Ensure CA certificate used is not older than 1 year for Amazon Relational Database Service (Amazon RDS) instances

HIGH

Description

Use of expired CA certificates can impact the confidentiality of data in transit and may disrupt database services.

Remediation

The Amazon RDS CA-2015 certificates expired on March 5, 2020. If any DB instances still use CA-2015, it is recommended to update all existing CA certificates to CA-2019, which is enabled by default when creating a new DB instance.

In Terraform -

  1. In the aws_db_instance resource, set the field ca_cert_identifier to rds-ca-2019.
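
The Terraform remediation above as a complete resource, added here as an example (not code from the policy page or the Terraform provider docs); the resource names, engine, instance class and the db_password variable are assumptions:

```hcl
# Added example, not code from the policy page: the same aws_db_instance written
# the non-compliant way and the remediated way. The resource names, engine,
# instance size and the db_password variable are assumptions for illustration.

variable "db_password" {
  type      = string
  sensitive = true
}

# Non-compliant: pins the RDS CA-2015 bundle, which expired on March 5, 2020.
# Rule AC_AWS_0057 flags this resource.
resource "aws_db_instance" "orders_noncompliant" {
  identifier          = "orders-db-old"
  engine              = "postgres"
  engine_version      = "12.3"
  instance_class      = "db.t3.micro"
  allocated_storage   = 20
  username            = "app"
  password            = var.db_password
  ca_cert_identifier  = "rds-ca-2015"
  skip_final_snapshot = true
}

# Compliant: pins the CA-2019 bundle the policy recommends. Pinning it
# explicitly, rather than relying on the account default, keeps the CA
# choice visible in code review and in the Terraform plan.
resource "aws_db_instance" "orders" {
  identifier          = "orders-db"
  engine              = "postgres"
  engine_version      = "12.3"
  instance_class      = "db.t3.micro"
  allocated_storage   = 20
  username            = "app"
  password            = var.db_password
  ca_cert_identifier  = "rds-ca-2019"
  # Apply the certificate change now rather than in the next maintenance
  # window; clients must already trust the CA-2019 root before this runs.
  apply_immediately   = true
  skip_final_snapshot = true
}
```

Changing ca_cert_identifier on an existing instance is an in-place modification, so review the plan output to confirm Terraform schedules an update and not a replacement.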

For more information on how to rotate SSL/TLS certificates, see the AWS documentation.

References:
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL-certificate-rotation.html
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#ca_cert_identifier

Policy Details

Rule Reference ID: AC_AWS_0057
CSP: AWS
Remediation Available: Yes
Resource: aws_db_instance
Resource Category: Database
Resource Type: DB Instance

Frameworks