Important Update for Cloud Infrastructure Leaders

If you are responsible for your company’s cloud infrastructure, immediate action is required. If your organisation relies on SSL/TLS with certificate verification to connect to Amazon RDS instances (MySQL, MariaDB, SQL Server, Oracle, PostgreSQL, and Amazon Aurora), you must rotate the rds-ca-2019 CA certificate on those instances, and update the CA bundles your clients trust, before it expires in 2024. Clients that connect over TLS without verifying the server certificate will not break, but they were never protected against a spoofed endpoint either, so the rotation is also the moment to turn verification on. This step is essential to avoid disruptions and maintain security.

Key points about Amazon RDS and Amazon Aurora to note:

Expiration Dates for rds-ca-2019 (YYYY-MM-DD):

  • Middle East (Bahrain): 2024-05-08
  • US, Asia Pacific, Canada, Europe, South America: 2024-08-22
  • China: 2024-09-09
  • Africa (Cape Town): 2024-10-26
  • Europe (Milan): 2024-10-28

New CA Certificates:

  • rds-ca-rsa2048-g1: valid until 2061 (about 40 years); the default CA for new DB instances in most AWS Regions
  • rds-ca-rsa4096-g1, rds-ca-ecc384-g1: valid until 2121 (about 100 years); rds-ca-ecc384-g1 requires client libraries that can validate ECDSA certificates, so check your drivers before choosing it

Essential Actions to Take:

Identify Impacted Resources: Use the Certificate update page in the Amazon RDS console to list every DB instance that still uses rds-ca-2019. From the CLI, the same information is the CACertificateIdentifier field returned by aws rds describe-db-instances, queried per Region. For Aurora the CA is set on each writer and reader instance, not on the cluster, so count every instance. This step is critical to scope the necessary changes.

Update Clients and Applications: Add the new CA certificates to every client trust store before you touch any DB instance. The simplest route is the AWS-provided combined bundle (global-bundle.pem from https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem, or the bundle for your Region), which contains both the old and the new CAs, so clients keep working whichever CA an instance presents during the rotation. Remember the trust stores that are not the operating system’s: Java cacerts and JDBC truststores, container images, Lambda layers, and connection strings that pin a CA file. This will prevent connectivity issues once the old certificates expire.

Test CA Rotation: Change the CA on a non-production RDS instance first, then connect with certificate verification enforced from every kind of client you run in production (for PostgreSQL, sslmode=verify-full with sslrootcert pointing at the new bundle; for MySQL, --ssl-ca with --ssl-mode=VERIFY_IDENTITY). A connection that only succeeds with verification relaxed means that client is trusting the wrong bundle. This step is crucial to validate the update process and uncover any potential issues before affecting your production environment.

Update Production Instances: Plan and execute the certificate rotation in your production environment during a scheduled maintenance window to minimise service impact. Changing the CA reissues the instance’s server certificate and, depending on the engine and version, can restart the instance, so check whether your engine supports rotating the certificate without a restart before you apply the change. This is a strategic move to ensure business continuity.
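
As an added example (not code from AWS or from the blog post referenced below), the following Python script carries the four steps through in one place: it reads the JSON shape returned by aws rds describe-db-instances (a constructed sample is embedded), flags every instance whose CACertificateIdentifier is still rds-ca-2019, attaches the regional expiry date from the list above together with a days-remaining count, and prints the modify-db-instance command that moves each one to a new CA. The mapping of the advisory’s region names to AWS region codes, the sample instance names, and the fixed report date are assumptions of the example.

```python
"""Inventory RDS/Aurora DB instances still on rds-ca-2019 and plan their rotation.

Added example: parses the JSON shape of `aws rds describe-db-instances`
(run with --output json, or fetched via boto3) and reports what must be
rotated before the regional deadline. The sample data below is constructed.
"""
import json
from datetime import date

LEGACY_CA = "rds-ca-2019"

# rds-ca-2019 expiry per region, taken from the advisory. Mapping the
# advisory's region names to region codes is an assumption of this example:
# Bahrain = me-south-1, China = cn-north-1 / cn-northwest-1,
# Cape Town = af-south-1, Milan = eu-south-1. Every other region falls under
# the 2024-08-22 date (US, Asia Pacific, Canada, Europe, South America).
SPECIAL_DEADLINES = {
    "me-south-1": date(2024, 5, 8),
    "cn-north-1": date(2024, 9, 9),
    "cn-northwest-1": date(2024, 9, 9),
    "af-south-1": date(2024, 10, 26),
    "eu-south-1": date(2024, 10, 28),
}
DEFAULT_DEADLINE = date(2024, 8, 22)

# Fixed "today" so the report and its numbers are reproducible (assumption).
REPORT_DATE = date(2024, 3, 1)


def legacy_ca_deadline(region: str) -> date:
    """Date after which rds-ca-2019 is no longer valid in the given region."""
    return SPECIAL_DEADLINES.get(region, DEFAULT_DEADLINE)


def region_from_az(availability_zone: str) -> str:
    """describe-db-instances reports the AZ ('eu-south-1b'); strip the AZ letter.
    Assumes the standard '<region><letter>' AZ naming."""
    if availability_zone and availability_zone[-1].isalpha():
        return availability_zone[:-1]
    return availability_zone


def find_legacy_ca_instances(describe_output: dict, today: date,
                             legacy_ca: str = LEGACY_CA) -> list:
    """Return instances whose CACertificateIdentifier is still the legacy CA,
    soonest deadline first. Aurora reports each writer/reader as its own
    DBInstance, which is what we want: the CA is set per instance, not per cluster."""
    findings = []
    for inst in describe_output.get("DBInstances", []):
        if inst.get("CACertificateIdentifier") != legacy_ca:
            continue
        region = region_from_az(inst["AvailabilityZone"])
        deadline = legacy_ca_deadline(region)
        findings.append({
            "id": inst["DBInstanceIdentifier"],
            "engine": inst["Engine"],
            "region": region,
            "deadline": deadline.isoformat(),
            "days_left": (deadline - today).days,
        })
    findings.sort(key=lambda f: f["days_left"])
    return findings


def modify_command(instance_id: str, new_ca: str = "rds-ca-rsa2048-g1") -> str:
    """AWS CLI call that moves one DB instance to a new CA (step 4).
    Run it only after every client trust store already contains new_ca (step 2);
    depending on the engine the change can restart the instance."""
    return (f"aws rds modify-db-instance --db-instance-identifier {instance_id} "
            f"--ca-certificate-identifier {new_ca} --apply-immediately")


# Constructed sample in the shape of `aws rds describe-db-instances --output json`
# (only the fields this script reads are included).
SAMPLE_DESCRIBE_OUTPUT = json.loads("""
{"DBInstances": [
  {"DBInstanceIdentifier": "orders-prod", "Engine": "postgres",
   "AvailabilityZone": "eu-south-1b", "CACertificateIdentifier": "rds-ca-2019"},
  {"DBInstanceIdentifier": "billing-prod", "Engine": "mysql",
   "AvailabilityZone": "us-east-1a", "CACertificateIdentifier": "rds-ca-2019"},
  {"DBInstanceIdentifier": "reports-staging", "Engine": "aurora-mysql",
   "AvailabilityZone": "me-south-1c", "CACertificateIdentifier": "rds-ca-2019"},
  {"DBInstanceIdentifier": "search-dev", "Engine": "mariadb",
   "AvailabilityZone": "us-east-1b", "CACertificateIdentifier": "rds-ca-rsa2048-g1"}
]}
""")


if __name__ == "__main__":
    for f in find_legacy_ca_instances(SAMPLE_DESCRIBE_OUTPUT, REPORT_DATE):
        print(f"{f['id']:16} {f['engine']:13} {f['region']:14} "
              f"{LEGACY_CA} expires {f['deadline']} ({f['days_left']} days left)")
        print("    ", modify_command(f["id"]))
```

The script runs offline; to use it for real, replace SAMPLE_DESCRIBE_OUTPUT with the parsed output of aws rds describe-db-instances --output json for each Region you operate in. After an instance has been modified, confirm the result from the client side with verification enforced, for example psql "sslmode=verify-full sslrootcert=global-bundle.pem ..." or mysql --ssl-ca=global-bundle.pem --ssl-mode=VERIFY_IDENTITY ...; a connection that succeeds with those options proves both that the instance now serves a certificate chained to the new CA and that the client’s bundle trusts it.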

For detailed instructions and additional information, refer to the official AWS blog post: Rotate Your SSL/TLS Certificates Now: Amazon RDS and Amazon Aurora Expire in 2024.

Consequences of inaction for your Amazon RDS and Amazon Aurora databases

If your organisation does not rotate the CA certificates before their expiration dates, expect the following:

  1. Service Disruptions: Every client that verifies the server certificate chain will fail the TLS handshake against an instance still presenting a certificate issued by the expired rds-ca-2019 CA, and will lose its database connection. This will cause significant downtime and interrupt business operations.
  2. Weakened Security: An expired certificate does not remove encryption, but the usual emergency workaround, switching clients to an encrypt-without-verify mode, does remove authentication of the endpoint and leaves connections open to a spoofed or intercepted database. Changes made under that kind of pressure tend to stay in place.
  3. Production Unavailability: The failure happens on the Region’s expiry date, not during your maintenance window, so production databases become unreachable for verifying clients at a time you did not choose, affecting your service availability.
  4. Operational Challenges: Emergency updates and unplanned downtime to rotate certificates can strain your IT resources, impacting other critical projects and initiatives.