Update Amazon RDS SSL/TLS Certificates - Elastic Beanstalk


Question

AWS recently announced the need to:

Update Your Amazon RDS SSL/TLS Certificates by October 31, 2019

I have a Rails application hosted with a classic Elastic Beanstalk load balancer, which connects to a Postgres DB using RDS.

The required steps according to Amazon are:

  1. Download the new SSL/TLS certificate from "Using SSL/TLS to Encrypt a Connection to a DB Instance".
  2. Update your database applications to use the new SSL/TLS certificate.
  3. Modify the DB instance to change the CA from rds-ca-2015 to rds-ca-2019.

( https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL-certificate-rotation.html )

Since I have my load balancers set up like this (connecting to my EC2 instances via HTTP port 80, not SSL), does this mean I don't need to follow steps 1 and 2? And only follow step 3?

Or do I have to download the updated certificates and install/add them to my load balancer or EC2 instances manually? Not sure how to do that.

Answer

Steps 1 & 2 are only required if your application's connection with MySQL is TLS encrypted.

Do not change the LB TLS setting; it can break your application. LB TLS is something else, and RDS TLS is something else.

If your application just creates a plain connection, you are safe to perform step 3 directly.

Modify the DB instance to change the CA from rds-ca-2015 to rds-ca-2019.

Normal practice for a DB is that it should be in a private subnet and not be accessible from the public. TLS is helpful when the connection between your database and backend is over the internet, not within the VPC.

With an unencrypted connection between the MySQL client and the server, someone with access to the network could watch all your traffic and inspect the data being sent or received between client and server.
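The decision the answer describes (steps 1 and 2 only matter when the client actually verifies the RDS server certificate against a CA bundle; step 3 is needed regardless) can be checked mechanically. The script below is an added example, not part of the original thread or of AWS tooling: it reads the libpq `sslmode`/`sslrootcert` parameters from a Rails-style `DATABASE_URL`, maps them to the applicable steps, finds instances still on the old CA in `aws rds describe-db-instances` JSON (a constructed sample is embedded), and builds the step-3 `modify-db-instance` call. The instance names and URLs are hypothetical.

```python
import json
import shlex
from urllib.parse import parse_qs, urlparse

OLD_CA = "rds-ca-2015"  # CA being retired in the AWS notice
NEW_CA = "rds-ca-2019"  # CA the instance must be moved to (step 3)

# Constructed sample of `aws rds describe-db-instances` output, trimmed to the
# fields used here. Instance identifiers are hypothetical.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "DBInstances": [
        {"DBInstanceIdentifier": "app-db-prod",
         "Engine": "postgres",
         "CACertificateIdentifier": "rds-ca-2015"},
        {"DBInstanceIdentifier": "app-db-staging",
         "Engine": "postgres",
         "CACertificateIdentifier": "rds-ca-2019"},
    ]
})


def parse_database_url(url: str) -> dict:
    """Extract the libpq TLS settings Rails passes through from DATABASE_URL.

    libpq defaults sslmode to 'prefer' when none is given.
    """
    query = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    return {"sslmode": query.get("sslmode", "prefer"),
            "sslrootcert": query.get("sslrootcert")}


def client_verifies_rds_ca(sslmode: str, sslrootcert=None) -> bool:
    """True when the client checks the server certificate against a CA bundle,
    i.e. when a bundle holding only the old CA would fail after step 3."""
    if sslmode in ("verify-ca", "verify-full"):
        return True
    # libpq: when a root certificate file is present, 'require' behaves like
    # 'verify-ca'.
    if sslmode == "require" and sslrootcert:
        return True
    # disable/allow/prefer, or require without a bundle: no CA check, so the
    # CA rotation cannot break the handshake ('require' still encrypts but
    # accepts any server certificate).
    return False


def rotation_plan(database_url: str) -> dict:
    """Map the application's connection settings to the AWS steps that apply."""
    settings = parse_database_url(database_url)
    verifies = client_verifies_rds_ca(**settings)
    steps = ([1, 2] if verifies else []) + [3]
    return {"sslmode": settings["sslmode"], "verifies_ca": verifies, "steps": steps}


def instances_needing_rotation(describe_output: str) -> list:
    """Identifiers of instances whose CA is not yet NEW_CA."""
    data = json.loads(describe_output)
    return [db["DBInstanceIdentifier"] for db in data["DBInstances"]
            if db.get("CACertificateIdentifier") != NEW_CA]


def modify_command(instance_id: str, apply_immediately: bool = False) -> str:
    """Build the step-3 CLI call. Changing the CA can restart the instance,
    so leave apply_immediately False to defer it to the maintenance window."""
    cmd = ["aws", "rds", "modify-db-instance",
           "--db-instance-identifier", instance_id,
           "--ca-certificate-identifier", NEW_CA]
    if apply_immediately:
        cmd.append("--apply-immediately")
    return shlex.join(cmd)


if __name__ == "__main__":
    # Constructed URLs: a plain connection (the asker's case) and a pinned one.
    for url in ("postgres://app:secret@db.internal:5432/app?sslmode=disable",
                "postgres://app:secret@db.internal:5432/app"
                "?sslmode=verify-full&sslrootcert=/etc/ssl/rds-ca-2019-root.pem"):
        print(url.split("?")[1], "->", rotation_plan(url))
    for db in instances_needing_rotation(SAMPLE_DESCRIBE_OUTPUT):
        print(modify_command(db))
```

For the asker's setup (`sslmode=disable`, or no sslmode at all) the plan is `[3]` only; a connection pinned with `verify-full` and a root bundle gets `[1, 2, 3]`, meaning the new bundle must be shipped to the application before the instance's CA is switched.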
