low

AWS RDS does not enforce SSL/TLS encryption

Published Thu, Mar 10th, 2022
Platforms

Summary

The AWS RDS service does not enable secure transport layer security by default, allowing clients to connect insecurely. Additionally, for the more commonly used MySQL and MariaDB RDS engine types, this setting cannot be enabled at all.

Affected Services

RDS

Remediation

For databases other than MySQL and MariaDB, modify the require_secure_transport or rds.force_ssl values of the attached DB cluster parameter group. For MySQL and MariaDB there is no known workaround, other than ensuring clients connect to these database types only within the VPC. In general, ensure that RDS database instances without SSL/TLS enabled are not exposed over public networks.

Tracked CVEs

No tracked CVEs

References

Disclosure Date
Sun, Dec 26th, 2021
Exploitablity Period
Ongoing
Known ITW Exploitation
-
Detection Methods
-
Discovered by
Riyaz Walikar, Kloudle