How to use SSL with AWS RDS MySQL DB Instances


To secure the connection between your client and an RDS MySQL DB instance, use SSL/TLS to encrypt it. This is strongly recommended whenever confidential data crosses the wire: without it, queries and result sets travel between the client and the instance in plaintext.

Amazon RDS supports SSL connections for DB instances running the MySQL engine. When RDS provisions an instance it creates a server certificate, signed by an Amazon RDS certificate authority, and installs it on the instance.

The CA certificate you need to verify that server certificate (a certificate, not a bare public key) is published at https://rds.amazonaws.com/doc/mysql-ssl-ca-cert.pem.

Download it to the machine the client runs on (your EC2 instance or your own server) and keep it somewhere the mysql client can read.

AWS's original guidance described RDS SSL support as strictly for encrypting the connection, not for authenticating the server. That holds only if you stop at --ssl-ca: with that option alone the client encrypts the session and checks that the server certificate chains to the CA you supplied, but it does not check that the certificate was issued for the host you asked for. Add --ssl-verify-server-cert (or, on MySQL 5.7.11 and later clients, --ssl-mode=VERIFY_IDENTITY) so that a redirected or spoofed endpoint is rejected instead of silently accepted.

To encrypt connections from the standard mysql client, pass the CA file with the --ssl-ca option.

For example:

mysql -h myinstance.sssssssssss.rds-us-east-1.amazonaws.com --ssl-ca=mysql-ssl-ca-cert.pem -u "username" -p

You can also make SSL mandatory on the server side for particular accounts, so that a misconfigured client cannot quietly fall back to plaintext. For example, to require SSL for the account encrypted_user:

GRANT USAGE ON *.* TO 'encrypted_user'@'%' REQUIRE SSL;

On MySQL 8.0 the REQUIRE clause is no longer part of GRANT; use ALTER USER 'encrypted_user'@'%' REQUIRE SSL; instead. REQUIRE X509 goes one step further and forces the client to present its own certificate as well.

To check whether the server supports SSL at all, look at the have_ssl variable. Note that this reports only the server's capability; it says nothing about whether the session you are in right now is encrypted (see the Ssl_cipher status check further down for that).

If SSL is enabled, the output looks like this:

mysql> SHOW VARIABLES LIKE '%ssl';
+---------------+-------+
| Variable_name | Value |
+---------------+-------+
| have_openssl  | YES   |
| have_ssl      | YES   |
+---------------+-------+
2 rows in set (0.11 sec)

If SSL is disabled, the output looks like this:

mysql> SHOW VARIABLES LIKE '%ssl';
+---------------+----------+
| Variable_name | Value    |
+---------------+----------+
| have_openssl  | DISABLED |
| have_ssl      | DISABLED |
+---------------+----------+
2 rows in set (0.02 sec)

To confirm that your own connection is encrypted, check the session status instead: SHOW SESSION STATUS LIKE 'Ssl_cipher'; prints the negotiated cipher (for example ECDHE-RSA-AES128-GCM-SHA256) on an encrypted session and an empty Value on a plaintext one.
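Putting the steps above together, here is an added example (not code from the original post or from AWS) of a small POSIX shell script that fetches the CA bundle from the URL given above, connects with server verification turned on, and fails loudly if the resulting session is not encrypted. The RDS_HOST and RDS_USER variables, the CA_FILE name and the mysql_tls_args and session_cipher helpers are assumptions made for this example; --ssl-mode needs a MySQL 5.7.11 or later client (MariaDB's client uses --ssl-verify-server-cert instead).

```shell
#!/bin/sh
# Added example, not from the original post: connect to an RDS MySQL instance
# over verified TLS and prove the session is encrypted before trusting it.
# Assumed inputs (hypothetical): RDS_HOST and RDS_USER are set by the caller;
# CA_URL is the bundle location given in the post.

CA_URL="https://rds.amazonaws.com/doc/mysql-ssl-ca-cert.pem"
CA_FILE="${CA_FILE:-rds-ca.pem}"

# Fetch the CA bundle and sanity-check that it parses as an X.509 certificate
# (for a multi-certificate bundle, openssl prints the first one).
fetch_ca() {
    curl -fsSL -o "$CA_FILE" "$CA_URL" || return 1
    openssl x509 -in "$CA_FILE" -noout -subject -enddate
}

# Client arguments that both encrypt and authenticate the server:
# VERIFY_IDENTITY pins the CA and checks the certificate against the host name.
# (MySQL 5.7.11+ client; older clients use --ssl-ca=... --ssl-verify-server-cert.)
mysql_tls_args() {
    printf '%s' "--ssl-mode=VERIFY_IDENTITY --ssl-ca=$1"
}

# Take the output of "SHOW SESSION STATUS LIKE 'Ssl_cipher'" as printed by
# "mysql -N -B" (tab-separated, no header row) and print the negotiated cipher.
# Returns 1 when the Value column is empty, which is what a plaintext session shows.
session_cipher() {
    cipher=$(printf '%s\n' "$1" | awk -F'\t' '$1 == "Ssl_cipher" { print $2 }')
    [ -n "$cipher" ] || return 1
    printf '%s\n' "$cipher"
}

main() {
    fetch_ca || { echo "could not fetch or parse the CA bundle" >&2; exit 1; }
    # Word splitting of the two TLS arguments is intended here.
    out=$(mysql -h "$RDS_HOST" -u "$RDS_USER" -p $(mysql_tls_args "$CA_FILE") -N -B \
              -e "SHOW SESSION STATUS LIKE 'Ssl_cipher'")
    if cipher=$(session_cipher "$out"); then
        echo "encrypted: $cipher"
    else
        echo "connection is NOT encrypted, refusing to proceed" >&2
        exit 1
    fi
}

# Only touch the network when the caller has named an instance.
if [ -n "${RDS_HOST:-}" ]; then
    main
fi
```

Run it as RDS_HOST=myinstance.sssssssssss.rds-us-east-1.amazonaws.com RDS_USER=encrypted_user sh rds-tls-check.sh; it prompts for the password and exits non-zero if the CA bundle cannot be fetched, if the server certificate fails verification (mysql itself refuses the connection under VERIFY_IDENTITY), or if the negotiated session turns out to be plaintext.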

