I have an AWS EC2 instance and a MySQL RDS instance.
Now I want EC2 to connect to RDS using SSL.
I downloaded an RDS SSL certificate provided by Amazon. Then I uploaded the SSL certificate to the EC2 instance, connected to it through SSH, and checked that the SSL DB connection worked by running something like:

```
mysql --ssl-ca=path_to_cert.pem --ssl-mode=REQUIRED -h my_mysql_instance_url .......
```

Everything worked perfectly.
The goal is to automate this process of adding the certificate to the EC2 instance when creating it from an AMI.
So, I see a few options:
- manually update the AMI itself to include the CA certificate file, so created EC2 instances have it too
- write a script on the AMI side which when running instances somehow downloads the CA certificate to their file system
- use another method which doesn't require downloading the CA certificate file
What is the best practice?
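
The second option in the list above, sketched as a boot-time script (an added example, not part of the original post): it downloads the CA bundle over HTTPS, rejects a truncated, unparsable, or soon-to-expire bundle, and installs it atomically. The bundle URL, the destination path, and the function names are assumptions to adapt.

```shell
#!/bin/sh
# Added example: install the RDS CA bundle at first boot (e.g. from EC2 user data).
# Assumed values: the bundle URL and destination path; override via environment.
RDS_CA_URL="${RDS_CA_URL:-https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem}"
RDS_CA_DEST="${RDS_CA_DEST:-/etc/ssl/rds/global-bundle.pem}"

# Succeeds only if file $1 holds at least one certificate, every certificate
# parses, and none expires within $2 seconds (default: one day).
validate_bundle() {
    bundle=$1; min_valid=${2:-86400}; rc=0
    [ -s "$bundle" ] || return 1
    tmpdir=$(mktemp -d) || return 1
    # Split the bundle into one file per certificate so each one is checked.
    awk -v d="$tmpdir" '/-----BEGIN CERTIFICATE-----/ { if (f) close(f); f = d "/cert" (++n) ".pem" }
                        f { print > f }' "$bundle"
    for cert in "$tmpdir"/cert*.pem; do
        openssl x509 -in "$cert" -noout -checkend "$min_valid" >/dev/null 2>&1 || rc=1
    done
    rm -rf "$tmpdir"
    return $rc
}

# Validate $1, then move it into place at $2 atomically so no reader sees a partial file.
install_bundle() {
    src=$1; dest=$2
    validate_bundle "$src" || { echo "rejecting CA bundle: $src" >&2; return 1; }
    mkdir -p "$(dirname "$dest")" || return 1
    tmp=$(mktemp "$dest.XXXXXX") || return 1
    cat "$src" > "$tmp" && chmod 0644 "$tmp" && mv -f "$tmp" "$dest"
}

# Download over HTTPS only, then validate and install.
fetch_and_install() {
    dl=$(mktemp) || return 1
    curl --fail --silent --show-error --proto '=https' --tlsv1.2 -o "$dl" "$RDS_CA_URL" &&
        install_bundle "$dl" "$RDS_CA_DEST"
    status=$?
    rm -f "$dl"
    return $status
}

# Runs only when called as: script.sh --install (keeps the functions sourceable).
if [ "${1:-}" = "--install" ]; then
    fetch_and_install
fi
```

The MySQL client checks the server certificate against `--ssl-ca` only when `--ssl-mode` is `VERIFY_CA` or `VERIFY_IDENTITY`; `REQUIRED` encrypts the connection without verifying the certificate.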