Is it possible to use AWS RDS Postgres SSL connections with DNS Aliases rather than AWS Endpoint?

3
votes

RDS Postgres instances have an auto-generated SSL certificate that uses the endpoint name as the certificate common name. Creating an SSL connection to the instance using that auto-generated certificate is trivial.

Is it possible to update the existing certificate, or generate and additional certificate, so that a domain alias can be used for the endpoint when initialing an SSL connection, rather than the endpoint name?

e.g. I have a domain alias setup as testdb.mydomain.com CNAME testd.abcd1234hj1.us-east-1.rds.amazonaws.com and want to be able to initiale an SSL connection to testdb.mydomain.com

I use domain name aliases for my AWS RDS Postgres instance endpoints e.g. testdb.mydomain.com CNAME testdb.abcd1234asds.us-east-1.rds.amazonaws.com

2
postgresqlamazon-web-servicessslamazon-rds

2 Answers

5
votes

Is it possible to update the existing certificate, or generate and additional certificate, so that a domain alias can be used for the endpoint when initialing an SSL connection, rather than the endpoint name?

Unfortunately, this is not currently supported with RDS. There is no way to update RDS to use a custom certificate that matches your CNAME. The only way to possibly do this is at the client side if you are using an application framework that enables you to write code to handle certification validation errors. In that case, you can implement code that permits certificate validation errors for the specific RDS endpoint to be ignored while failing for any other endpoint.

1
votes

Even though it's not possible to use DNS aliases directly (as mentioned by @Ashaman Kingpin), we can still avoid passing the CNAME to any resource that needs it.

Let's say a lambda function needs to connect to the database, we can pass the DNS alias, resolve the CNAME within the lambda and use the resulting CNAME to connect to RDS using aws certificates.