AWS RDS does not enforce SSL/TLS encryption

Published Thu, Mar 10th, 2022


The AWS RDS service does not enforce transport layer security (TLS) for client connections by default, so clients are able to connect over unencrypted channels. Additionally, for the more commonly used MySQL and MariaDB RDS engine types, this setting cannot be enabled at all.

Affected Services

For engines other than MySQL and MariaDB, set the require_secure_transport or rds.force_ssl parameter in the attached DB cluster parameter group. For MySQL and MariaDB there is no known workaround other than ensuring that clients connect to these databases only from within the VPC. In general, ensure that RDS database instances without SSL/TLS enforcement are not exposed to public networks.
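A defender-side audit of this configuration, added here as an example and not part of the original entry: it consumes the JSON shape returned by `aws rds describe-db-instances` and `aws rds describe-db-parameters` (trimmed to the keys it uses) and grades each instance by whether an attached parameter group forces TLS and whether the instance is publicly accessible, following the guidance above. The instance and parameter-group data below is constructed; the function names are this example's own.

```python
"""Audit RDS instances for enforced client TLS.

Added example: reads the JSON shape of `aws rds describe-db-instances`
and `aws rds describe-db-parameters` (only the keys used here are kept).
All sample data below is constructed for illustration.
"""
import json

# Parameter-group settings named in the advisory that force encrypted connections.
TLS_ENFORCING_PARAMETERS = ("rds.force_ssl", "require_secure_transport")
# Values RDS engines accept as "enabled" for these boolean-style parameters.
ENABLED_VALUES = {"1", "on", "true"}

# Constructed sample: four instances, as describe-db-instances would list them.
SAMPLE_INSTANCES = {
    "DBInstances": [
        {"DBInstanceIdentifier": "orders-pg", "Engine": "postgres",
         "PubliclyAccessible": False,
         "DBParameterGroups": [{"DBParameterGroupName": "pg13-force-ssl",
                                "ParameterApplyStatus": "in-sync"}]},
        # Same hardened group, but the static parameter change has not been
        # applied yet (instance not rebooted), so TLS is not enforced today.
        {"DBInstanceIdentifier": "billing-pg", "Engine": "postgres",
         "PubliclyAccessible": False,
         "DBParameterGroups": [{"DBParameterGroupName": "pg13-force-ssl",
                                "ParameterApplyStatus": "pending-reboot"}]},
        {"DBInstanceIdentifier": "reports-pg", "Engine": "postgres",
         "PubliclyAccessible": False,
         "DBParameterGroups": [{"DBParameterGroupName": "default.postgres13",
                                "ParameterApplyStatus": "in-sync"}]},
        {"DBInstanceIdentifier": "web-mysql", "Engine": "mysql",
         "PubliclyAccessible": True,
         "DBParameterGroups": [{"DBParameterGroupName": "default.mysql8.0",
                                "ParameterApplyStatus": "in-sync"}]},
    ]
}

# Constructed sample: describe-db-parameters output per parameter group, filtered
# to the relevant parameters. An engine-default entry carries no ParameterValue.
SAMPLE_PARAMETERS = {
    "pg13-force-ssl": {"Parameters": [
        {"ParameterName": "rds.force_ssl", "ParameterValue": "1", "Source": "user"}]},
    "default.postgres13": {"Parameters": [
        {"ParameterName": "rds.force_ssl", "ParameterValue": "0", "Source": "system"}]},
    "default.mysql8.0": {"Parameters": [
        {"ParameterName": "require_secure_transport", "Source": "engine-default"}]},
}


def tls_enforced(parameters):
    """True if any TLS-enforcing parameter in the group is explicitly enabled.

    A missing ParameterValue means the engine default applies, which this
    audit treats as not enforced.
    """
    for p in parameters:
        if p.get("ParameterName") in TLS_ENFORCING_PARAMETERS:
            value = str(p.get("ParameterValue", "")).strip().lower()
            if value in ENABLED_VALUES:
                return True
    return False


def audit(instances, parameters_by_group):
    """Return one finding per instance with an actionable severity.

    ok      - an in-sync parameter group attached to the instance forces TLS
    medium  - TLS not forced, but the instance is reachable only inside the VPC
    high    - TLS not forced and the instance is publicly accessible
    """
    findings = []
    for inst in instances["DBInstances"]:
        groups = inst.get("DBParameterGroups", [])
        # A group only counts once its changes are applied ("in-sync");
        # a pending-reboot status means the old, unenforced value is live.
        enforced = any(
            g.get("ParameterApplyStatus") == "in-sync"
            and tls_enforced(parameters_by_group.get(
                g["DBParameterGroupName"], {}).get("Parameters", []))
            for g in groups)
        public = bool(inst.get("PubliclyAccessible"))
        severity = "ok" if enforced else ("high" if public else "medium")
        findings.append({
            "instance": inst["DBInstanceIdentifier"],
            "engine": inst["Engine"],
            "parameter_groups": [g["DBParameterGroupName"] for g in groups],
            "tls_enforced": enforced,
            "publicly_accessible": public,
            "severity": severity,
        })
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_INSTANCES, SAMPLE_PARAMETERS):
        print(json.dumps(finding))
```

To run this against a real account, replace the two constructed dictionaries with the parsed output of the corresponding `aws rds describe-*` calls; the grading logic is unchanged. The `ParameterApplyStatus` check matters because the enforcing parameters are applied on reboot, so a group that looks correct in the console may not yet be in effect on the instance.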

Tracked CVEs

No tracked CVEs

Disclosure Date
Sun, Dec 26th, 2021
Exploitability Period
Known ITW Exploitation
Detection Methods
Piercing Index Rating
Discovered by
Riyaz Walikar, Kloudle