Control: 6.1 Ensure that RDS instance requires all incoming connections to use SSL
Description
It is recommended to enforce that all incoming connections to the SQL database instance use SSL.
Remediation
From Console
- Log on to the RDS Console.
- Select the region where the target instance is located.
- Click the ID of the target instance to enter the Basic Information page.
- In the left-side navigation pane, click Data Security.
- Click the SSL Encryption tab.
- Click the switch next to Disabled in the SSL Encryption parameter.
- In the Configure SSL dialog box, select the endpoint for which you want to enable SSL encryption and then click OK.
- Click Download CA Certificate to download an SSL certificate.
- The downloaded SSL certificate is a package that includes the following files:
  - p7b file: used to import the CA certificate on Windows OS.
  - PEM file: used to import the CA certificate on other systems or for other applications.
  - JKS file: a Java truststore certificate file used for importing CA certificate chains in Java programs. The password is apsaradb.
Usage
Run the control in your terminal:
    powerpipe control run alicloud_compliance.control.cis_v100_6_1

Snapshot and share results via Turbot Pipes:

    powerpipe login
    powerpipe control run alicloud_compliance.control.cis_v100_6_1 --share

SQL
This control uses a named query:
    select
      arn as resource,
      case
        when ssl_status = 'Enabled' then 'ok'
        else 'alarm'
      end as status,
      case
        when ssl_status = 'Enabled' then title || ' SSL enabled.'
        else title || ' SSL disabled.'
      end as reason,
      account_id as account_id,
      region as region
    from
      alicloud_rds_instance;
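
The control's named query run against constructed rows, as an added example that is not part of the Powerpipe mod: an in-memory SQLite table stands in for `alicloud_rds_instance`, and the ARNs, titles and every `ssl_status` value other than 'Enabled' are assumptions. It shows that the case expression reports anything other than the exact string 'Enabled', including NULL and a differently cased value, as an alarm.

```python
import sqlite3

# The control's named query, as shown on this page.
CONTROL_QUERY = """
select
  arn as resource,
  case when ssl_status = 'Enabled' then 'ok' else 'alarm' end as status,
  case
    when ssl_status = 'Enabled' then title || ' SSL enabled.'
    else title || ' SSL disabled.'
  end as reason,
  account_id as account_id,
  region as region
from
  alicloud_rds_instance;
"""

# Constructed sample rows (not real resources). Only 'Enabled' appears on the
# page; the other ssl_status values are assumptions chosen to exercise the
# else branch of the case expression.
SAMPLE_ROWS = [
    ("acs:rds:example:0000:dbinstance/rm-aaa", "rm-aaa", "Enabled", "0000", "example-region"),
    ("acs:rds:example:0000:dbinstance/rm-bbb", "rm-bbb", "Disabled", "0000", "example-region"),
    ("acs:rds:example:0000:dbinstance/rm-ccc", "rm-ccc", None, "0000", "example-region"),
    ("acs:rds:example:0000:dbinstance/rm-ddd", "rm-ddd", "enabled", "0000", "example-region"),
]

def run_control(rows):
    """Load rows into an in-memory stand-in table and run the control query."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "create table alicloud_rds_instance "
        "(arn text, title text, ssl_status text, account_id text, region text)"
    )
    db.executemany("insert into alicloud_rds_instance values (?, ?, ?, ?, ?)", rows)
    result = db.execute(CONTROL_QUERY).fetchall()
    db.close()
    return result

def summarize(rows):
    """Map each resource to its (status, reason) pair."""
    return {res: (status, reason) for res, status, reason, _, _ in run_control(rows)}

if __name__ == "__main__":
    for resource, (status, reason) in summarize(SAMPLE_ROWS).items():
        print(f"{status:5} {resource}  {reason}")
```

A row with a NULL `ssl_status` still gets the reason "SSL disabled.", so an alarm from this control can mean either that SSL is off or that the status was not returned.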