RDS DB instances and DB clusters enforce SSL/TLS for client connections via parameter groups. The check looks for rds.force_ssl=1 (PostgreSQL, SQL Server) or require_secure_transport enabled (MySQL-family) and identifies databases where encryption enforcement isn't active.
Risk
Without enforced TLS, clients can connect or be downgraded to plaintext, exposing credentials and queries to interception. Adversaries can perform MITM, steal secrets, and tamper with traffic, undermining confidentiality and integrity and enabling reuse of captured database credentials.
prowler aws --checks rds_instance_transport_encrypted
Recommendation
Enforce transport encryption at the database layer:
- Enable rds.force_ssl=1 or require_secure_transport in parameter groups
- Configure clients to require certificate validation and prevent fallback
- Use current TLS versions and trusted CAs
- Prefer private network access as defense in depth
Remediation
aws rds modify-db-parameter-group --region <REGION_NAME> --db-parameter-group-name <PARAMETER_GROUP_NAME> --parameters ParameterName='rds.force_ssl',ParameterValue='1',ApplyMethod='pending-reboot'
- In the AWS Console, go to RDS > Parameter groups
- For DB instances:
  - Edit the DB parameter group attached to the instance (or create one and attach it)
  - Set rds.force_ssl = 1 for PostgreSQL/SQL Server, or require_secure_transport = 1 for MySQL/MariaDB
  - Save. If the parameter is static, reboot the instance
- For Aurora clusters:
  - Edit the DB cluster parameter group attached to the cluster (or create one and attach it)
  - Set rds.force_ssl = 1 for Aurora PostgreSQL, or require_secure_transport = ON for Aurora MySQL
  - Save. Reboot instances if changes are pending-reboot
- Verify the parameter group is associated with the target instance/cluster and the status shows the new value applied
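The decision this check makes (which parameter enforces TLS for each engine family and which values count as enabled) together with the pending-reboot caveat from the steps above, as an added Python example that is not Prowler's or AWS's own code. It assumes inputs shaped like the `Parameters` list of `aws rds describe-db-parameters` and the `DBParameterGroups[].ParameterApplyStatus` field of `aws rds describe-db-instances`, and runs on constructed sample data.

```python
# Added example, not Prowler's or AWS's own code: the check's decision (which parameter
# enforces TLS per engine family, which values count as enabled) plus the pending-reboot
# caveat. Inputs mimic `aws rds describe-db-parameters` and DBParameterGroups[].ParameterApplyStatus.
# Engine family -> (enforcing parameter, values that mean "enabled").
ENFORCEMENT_PARAMS = {
    "postgres": ("rds.force_ssl", {"1"}),
    "aurora-postgresql": ("rds.force_ssl", {"1"}),
    "sqlserver": ("rds.force_ssl", {"1"}),
    "mysql": ("require_secure_transport", {"1", "on"}),
    "mariadb": ("require_secure_transport", {"1", "on"}),
    "aurora-mysql": ("require_secure_transport", {"1", "on"}),
}

def engine_family(engine):
    """Map an RDS Engine string (e.g. 'sqlserver-se', 'aurora-mysql') to a family key, or None."""
    e = engine.lower()
    if e.startswith("sqlserver"):
        return "sqlserver"
    return e if e in ENFORCEMENT_PARAMS else None

def transport_encryption_enforced(engine, parameters, apply_status="in-sync"):
    """Return (verdict, detail): True/False, or None for engines this check does not cover."""
    family = engine_family(engine)
    if family is None:
        return None, f"engine {engine!r} is not covered by this check"
    name, enabled_values = ENFORCEMENT_PARAMS[family]
    for p in parameters:
        if p.get("ParameterName") != name:
            continue
        raw = p.get("ParameterValue") or ""
        if raw.strip().lower() not in enabled_values:
            return False, f"{name}={raw!r} does not enforce TLS"
        if apply_status != "in-sync":
            # Edited but not yet applied (static parameter, no reboot): plaintext still accepted.
            return False, f"{name}={raw} set, but parameter group is {apply_status}"
        return True, f"{name}={raw}"
    return False, f"{name} is not present in the parameter group"

# Constructed sample inputs (not data from a real account).
SAMPLES = [
    ("postgres", [{"ParameterName": "rds.force_ssl", "ParameterValue": "1"}], "in-sync"),
    ("aurora-mysql", [{"ParameterName": "require_secure_transport", "ParameterValue": "ON"}], "in-sync"),
    ("sqlserver-se", [{"ParameterName": "rds.force_ssl", "ParameterValue": "1"}], "pending-reboot"),
    ("mariadb", [{"ParameterName": "max_connections", "ParameterValue": "150"}], "in-sync"),
]

if __name__ == "__main__":
    for engine, params, status in SAMPLES:
        print(engine, *transport_encryption_enforced(engine, params, status))
```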
Source Code
Resource Type
AwsRdsDbInstance