RDSCACertificateCloseToExpiration #

Meaning #

Alert is triggered when an RDS instance is detected using a CA certificate which is going to expire in less than 15 days.

Impact #

If the certificate is not renewed before expiration, all attempts to initiate an SSL/TLS connection to the RDS instance will fail.

Important

The Amazon RDS Root 2019 CA certificate expires between May 2024 and October 2024, depending of your AWS region.

• Starting January 25th 2024, RDS instances created without specifying the CA will use rds-ca-rsa2048-g1.
• In August 2024, AWS will enforce the CA rotation on all RDS instances on the expiring CA during a window maintenance

Diagnosis #

• Identify the instance(s) concerned by either:

  • opening the RDS instances dashboard

  • or using the following AWS CLI command

    aws rds describe-db-instances | jq '
      [
        .DBInstances[] |
        {
          db_instance_identifier: .DBInstanceIdentifier,
          ca_certificate_identifier: .CACertificateIdentifier,
          ca_certificate_valid_until: .CertificateDetails.ValidTill
        } |
        (now + 1296000) as $date |
        select (
          (.ca_certificate_valid_until | split("+")[0] + "Z" | fromdate) < $date
        )
      ]'
    

    Note: 1296000 seconds = 15 days

Mitigation #

Renew your certificate for the instances retrieved above by running:

aws rds modify-db-instance \
    --db-instance-identifier <your_db_instance> \
    --ca-certificate-identifier <your_new_certificate>

Use the --apply-immediately flag if you wish to change the certificate immediately, otherwise it will apply during your next scheduled maintenance window.

Tips

We recommend using the rds-ca-rsa2048-g1 certificate authority which:

• Has the same properties as rds-ca-2019 (2048 private key, SHA256 signing alg.) so no risk of incompatibility
• Is valid until 2061
• Change can be done without restarting the instances

Additional resources #

• Using SSL with RDS
• SSL Certificate Rotation