Medium RDS Regional

RDS for PostgreSQL DB instances should be encrypted in transit

FSBP

Description

Checks if Amazon RDS for PostgreSQL DB instances are configured to use encryption in transit. The control fails if the PostgreSQL DB instance is not configured to require SSL/TLS encryption for connections by setting the rds.force_ssl parameter to 1.


Remediation

To enable encryption in transit for PostgreSQL DB instances, follow these steps:

Steps

  1. Sign in to the AWS Management Console and open the Amazon RDS console.
  2. In the navigation pane, choose 'Databases'.
  3. Select the identified PostgreSQL DB instance that requires encryption in transit.
  4. Choose 'Modify'.
  5. In the 'Database Options' section, locate the 'DB parameter group' setting.
  6. If using a custom parameter group, modify the 'rds.force_ssl' parameter to '1'.
  7. If using the default parameter group, create a new custom parameter group and set 'rds.force_ssl' to '1'.
  8. Apply the parameter group to your DB instance.
  9. Scroll to the bottom of the page and choose 'Continue'.
  10. On the summary page, review your changes. Select 'Apply immediately' to enable encryption right away, or choose to apply them during the next maintenance window.
  11. Click 'Modify DB Instance' to apply the changes.
  12. For detailed guidance, refer to the AWS documentation: 'Using SSL/TLS to encrypt a connection to a DB instance' in the Amazon RDS User Guide.
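The same check and remediation as code, added here as an example that is not part of this control page or of AWS's own tooling: it evaluates rds.force_ssl on the parameter list that boto3's describe_db_parameters returns, and sets the parameter to 1 on a custom group. The sample parameter list, the instance identifier and the group name are constructed assumptions.

```python
"""Check and remediate rds.force_ssl for an RDS for PostgreSQL instance (boto3)."""

# Constructed sample shaped like the "Parameters" list returned by
# rds.describe_db_parameters; it represents a non-compliant parameter group.
CONSTRUCTED_PARAMETERS = [
    {"ParameterName": "rds.force_ssl", "ParameterValue": "0",
     "Source": "user", "ApplyType": "dynamic"},
    {"ParameterName": "ssl_min_protocol_version", "ParameterValue": "TLSv1.2",
     "Source": "user", "ApplyType": "dynamic"},
]

def force_ssl_status(parameters):
    """Evaluate the control on a parameter list: ("PASS"|"FAIL", reason).

    Passes only when the effective value of rds.force_ssl is 1. A missing
    parameter or an unset value is treated as FAIL (conservative reading).
    """
    for p in parameters:
        if p.get("ParameterName") == "rds.force_ssl":
            value = p.get("ParameterValue")
            if value == "1":
                return "PASS", "rds.force_ssl=1 (source: %s)" % p.get("Source", "unknown")
            return "FAIL", "rds.force_ssl=%r, must be 1" % (value,)
    return "FAIL", "rds.force_ssl not present in parameter group"

def audit_instance(rds, db_instance_identifier):
    """Live check: resolve the instance's parameter group and evaluate it."""
    inst = rds.describe_db_instances(
        DBInstanceIdentifier=db_instance_identifier)["DBInstances"][0]
    if inst["Engine"] != "postgres":  # control scope is RDS for PostgreSQL only
        return "N/A", "engine %s is out of scope" % inst["Engine"]
    group = inst["DBParameterGroups"][0]["DBParameterGroupName"]
    params = []
    paginator = rds.get_paginator("describe_db_parameters")
    for page in paginator.paginate(DBParameterGroupName=group):
        params.extend(page["Parameters"])
    status, reason = force_ssl_status(params)
    return status, "%s: %s" % (group, reason)

def enforce_ssl(rds, group_name):
    """Remediate a custom group; default.* groups cannot be modified in RDS."""
    if group_name.startswith("default."):
        raise ValueError("create a custom parameter group and attach it first")
    # rds.force_ssl is a dynamic parameter, so "immediate" needs no reboot.
    return rds.modify_db_parameter_group(
        DBParameterGroupName=group_name,
        Parameters=[{"ParameterName": "rds.force_ssl", "ParameterValue": "1",
                     "ApplyMethod": "immediate"}],
    )
```

For a live run pass `boto3.client("rds")` as `rds`; the functions are written against that client's real method names so they can be exercised offline with a stub.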

Compliance

FSBP