The CA certificate for the RDS is outdated
ID | aws_rds_ca_certificate_outdated
Severity | low
Vendor | AWS
Resource | Encryption
Tags | reachable
Description
The RDS DB instance is configured with an outdated certificate authority (CA) certificate. As of March 5, 2020, the Amazon RDS CA-2015 certificates have expired. If you use, or plan to use, SSL/TLS with certificate verification to connect to your RDS DB instances, the instance must present a server certificate issued by a current CA (CA-2019 at the time of this rule, which is enabled by default for new DB instances). If you currently do not use SSL/TLS with certificate verification, an instance may still be pinned to the expired CA-2015 certificate; it must be rotated before clients can verify the server certificate.

Why this matters: a client configured to verify the server certificate (for example PostgreSQL `sslmode=verify-full` against the RDS CA bundle) will refuse to connect to an instance whose chain ends in an expired CA. The common workaround, dropping to `sslmode=require` or disabling verification, removes the protection against man-in-the-middle attacks on the database connection, so the fix is to rotate the instance's CA, not to relax the client.

Caveats when rotating: the instance's CA identifier is changed with `aws rds modify-db-instance --ca-certificate-identifier <id>` (or the `ca_certificate_identifier` option shown below); the rotation issues a new server certificate and, for most engines, restarts the DB instance, so schedule it in a maintenance window. Every CA has an expiry, including rds-ca-2019, so check the currently available identifiers and their validity with `aws rds describe-certificates` in each region, and select the longest-lived one AWS offers (AWS has since published the rds-ca-rsa2048-g1, rds-ca-rsa4096-g1 and rds-ca-ecc384-g1 CAs) rather than hard-coding a specific year.
Learn more about this topic at AWS RDS certificate rotation.
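The audit described above, as an added example that is not part of this rule page or of any AWS tooling: it takes records in the shape returned by `aws rds describe-db-instances` (the `CACertificateIdentifier` field) and `aws rds describe-certificates` (`CertificateIdentifier`, `ValidTill`), flags instances whose CA is expired, about to expire, or unknown, and emits the remediation command. The instance list, certificate list and dates are constructed sample data, not real account output; in practice you would feed it the JSON from those two CLI calls.

```python
"""Audit RDS instances for expired or expiring CA certificates.

Input records mirror the shape of `aws rds describe-db-instances`
and `aws rds describe-certificates` JSON output. All data below is
constructed for illustration; real values come from the API.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of `aws rds describe-certificates`.
# ValidTill values are illustrative except rds-ca-2015, which expired 2020-03-05.
CERTIFICATES = [
    {"CertificateIdentifier": "rds-ca-2015", "ValidTill": "2020-03-05T00:00:00Z"},
    {"CertificateIdentifier": "rds-ca-2019", "ValidTill": "2024-08-22T00:00:00Z"},
    {"CertificateIdentifier": "rds-ca-rsa2048-g1", "ValidTill": "2061-05-22T00:00:00Z"},
]

# Constructed sample in the shape of `aws rds describe-db-instances`.
DB_INSTANCES = [
    {"DBInstanceIdentifier": "legacy-pg", "CACertificateIdentifier": "rds-ca-2015"},
    {"DBInstanceIdentifier": "orders-pg", "CACertificateIdentifier": "rds-ca-2019"},
    {"DBInstanceIdentifier": "new-pg", "CACertificateIdentifier": "rds-ca-rsa2048-g1"},
]


def parse_ts(value):
    """Accept an ISO-8601 string (CLI JSON, 'Z' suffix) or a datetime (boto3)."""
    if isinstance(value, datetime):
        return value if value.tzinfo else value.replace(tzinfo=timezone.utc)
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def ca_validity(certs):
    """Map CA identifier -> expiry datetime."""
    return {c["CertificateIdentifier"]: parse_ts(c["ValidTill"]) for c in certs}


def newest_ca(certs):
    """Pick the CA with the latest expiry as the rotation target."""
    validity = ca_validity(certs)
    return max(validity, key=validity.get)


def find_outdated(instances, certs, now, warn_days=90):
    """Return findings for instances whose CA is expired, expiring, or unknown.

    Each finding is a dict: instance, ca, reason.
    """
    now = parse_ts(now)
    validity = ca_validity(certs)
    findings = []
    for inst in instances:
        ca = inst.get("CACertificateIdentifier")
        name = inst["DBInstanceIdentifier"]
        if ca not in validity:
            # A CA the region no longer lists cannot be verified by clients.
            findings.append({"instance": name, "ca": ca, "reason": "unknown CA"})
            continue
        remaining = validity[ca] - now
        if remaining <= timedelta(0):
            findings.append({"instance": name, "ca": ca, "reason": "expired"})
        elif remaining <= timedelta(days=warn_days):
            findings.append({"instance": name, "ca": ca,
                             "reason": f"expires in {remaining.days} days"})
    return findings


def remediation_cmd(instance_id, target_ca):
    """AWS CLI command that rotates the instance to target_ca.

    Rotation reissues the server certificate and, for most engines,
    restarts the instance; drop --apply-immediately to defer it to the
    maintenance window.
    """
    return (f"aws rds modify-db-instance --db-instance-identifier {instance_id} "
            f"--ca-certificate-identifier {target_ca} --apply-immediately")


if __name__ == "__main__":
    target = newest_ca(CERTIFICATES)
    for f in find_outdated(DB_INSTANCES, CERTIFICATES, datetime.now(timezone.utc)):
        print(f"{f['instance']}: {f['ca']} {f['reason']}")
        print("  " + remediation_cmd(f["instance"], target))
```

The 90-day warning window is the check's own threshold, not an AWS value; set it to match how long your change process needs, since the goal is to rotate before clients start failing verification rather than after.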
Examples
---
- name: Example playbook
  hosts: localhost
  tasks:
    - name: Create DB instance
      amazon.aws.rds_instance:
        id: "my-instance-id"
        # Non-compliant: pins the CA-2015 certificate, expired since 2020-03-05.
        # Clients that verify the server certificate cannot connect.
        ca_certificate_identifier: rds-ca-2015
        state: present
        engine: postgres
        # Quoted so YAML does not parse the version as a float.
        engine_version: "14.2"
        username: "{{ username }}"
        password: "{{ password }}"
        db_instance_class: db.m6g.large
        allocated_storage: "{{ allocated_storage }}"
        iam_roles:
          - role_arn: "{{ iam_role.arn }}"
            feature_name: 's3Export'
Mitigation / Fix
---
- name: Example playbook
  hosts: localhost
  tasks:
    - name: Create DB instance
      amazon.aws.rds_instance:
        id: "my-instance-id"
        # Compliant: a current CA. Check `aws rds describe-certificates` for the
        # identifiers and expiry dates available in your region and prefer the
        # longest-lived one; changing this on an existing instance rotates the
        # server certificate and usually restarts the instance.
        ca_certificate_identifier: rds-ca-2019
        state: present
        engine: postgres
        # Quoted so YAML does not parse the version as a float.
        engine_version: "14.2"
        username: "{{ username }}"
        password: "{{ password }}"
        db_instance_class: db.m6g.large
        allocated_storage: "{{ allocated_storage }}"
        iam_roles:
          - role_arn: "{{ iam_role.arn }}"
            feature_name: 's3Export'