in particular, a private key and, if an Enhanced Key Usage extension is present, Server Authentication), uploaded to the S3 bucket. The certificate's subject name or subject alternative name must include the RDS endpoint the instance will have. The endpoint follows a predictable pattern (the DB instance identifier, an account-specific string, the Region, and rds.amazonaws.com), so you can determine it before creating the RDS Custom instance. For more information, refer to Finding the DB instance endpoint and port number.
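Before uploading the PFX to S3, it is worth checking locally that it satisfies the requirements listed above. The following PowerShell function is an added example, not part of the original article. It assumes the PKI module (which provides Get-PfxData) is available, as it is on Windows Server, and the file path and endpoint shown in the usage comment are placeholders. It reads the bundle without importing anything into a certificate store and reports each requirement separately.

```powershell
# Added example (not from the original article): pre-flight check of a PFX against
# the SQL Server certificate requirements. Requires the PKI module (Get-PfxData).
function Test-SqlServerCertificate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]       $PfxPath,
        [Parameter(Mandatory)] [securestring] $Password,
        # DNS name clients will connect to, e.g. <db-identifier>.<account-string>.<region>.rds.amazonaws.com
        [Parameter(Mandatory)] [string]       $Endpoint
    )

    # Get-PfxData parses the bundle in memory; nothing is written to a certificate store.
    $pfx  = Get-PfxData -FilePath $PfxPath -Password $Password
    $leaf = $pfx.EndEntityCertificates | Select-Object -First 1
    if (-not $leaf) { throw "No end-entity certificate found in $PfxPath" }

    # Names the certificate is valid for: the Subject CN plus every DNS entry in the SAN extension.
    $names = @()
    if ($leaf.Subject -match 'CN=([^,]+)') { $names += $Matches[1].Trim() }
    $san = $leaf.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names += [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
                  ForEach-Object { $_.Groups[1].Value }
    }

    # SQL Server only loads the certificate if the EKU (when present) includes Server Authentication.
    $eku        = $leaf.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $serverAuth = (-not $eku) -or ($eku.EnhancedKeyUsages.Value -contains '1.3.6.1.5.5.7.3.1')

    $now    = Get-Date
    $result = [pscustomobject]@{
        Thumbprint       = $leaf.Thumbprint
        HasPrivateKey    = $leaf.HasPrivateKey
        ServerAuthEku    = $serverAuth
        InValidityPeriod = ($leaf.NotBefore -le $now) -and ($leaf.NotAfter -gt $now)
        # -like lets a wildcard SAN entry such as *.<account-string>.<region>.rds.amazonaws.com match.
        EndpointMatches  = @($names | Where-Object { $Endpoint -like $_ }).Count -gt 0
        ChainIncluded    = $pfx.OtherCertificates.Count -gt 0   # issuing/intermediate CA bundled in the PFX
        Names            = $names
    }
    $result | Add-Member -NotePropertyName Ok -PassThru -NotePropertyValue (
        $result.HasPrivateKey -and $result.ServerAuthEku -and
        $result.InValidityPeriod -and $result.EndpointMatches)
}

# Usage (placeholder path and endpoint):
# $pw = Read-Host -Prompt 'PFX password' -AsSecureString
# Test-SqlServerCertificate -PfxPath 'C:\certs\rds.pfx' -Password $pw `
#     -Endpoint 'mydb.abcdefghijkl.us-east-1.rds.amazonaws.com'
```

If Ok is False, the property that is False tells you what to fix before the certificate is uploaded; ChainIncluded is informational, but a PFX without the issuing CA certificate leaves nothing for the later "move the intermediate certificate" step to move.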

Additionally, if you plan to perform a domain join, ensure DNS resolution is configured. You can achieve this in various ways, including using an Amazon Route 53 outbound endpoint to forward DNS requests to your DNS server. For further details, see Forwarding outbound DNS queries to your network.

This solution will create new AWS resources, potentially incurring costs on your account. We suggest testing this setup in a non-production environment before rolling it out into production.

Create a Certificate Password Secret

To protect the certificate password from unauthorized access and still make it available to the Systems Manager command document, store it in Secrets Manager. In this article we use a certificate issued by an Enterprise Certificate Authority (CA), delivered as a password-protected Personal Information Exchange (PFX) file that contains the certificate, its private key, and the intermediate certificate. The same password is needed to import the certificate on the RDS Custom instance.

Follow these steps:

  1. Create a file named CertPass.json with the following contents:
{
  "password": "<CERTPASSWORD>"
}
  2. To create the secret, execute the following AWS CLI command:
aws secretsmanager create-secret --name RDSSSLCert --description "Password to perform SSL certificate import into RDS Custom" --secret-string file://CertPass.json --region <AWS region>

The command will return details of the secret.

Next, allow the IAM role attached to the RDS Custom instance (its instance profile role) to read the secret you just created, download the SSL certificate from the S3 bucket, and write command output to the S3 bucket you created earlier.

  3. Create a file named policy.json with the following contents:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "SSLSecret",
      "Effect": "Allow",
      "Action": "secretsmanager:GetSecretValue",
      "Resource": "<SecretARN>"
    },
    {
      "Sid": "GetSSLCert",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:PutObjectAcl"
      ],
      "Resource": "<S3BucketARN>/*"
    }
  ]
}
s3:GetObject, s3:PutObject and s3:PutObjectAcl are object-level actions and are evaluated against object ARNs, so the Resource must be <S3BucketARN>/* (or a narrower prefix under it); listing only the bucket ARN would cause the download and the output upload to fail with AccessDenied.
  4. To attach this inline policy to the RDS Custom IAM role, execute the following AWS CLI command:
aws iam put-role-policy --role-name <AWSRDSCustomSQLServerInstanceRole> --policy-name RDSSSLCert --policy-document file://policy.json

No output will be returned from this command.

Create a Systems Manager Command Document

A Systems Manager document (SSM document) defines the actions that Systems Manager performs on your managed instances. In this post the commands run on the RDS Custom instance as soon as it has registered with Systems Manager and the State Manager association matches its tag, which happens during instance creation. Below is a set of PowerShell commands defined in a YAML command document. They automate the following tasks:

  • Create a folder on the C: drive and download the certificate file from Amazon S3.
  • Retrieve the password required to import the certificate from Secrets Manager.
  • Import the certificate into the local machine certificate store.
  • Grant read permissions on the certificate’s private key to the network service account.
  • Move the intermediate certificate to the local machine’s Trusted Root Certification Authorities certificate store.
  • Enable SSL encryption on SQL Server.
  • Restart the SQL Server service.

Create a file named RDSSSLConfig.yaml with the following contents. Replace the placeholders with values for your account, including the S3 bucket name and the SSL certificate filename. Uncomment the section of the PowerShell script that moves the intermediate certificate to the Trusted Root Certification Authorities store if you want that step automated. In our example the certificate was issued by a CA that the instance does not already trust, so we move the intermediate certificate into the instance's trusted root store. Note that this only affects certificate validation on the server; a client avoids the Trust Server Certificate option only if the client itself trusts the issuing CA chain, for example because it is domain-joined to the same enterprise CA or has the CA certificate installed in its own trusted store.

schemaVersion: "2.2"
description: "Command Document to configure SSL encryption for RDS Custom"
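The following PowerShell is an added example of the script body that an aws:runPowerShellScript step in such a document could run to carry out the tasks listed above; it is not the original article's document. It assumes the AWS Tools for PowerShell (Read-S3Object, Get-SECSecretValue) are present on the instance, that the SQL Server instance is the default MSSQLSERVER instance, and that the Region, bucket, object key and folder shown are placeholders you replace. The service account is read from the running service rather than hard-coded, and both CNG and legacy CAPI key storage are handled when granting private key access.

```powershell
# Added example (not from the original article): configure SQL Server SSL/TLS on an RDS Custom instance.
$ErrorActionPreference = 'Stop'

$Region     = '<AWS region>'
$BucketName = '<S3BucketName>'
$CertKey    = '<certificate-filename>.pfx'
$SecretId   = 'RDSSSLCert'            # secret created earlier in this article
$CertDir    = 'C:\RDSSSLCert'
$SqlService = 'MSSQLSERVER'           # default instance (assumption)

# 1. Download the PFX from S3 and read the import password from Secrets Manager.
New-Item -ItemType Directory -Path $CertDir -Force | Out-Null
$pfxPath = Join-Path $CertDir $CertKey
Read-S3Object -BucketName $BucketName -Key $CertKey -File $pfxPath -Region $Region | Out-Null
$secret   = Get-SECSecretValue -SecretId $SecretId -Region $Region
$password = ConvertTo-SecureString -String (($secret.SecretString | ConvertFrom-Json).password) -AsPlainText -Force

# 2. Import the PFX into the local machine store; the leaf is the certificate that carries the private key.
$imported = Import-PfxCertificate -FilePath $pfxPath -CertStoreLocation Cert:\LocalMachine\My -Password $password
$leaf     = Get-ChildItem Cert:\LocalMachine\My |
            Where-Object { $_.HasPrivateKey -and $_.Thumbprint -in $imported.Thumbprint } |
            Select-Object -First 1
Remove-Item -Path $pfxPath -Force   # do not leave the key material on disk once it is in the store

# 3. Grant the SQL Server service account read access to the private key file.
$serviceAccount = (Get-CimInstance Win32_Service -Filter "Name='$SqlService'").StartName
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($leaf)
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    # CNG key storage provider
    $keyFile = Join-Path (Join-Path $env:ProgramData 'Microsoft\Crypto\Keys') $rsa.Key.UniqueName
} else {
    # Legacy CAPI provider (RSACryptoServiceProvider)
    $keyFile = Join-Path (Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys') `
                         $rsa.CspKeyContainerInfo.UniqueKeyContainerName
}
$acl  = Get-Acl -Path $keyFile
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($serviceAccount, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile -AclObject $acl

# 4. Move the issuing CA certificate that came with the PFX from My to Trusted Root Certification Authorities.
#    This makes the server's own chain validation succeed; clients still need to trust the CA themselves.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { -not $_.HasPrivateKey -and $_.Subject -eq $leaf.Issuer } |
    ForEach-Object { Move-Item -Path $_.PSPath -Destination Cert:\LocalMachine\Root }

# 5. Point SQL Server at the certificate and require encryption for every connection.
$instanceId = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL').$SqlService
$netLib     = "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$instanceId\MSSQLServer\SuperSocketNetLib"
Set-ItemProperty -Path $netLib -Name Certificate     -Value $leaf.Thumbprint.ToLower()
Set-ItemProperty -Path $netLib -Name ForceEncryption -Value 1 -Type DWord

# 6. Restart SQL Server (and dependent services such as SQL Server Agent) so the certificate is loaded.
Restart-Service -Name $SqlService -Force
```

ForceEncryption = 1 makes the server refuse unencrypted sessions, so test clients first if any of them cannot negotiate TLS. To confirm the result from SSMS on the EC2 client, run SELECT encrypt_option FROM sys.dm_exec_connections WHERE session_id = @@SPID; it returns TRUE for an encrypted session. If SQL Server fails to start after the restart, the Windows Application log typically reports that it could not load the certificate, which in practice means the service account cannot read the private key or the thumbprint written in step 5 does not match a certificate in the LocalMachine\My store.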
