Protecting any app that handles sensitive information means keeping that data safe while it is being sent. Amazon RDS for PostgreSQL supports Secure Sockets Layer (SSL) connections, so data transfers between your app and the database can be encrypted. This protects private information from being intercepted or changed in transit.
This post will show you how to use SSL with a PostgreSQL DB instance on Amazon RDS, including what you need to do first, how to set it up, and the best ways to do so.
Enabling SSL on Your RDS PostgreSQL Instance
By default, Amazon RDS for PostgreSQL supports SSL. But to make SSL work and set up your client correctly, you need to do a few more things.
1. Check the SSL Configuration
Go to your RDS instance in the AWS Console and review the associated parameter group. If you are using PostgreSQL version 15 or newer, rds.force_ssl may be enforced by default.
Navigate to RDS > Databases > [your database] > Configuration
Open the linked Parameter group
Find the rds.force_ssl parameter:
- If set to 1, SSL is required.
- If set to 0, SSL is optional.
2. How to Enforce SSL in RDS (If SSL is not Enforced in RDS)
If the rds.force_ssl parameter is 0, you must set it to 1. The default parameter groups in AWS RDS are read-only and cannot be modified, so to set rds.force_ssl = 1 you must create a custom parameter group.
Create a Custom Parameter Group:
Go to RDS → Parameter groups → Click “Create parameter group”
- Fill in the fields as follows:
  - Parameter group family: postgres14
  - Group name: custom-postgres14-ssl
  - Description: Enable SSL for PostgreSQL 14
- Click Create
Set rds.force_ssl = 1 in your new parameter group:
- Select your newly created parameter group
- Click “Edit parameters”
- Search for rds.force_ssl and change its value from 0 ➝ 1
- Click Save
Attach the custom parameter group to your RDS instance:
Go to RDS → Databases → Click your instance (database-1)
Click “Modify”
In the DB parameter group dropdown, select the custom group: custom-postgres14-ssl
Scroll to the bottom and choose 'Apply immediately'.
Click “Continue” and then “Apply changes”
3. Download the AWS RDS Root Certificate
To establish a secure SSL connection, you must download the root certificate authority (CA) file from AWS.
You can find the latest region-specific certificates here:
Using SSL with Amazon RDS PostgreSQL
Connecting with SSL
Once you’ve downloaded the certificate, you can connect to your RDS PostgreSQL instance using several methods.
Using a GUI Tool (e.g., DBeaver)
In your tool of choice, create a new PostgreSQL connection:
- Enter the RDS endpoint, port (5432), database name, and credentials.
- Under SSL settings:
  - Enable SSL (usually a checkbox).
  - Set SSL Mode to require or verify-ca.
  - Upload the RDS Root CA certificate you previously downloaded.
Using Terminal (psql CLI)
You can also connect securely via the terminal:
psql "host=mydb.xxxxxx.rds.amazonaws.com port=5432 dbname=mydb user=myuser password=mypass sslmode=verify-full sslrootcert=rds-ca-2019-root.pem"
- sslmode=verify-full: Ensures both certificate and hostname validation.
- sslrootcert: Path to the downloaded certificate file.
This configuration helps ensure both confidentiality and integrity of the data transmitted.
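To review connection strings like the one above before they reach a config file or deployment script, the following Python sketch parses libpq keyword/value strings and reports weak sslmode values, a missing sslrootcert, and inline passwords. It is an added example, not code from the original post or from AWS. The function names and the db.example.internal hosts are illustrative, and it assumes keyword/value strings only, ignoring URI-form strings and PGSSLMODE-style environment variables.

```python
import re

# One libpq "keyword = value" pair; the value may be single-quoted with \ escapes.
_PAIR = re.compile(r"\s*(\w+)\s*=\s*(?:'((?:[^'\\]|\\.)*)'|(\S*))")

def parse_dsn(dsn):
    """Parse a libpq keyword/value connection string into a dict."""
    params, pos, dsn = {}, 0, dsn.strip()
    while pos < len(dsn):
        m = _PAIR.match(dsn, pos)
        if not m:
            raise ValueError(f"malformed connection string at offset {pos}")
        key, quoted, bare = m.groups()
        params[key] = re.sub(r"\\(.)", r"\1", quoted) if quoted is not None else bare
        pos = m.end()
    return params

def audit_dsn(dsn):
    """Return findings about the TLS-related settings of one connection string."""
    p = parse_dsn(dsn)
    mode = p.get("sslmode", "prefer")  # libpq default when sslmode is omitted
    has_ca = "sslrootcert" in p
    findings = []
    if mode == "disable":
        findings.append("sslmode=disable: traffic is never encrypted")
    elif mode in ("allow", "prefer"):
        findings.append(f"sslmode={mode}: client may fall back to plaintext")
    elif mode == "require" and not has_ca:
        findings.append("sslmode=require: encrypted, server certificate not verified")
    elif mode in ("require", "verify-ca"):
        # require plus a root CA file is treated by libpq like verify-ca
        findings.append(f"sslmode={mode}: CA chain verified, hostname not checked")
    elif mode != "verify-full":
        findings.append(f"sslmode={mode}: not a valid libpq value")
    if mode.startswith("verify-") and not has_ca:
        findings.append("sslrootcert not set: libpq uses ~/.postgresql/root.crt")
    if "password" in p:
        findings.append("password inline: exposed in shell history and process list")
    return findings

if __name__ == "__main__":
    samples = [  # first entry is the page's psql string; the others are constructed
        "host=mydb.xxxxxx.rds.amazonaws.com port=5432 dbname=mydb user=myuser "
        "password=mypass sslmode=verify-full sslrootcert=rds-ca-2019-root.pem",
        "host=db.example.internal dbname=app user=app",
        "host=db.example.internal user=app sslmode=require",
        "host=db.example.internal user=app sslmode=require sslrootcert='/etc/ssl/rds ca.pem'",
    ]
    for s in samples:
        print(s, "->", audit_dsn(s) or ["ok"])
```

For the page's own string the only finding is the inline password, which can be moved to the PGPASSWORD environment variable or a ~/.pgpass file.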
For more information and certificate downloads, refer to the official documentation:
Using SSL with Amazon RDS PostgreSQL