RDSCACertificateCloseToExpiration #
Meaning #
Alert is triggered when an RDS instance is detected using a CA certificate which is going to expire in less than 15 days.
Impact #
If the certificate is not renewed before expiration, all attempts to initiate an SSL/TLS connection to the RDS instance will fail.
Important
The
Amazon RDS Root 2019 CA
certificate expires between May 2024 and October 2024, depending of your AWS region.
- Starting January 25th 2024, RDS instances created without specifying the CA will use
rds-ca-rsa2048-g1
.- In August 2024, AWS will enforce the CA rotation on all RDS instances on the expiring CA during a window maintenance
Diagnosis #
- Identify the instance(s) concerned by either:
opening the
RDS instances
dashboardor using the following AWS CLI command
aws rds describe-db-instances | jq ' [ .DBInstances[] | { db_instance_identifier: .DBInstanceIdentifier, ca_certificate_identifier: .CACertificateIdentifier, ca_certificate_valid_until: .CertificateDetails.ValidTill } | (now + 1296000) as $date | select ( (.ca_certificate_valid_until | split("+")[0] + "Z" | fromdate) < $date ) ]'
Note:
1296000
seconds = 15 days
Mitigation #
Renew your certificate for the instances retrieved above by running:
aws rds modify-db-instance \
--db-instance-identifier <your_db_instance> \
--ca-certificate-identifier <your_new_certificate>
Use the --apply-immediately
flag if you wish to change the certificate immediately, otherwise it will apply during your next scheduled maintenance window.
Tips
We recommend using the
rds-ca-rsa2048-g1
certificate authority which:
- Has the same properties as
rds-ca-2019
(2048 private key, SHA256 signing alg.) so no risk of incompatibility- Is valid until 2061
- Change can be done without restarting the instances